Health and Human Services: PvcFR03

8/14/2019 Health and Human Services: PvcFR03

http://slidepdf.com/reader/full/health-and-human-services-pvcfr03 1/50

82561Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000/ Rules and Regulations

A covered entity may only extend thedeadline one time per request foraccounting.

The NPRM did not address whether acovered entity could charge a fee for theaccounting of disclosures.

In the final rule, we provide thatindividuals have a right to receive onefree accounting per 12 month period.

For each additional request by anindividual within the 12 month period,the covered entity may charge areasonable, cost-based fee. If it imposessuch a fee, the covered entity mustinform the individual of the fee inadvance and provide the individualwith an opportunity to withdraw ormodify the request in order to avoid orreduce the fee.

Procedures and Documentation

As in the proposed rule, we establishdocumentation requirements forcovered entities subject to this

provision. In accordance with§ 164.530(j), for disclosures that aresubject to the accounting requirement,the covered entity must retaindocumentation of the informationrequired to be included in theaccounting. The covered entity mustalso retain a copy of any accountingprovided and must document the titlesof the persons or offices responsible forreceiving and processing requests for anaccounting.

Section 164.530—AdministrativeRequirements

Designation of a Privacy Official and Contact Person

In § 164.518(a) of the NPRM, weproposed that covered entities berequired to designate an individual asthe covered entity’s privacy official,responsible for the implementation anddevelopment of the entity’s privacypolicies and procedures. We alsoproposed that covered entities berequired to designate a contact person toreceive complaints about privacy andprovide information about the matterscovered by the entity’s notice. Weindicated that the contact person could

be, but was not required to be, theperson designated as the privacyofficial. We proposed to leaveimplementation details to the discretionof the covered entity. We expectedimplementation to vary widelydepending on the size and nature of thecovered entity, with small officesassigning this as an additional duty toan existing staff person, and largeorganizations creating a full-timeprivacy official. In proposed § 164.512,we also proposed to require the coveredplan or provider’s privacy notice to

include the name of a contact person forprivacy matters.

The final regulation retains therequirements for a privacy official andcontact person as specified in theNPRM. These designations must bedocumented. The designation of privacyofficial and contact person positionswithin affiliated entities will depend on

how the covered entity chooses todesignate the covered entity(ies) under§ 164.504(b). If a subsidiary is defined asa covered entity under this regulation,then a separate privacy official andcontact person is required for thatcovered entity. If several subsidiariesare designated as a single coveredentity, pursuant to §164.504(b), thentogether they need have only a singleprivacy officer and contact person. If several covered entities share a noticefor services provided on the samepremises, pursuant to § 164.520(d), thatnotice need designate only one privacy

official and contact person for theinformation collected under that notice.These requirements are consistent

with the approach recommended by the Joint Commission on Accreditation of Healthcare Organizations, and theNational Committee for QualityAssurance, in its paper ‘‘ProtectingPersonal Health Information; Aframework for Meeting the Challengesin a Managed Care Environment.’’ Thispaper notes that ‘‘accountability isenhanced by having focal points whoare responsible for assessing compliancewith policies and procedures * * * ’’(p. 29)

Training

In § 164.518(b) of the NPRM weproposed to require that covered entitiesprovide training on the entities’ policiesand procedures to all members of theworkforce likely to have access toprotected health information. Eachentity would be required to provideinitial training by the date on which thisrule became applicable. After that date,each covered entity would have toprovide training to new members of theworkforce within a reasonable time afterjoining the entity. In addition, we

proposed that when a covered entitymade material changes in its privacypolicies or procedures, it would berequired to retrain those members of theworkforce whose duties were related tothe change within a reasonable time of making the change.

The NPRM would have required that,upon completion of the training, thetrainee would be required to sign astatement certifying that he or shereceived the privacy training and wouldhonor all of the entity’s privacy policiesand procedures. Entities would

determine the most effective means of achieving this training requirement fortheir workforce. We also proposed that,at least every three years after the initialtraining, covered entities would berequired to have each member of theworkforce sign a new statementcertifying that he or she would honor allof the entity’s privacy policies and

procedures. The covered entity wouldhave been required to document itspolicies and procedures for complyingwith the training requirements.

The final regulation requires coveredentities to train all members of theirworkforce on the policies andprocedures with respect to protectedhealth information required by this rule,as necessary and appropriate for themembers of the workforce to carry outtheir functions within the coveredentity. We do not change the proposedtime lines for training existing and newmembers of the workforce, or for

training due to material changes in thecovered entity’s policies andprocedures. We eliminate both therequirement for employees to sign acertification following training and thetriennial re-certification requirement.Covered entities are responsible forimplementing policies and proceduresto meet these requirements and fordocumenting that training has beenprovided.

Safeguards

In § 164.518(c) of the NPRM, weproposed to require covered entities toput in place administrative, technical,

and physical safeguards to protect theprivacy of protected health information.We made reference in the preamble tosimilar requirements proposed forcertain electronic information in theNotice of Proposed Rulemaking entitledthe Security and Electronic SignatureStandards (HCFA–0049–P). We statedthat we were proposing parallel andconsistent requirements for safeguardingthe privacy of protected healthinformation. In § 164.518(c)(3) of theNPRM, we required covered entities tohave safeguards to ensure thatinformation was not used in violation of

the requirements of this subpart or bypeople who did not have properauthorization to access the information.

We do not change the basic proposedrequirements that covered entities haveadministrative, technical and physicalsafeguards to protect the privacy of protected health information. Wecombine the proposed requirements intoa single standard that requires coveredentities to safeguard protected healthinformation from accidental orintentional use or disclosure that is aviolation of the requirements of this rule

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00101 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2



82562 Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000/ Rules and Regulations

and to protect against the inadvertentdisclosure of protected healthinformation to persons other than theintended recipient. Limitations onaccess to protected health information

by the covered entities workforce willalso be covered by the policies andprocedures for ‘‘minimum necessary’’use of protected health information,

pursuant to §164.514(d). We expectthese provisions to work in tandem.

We do not prescribe the particularmeasures that covered entities must taketo meet this standard, because thenature of the required policies andprocedures will vary with the size of thecovered entity and the type of activitiesthat the covered entity undertakes. (Thatis, as with other provisions of this rule,this requirement is ‘‘scalable.’’)Examples of appropriate safeguardsinclude requiring that documentscontaining protected health information

be shredded prior to disposal, and

requiring that doors to medical recordsdepartments (or to file cabinets housingsuch records) remain locked andlimiting which personnel are authorizedto have the key or pass-code. We intendthis to be a common sense, scalable,standard. We do not require coveredentities to guarantee the safety of protected health information against allassaults. Theft of protected healthinformation may or may not signal aviolation of this rule, depending on thecircumstances and whether the coveredentity had reasonable policies to protectagainst theft. Organizations such as theAssociation for Testing and Materials

(ASTM) and the American HealthInformation Management Association(AHIMA) have developed a body of recommended practices for handling of protected health information thatcovered entities may find useful.

We note that the proposed HIPAASecurity Standards would requirecovered entities to safeguard the privacyand integrity of health information. Forelectronic information, compliance with

both regulations will be required.In § 164.518(c)(2) of the NPRM we

proposed requirements for verificationprocedures to establish identity and

authority for permitted disclosures of protected health information.In the final rule, this material has

been moved to §164.514(h).

Use or Disclosure of Protected HealthInformation by Whistleblowers

In § 164.518(c)(4) of the NPRM, thisprovision was entitled ‘‘ImplementationSpecification: Disclosures bywhistleblowers.’’ It is now retitled‘‘Disclosures by whistleblowers,’’ withcertain changes, and moved to§ 164.502(j)(1).

Complaints to the Covered Entity

In § 164.518(d) of the NPRM, weproposed to require covered entities tohave a mechanism for receivingcomplaints from individuals regardingthe health plan’s or provider’scompliance with the requirements of this proposed rule. We did not require

that the health plan or provider developa formal appeals mechanism, nor that‘‘due process’’ or any similar standard

be applied. Additionally, there was norequirement to respond in anyparticular manner or time frame.

We proposed two basic requirementsfor the complaint process. First, thecovered health plan or health careprovider would be required to identifyin the notice of information practices acontact person or office for receivingcomplaints. Second, the health plan orprovider would be required to maintaina record of the complaints that are filedand a brief explanation of their

resolution, if any.In the final rule, we retain the

requirement for an internal complaintprocess for compliance with this rule,including the two basic requirements of identifying a contact person anddocumenting complaints received andtheir dispositions, if any. We expand thescope of complaints that coveredentities must have a means of receivingto include complaints concerningviolations of the covered entity’sprivacy practices, not just violations of the rule. For example, a covered entitymust have a mechanism for receiving a

complaint that patient information isused at a nursing station in a way thatit can also be viewed by visitors to thehospital, regardless of whether thepractices at the nursing stations mightconstitute a violation of this rule.

Sanctions

In § 164.518(e) of the NPRM, weproposed to require all covered entitiesto develop, and apply whenappropriate, sanctions against membersof its workforce who failed to complywith privacy policies or procedures of the covered entity or with the

requirements of the rule. Coveredentities would be required to developand impose sanctions appropriate to thenature of the violation. The preamblestated that the type of sanction appliedwould vary depending on factors suchas the severity of the violation, whetherthe violation was intentional orunintentional, and whether theviolation indicated a pattern or practiceof improper use or disclosure of protected health information. Sanctionscould range from a warning totermination. The NPRM preamble

language also stated that coveredentities would be required to applysanctions against business associatesthat violated the proposed rule.

In the final rule, we retain therequirement for sanctions againstmembers of a covered entity’sworkforce. We also require a coveredentity to have written policies and

procedures for the application of appropriate sanctions for violations of this subpart and to document thosesanctions. These sanctions do not applyto whistleblower activities that meet theprovisions of §164.502(j) or complaints,investigations, or opposition that meetthe provisions of §164.530(g)(2). Weeliminate language regarding businessassociates from this section.Requirements with respect to businessassociates are stated in §164.504.

Duty To Mitigate

In proposed §164.518(f), we would

have required covered entities to havepolicies and procedures for mitigating,to the extent practicable, any deleteriouseffect of a use or disclosure of protectedhealth information in violation of therequirements of this subpart. The NPRMpreamble also included specificlanguage applying this requirement toharm caused by members of the coveredentity’s workforce and businessassociates.

With respect to business associates,the NPRM preamble but not the NPRMrule text, stated that covered entitieswould have a duty to take reasonable

steps in response to breaches of contractterms. Covered entities generally wouldnot be required to monitor the activitiesof their business associates, but would

be required to take steps to addressproblems of which they become aware,and, where the breach was serious orrepeated, would also be required tomonitor the business associate’sperformance to ensure that the wrongful

behavior had been remedied.Termination of the arrangement would

be required only if it became clear thata business associate could not be reliedupon to maintain the privacy of protected health information providedto it.

In the final rule, we clarify thisrequirement by imposing a duty forcovered entities to mitigate any harmfuleffect of a use or disclosure of protectedhealth information that is known to thecovered entity. We apply the duty tomitigate to a violation of the coveredentity’s policies and procedures, not justa violation of the requirements of thesubpart. We resolve the ambiguities inthe NPRM by imposing this duty oncovered entities for harm caused by





either members of their workforce or bytheir business associates.

We eliminate the language regardingpotential breaches of business associatecontracts from this section. All otherrequirements with respect to businessassociates are stated in §164.504.

Refraining from Intimidating or Retaliatory Acts

In § 164.522(d)(4) of the NPRM, in theCompliance and Enforcement section,we proposed that one of theresponsibilities of a covered entitywould be to refrain from intimidating orretaliatory acts. Specifically, the ruleprovided that ‘‘[a] covered entity maynot intimidate, threaten, coerce,discriminate against, or take otherretaliatory action against any individualfor the filing of a complaint under thissection, for testifying, assisting,participating in any manner in aninvestigation, compliance review,proceeding or hearing under this Act, oropposing any act or practice madeunlawful by this subpart.’’

In the final rule, we continue torequire that entities refrain fromintimidating or retaliatory acts;however, the provisions have beenmoved to the AdministrativeRequirements provisions in §164.530.This change is not just clerical; inmaking this change, we apply thisprovision to the privacy rule alonerather than to all the HIPAAadministrative simplification rules. (Thecompliance and enforcement provisionsthat were in §164 are now in Part 160,

Subpart C.)We continue to prohibit retaliationagainst individuals for filing acomplaint with the Secretary, but alsoprohibit retaliation against any otherperson who files such a complaint. Thisis the case because the term‘‘individual’’ is generally limited to theperson who is the subject of theinformation. The final rule prohibitsretaliation against persons, not justindividuals, for testifying, assisting, orparticipating in an investigation,compliance review, proceeding orhearing under Part C of Title XI. The

proposed regulation referenced the‘‘Act,’’ which is defined in Part 160 asthe Social Security Act. Because weonly intend to protect activities such asparticipation in investigations andhearings under the AdministrativeSimplification provisions of HIPAA, thefinal rule references Part C of Title XI of the Social Security Act.

The proposed rule would haveprohibited retaliatory actions againstindividuals for opposing any act orpractice made unlawful by this subpart.The final rule retains this provision, but

applies it to any person, only if theperson ‘‘has a good faith belief that thepractice opposed is unlawful, themanner of the opposition is reasonableand does not involve a disclosure of protected health information inviolation of this subpart.’’ The final ruleprovides additional protections, whichhad been included in the preamble to

the proposed rule. Specifically, weprohibit retaliatory actions againstindividuals who exercise any right, orparticipate in any process established bythe privacy rule (Part 164 Subpart E),and include as an example the filing of a complaint with the covered entity.

Waiver of Rights

In the final regulation, but not in theproposed regulation, we provide that acovered entity may not requireindividuals to waive their rights to filea complaint with the Secretary or theirother rights under this rule as acondition of the provision of treatment,payment, enrollment in a health plan oreligibility for benefits. This provisionensures that covered entities do not takeaway the rights that individuals have

been provided in Parts 160 and 164.

Requirements for Policies and Procedures, and DocumentationRequirements

In § 164.520 of the NPRM, weproposed to require covered entities todevelop and document their policiesand procedures for implementing therequirements of the rule. In the finalregulation we retain this approach, but

specify which standards must bedocumented in each of the relevantsections. In this section, we state thegeneral administrative requirementsapplicable to all policies and proceduresrequired throughout the regulation.

In § 164.530(i), (j), and (k) of the finalrule, we amend the NPRM language inseveral respects. In § 164.530(i) werequire that the policies and procedures

be reasonably designed to comply withthe standards, implementationspecifications, and other requirementsof the relevant part of the regulation,taking into account the size of the

covered entity and the nature of theactivities undertaken by the coveredentity that relate to protected healthinformation. However, we clarify thatthe requirements that policies andprocedures be reasonably designed maynot be interpreted to permit or excuseany action that violates the privacyregulation. Where the covered entity hasstated in its notice that it reserves theright to change information practices,we allow the new practice to apply toinformation created or collected prior tothe effective date of the new practice

and establish requirements for makingthis change. We also establish theconditions for making changes if thecovered entity has not reserved the rightto change its practices.

We require covered entities to modifyin a prompt manner their policies andprocedures to comply with changes inrelevant law and, where the change also

affects the practices stated in the notice,to change the notice. We make clear thatnothing in our requirements regardingchanges to policies and procedures orchanges to the notice may be used by acovered entity to excuse a failure tocomply with applicable law.

In § 164.530(j), we require that thepolicies and procedures requiredthroughout the regulation be maintainedin writing, and that any othercommunication, action, activity, ordesignation that must be documentedunder this regulation be documented inwriting. We note that ‘‘writing’’ includeselectronic storage; paper records are notrequired. We also note that, if a coveredentity is required to document the titleof a person, we mean the job title orsimilar description of the relevantposition or office.

We require covered entities to retainany documentation required under thisrule for at least six years (the statute of limitations period for the civil penalties)from the date of the creation of thedocumentation, or the date when thedocument was last in effect, which everis later. This generalizes the NPRMprovision to cover all documentationrequired under the rule. The language

on ‘‘last was in effect’’ is a change fromthe NPRM which was worded ‘‘unless alonger period applies under thissubpart.’’

This approach is consistent with theapproach recommended by the JointCommission on Accreditation of Healthcare Organizations, and theNational Committee for QualityAssurance, in its paper ‘‘ProtectingPersonal Health Information; Aframework for Meeting the Challengesin a Managed Care Environment.’’ Thispaper notes that ‘‘MCOs [Managed CareOrganizations] should have clearly

defined policies and procedures fordealing with confidentiality issues.’’ (p.29).

Standards for Certain Group HealthPlans

We add a new provision (§164.530(k))to clarify the administrativeresponsibilities of group health plansthat offer benefits through issuers andHMOs. Specifically, a group health planthat provides benefits solely through anissuer or HMO, and that does not create,receive or maintain protected health





information other than summary healthinformation or information regardingenrollment and disenrollment, is notsubject to the requirements of thissection regarding designation of aprivacy official and contact person,workforce training, safeguards,complaints, mitigation, or policies andprocedures. Such a group health plan is

only subject to the requirements of thissection regarding documentation withrespect to its plan documents. Issuersand HMOs are covered entities underthis rule, and thus have independentobligations to comply with this sectionwith respect to the protected healthinformation they maintain about theenrollees in such group health plans.The group health plans subject to thisprovision will have only limitedprotected health information. Therefore,imposing these requirements on thegroup health plan would impose

burdens not outweighed by a

corresponding enhancement in privacyprotections.

Section 164.532—Transition Provisions

In the NPRM, we did not address theeffect of the regulation on consents andauthorizations covered entities obtainedprior to the compliance date of theregulation.

In the final rule, we clarify that, incertain circumstances, a covered entitymay continue to rely upon consents,authorizations, or other express legalpermissions obtained prior to thecompliance date of this regulation to useor disclose protected health information

even if these consents, authorizations,or permissions do not meet therequirements set forth in §§ 164.506 or164.508.

We realize that a covered entity maywish to rely upon a consent,authorization, or other express legalpermission obtained from an individualprior to the compliance date of thisregulation which permits the use ordisclosure of individually identifiablehealth information for activities thatcome within treatment, payment, orhealth care operations (as defined in§ 164.501), but that do not meet the

requirements for consents set forth in§ 164.506. In the final rule, we permit acovered entity to rely upon suchconsent, authorization, or permission touse or disclose protected healthinformation that it created or received

before the applicable compliance date of the regulation to carry out the treatment,payment, or health care operations aslong as it meets two requirements. First,the covered entity may not make anyuse or disclosure that is expresslyexcluded from the consent,authorization, or permission. Second,

the covered entity must comply with alllimitations expressed in the consent,authorization, or permission. Thus, wedo not require a covered entity to obtaina consent that meets the requirements of § 164.506 to use or disclose thispreviously obtained protected healthinformation as long as the use ordisclosure is consistent with the

requirements of this section. However, acovered entity will need to obtain aconsent that meets the requirements of § 164.506 to the extent that it is requiredto obtain a consent under § 164.506from an individual before it may use ordisclose any protected healthinformation it creates or receives afterthe date by which it must comply withthis rule.

Similarly, we recognize that a coveredentity may wish to rely upon a consent,authorization, or other express legalpermission obtained from an individualprior to the applicable compliance date

of this regulation that specificallypermits the covered entity to use ordisclose individually identifiable healthinformation for activities other than tocarry out treatment, payment, or healthcare operations. In the final rule, wepermit a covered entity to rely uponsuch a consent, authorization, orpermission to use or disclose protectedhealth information that it created orreceived before the applicablecompliance date of the regulation for thespecific activities described in theconsent, authorization, or permission aslong as the covered entity complies withtwo requirements. First, the covered

entity may not make any use ordisclosure that is expressly excludedfrom the consent, authorization, orpermission. Second, the covered entitymust comply with all limitationsexpressed in the consent, authorization,or permission. Thus, we do not requireda covered entity to obtain anauthorization that meets therequirements of §164.508 to use ordisclose this previously obtainedprotected health information so long asthe use or disclosure is consistent withthe requirements of this section.However, a covered entity will need to

obtain an authorization that meets therequirements of §164.508, to the extentthat it is required to obtain anauthorization under this rule, from anindividual before it may use or discloseany protected health information itcreates or receives after the date bywhich it must comply with this rule.

Additionally, the final ruleacknowledges that covered entities maywish to rely upon consents,authorizations, or other express legalpermission obtained from an individualprior to the applicable compliance date

for a specific research project thatincludes the treatment of individuals,such as clinical trials. These consents,authorizations, or permissions mayspecifically permit a use or disclosure of individually identifiable healthinformation for purposes of the project.Alternatively, they may be generalconsents to participate in the project. A

covered entity may use or discloseprotected health information it createdor received before or after to theapplicable compliance date of this rulefor purposes of the project provided thatthe covered entity complies with alllimitations expressed in the consent,authorization, or permission.

If, pursuant to this section, a coveredentity relies upon a previously obtainedconsent, authorization, or other expresslegal permission and agrees to a requestfor a restriction by an individual under§ 164.522(a), any subsequent use ordisclosure under that consent,

authorization, or permission mustcomply with the agreed upon restrictionas well.

We believe it is necessary tograndfather in previously obtainedconsents, authorizations, or otherexpress legal permissions in thesecircumstances to ensure that importantfunctions of the health care system arenot impeded. We link the effectivenessof such consents, authorizations, orpermissions in these circumstances tothe applicable compliance date to givecovered entities sufficient notice of therequirements set forth in §§ 164.506 and164.508.

The rule does not change the pasteffectiveness of consents,authorizations, or other express legalpermissions that do not come withinthis section. This means that uses ordisclosures of individually identifiablehealth information made prior to thecompliance date of this regulation arenot subject to sanctions, even if theywere made pursuant to documents orpermissions that do not meet therequirements of this rule or were madewithout permission. This rule altersonly the future effectiveness of thepreviously obtained consents,

authorizations, or permissions. Coveredentities are not required to rely uponthese consents, authorizations, orpermissions and may obtain newconsents or authorizations that meet theapplicable requirements of §§ 164.506and 164.508.

When reaching this decision, weconsidered requiring all covered entitiesto obtain new consents or authorizationsconsistent with the requirements of §§ 164.506 and 164.508 before theywould be able to use or discloseprotected health information obtained





after the compliance date of these rules.We rejected this option because werecognize that covered entities may notalways be able to obtain new consentsor authorizations consistent with therequirements of §§164.506 and 164.508from all individuals upon whoseinformation they rely. We also refrainedfrom impeding the rights of covered

entities to exercise their interests in therecords they have created. We do notrequire covered entities with existingrecords or databases to destroy orremove the protected health informationfor which they do not have validconsents or authorizations that meet therequirements of §§164.506 and 164.508.Covered entities may rely upon theconsents, authorizations, or permissionsthey obtained from individuals prior tothe applicable compliance date of thisregulation consistent with theconstraints of those documents and therequirements discussed above.

We note that if a covered entityobtains before the applicablecompliance date of this regulation aconsent that meets the requirements of § 164.506, an authorization that meetsthe requirements of §164.508, or an IRBor privacy board waiver of authorizationthat meets the requirements of § 164.512(i), the consent, authorization,or waiver is effective for uses ordisclosures that occur after thecompliance date and that are consistentwith the terms of the consent,authorization, or waiver.

Section 164.534—Compliance Dates for

Initial Implementation of the PrivacyStandards

In the NPRM, we provided that acovered entity must be in compliancewith this subpart not later than 24months following the effective date of this rule, except that a covered entitythat is a small health plan must be incompliance with this subpart not laterthan 36 months following the effectivedate of the rule.

The final rule did not make anysubstantive changes. The format ischanged so as to more clearly present

the various compliance dates. The finalrule lists the types of covered entitiesand then the various dates that wouldapply to each of these entities.

III. Section-by-Section Discussion of Comments

The following describes theprovisions in the final regulation, andthe changes we make to the proposedprovisions section-by-section. Followingeach section are our responses to thecomments to that section. This sectionof the preamble is organized to follow

the corresponding section of the finalrule, not the NPRM.

General Comments

We received many comments on therule overall, not to a particularprovision. We respond to thosecomments here. Similar comments, butdirected to a specific provision in the

proposed rule, are answered below inthe corresponding section of thispreamble.

Comments on the Need for Privacy Standards, and Effects of thisRegulation on Current Protections

Comment: Many commentersexpressed the opinion that federallegislation is necessary to protect theprivacy of individuals’ healthinformation. One comment advocatedCongressional efforts to provide acomprehensive federal health privacylaw that would integrate the substance

abuse regulations with the privacyregulation.Response: We agree that

comprehensive privacy legislation isurgently needed. This administrationhas urged the Congress to pass suchlegislation. While this regulation willimprove the privacy of individuals’health information, only legislation canprovide the full array of privacyprotection that individuals need anddeserve.

Comment: Many commenters notedthat they do not go to a physician, or donot completely share health information

with their physician, because they areconcerned about who will have accessto that information. Many physicianscommented on their patients’ reluctanceto share information because of fear thattheir information will later be usedagainst them.

Response: We agree that strong federalprivacy protections are necessary toenhance patients’ trust in the healthcare system.

Comment: Many commentersexpressed concerns that this regulationwill allow access to health information

by those who today do not have such

access, or would allow their physicianto disclose information which may notlawfully be disclosed today. Many of these commenters stated that today,they consent to every disclosure of health information about them, and thatabsent their consent the privacy of theirhealth information is ‘‘absolute.’’ Othersstated that, today, health information isdisclosed only pursuant to a judicialorder. Several commenters wereconcerned that this regulation wouldoverride stronger state privacyprotection.

Response: This regulation does not,and cannot, reduce current privacyprotections. The statutory language of the HIPAA specifically mandates thatthis regulation does not preempt statelaws that are more protective of privacy.

As discussed in more detail in laterthis preamble, while many people

believe that they must be asked

permission prior to any release of healthinformation about them, current lawsgenerally do not impose such arequirement. Similarly, as discussed inmore detail later in this preamble,judicial review is required today onlyfor a small proportion of releases of health information.

Comment: Many commenters assertedthat today, medical records ‘‘belong’’ topatients. Others asserted that patientsown their medical information andhealth care providers and insurancecompanies who maintain health recordsshould be viewed as custodians of the

patients’ property.Response: We do not intend to change

current law regarding ownership of orresponsibility for medical records. Indeveloping this rule we reviewedcurrent law on this and related issues,and built on that foundation.

Under state laws, medical records areoften the property of the health careprovider or medical facility that createdthem. Some state laws also providepatients with access to medical recordsor an ownership interest in the healthinformation in medical records.However, these laws do not divest the

health care provider or the medicalfacility of its ownership interest inmedical records. These statutestypically provide a patient the right toinspect or copy health information fromthe medical record, but not the right totake the provider’s original copy of anitem in the medical record. If aparticular state law provides greaterownership rights, this regulation leavessuch rights in place.

Comment: Some commenters arguedthat the use and disclosure of sensitivepersonal information must be strictlyregulated, and violation of suchregulations should subject an entity tosignificant penalties and sanctions.

Response: We agree, and share thecommenters’ concern that the penaltiesin the HIPAA statute are not sufficientto fully protect individuals’ privacyinterests. The need for strongerpenalties is among the reasons we

believe Congress should passcomprehensive privacy legislation.

Comment: Many commentersexpressed the opinion that the proposedruled should provide stricter privacyprotections.





Response: We received nearly 52,000comments on the proposed regulation,and make substantial changes to theproposal in response to thosecomments. Many of these changes willstrengthen the protections that wereproposed in the NPRM.

Comment: Many comments expressconcerns that their health information

will be given to their employers.Response: We agree that employer

access to health information is aparticular concern. In this finalregulation, we make significant changesto the NPRM that clarify and provideadditional safeguards governing whenand how the health plans covered bythis regulation may disclose healthinformation to employers.

Comment: Several commenters arguedthat individuals should be able to suefor breach of privacy.

Response: We agree, but do not havethe legislative authority to grant a

private right of action to sue under thisstatute. Only Congress can grant thatright.

Objections to Government Access toProtected Health Information

Comment: Many commenters urgedthe Department not to create agovernment database of healthinformation, or a tracking system thatwould enable the government to trackindividuals health information.

Response: This regulation does notcreate such a database or trackingsystem, nor does it enable futurecreation of such a database. This

regulation describes the ways in whichhealth plans, health care clearinghouses,and certain health care providers mayuse and disclose identifiable healthinformation with and without theindividual’s consent.

Comment: Many commenters objectedto government access to or control overtheir health information, which they

believe the proposed regulation wouldprovide.

Response: This regulation does notincrease current government access tohealth information. This rule setsminimum privacy standards. It does not

require disclosure of health information,other than to the subject of the recordsor for enforcement of this rule. Healthplans and health care providers are freeto use their own professional ethics andjudgement to adopt stricter policies fordisclosing health information.

Comment: Some commenters viewedthe NPRM as creating fewer hurdles forgovernment access to protected healthinformation than for access to protectedhealth information by privateorganizations. Some health careproviders commented that the NPRM

would impose substantial newrestrictions on private sector use anddisclosure of protected healthinformation, but would makegovernment access to protected healthinformation easy. One consumeradvocacy group made the sameobservation.

Response: We acknowledge that many

of the national priority purposes forwhich we allow disclosure of protectedhealth information without consent orauthorization are for governmentfunctions, and that many of thegovernmental recipients of suchinformation are not governed by thisrule. It is the role of government toundertake functions in the broaderpublic interest, such as public healthactivities, law enforcement,identification of deceased individualsthrough coroners’ offices, and militaryactivities. It is these public purposeswhich can sometimes outweigh an

individual’s privacy interest. In thisrule, we specify the circumstances inwhich that balance is tipped toward thepublic interest with respect to healthinformation. We discuss the rationale

behind each of these permitteddisclosures in the relevant preamblesections below.

Miscellaneous Comments

Comment: Many commenters objectedto the establishment of a uniqueidentifier for health care or otherpurposes.

Response: This regulation does not

create an identifier. We assume thesecomments refer to the unique healthidentifier that Congress directed theSecretary to promulgate undersection1173(b) of the Social SecurityAct, added by section 262 of the HIPAA.Because of the public concerns aboutsuch an identifier, in the summer of 1998 Vice President Gore announcedthat the Administration would notpromulgate such a regulation untilcomprehensive medical privacyprotections were in place. In the fall of that year, Congress prohibited theDepartment from promulgating such anidentifier, and that prohibition remainsin place. The Department has no plansto promulgate a unique health identifier.

Comment: Many commenters askedthat we withdraw the proposedregulation and not publish a final rule.

Response: Under section 264 of theHIPAA, the Secretary is required byCongress to promulgate a regulationestablishing standards for healthinformation privacy. Further, for thereasons explained throughout thispreamble above, we believe that theneed to protect health information

privacy is urgent and that thisregulation is in the public’s interest.

Comment: Many commenters expressthe opinion that their consent should berequired for all disclosure of their healthinformation.

Response: We agree that consentshould be required prior to release of health information for many purposes,

and impose such a requirement in thisregulation. Requiring consent prior toall release of health information,however, would unduly jeopardizepublic safety and make many operationsof the health care system impossible.For example, requiring consent prior torelease of health information to a publichealth official who is attempting to trackthe source of an outbreak or epidemiccould endanger thousands of lives.Similarly, requiring consent before anoversight official could audit a healthplan would make detection of healthcare fraud all but impossible; it couldtake health plans months or years tolocate and obtain the consent of allcurrent and past enrollees, and thehealth plan would not have a strongincentive to do so. These uses of medical information are clearly in thepublic interest.

In this regulation, we must balanceindividuals’ privacy interests against thelegitimate public interests in certainuses of health information. Where thereis an important public interest, thisregulation imposes proceduralsafeguards that must be met prior torelease of health information, in lieu of a requirement for consent. In some

instances the procedural safeguardsconsist of limits on the circumstances inwhich information may be disclosed, inothers the safeguards consist of limitson what information may be disclosed,and in other cases we require some formof legal process (e.g., a warrant orsubpoena) prior to release of healthinformation. We also allow disclosure of health information without consentwhere other law mandates thedisclosures. Where such other lawexists, another public entity has madethe determination that the publicinterests outweigh the individual’s

privacy interests, and we do not upsetthat determination in this regulation. Inshort, we tailor the safeguards to matchthe specific nature of the publicpurpose. The specific safeguards areexplained in each section of thisregulation below.

Comment: Many comments addressmatters not relevant to this regulation,such as alternative fuels, hospitalreimbursement, and gulf war syndrome.

Response: These and similar mattersare not relevant to this regulation andwill not be addressed further.





Comment: A few commentersquestioned why this level of detail isneeded in response to the HIPAACongressional mandate.

Response: This level of detail isnecessary to ensure that individuals’rights with respect to their healthinformation are clear, while alsoensuring that information necessary for

important public functions, such asprotecting public health, promoting

biomedical research, fighting health carefraud, and notifying family members indisaster situations, will not be impaired

by this regulation. We designed this ruleto reflect current practices and changesome of them. The comments and ourfact finding revealed the complexity of current health information practices,and we believe that the complexityentailed in reflecting those practices is

better public policy than a perhapssimpler rule that disturbed importantinformation flows.

Comment: A few comments statedthat the goal of administrativesimplification should never override theprivacy of individuals.

Response: We believe that privacy isa necessary component of administrative simplification, not acompeting interest.

Comment: At least one commentersaid that the goal of administrativesimplification is not well served by theproposed rule.

Response: Congress recognized thatprivacy is a necessary component of administrative simplification. Thestandardization of electronic health

information mandated by the HIPAAthat make it easier to share thatinformation for legitimate purposes alsomake the inappropriate sharing of thatinformation easier. For this reason,Congress included a mandate forprivacy standards in this section of theHIPAA. Without appropriate privacyprotections, public fear and instances of abuse would make it impossible for usto take full advantage of theadministrative and costs benefitsinherent in the administrativesimplification standards.

Comment: At least one commenter

asked us to require psychotherapists toassert any applicable legal privilege onpatients’ behalf when protected healthinformation is requested.

Response: Whether and when toassert a claim of privilege on a patient’s

behalf is a matter for other law and forthe ethics of the individual health careprovider. This is not a decision that canor should be made by the federalgovernment.

Comment: One commenter called forHHS to consider the privacy regulationin conjunction with the other HIPAA

standards. In particular, this commentfocused on the belief that the SecurityStandards should be compatible withthe existing and emerging health careand information technology industrystandards.

Response: We agree that both thisregulation and the final SecurityRegulation should be compatible with

existing and emerging technologyindustry standards. This regulation is‘‘technology neutral.’’ We do notmandate the use of any particulartechnologies, but rather set standardswhich can be met through a variety of means.

Comment: Several commentersclaimed that the statutory authoritygiven under HIPAA cannot providemeaningful privacy protections becausemany entities with access to protectedhealth information, such as employers,worker’s compensation carriers, and lifeinsurance companies, are not covered

entities. These commenters expressedsupport for comprehensive legislation toclose many of the existing loopholes.

Response: We agree with thecommenters that comprehensivelegislation is necessary to provide fullprivacy protection and have called formembers of Congress to pass suchlegislation to prevent unauthorized andpotentially harmful uses and disclosuresof information.

Part 160—Subpart A—GeneralProvisions

Section 160.103—Definitions

Business AssociateThe response to comments on the

definition of ‘‘business partner,’’renamed in this rule as ‘‘businessassociate,’’ is included in the responseto comments on the requirements for

business associates in the preamblediscussion of §164.504.

Covered Entity

Comment: A number of commentersurged the Department to expand orclarify the definition of ‘‘covered entity’’to include certain entities other thanhealth care clearinghouses, health plans,

and health care providers who conductstandard transactions. For example,several commenters asked that theDepartment generally expand the scopeof the rule to cover all entities thatreceive or maintain individuallyidentifiable health information; othersspecifically urged the Department tocover employers, marketing firms, andlegal entities that have access toindividually identifiable healthinformation. Some commenters askedthat life insurance and casualtyinsurance carriers be considered

covered entities for purposes of thisrule. One commenter recommended thatPharmacy Benefit Management (PBM)companies be considered coveredentities so that they may use anddisclose protected health informationwithout authorization.

In addition, a few commenters askedthe Department to clarify that the

definition includes providers who donot directly conduct electronictransactions if another entity, such as a

billing service or hospital, does so ontheir behalf.

Response: We understand that manyentities may use and discloseindividually identifiable healthinformation. However, our jurisdictionunder the statute is limited to healthplans, health care clearinghouses, andhealth care providers who transmit anyhealth information electronically inconnection with any of the standardfinancial or administrative transactions

in section 1173(a) of the Act. These arethe entities referred to in section1173(a)(1) of the Act and thus listed in§ 160.103 of the final rule.Consequently, once protected healthinformation leaves the purview of one of these covered entities, their businessassociates, or other related entities (suchas plan sponsors), the information is nolonger afforded protection under thisrule. We again highlight the need forcomprehensive federal legislation toeliminate such gaps in privacyprotection.

We also provide the following

clarifications with regard to specificentities.We clarify that employers and

marketing firms are not covered entities.However, employers may be plansponsors of a group health plan that isa covered entity under the rule. In sucha case, specific requirements apply tothe group health plan. See the preambleon §164.504 for a discussion of specific‘‘firewall’’ and other organizationalrequirements for group health plans andtheir employer sponsors. The final rulealso contains provisions addressingwhen an insurance issuer providing

benefits under a group health plan maydisclose summary health information toa plan sponsor.

With regard to life and casualtyinsurers, we understand that such

benefit providers may use and discloseindividually identifiable healthinformation. However, Congress did notinclude life insurers and casualtyinsurance carriers as ‘‘health plans’’ forthe purposes of this rule and thereforethey are not covered entities. See thediscussion regarding the definition of ‘‘health plan’’ and excepted benefits.





In addition, we clarify that a PBM isa covered entity only to the extent thatit meets the definition of one or more of the entities listed in §160.102. Whenproviding services to patients throughmanaged care networks, it is likely thata PBM is acting as a business associateof a health plan, and may thus use anddisclose protected health information

pursuant to the relevant provisions of this rule. PBMs may also be businessassociates of health care providers. Seethe preamble sections on §§164.502,164.504, and 164.506 for discussions of the specific requirements related to

business associates and consent.Lastly, we clarify that health care

providers who do not submit HIPAAtransactions in standard form becomecovered by this rule when other entities,such as a billing service or a hospital,transmit standard electronictransactions on their behalf. Theprovider could not circumvent these

requirements by assigning the task to acontractor.Comment: Many commenters urged

the Department to restrict or clarify thedefinition of ‘‘covered entity’’ toexclude certain entities, such asdepartment-operated hospitals (publichospitals); state Crime VictimCompensation Programs; employers;and certain lines of insurers, such asworkers’ compensation insurers,property and casualty insurers,reinsurers, and stop-loss insurers. Onecommenter expressed concern thatclergy, religious practitioners, and otherfaith-based service providers would

have to abide by the rule and asked thatthe Department exempt prayer healingand non-medical health care.

Response: The Secretary provides thefollowing clarifications in response tothese comments. To the extent that a‘‘department-operated hospital’’ meetsthe definition of a ‘‘health careprovider’’ and conducts any of thestandard transactions, it is a coveredentity for the purposes of this rule. Weagree that a state Crime VictimCompensation Program is not a coveredentity if it is not a health care providerthat conducts standard transactions,

health plan, or health careclearinghouse. Further, as describedabove, employers are not coveredentities.

In addition, we agree that workers’compensation insurers, property andcasualty insurers, reinsurers, and stop-loss insurers are not covered entities, asthey do not meet the statutory definitionof ‘‘health plan.’’ See further discussionin the preamble on §160.103 regardingthe definition of ‘‘health plan.’’However, activities related to ceding,securing, or placing a contract for

reinsurance, including stop-lossinsurance, are health care operations inthe final rule. As such, reinsurers andstop-loss insurers may obtain protectedhealth information from coveredentities.

Also, in response to the commentregarding religious practitioners, theDepartment clarifies that ‘‘health care’’

as defined under the rule does notinclude methods of healing that aresolely spiritual. Therefore, clergy orother religious practitioners that providesolely religious healing services are nothealth care providers within themeaning of this rule, and consequentlynot covered entities for the purposes of this rule.

Comment: A few commentersexpressed general uncertainty andrequested clarification as to whethercertain entities were covered entities forthe purposes of this rule. Onecommenter was uncertain as to whetherthe rule applies to certain social serviceentities, in addition to clinical socialworkers that the commenter believes areproviders. Other commenters askedwhether researchers or non-governmental entities that collect andanalyze patient data to monitor andevaluate quality of care are coveredentities. Another commenter requestedclarification regarding the definition’sapplication to public health agenciesthat also are health care providers aswell as how the rule affects publichealth agencies in their data collectionfrom covered entities.

Response: Whether the professionals

described in these comments arecovered by this rule depends on theactivities they undertake, not on theirprofession or degree. The definitions inthis rule are based on activities andfunctions, not titles. For example, asocial service worker whose activitiesmeet this rule’s definition of health carewill be a health care provider. If thatsocial service worker also transmitsinformation in a standard HIPAAtransaction, he or she will be a coveredhealth entity under this rule. Anothersocial service worker may provideservices that do not meet the rule’s

definition of health care, or may nottransmit information in a standardtransaction. Such a social serviceworker is not a covered entity under thisrule. Similarly, researchers in and of themselves are not covered entities.However, researchers may also be healthcare providers if they provide healthcare. In such cases, the persons, orentities in their role as health careproviders may be covered entities if they conduct standard transactions.

With regard to public health agenciesthat are also health care providers, the

health care provider ‘‘component’’ of the agency is the covered entity if thatcomponent conducts standardtransactions. See discussion of ‘‘healthcare components’’ below. As to the datacollection activities of a public healthagency, the final rule in § 164.512(b)permits a covered entity to discloseprotected health information to public

health authorities under specifiedcircumstances, and permits publichealth agencies that are also coveredentities to use protected healthinformation for these purposes. See§ 164.512(b) for further details.

Comment: A few commentersrequested that the Department clarifythat device manufacturers are notcovered entities. They stated that theproposal did not provide enoughguidance in cases where the‘‘manufacturer supplier’’ has only onepart of its business that acts as the‘‘supplier,’’ and additional detail is

needed about the relationship of the‘‘supplier component’’ of the companyto the rest of the business. Similarly,another commenter asserted that drug,

biologics, and device manufacturersshould not be covered entities simply byvirtue of their manufacturing activities.

Response: We clarify that if a suppliermanufacturer is a Medicare supplier,then it is a health care provider, and itis a covered entity if it conductsstandard transactions. Further, weclarify that a manufacturer of suppliesrelated to the health of a particularindividual, e.g., prosthetic devices, is ahealth care provider because the

manufacturer is providing ‘‘health care’’as defined in the rule. However, thatmanufacturer is a covered entity only if it conducts standard transactions. Wedo not intend that a manufacturer of supplies that are generic and notcustomized or otherwise specificallydesigned for particular individuals, e.g.,ace bandages for a hospital, is a healthcare provider. Such a manufacturer isnot providing ‘‘health care’’ as definedin the rule and is therefore not a coveredentity. We note that, even if such amanufacturer is a covered entity, it may

be an ‘‘indirect treatment provider’’

under this rule, and thus not subject toall of the rule’s requirements.With regard to a ‘‘supplier

component,’’ the final rule addresses thestatus of the unit or unit(s) of a largerentity that constitute a ‘‘health carecomponent.’’ See further discussionunder §164.504 of this preamble.

Finally, we clarify that drug, biologics, and device manufacturers arenot health care providers simply byvirtue of their manufacturing activities.The manufacturer must be providinghealth care consistent with the final





rule’s definition in order to beconsidered a health care provider.

Comment: A few commenters askedthat the Department clarify thatpharmaceutical manufacturers are notcovered entities. It was explained thatpharmaceutical manufacturers providesupport and guidance to doctors andpatients with respect to the proper use

of their products, provide free productsfor doctors to distribute to patients, andoperate charitable programs that providepharmaceutical drugs to patients whocannot afford to buy the drugs theyneed.

Response: A pharmaceuticalmanufacturer is only a covered entity if the manufacturer provides ‘‘health care’’according to the rule’s definition andconducts standard transactions. In theabove case, a pharmaceuticalmanufacturer that provides support andguidance to doctors and patientsregarding the proper use of theirproducts is providing ‘‘health care’’ forthe purposes of this rule, and therefore,is a health care provider to the extentthat it provides such services. Thepharmaceutical manufacturer that is ahealth care provider is only a coveredentity, however, if it conducts standardtransactions. We note that this rulepermits a covered entity to discloseprotected health information to anyperson for treatment purposes, withoutspecific authorization from theindividual. Therefore, a covered healthcare provider is permitted to discloseprotected health information to apharmaceutical manufacturer for

treatment purposes. Providing freesamples to a health care provider doesnot in itself constitute health care. Forfurther analysis of pharmacy assistanceprograms, see response to comment on§ 164.501, definition of ‘‘payment.’’

Comment: Several commenters askedabout the definition of ‘‘covered entity’’and its application to health careentities within larger organizations.

Response: A detailed discussion of the final rule’s organizationalrequirements and firewall restrictionsfor ‘‘health care components’’ of largerentities, as well as for affiliated, and

other entities is found at the discussionof § 164.504 of this preamble. Thefollowing responses to commentsprovide additional information withrespect to particular ‘‘componententity’’ circumstances.

Comment: Several commenters askedthat we clarify the definition of coveredentity to state that with respect topersons or organizations that providehealth care or have created health plans

but are primarily engaged in otherunrelated businesses, the term ‘‘coveredentity’’ encompasses only the health

care components of the entity.Similarly, others recommended thatonly the component of a governmentagency that is a provider, health plan, orclearinghouse should be considered acovered entity.

Other commenters requested that werevise proposed §160.102 to apply onlyto the component of an entity that

engages in the transactions specified inthe rule. Commenters stated thatcompanies should remain free toemploy licensed health care providersand to enter into corporate relationshipswith provider institutions without fearof being considered to be a coveredentity. Another commenter suggestedthat the regulation not apply to theprovider-employee or employer whenneither the provider nor the companyare a covered entity.

Some commenters specifically arguedthat the definition of ‘‘covered entity’’did not contemplate an integratedhealth care system and one commenterstated that the proposal would disruptthe multi-disciplinary, collaborativeapproach that many take to health caretoday by treating all components asseparate entities. Commenters,therefore, recommended that the ruletreat the integrated entity, not itsconstituent parts, as the covered entity.

A few commenters asked that theDepartment further clarify the definitionwith respect to the uniqueorganizational models and relationshipsof academic medical centers and theirparent universities and the rules thatgovern information exchange within the

institution. One commenter askedwhether faculty physicians who arepaid by a medical school or facultypractice plan and who are on themedical staff of, but not paid directly

by, a hospital are included within thecovered entity. Another commenterstated that it appears that only thehealth center at an academic institutionis the covered entity. Uncertainty wasalso expressed as to whether othercomponents of the institution that mightcreate protected health information onlyincidentally through the conduct of research would also be covered.

Response: The Departmentunderstands that in today’s health careindustry, the relationships among healthcare entities and non-health careorganizations are highly complex andvaried. Accordingly, the final rule givescovered entities some flexibility tosegregate or aggregate its operations forpurposes of the application of this rule.The new component entity provisioncan be found at §§ 164.504(b)-(c). Inresponse to the request for clarificationon whether the rule would apply to aresearch component of the covered

entity, we point out that if the researchactivities fall outside of the health carecomponent they would not be subject tothe rule. One organization may have oneor several ‘‘health care component(s)’’that each perform one or more of thehealth care functions of a coveredentity, i.e., health care provider, healthplan, health care clearinghouse. In

addition, the final rule permits coveredentities that are affiliated, i.e., sharecommon ownership or control, todesignate themselves, or their healthcare components, together to be a singlecovered entity for purposes of the rule.

It appears from the comments thatthere is not a common understanding of the meaning of ‘‘integrated deliverysystem.’’ Arrangements that apply thislabel to themselves operate and shareinformation many different ways, andmay or may not be financially orclinically integrated. In some cases,multiple entities hold themselves out as

one enterprise and engage together inclinical or financial activities. In others,separate entities share information butdo not provide treatment together orshare financial risk. Many health careproviders participate in more than onesuch arrangement.

Therefore, we do not include aseparate category of ‘‘covered entity’’under this rule for ‘‘integrated deliverysystems’’ but instead accommodate theoperations of these varied arrangementsthrough the functional provisions of therule. For example, covered entities thatoperate as ‘‘organized health carearrangements’’ as defined in this rule

may share protected health informationfor the operation of such arrangementwithout becoming business associates of one another. Similarly, the regulationdoes not require a business associatearrangement when protected healthinformation is shared for purposes of providing treatment. The application of this rule to any particular ‘‘integratedsystem’’ will depend on the nature of the common activities the participantsin the system perform. When theparticipants in such an arrangement are‘‘affiliated’’ as defined in this rule, theymay consider themselves a single

covered entity (see § 164. 504).The arrangements between academichealth centers, faculty practice plans,universities, and hospitals are similarlydiverse. We cannot describe a blanketrule that covers all such arrangements.The application of this rule will dependon the purposes for which theparticipants in such arrangements shareprotected health information, whethersome or all participants are undercommon ownership or control, andsimilar matters. We note that physicianswho have staff privileges at a covered





hospital do not become part of thathospital covered entity by virtue of having such privileges.

We reject the recommendation toapply the rule only to components of anentity that engage in the transactions.This would omit as covered entities, forexample, the health plan componentsthat do not directly engage in the

transactions, including components thatengage in important health planfunctions such as coveragedeterminations and quality review.Indeed, we do not believe that thestatute permits this result with respectto health plans or health careclearinghouses as a matter of negativeimplication from section 1172(a)(3). Weclarify that only a health care providermust conduct transactions to be acovered entity for purposes of this rule.

We also clarify that health careproviders (such as doctors or nurses)who work for a larger organization anddo not conduct transactions on theirown behalf are workforce members of the covered entity, not covered entitiesthemselves.

Comment: A few commenters askedthe Department to clarify the definitionto provide that a multi-line insurer thatsells insurance coverages, some of which do and others which do not meetthe definition of ‘‘health plan,’’ is not acovered entity with respect to actionstaken in connection with coverages thatare not ‘‘health plans.’’

Response: The final rule clarifies thatthe requirements below apply only tothe organizational unit or units of the

organization that are the ‘‘health carecomponent’’ of a covered entity, wherethe ‘‘covered functions’’ are not theprimary functions of the entity.Therefore, for a multi-line insurer, the‘‘health care component’’ is theinsurance line(s) that conduct, orsupport the conduct of, the health carefunction of the covered entity. Also, itshould be noted that excepted benefits,such as life insurance, are not includedin the definition of ‘‘health plan.’’ (Seepreamble discussion of §164.504).

Comment: A commenter questionedwhether the Health Care Financing

Administration (HCFA) is a coveredentity and how HCFA will share datawith Medicare managed careorganizations. The commenter alsoquestioned why the regulation mustapply to Medicaid since the existingMedicaid statute requires that stateshave privacy standards in place. It wasalso requested that the Departmentprovide a definition of ‘‘health plan’’ toclarify that state Medicaid Programs areconsidered as such.

Response: HCFA is a covered entity because it administers Medicare and

Medicaid, which are both listed in thestatute as health plans. Medicaremanaged care organizations are alsocovered entities under this regulation.As noted elsewhere in this preamble,covered entities that jointly administera health plan, such as Medicare +Choice, are both covered entities, andare not business associates of each other

by virtue of such joint administration.We do not exclude state Medicaid

programs. Congress explicitly includedthe Medicaid program as a coveredhealth plan in the HIPAA statute.

Comment: A commenter asked theDepartment to provide detailedguidance as to when providers, plans,and clearinghouses become coveredentities. The commenter provided thefollowing example: if a provider submitsclaims only in paper form, and acoordination of benefits (COB)transaction is created due to otherinsurance coverage, will the originalprovider need to be notified that theclaim is now in electronic form, andthat it has become a covered entity?Another commenter voiced concern asto whether physicians who do notconduct electronic transactions would

become covered entities if anotherentity using its records downstreamtransmits information in connectionwith a standard transaction on their

behalf.Response: We clarify that health care

providers who submit the transactionsin standard electronic form, healthplans, and health care clearinghousesare covered entities if they meet the

respective definitions. Health careproviders become subject to the rule if they conduct standard transactions. Inthe above example, the health careprovider would not be a covered entityif the coordination of benefitstransaction was generated by a payor.

We also clarify that health careproviders who do not submittransactions in standard form becomecovered by this rule when other entities,such as a billing service or a hospital,transmit standard electronictransactions on the providers’ behalf.However, where the downstream

transaction is not conducted on behalf of the health care provider, the providerdoes not become a covered entity due tothe downstream transaction.

Comment: Several commentersdiscussed the relationship betweensection 1179 of the Act and the privacyregulations. One commenter suggestedthat HHS retain the statement that acovered entity means ‘‘the entities towhich part C of title XI of the Actapplies.’’ In particular, the commenterobserved that section 1179 of the Actprovides that part C of title XI of the Act

does not apply to financial institutionsor to entities acting on behalf of suchinstitutions that are covered by thesection 1179 exemption. Thus, underthe definition of covered entity, theycomment that financial institutions andother entities that come within thescope of the section 1179 exemption areappropriately not covered entities.

Other commenters maintained thatsection 1179 of the Act means that theAct’s privacy requirements do not applyto the request for, or the use ordisclosure of, information by a coveredentity with respect to payment: (a) Fortransferring receivables; (b) for auditing;(c) in connection with—(i) a customerdispute; or (ii) an inquiry from or to acustomer; (d) in a communication to acustomer of the entity regarding thecustomer’s transactions payment card,account, check, or electronic fundstransfer; (e) for reporting to consumerreporting agencies; or (f) for complying

with: (i) a civil or criminal subpoena; or(ii) a federal or state law regulating theentity. These companies expressedconcern that the proposed rule did notinclude the full text of section 1179when discussing the list of activitiesthat were exempt from the rule’srequirements. Accordingly, theyrecommended including in the finalrule either a full listing of or a referenceto section 1179’s full list of exemptions.Furthermore, these firms opposedapplying the proposed rule’s minimumnecessary standard for disclosure of protected health information tofinancial institutions because of section

1179.These commenters suggest that in

light of section 1179, HHS lacks theauthority to impose restrictions onfinancial institutions and other entitieswhen they engage in activities describedin that section. One commenterexpressed concern that even thoughproposed §164.510(i) would havepermitted covered entities to disclosecertain information to financialinstitutions for banking and paymentprocesses, it did not state clearly thatfinancial institutions and other entitiesdescribed in section 1179 are exempt

from the rule’s requirements.Response: We interpret section 1179of the Act to mean that entities engagedin the activities of a financialinstitution, and those acting on behalf of a financial institution, are not subject tothis regulation when they are engaged inauthorizing, processing, clearing,settling, billing, transferring,reconciling, or collecting payments for afinancial institution. The statutoryreference to 12 U.S.C. 3401 indicatesthat Congress chose to adopt thedefinition of financial institutions found





in the Right to Financial Privacy Act,which defines financial institutions asany office of a bank, savings bank, cardissuer, industrial loan company, trustcompany, savings association, buildingand loan, homestead association,cooperative bank, credit union, orconsumer finance institution located inthe United States or one of its

Territories. Thus, when we use the term‘‘financial institution’’ in thisregulation, we turn to the definitionwith which Congress provided us. Weinterpret this provision to mean thatwhen a financial institution, or its agenton behalf of the financial institution,conducts the activities described insection 1179, the privacy regulation willnot govern the activity.

If, however, these activities areperformed by a covered entity or byanother entity, including a financialinstitution, on behalf of a coveredentity, the activities are subject to this

rule. For example, if a bank operates theaccounts payable system or other ‘‘backoffice’’ functions for a covered healthcare provider, that activity is notdescribed in section 1179. In suchinstances, because the bank would meetthe rule’s definition of ‘‘businessassociate,’’ the provider must enter intoa business associate contract with the

bank before disclosing protected healthinformation pursuant to thisrelationship. However, if the sameprovider maintains an account throughwhich he/she cashes checks frompatients, no business associate contractwould be necessary because the bank’s

activities are not undertaken for or on behalf of the covered entity, and fallwithin the scope of section 1179. In partto give effect to section 1179, in this rulewe do not consider a financialinstitution to be acting on behalf of acovered entity when it processesconsumer-conducted financialtransactions by debit, credit or otherpayment card, clears checks, initiates orprocesses electronic funds transfers, orconducts any other activity that directlyfacilitates or effects the transfer of fundsfor compensation for health care.

We do not agree with the comment

that section 1179 of the Act means thatthe privacy regulation’s requirementscannot apply to the activities listed inthat section; rather, it means that theentities expressly mentioned, financialinstitutions (as defined in the Right toFinancial Privacy Act), and their agentsthat engage in the listed activities for thefinancial institution are not within thescope of the regulation. Nor do weinterpret section 1179 to support anexemption for disclosures to financialinstitutions from the minimumnecessary provisions of this regulation.

Comment: One commenterrecommended that HHS include adefinition of ‘‘entity’’ in the final rule

because HIPAA did not define it. Thecommenter explained that in a modernhealth care environment, theorganization acting as the health plan orhealth care provider may involve manyinterrelated corporate entities and that

this could lead to difficulties indetermining what ‘‘entities’’ are actuallysubject to the regulation.

Response: We reject the commenter’ssuggestion. We believe it is clear in thefinal rule that the entities subject to theregulation are those listed at §160.102.However, we acknowledge that how therule applies to integrated or othercomplex health systems needs to beaddressed; we have done so in §164.504and in other provisions, such as thoseaddressing organized health carearrangements.

Comment: The preamble shouldclarify that self-insured group healthand workmen’s compensation plans arenot covered entities or businesspartners.

Response: In the preamble to theproposed rule we stated that certaintypes of insurance entities, such asworkers’ compensation, would not becovered entities under the rule. We donot change this position in this finalrule. The statutory definition of healthplan does not include workers’compensation products, and theregulatory definition of the termspecifically excludes them. However,HIPAA specifically includes most grouphealth plans within the definition of ‘‘health plan.’’

Comment: A health insurance issuerasserted that health insurers and thirdparty administrators are usuallyrequired by employers to submit reportsdescribing the volume, amount, payee,

basis for services rendered, types of claims paid and services for whichpayment was requested on behalf of itcovered employees. They recommendedthat the rule permit the disclosure of protected health information for suchpurposes.

Response: We agree that health plansshould be able to disclose protectedhealth information to employerssponsoring health plans under certaincircumstances. Section 164.504(f)explains the conditions under whichprotected health information may bedisclosed to plan sponsors. We believethat this provision gives sponsors accessto the information they need, butprotects individual’s information to theextent possible under our legislativeauthority.

Group Health Plan

For response to comments relating to‘‘group health plan,’’ see the response tocomments on ‘‘health plan’’ below andthe response to comments on § 164.504.

Health Care

Comment: A number of commentersasked that we include diseasemanagement activities and other similarhealth improvement programs, such aspreventive medicine, health educationservices and maintenance, health andcase management, and risk assessment,in the definition of ‘‘health care.’’Commenters maintained that the ruleshould avoid limiting technologicaladvances and new health care trendsintended to improve patient ‘‘healthcare.’’

Response: Review of these and othercomments, and our fact-finding,indicate that there are multiple,different, understandings of the

definition of these terms. Therefore,rather than create a blanket rule thatincludes such terms in or excludes suchterms from the definition of ‘‘healthcare,’’ we define health care based onthe underlying activities that constitutehealth care. The activities described bythese commenters are considered‘‘health care’’ under this rule to theextent that they meet this functionaldefinition. Listing activities by label ortitle would create the risk that importantactivities would be left out and, giventhe lack of consensus on what theseterms mean, could also create

confusion.Comment: Several commenters urgedthat the Department clarify that theactivities necessary to procure anddistribute eyes and eye tissue will not

be hampered by the rule. Some of thesecommenters explicitly requested that weinclude ‘‘eyes and eye tissue’’ in the listof procurement biologicals as well as‘‘eye procurement’’ in the definition of ‘‘health care.’’ In addition, it was arguedthat ‘‘administration to patients’’ beexcluded in the absence of a cleardefinition. Also, commentersrecommended that the definition

include other activities associated withthe transplantation of organs, such asprocessing, screening, and distribution.

Response: We delete from thedefinition of ‘‘health care’’ activitiesrelated to the procurement or banking of

blood, sperm, organs, or any other tissuefor administration to patients. We do so

because persons who make suchdonations are not seeking to be treated,diagnosed, or assessed or otherwiseseeking health care for themselves, butare seeking to contribute to the healthcare of others. In addition, the nature of





these activities entails a unique kind of information sharing and trackingnecessary to safeguard the nation’sorgan and blood supply, and thoseseeking to donate are aware that thisinformation sharing will occur.Consequently, such procurement or

banking activities are not consideredhealth care and the organizations that

perform such activities are notconsidered health care providers forpurposes of this rule.

With respect to disclosure of protected health information by coveredentities to facilitate cadaveric organ andtissue donation, the final rule explicitlypermits a covered entity to discloseprotected health information withoutauthorization, consent, or agreement toorgan procurement organizations orother entities engaged in theprocurement, banking, ortransplantation of cadaveric organs,eyes, or tissue for the purpose of facilitating donation andtransplantation. See §164.512(h). We donot include blood or sperm banking inthis provision because, for thoseactivities, there is direct contact withthe donor, and thus opportunity toobtain the individual’s authorization.

Comment: A large number of commenters urged that the term‘‘assessment’’ be included in the list of services in the definition, as‘‘assessment’’ is used to determine the

baseline health status of an individual.It was explained that assessments are

conducted in the initial step of diagnosis and treatment of a patient. If assessment is not included in the list of services, they pointed out that theservices provided by occupationalhealth nurses and employee healthinformation may not be covered.

Response: We agree and have addedthe term ‘‘assessment’’ to the definitionto clarify that this activity is considered‘‘health care’’ for the purposes of therule.

Comment: One commenter asked thatwe revise the definition to explicitlyexclude plasmapheresis from paragraph

(3) of the definition. It was explainedthat plasmapheresis centers do not havedirect access to health care recipients ortheir health information, and that thelimited health information collectedabout plasma donors is not used toprovide health care services as indicated

by the definition of health care.

Response: We address thecommenters’ concerns by removing theprovision related to procurement and

banking of human products from thedefinition.

Health Care Clearinghouse

Comment: The largest set of comments relating to health careclearinghouses focused on our proposalto exempt health care clearinghousesfrom the patient notice and access rightsprovisions of the regulation. In ourNPRM, we proposed to exempt healthcare clearinghouses from certainprovisions of the regulation that dealwith the covered entities’ notice of information practices and consumers’rights to inspect, copy, and amend theirrecords. The rationale for thisexemption was based on our belief thathealth care clearinghouses engageprimarily in business-to-businesstransactions and do not initiate ormaintain direct relationships withindividuals. We proposed this positionwith the caveat that the exemptionswould be void for any health careclearinghouse that had direct contactwith individuals in a capacity other

than that of a business partner. Inaddition, we indicated that, in mostinstances, clearinghouses also would beconsidered business partners under thisrule and would be bound by theircontracts with covered plans andproviders. They also would be subject tothe notice of information practicesdeveloped by the plans and providerswith whom they contract.

Commenters stated that, althoughhealth care clearinghouses do not havedirect contact with individuals, they dohave individually identifiable healthinformation that may be subject to

misuse or inappropriate disclosure.They expressed concern that we wereproposing to exempt health careclearinghouses from all or many aspectsof the regulation. These commenterssuggested that we either delete theexemption or make it very narrow,specific and explicit in the finalregulatory text.

Clearinghouse commenters, on theother hand, were in agreement with ourproposal, including the exemptionprovision and the provision that theexemption is voided when the entitydoes have direct contact with

individuals. They also stated that ahealth care clearinghouse that has adirect contact with individuals is nolonger a health care clearinghouse asdefined and should be subject to allrequirements of the regulation.

Response: In the final rule, where aclearinghouse creates or receivesprotected health information as a

business associate of another coveredentity, we maintain the exemption forhealth care clearinghouses from certainprovisions of the regulation dealingwith the notice of information practices

and patient’s direct access rights toinspect, copy and amend records(§§ 164.524 and 164.526), on thegrounds that a health care clearinghouseis engaged in business-to-businessoperations, and is not dealing directlywith individuals. Moreover, as businessassociates of plans and providers, healthcare clearinghouses are bound by the

notices of information practices of thecovered entities with whom theycontract.

Where a health care clearinghousecreates or receives protected healthinformation other than as a businessassociate, however, it must comply withall the standards, requirements, andimplementation specifications of therule. We describe and delimit the exactnature of the exemption in theregulatory text. See § 164.500(b). Wewill monitor developments in thissector should the basic business-to-

business relationship change.Comment: A number of comments

relate to the proposed definition of health care clearinghouse. Manycommenters suggested that we expandthe definition. They suggested thatadditional types of entities be includedin the definition of health careclearinghouse, specifically medicaltranscription services, billing services,coding services, and ‘‘intermediaries.’’One commenter suggested that thedefinition be expanded to add entitiesthat receive standard transactions,process them and clean them up, andthen send them on, without convertingthem to any standard format. Another

commenter suggested that the healthcare clearinghouse definition beexpanded to include entities that do notperform translation but may receiveprotected health information in astandard format and have access to thatinformation. Another commenter statedthat the list of covered entities shouldinclude any organization that receivesor maintains individually identifiablehealth information. One organizationrecommended that we expand thehealth care clearinghouse definition toinclude the concept of a research dataclearinghouse, which would collect

individually identifiable healthinformation from other covered entitiesto generate research data files for releaseas de-identified data or with appropriateconfidentiality safeguards. Onecommenter stated that HHS had gone

beyond Congressional intent byincluding billing services in thedefinition.

Response: We cannot expand thedefinition of ‘‘health careclearinghouse’’ to cover entities notcovered by the definition of this term inthe statute. In the final regulation, we





make a number of changes to addresspublic comments relating to definition.We modify the definition of health careclearinghouse to conform to thedefinition published in the TransactionsRule (with the addition of a few words,as noted above). We clarify in thepreamble that, while the term ‘‘healthcare clearinghouse’’ may have other

meanings and connotations in othercontexts, for purposes of this regulationan entity is considered a health careclearinghouse only to the extent that itactually meets the criteria in ourdefinition. Entities performing otherfunctions but not meeting the criteria fora health care clearinghouse are notclearinghouses, although they may be

business associates. Billing services areincluded in the regulatory definition of ‘‘health care clearinghouse,’’ if theyperform the specified clearinghousefunctions. Although we have not addedor deleted any entities from our original

definition, we will monitor industrypractices and may add other entities inthe future as changes occur in the healthsystem.

Comment: Several commenterssuggested that we clarify that an entityacting solely as a conduit through whichindividually identifiable healthinformation is transmitted or throughwhich protected health informationflows but is not stored is not a coveredentity, e.g., a telephone company orInternet Service Provider. Othercommenters indicated that once atransaction leaves a provider or planelectronically, it may flow through

several entities before reaching aclearinghouse. They asked that theregulation protect the information inthat interim stage, just as the securityNPRM established a chain of trustarrangement for such a network. Othersnoted that these ‘‘conduit’’ entities arelikely to be business partners of theprovider, clearinghouse or plan, and weshould clarify that they are subject to

business partner obligations as in theproposed Security Rule.

Response: We clarify that entitiesacting as simple and routinecommunications conduits and carriers

of information, such as telephonecompanies and Internet ServiceProviders, are not clearinghouses asdefined in the rule unless they carry outthe functions outlined in our definition.Similarly, we clarify that value addednetworks and switches are not healthcare clearinghouses unless they carryout the functions outlined in thedefinition, and clarify that such entitiesmay be business associates if they meetthe definition in the regulation.

Comment: Several commenters,including the large clearinghouses and

their trade associations, suggested thatwe not treat health care clearinghousesas playing a dual role as covered entityand business partner in the final rule

because such a dual role causesconfusion as to which rules actuallyapply to clearinghouses. In their view,the definition of health careclearinghouse is sufficiently clear to

stand alone and identify a health careclearinghouse as a covered entity, andallows health care clearinghouses tooperate under one consistent set of rules.

Response: For reasons explained in§ 164.504 of this preamble, we do notcreate an exception to the businessassociate requirements when the

business associate is also a coveredentity. We retain the concept that ahealth care clearinghouse may be acovered entity and a business associateof a covered entity under the regulation.As business associates, they would be

bound by their contracts with coveredplans and providers.

Health Care Provider

Comment: One commenter pointedout that the preamble referred to theobligations of providers and did not usethe term, ‘‘covered entity,’’ and thuscreated ambiguity about the obligationsof health care providers who may beemployed by persons other than coveredentities, e.g., pharmaceutical companies.It was suggested that a better reading of the statute and rule is that where neitherthe provider nor the company is a

covered entity, the rule does not imposean obligation on either the provider-employee or the employer.

Response: We agree. We use the term‘‘covered entity’’ whenever possible inthe final rule, except for the instanceswhere the final rule treats the entitiesdifferently, or where use of the term‘‘health care provider’’ is necessary forpurposes of illustrating an example.

Comment: Several commenters statedthat the proposal’s definition was broad,unclear, and/or confusing. Further, wereceived many comments requestingclarification as to whether specificentities or persons were ‘‘health careproviders’’ for the purposes of our rule.One commenter questioned whetheraffiliated members of a health caregroup (even though separate legalentities) would be considered as oneprimary health care provider.

Response: We permit legally distinctcovered entities that share commonownership or control to designatethemselves together to be a singlecovered entity. Such organizations maypromulgate a single shared notice of information practices and a consent

form. For more detailed information, seethe preamble discussion of § 164.504(d).

We understand the need foradditional guidance on whether specificentities or persons are health careproviders under the final rule. Weprovide guidance below and willprovide additional guidance as the ruleis implemented.

Comment: One commenter observedthat sections 1171(3), 1861(s) and1861(u) of the Act do not includepharmacists in the definition of healthcare provider or pharmacist services inthe definition of ‘‘medical or otherhealth services,’’ and questionedwhether pharmacists were covered bythe rule.

Response: The statutory definition of ‘‘health care provider’’ at section1171(3) includes ‘‘any other person ororganization who furnishes, bills, or ispaid for health care in the normalcourse of business.’’ Pharmacists’services are clearly within this statutorydefinition of ‘‘health care.’’ There is no

basis for excluding pharmacists whomeet these statutory criteria from thisregulation.

Comment: Some commentersrecommended that the scope of thedefinition be broadened or clarified tocover additional persons ororganizations. Several commentersargued for expanding the reach of thehealth care provider definition to coverentities such as state and local publichealth agencies, maternity supportservices (provided by nutritionists,social workers, and public health nurses

and the Special Supplemental NutritionProgram for Women, Infants andChildren), and those companies thatconduct cost-effectiveness reviews, riskmanagement, and benchmarkingstudies. One commenter queriedwhether auxiliary providers such aschild play therapists, and speech andlanguage therapists are considered to behealth care providers. Othercommenters questioned whether‘‘alternative’’ or ‘‘complementary’’providers, such as naturopathicphysicians and acupuncturists would beconsidered health care providers

covered by the rule.Response: As with other aspects of this rule, we do not define ‘‘health careprovider’’ based on the title or label of the professional. The professionalactivities of these kinds of providersvary; a person is a ‘‘health careprovider’’ if those activities areconsistent with the rule’s definition of ‘‘health care provider.’’ Thus, healthcare providers include persons, such asthose noted by the commenters, to theextent that they meet the definition. Wenote that health care providers are only





subject to this rule if they conductcertain transactions. See the definitionof ‘‘covered entity.’’

However companies that conductcost-effectiveness reviews, riskmanagement, and benchmarking studiesare not health care providers for thepurposes of this rule unless theyperform other functions that meet the

definition. These entities would be business associates if they perform suchactivities on behalf of a covered entity.

Comment: Another commenterrecommended that the Secretary expandthe definition of health care provider tocover health care providers whotransmit or ‘‘or receive’’ any health careinformation in electronic form.

Response: We do not accept thissuggestion. Section 1172(a)(3) states thatproviders that ‘‘transmit’’ healthinformation in connection with one of the HIPAA transactions are covered, butdoes not use the term ‘‘receive’’ or asimilar term.

Comment: Some comments related toonline companies as health careproviders and covered entities. Onecommenter argued that there was noreason ‘‘why an Internet pharmacyshould not also be covered’’ by the ruleas a health care provider. Anothercommenter stated that online healthcare service and content companies,including online medical recordcompanies, should be covered by thedefinition of health care provider.Another commenter pointed out that thedefinitions of covered entities cover‘‘Internet providers who ‘bill’ or are

‘paid’ for health care services orsupplies, but not those who financethose services in other ways, such asthrough sale of identifiable healthinformation or advertising.’’ It waspointed out that thousands of Internetsites use information provided byindividuals who access the sites formarketing or other purposes.

Response: We agree that onlinecompanies are covered entities underthe rule if they otherwise meet thedefinition of health care provider orhealth plan and satisfy the otherrequirements of the rule, i.e., providers

must also transmit health information inelectronic form in connection with aHIPAA transaction. We restate here thelanguage in the preamble to theproposed rule that ‘‘An individual ororganization that bills and/or is paid forhealth care services or supplies in thenormal course of business, such as* * * an ‘‘online’’ pharmacy accessibleon the Internet, is also a health careprovider for purposes of this statute’’(64 FR 59930).

Comment: We received manycomments related to the reference to

‘‘health clinic or licensed health careprofessional located at a school or

business in the preamble’s discussion of ‘‘health care provider.’’ It was statedthat including ‘‘licensed health careprofessionals located at a school or

business’’ highlights the need for theseindividuals to understand they have theauthority to disclose information to the

Social Security Administration (SSA)without authorization.

However, several commenters urgedHHS to create an exception for or deletethat reference in the preamblediscussion to primary and secondaryschools because of employer or businesspartner relationships. One federalagency suggested that the reference‘‘licensed health care professionalslocated at a [school]’’ be deleted fromthe preamble because the definition of health care provider does not include areference to schools. The commenteralso suggested that the Secretary

consider: adding language to thepreamble to clarify that the rules do notapply to clinics or school health careproviders that only maintain recordsthat have been excepted from thedefinition of protected healthinformation, adding an exception to thedefinition of covered entities for thoseschools, and limiting paperworkrequirements for these schools. Anothercommenter argued for deletingreferences to schools because theproposed rule appeared to supersede orcreate ambiguity as to the FamilyEducational Rights and Privacy Act(FERPA), which gives parents the right

to access ‘‘education’’ and healthrecords of their unemancipated minorchildren. However, in contrast, onecommenter supported the inclusion of health care professionals who provideservices at schools or businesses.

Response: We realize that ourdiscussion of schools in the NPRM mayhave been confusing. Therefore, weaddress these concerns and set forth ourpolicy regarding protected healthinformation in educational agencies andinstitutions in the ‘‘Relationship toOther Federal Laws’’ discussion of FERPA, above.

Comment: Many commenters urgedthat direct contact with the patient benecessary for an entity to be considereda health care provider. Commenterssuggested that persons andorganizations that are remote to thepatient and have no direct contactshould not be considered health careproviders. Several commenters arguedthat the definition of health careprovider covers a person that provideshealth care services or supplies onlywhen the provider furnishes to or billsthe patient directly. It was stated that

the Secretary did not intend thatmanufacturers, such as pharmaceutical,

biologics, and device manufacturers,health care suppliers, medical-surgicalsupply distributors, health care vendorsthat offer medical record documentationtemplates and that typically do not dealdirectly with the patient, be consideredhealth care providers and thus covered

entities. However, in contrast, onecommenter argued that, as an in vitrodiagnostics manufacturer, it should becovered as a health care provider.

Response: We disagree with thecomments that urged that directdealings with an individual be aprerequisite to meeting the definition of health care provider. Many providersincluded in the statutory definition of provider, such as clinical labs, do nothave direct contact with patients.Further, the use and disclosure of protected health information by indirecttreatment providers can have a

significant effect on individuals’privacy. We acknowledge, however, thatproviders who treat patients onlyindirectly need not have the full arrayof responsibilities as direct treatmentproviders, and modify the NPRM tomake this distinction with respect toseveral provisions (see, for example§ 164.506 regarding consent). We alsoclarify that manufacturers and healthcare suppliers who are consideredproviders by Medicare are providersunder this rule.

Comment: Some commenterssuggested that blood centers and plasmadonor centers that collect and distribute

source plasma not be consideredcovered health care providers becausethe centers do not provide ‘‘health careservices’’ and the blood donors are not‘‘patients’’ seeking health care.Similarly, commenters expressedconcern that organ procurementorganizations might be consideredhealth care providers.

Response: We agree and have deletedfrom the definition of ‘‘health care’’ theterm ‘‘procurement or banking of blood,sperm, organs, or any other tissue foradministration to patients.’’ See priordiscussion under ‘‘health care.’’

Comment: Several commentersproposed to restrict coverage to onlythose providers who furnished and werepaid for services and supplies. It wasargued that a salaried employee of acovered entity, such as a hospital-basedprovider, should not be covered by therule because that provider would besubject both directly to the rule as acovered entity and indirectly as anemployee of a covered entity.

Response: The ‘‘dual’’ direct andindirect situation described in thesecomments can arise only when a health





care provider conducts standard HIPAAtransactions both for itself and for itsemployer. For example, when theservices of a provider such as a hospital-

based physician are billed through astandard HIPAA transaction conductedfor the employer, in this example thehospital, the physician does not becomea covered provider. Only when the

provider uses a standard transaction onits own behalf does he or she become acovered health care provider. Thus, theresult is typically as suggested by thiscommenter. When a hospital-basedprovider is not paid directly, that is,when the standard HIPAA transaction isnot on its behalf, it will not become acovered provider.

Comment: Other commenters arguedthat an employer who provides healthcare services to its employees for whomit neither bills the employee nor paysfor the health care should not beconsidered health care providers

covered by the proposed rule.Response: We clarify that theemployer may be a health care providerunder the rule, and may be covered bythe rule if it conducts standardtransactions. The provisions of § 164.504 may also apply.

Comment: Some commenters wereconfused about the preamble statement:‘‘in order to implement the principles inthe Secretary’s Recommendations, wemust impose any protections on thehealth care providers that use anddisclose the information, rather than onthe researcher seeking the information,’’with respect to the rule’s policy that a

researcher who provides care to subjectsin a trial will be considered a healthcare provider. Some commenters werealso unclear about whether theindividual researcher providing healthcare to subjects in a trial would beconsidered a health care provider orwhether the researcher’s homeinstitution would be considered a healthcare provider and thus subject to therule.

Response: We clarify that, in general,a researcher is also a health careprovider if the researcher provideshealth care to subjects in a clinical

research study and otherwise meets thedefinition of ‘‘health care provider’’under the rule. However, a health careprovider is only a covered entity andsubject to the rule if that providerconducts standard transactions. Withrespect to the above preamble statement,we meant that our jurisdiction under thestatute is limited to covered entities.Therefore, we cannot apply anyrestrictions or requirements on aresearcher in that person’s role as aresearcher. However, if a researcher isalso a health care provider that conducts

standard transactions, that researcher/provider is subject to the rule withregard to its provider activities.

As to applicability to a researcher/provider versus the researcher’s homeinstitution, we provide the followingguidance. The rule applies to theresearcher as a covered entity if theresearcher is a health care provider who

conducts standard transactions forservices on his or her own behalf,regardless of whether he or she is partof a larger organization. However, if theservices and transactions are conductedon behalf of the home institution, thenthe home institution is the coveredentity for purposes of the rule and theresearcher/provider is a workforcemember, not a covered entity.

Comment: One commenter expressedconfusion about those instances when ahealth care provider was a coveredentity one day, and one who ‘‘worksunder a contract’’ for a manufacturer thenext day.

Response: If persons are coveredunder the rule in one role, they are notnecessarily covered entities when theyparticipate in other activities in anotherrole. For example, that person could bea covered health care provider in ahospital one day but the next day readresearch records for a differentemployer. In its role as researcher, theperson is not covered, and protectionsdo not apply to those research records.

Comment: One commenter suggestedthat the Secretary modify proposed§ 160.102, to add the following clause atthe end (after (c)) (regarding health care

provider), ‘‘With respect to any entitywhose primary business is not that of ahealth plan or health care providerlicensed under the applicable laws of any state, the standards, requirements,and implementation specifications of this subchapter shall apply solely to thecomponent of the entity that engages inthe transactions specified in [§]160.103.’’ (Emphasis added.) Anothercommenter also suggested that thedefinition of ‘‘covered entity’’ be revisedto mean entities that are ‘‘primarily orexclusively engaged in health care-related activities as a health plan, health

care provider, or health careclearinghouse.’’Response: The Secretary rejects these

suggestions because they willimpermissibly limit the entities covered

by the rule. An entity that is a healthplan, health care provider, or healthcare clearinghouse meets the statutorydefinition of covered entity regardless of how much time is devoted to carryingout health care-related functions, orregardless of what percentage of theirtotal business applies to health care-related functions.

Comment: Several commenters soughtto distinguish a health care providerfrom a business partner as proposed inthe NPRM. For example, a number of commenters argued that diseasemanagers that provide services ‘‘on

behalf of’’ health plans and health careproviders, and case managers (avariation of a disease management

service) are business partners and not‘‘health care providers.’’ Anothercommenter argued that a diseasemanager should be recognized(presumably as a covered entity)

because of its involvement from thephysician-patient level through complexinteractions with health care providers.

Response: To the extent that a diseaseor case manager provides services on

behalf of or to a covered entity asdescribed in the rule’s definition of

business associate, the disease or casemanager is a business associate forpurposes of this rule. However, if services provided by the disease or casemanager meet the definition of treatment and the person otherwisemeets the definition of ‘‘health careprovider,’’ such a person is a health careprovider for purposes of this rule.

Comment: One commenter arguedthat pharmacy employees who assistpharmacists, such as technicians andcashiers, are not business partners.

Response: We agree. Employees of apharmacy that is a covered entity areworkforce members of that coveredentity for purposes of this rule.

Comment: A number of commentersrequested that we clarify the definitionof health care provider (‘‘* * * whofurnishes, bills, or is paid for health careservices or supplies in the normalcourse of business’’) by defining thevarious terms ‘‘furnish’’, ‘‘supply’’, and‘‘in the normal course of business.’’ Forinstance, it was stated that this wouldhelp employers recognize when servicessuch as an employee assistance programconstituted health care covered by therule.

Response: Although we understandthe concern expressed by thecommenters, we decline to follow theirsuggestion to define terms at this levelof specificity. These terms are incommon use today, and an attempt atspecific definition would risk theinadvertent creations of conflict withindustry practices. There is a significantvariation in the way employers structuretheir employee assistance programs(EAPs) and the type of services that theyprovide. If the EAP provides directtreatment to individuals, it may be ahealth care provider.





Health Information

The response to comments on healthinformation is included in the responseto comments on individuallyidentifiable health information, in thepreamble discussion of §164.501.

Health Plan

Comment: One commenter suggestedthat to eliminate any ambiguity, theSecretary should clarify that the catch-all category under the definition of health plan includes ‘‘24-hour coverageplans’’ (whether insured or self-insured)that integrate traditional employeehealth benefits coverage and workers’compensation coverage for the treatmentof on-the-job injuries and illnessesunder one program. It was stated thatthis clarification was essential if theSecretary persisted in excludingworkers’ compensation from the finalrule.

Response: We understand concerns

that such plans may use and discloseindividually identifiable healthinformation. We therefore clarify that tothe extent that 24-hour coverage planshave a health care component thatmeets the definition of ‘‘health plan’’ inthe final rule, such components mustabide by the provisions of the final rule.In the final rule, we have added a newprovision to §164.512 that permitscovered entities to disclose informationunder workers’ compensation andsimilar laws. A health plan that is a 24-hour plan is permitted to makedisclosures as necessary to comply with

such laws.Comment: A number of commentersurged that certain types of insuranceentities, such as workers’ compensationand automobile insurance carriers,property and casualty insurance healthplans, and certain forms of limited

benefits coverage, be included in thedefinition of ‘‘health plan.’’ It wasargued that consumers deserve the sameprotection with respect to their healthinformation, regardless of the entityusing it, and that it would beinequitable to subject health insurancecarriers to more stringent standards than

other types of insurers that useindividually identifiable healthinformation.

Response: The Congress did notinclude these programs in the definitionof a ‘‘health plan’’ under section 1171 of the Act. Further, HIPAA’s legislativehistory shows that the House Report’s(H. Rep. 104–496) definition of ‘‘healthplan’’ originally included certain benefitprograms, such as workers’compensation and liability insurance,

but was later amended to clarify thedefinition and remove these programs.

Thus, since the statutory definition of ahealth plan both on its face and throughlegislative history evidence Congress’intention to exclude such programs, wedo not have the authority to require thatthese programs comply with thestandards. We have added explicitlanguage to the final rule whichexcludes the excepted benefit programs,

as defined in section 2971(c)(1) of thePHS Act, 42 U.S.C. 300gg-91(c)(1).

Comment: Some commenters urgedHHS to include entities such as stoploss insurers and reinsurers in thedefinition of ‘‘health plan.’’ It wasobserved that such entities have come toplay important roles in managed caredelivery systems. They asserted thatincreasingly, capitated health plans andproviders contract with their reinsurersand stop loss carriers to medicallymanage their high cost outlier casessuch as organ and bone marrowtransplants, and therefore should be

specifically cited as subject to theregulations.Response: Stop-loss and reinsurers do

not meet the statutory definition of health plan. They do not provide or payfor the costs of medical care, asdescribed in the statute, but ratherinsure health plans and providersagainst unexpected losses. Therefore,we cannot include them as health plansin the regulation.

Comment: A commenter asserted thatthere is a significant discrepancy

between the effect of the definition of ‘‘group health plan’’ as proposed in§ 160.103, and the anticipated impact in

the cost estimates of the proposed ruleat 64 FR 60014. Paragraph (1) of theproposed definition of ‘‘health plan’’defined a ‘‘group health plan’’ as anERISA-defined employee welfare benefitplan that provides medical care andthat: ‘‘(i) Has 50 or more participants, or (ii) Is administered by an entity otherthan the employer that established andmaintains the plan[.]’’ (emphasis added)According to this commenter, under thisdefinition, the only insured or self-insured ERISA plans that would not beregulated ‘‘health plans’’ would be thosethat have less than 50 participants and

are self administered.The commenter presumed that the wehad intended to exclude from thedefinition of ‘‘health plan’’ (and fromcoverage under the proposed rule) allERISA plans that are small (less than 50participants) or are administered by athird party, whether large or small,

based on the statement at 64 FR 60014,note 18. That footnote stated that theDepartment had ‘‘not included the 3.9million ‘other’ employer-health planslisted in HCFA’s administrativesimplification regulations because these

plans are administered by a third party.The proposed regulation will notregulate the employer plans but willregulate the third party administratorsof the plan.’’ The commenter urged usnot to repeat the statutory definition,and to adopt the policy implied in thefootnote.

Response: We agree with the

commenter’s observation that footnote18 (64 FR 60014) was inconsistent withthe proposed definition. We erred indrafting that note. The definition of ‘‘group health plan’’ is adopted from thestatutory definition at section1171(5)(A), and excludes from the ruleas ‘‘health plans’’ only the few insuredor self-insured ERISA plans that haveless than 50 participants and are self administered. We reject thecommenter’s proposed change to thedefinition as inconsistent with thestatute.

Comment: A number of insurancecompanies asked that long term careinsurance policies be excluded from thedefinition of ‘‘health plan.’’ It wasargued that such policies do not providesufficiently comprehensive coverage of the cost of medical care, and are limited

benefit plans that provide or pay for thecost of custodial and other relatedservices in connection with a long term,chronic illness or disability.

These commenters asserted thatHIPAA recognizes this nature of longterm care insurance, observing that,with respect to HIPAA’s portabilityrequirements, Congress enacted a seriesof exclusions for certain defined types

of health plan arrangements that do nottypically provide comprehensivecoverage. They maintained thatCongress recognized that long term careinsurance is excluded, so long as it isnot a part of a group health plan. Wherea long term care policy is offeredseparately from a group health plan it isconsidered an excepted benefit and isnot subject to the portability andguarantee issue requirements of HIPAA.Although this exception does not appearin the Administrative Simplificationprovisions of HIPAA, it was assertedthat it is guidance with respect to the

treatment of long term care insurance asa limited benefit coverage and not ascoverage that is so ‘‘sufficientlycomprehensive’’ that it is to be treatedin the same manner as a typical,comprehensive major medical healthplan arrangement.

Another commenter offered adifferent perspective observing thatthere are some long-term care policies—that do not pay for medical care andtherefore are not ‘‘health plans.’’ It wasnoted that most long-term care policiesare reimbursement policies—that is,





provides or pays for the cost of medicalcare,’’ and asserted that absentclarification there could be seriousconfusion as to whether property andcasualty benefit providers are ‘‘healthplans’’ under the rule.

Response: We agree and as describedabove have added language to the finalrule to clarify that the ‘‘excepted

benefits’’ as defined under 42 U.S.C.300gg–91(c)(1), which includes liabilityprograms such as property and casualty

benefit providers, are not health plansfor the purposes of this rule.

Comment: Some commentersrecommended that the Secretary replacethe term ‘‘medical care’’ with ‘‘healthcare.’’ It was observed that ‘‘health care’’was defined in the proposal, and thatthis definition was used to define whata health care provider does. However,they observed that the definition of ‘‘health plan’’ refers to the provision of or payment for ‘‘medical care,’’ which isnot defined. Another commenterrecommended that HHS add theparenthetical phrase ‘‘as such term isdefined in section 2791 of the PublicHealth Service Act’’ after the phrase‘‘medical care.’’

Response: We disagree with the firstrecommendation. We understand thatthe term ‘‘medical care’’ can be easilyconfused with the term ‘‘health care.’’However, the two terms are notsynonymous. The term ‘‘medical care’’is a statutorily defined term and its useis critical in making a determination asto whether a health plan is considereda ‘‘health plan’’ for purposes of

administrative simplification. Inaddition, since the term ‘‘medical care’’is used in the regulation only in thecontext of the definition of ‘‘healthplan’’ and we believe that its inclusionin the regulatory text may causeconfusion, we did not add a definitionof ‘‘medical care’’ in the final rule.However, consistent with the secondrecommendation above, the statutorycite for ‘‘medical care’’ was added to thedefinition of ‘‘health plan’’ in theTransactions Rule, and thus is reflectedin this final rule.

Comment: A number of commenters

urged that the Secretary define morenarrowly what characteristics wouldmake a government program that paysfor specific health care services a‘‘health plan.’’ Commenters argued thatthere are many ‘‘payment’’ programsthat should not be included, asdiscussed below, and that if nodistinctions were made, ‘‘health plan’’would mean the same as ‘‘purchaser’’ oreven ‘‘payor.’’

Commenters asserted that there are anumber of state programs that pay for‘‘health care’’ (as defined in the rule) but

that are not health plans. They said thatexamples include the WIC program(Special Supplemental NutritionProgram for Women, Infants, andChildren) which pays for nutritionalassessment and counseling, among otherservices; the AIDS Client ServicesProgram (including AIDS prescriptiondrug payment) under the federal Ryan

White Care Act and state law; thedistribution of federal family planningfunds under Title X of the Public HealthServices Act; and the breast and cervicalhealth program which pays for cancerscreening in targeted populations.Commenters argued that these are notinsurance plans and do not fall withinthe ‘‘health plan’’ definition’s list of examples, all of which are eitherinsurance or broad-scope programs of care under a contract or statutoryentitlement. However, paragraph (16) inthat list opens the door to broaderinterpretation through the catchall

phrase, ‘‘any other individual or groupplan that provides or pays for the costof medical care.’’ Commenters assertthat clarification is needed.

A few commenters stated that otherstate agencies often work in partnershipwith the state Medicaid program toimplement certain Medicaid benefits,such as maternity support services andprenatal genetics screening. Theyconcluded that while this probablymakes parts of the agency the ‘‘businesspartner’’ of a covered entity, they wereuncertain whether it also makes thesame agency parts a ‘‘health plan’’ as

well.Response: We agree with thecommenters that clarification is neededas to the rule’s application togovernment programs that pay forhealth care services. Accordingly, in thefinal rule we have excepted from thedefinition of ‘‘health plan’’ agovernment funded program which doesnot have as its principal purpose theprovision of, or payment for, the cost of health care or which has as its principalpurpose the provision, either directly or

by grant, of health care. For example,the principal purpose of the WIC

program is not to provide or pay for thecost of health care, and thus, the WICprogram is not a health plan forpurposes of this rule. The program of health care services for individualsdetained by the INS provides healthcare directly, and so is not a health plan.Similarly, the family planning programauthorized by Title X of the PublicHealth Service Act pays for careexclusively through grants, and so is nota health plan under this rule. Theseprograms (the grantees under the Title Xprogram) may be or include health care

providers and may be covered entities if they conduct standard transactions.

We further clarify that, where a publicprogram meets the definition of ‘‘healthplan,’’ the government agency thatadministers the program is the coveredentity. Where two agencies administer aprogram jointly, they are both a healthplan. For example, both the Health Care

Financing Administration and theinsurers that offers a Medicare+Choiceplan are ‘‘health plans’’ with respect toMedicare beneficiaries. An agency thatdoes not administer a program butwhich provides services for such aprogram is not a covered entity by virtueof providing such services. Whether anagency providing services is a businessassociate of the covered entity dependson whether its functions for the coveredentity meet the definition of businessassociate in §164.501 and, in theexample described by this comment, inparticular on whether the arrangement

falls into the exception in§ 164.504(e)(1)(ii)(C) for governmentagencies that collect eligibility orenrollment information for coveredgovernment programs.

Comment: Some commentersexpressed support for retaining thecategory in paragraph (16) of theproposal’s definition: ‘‘Any otherindividual or group health plan, orcombination thereof, that provides orpays for the cost of medical care.’’Others asked that the Secretary clarifythis category. One commenter urged thatthe final rule clearly define which planswould meet the criteria for this category.

Response: As described in theproposed rule, this category implementsthe language at the beginning of thestatutory definition of the term ‘‘healthplan’’: ‘‘The term ‘health plan’ means anindividual or group plan that provides,or pays the cost of, medical care * * *Such term includes the following, andany combination thereof * * *’’ Thisstatutory language is general, notspecific, and as such, we are leaving itgeneral in the final rule. However, asdescribed above, we add explicitlanguage which excludes certain‘‘excepted benefits’’ from the definition

of ‘‘health plan’’ in an effort to clarifywhich plans are not health plans for thepurposes of this rule. Therefore, to theextent that a certain benefits plan orprogram otherwise meets the definitionof ‘‘health plan’’ and is not explicitlyexcepted, that program or plan isconsidered a ‘‘health plan’’ underparagraph (1)(xvii) of the final rule.

Comment: A commenter explainedthat HIPAA defines a group health plan

by expressly cross-referencing thestatutory sections in the PHS Act andthe Employee Retirement Income





Security Act of 1974 (ERISA), 29 U.S.C.1001, et seq., which define the terms‘‘group health plan,’’ ‘‘employee welfare

benefit plan’’ and ‘‘participant.’’ See 29U.S.C. 1002(l) (definition of ‘‘employeewelfare benefit plan,’’ which is the coreof the definition of group health planunder both ERISA and the PHS Act); 29U.S.C. 100217) (definition of

participant); 29 U.S.C. 1193(a)(definition of ‘‘group health plan,’’which is identical to that in section2791(a) of the PHS Act).

It was pointed out that the preambleand the text of the proposed rule bothlimit the definition of all three terms totheir current definitions. Thecommenter reasoned that since theERISA definitions may change over timethrough statutory amendment,Department of Labor regulations orjudicial interpretation, it would not beclear what point in time is to beconsidered current. Therefore, they

suggested deleting references to‘‘current’’ or ‘‘currently’’ in thepreamble and in the regulation withrespect to these three ERISA definitions.

In addition, the commenter stated thatas the preamble to the NPRM correctlyreflected, HIPAA expressly cross-references ERISA’s definition of ‘‘participant’’ in section 3(7) of ERISA,29 U.S.C. 1002(7). 42 U.S.C.1320d(5)(A). The text of the privacyregulation, however, omits this cross-reference. It was suggested that thereference to section 3(7) of ERISA,defining ‘‘participant,’’ be included inthe regulation.

Finally, HIPAA incorporates thedefinition of a group health plan as setforth in section 2791(a) of the PHS Act,42 U.S.C. 300gg–91(a)(l). That definitionrefers to the provision of medical care‘‘directly or through insurance,reimbursement, or otherwise.’’ Theword ‘‘reimbursement’’ is omitted in

both the preamble and the text of theregulation; the commenter suggestedrestoring it to both.

Response: We agree. These changeswere made to the definition of ‘‘healthplan’’ as promulgated in theTransactions Rule, and are reflected in

this final rule.Small Health Plan

Comment: One commenterrecommended that we delete thereference to $5 million in the definitionand instead define a ‘‘small health plan’’as a health plan with fewer than 50participants. It was stated that using adollar limitation to define a ‘‘smallhealth plan’’ is not meaningful for self-insured plans and some other types of health plan coverage arrangements. Acommenter pointed out that the general

definition of a health plan refers to ‘‘50or more participants,’’ and that using adollar factor to define a ‘‘small healthplan’’ would be inconsistent with thisdefinition.

Response: We disagree. The SmallBusiness Administration (SBA)promulgates size standards that indicatethe maximum number of employees or

annual receipts allowed for a concern(13 CFR 121.105) and its affiliates to beconsidered ‘‘small.’’ The size standardsthemselves are expressed either innumber of employees or annual receipts(13 CFR 121.201). The size standards forcompliance with programs of otheragencies are those for SBA programswhich are most comparable to theprograms of such other agencies, unlessotherwise agreed by the agency and theSBA (13 CFR 121.902). With respect tothe insurance industry, the SBA hasspecified that annual receipts of $5million is the maximum allowed for a

concern and its affiliates to beconsidered small (13 CFR 121.201).Consequently, we retain the proposal’sdefinition in the final rule to beconsistent with SBA requirements.

We understand there may be someconfusion as to the meaning of ‘‘annualreceipts’’ when applied to a health plan.For our purposes, therefore, we consider‘‘pure premiums’’ to be equivalent to‘‘annual receipts.’’

Workforce

Comment: Some commentersrequested that we exclude ‘‘volunteers’’

from the definition of workforce. Theystated that volunteers are importantcontributors within many coveredentities, and in particular hospitals.They argued that it was unfair to askthat these people donate their time andat the same time subject them to thepenalties placed upon the paidemployees by these regulations, and thatit would discourage people fromvolunteering in the health care setting.

Response: We disagree. We believethat differentiating those persons underthe direct control of a covered entitywho are paid from those who are not is

irrelevant for the purposes of protectingthe privacy of health information, andfor a covered entity’s management of itsworkforce. In either case, the person isworking for the covered entity. Withregard to implications for theindividual, persons in a covered entity’sworkforce are not held personally liablefor violating the standards orrequirements of the final rule. Rather,the Secretary has the authority toimpose civil monetary penalties and insome cases criminal penalties for suchviolations on only the covered entity.

Comment: One commenter asked thatthe rule clarify that employeesadministering a group health or otheremployee welfare benefit plan on theiremployers’ behalf are considered part of the covered entity’s workforce.

Response: As long as the employeeshave been identified by the group healthplan in plan documents as performing

functions related to the group healthplan (consistent with the requirementsof §164.504(f)), those employees mayhave access to protected healthinformation. However, they are notpermitted to use or disclose protectedhealth information for employment-related purposes or in connection withany other employee benefit plan oremployee benefit of the plan sponsor.

Part 160—Subpart B—Preemption of State Law

We summarize and respond below tocomments received in the Transactionsrulemaking on the issue of preemption,as well as those received on this topicin the Privacy rulemaking. Because noprocess was proposed in theTransactions rulemaking for grantingexceptions under section 1178(a)(2)(A),a process for making exceptiondeterminations was not adopted in theTransactions Rule. Instead, since aprocess for making exceptiondeterminations was proposed in thePrivacy rulemaking, we decided that thecomments received in the Transactionsrulemaking should be considered andaddressed in conjunction with thecomments received on the process

proposed in the Privacy rulemaking. See65 FR 50318 for a fuller discussion.Accordingly, we discuss the preemptioncomments received in the Transactionsrulemaking where relevant below.

Comment: The majority of commentson preemption addressed the subject ingeneral terms. Numerous comments,particularly from plans and providers,argued that the proposed preemptionprovisions were burdensome,ineffective, or insufficient, and thatcomplete federal preemption of the‘‘patchwork’’ of state privacy laws isneeded. They also argued that the

proposed preemption provisions arelikely to invite litigation. Variouspractical arguments in support of thisposition were made. Some of thesecomments recognized that theSecretary’s authority under section 1178of the Act is limited and acknowledgedthat the Secretary’s proposals werewithin her statutory authority. Onecommenter suggested that the exceptiondetermination process would result in avery costly and laborious andsometimes inconsistent analysis of theoccasions in which state law would





survive federal preemption, and thussuggested the final privacy regulationspreempt state law with only limitedexceptions, such as reporting childabuse. Many other comments, however,recommended changing the proposedpreemption provisions to preempt stateprivacy laws on as blanket a basis aspossible.

One comment argued that theassumption that more stringent privacylaws are better is not necessarily true,citing a 1999 GAO report findingevidence that the stringent stateconfidentiality laws of Minnesota haltedthe collection of comparativeinformation on health care quality.

Several comments in this vein werealso received in the Transactionsrulemaking. The majority of thesecomments took the position thatexceptions to the federal standardsshould either be prohibited ordiscouraged. It was argued that grantingexceptions to the standards, particularlythe transactions standards, would beinconsistent with the statute’s objectiveof promoting administrativesimplification through the use of uniform transactions.

Many other commenters, however,endorsed the ‘‘federal floor’’ approach of the proposed rules. (These commentswere made in the context of theproposed privacy regulations.) Thesecomments argued that this approachwas preferable because it would notimpair the effectiveness of state privacylaws that are more protective of privacy,while raising the protection afforded

medical information in states that donot enact laws that are as protective asthe rules below. Some commentsargued, however, that the rules shouldgive even more deference to state law,questioning in particular the definitionsand the proposed addition to the ‘‘otherpurposes’’ criterion for exceptiondeterminations in this regard.

Response: With respect to theexception process provided for bysection 1178(a)(2)(A), the contentionthat the HIPAA standards shoulduniformly control is an argument thatshould be addressed to the Congress,

not this agency. Section 1178 of the Actexpressly gives the Secretary authorityto grant exceptions to the general rulethat the HIPAA standards preemptcontrary state law in the circumstancesshe determines come within theprovisions at section 1178(a)(2)(A). Weagree that the underlying statutory goalof standardizing financial andadministrative health care transactionsdictates that exceptions should begranted only on narrow grounds.Nonetheless, Congress clearly intendedto accommodate some state laws in

these areas, and the Department is notfree to disregard this Congressionalchoice. As is more fully explained

below, we have interpreted the statutorycriteria for exceptions under section1178(a)(2)(A) to balance the need forrelative uniformity with respect to theHIPAA standards with state needs to setcertain policies in the statutorily

defined areas.The situation is different with respect

to state laws relating to the privacy of protected health information. Many of the comments arguing for uniformstandards were particularly concernedwith discrepancies between the federalprivacy standards and various stateprivacy requirements. Unlike thesituation with respect to thetransactions standards, where stateshave generally not entered the field, allstates regulate the privacy of somemedical information to a greater orlesser extent. Thus, we understand the

private sector’s concern at having toreconcile differing state and federalprivacy requirements.

This is, however, likewise an areawhere the policy choice has been made

by Congress. Under section1178(a)(2)(B) of the Act and section264(c)(2) of HIPAA, provisions of stateprivacy laws that are contrary to andmore stringent than the correspondingfederal standard, requirement, orimplementation specification are notpreempted. The effect of theseprovisions is to let the law that is mostprotective of privacy control (the‘‘federal floor’’ approach referred to by

many commenters), and this policychoice is one with which we agree.Thus, the statute makes it impossible forthe Secretary to accommodate therequests to establish uniformlycontrolling federal privacy standards,even if doing so were viewed asdesirable.

Comment: Numerous commentsstated support for the proposal atproposed Subpart B to issue advisoryopinions with respect to the preemptionof state laws relating to the privacy of individually identifiable healthinformation. A number of these

comments appeared to assume that theSecretary’s advisory opinions would bedispositive of the issue of whether ornot a state law was preempted. Many of these commenters suggested what theysaw as improvements to the proposedprocess, but supported the proposal tohave the Department undertake thisfunction.

Response: Despite the general supportfor the advisory opinion proposal, wedecided not to provide specifically forthe issuance of such opinions. Thefollowing considerations led to this

decision. First, the assumption bycommenters that an advisory opinionwould establish what law applied in agiven situation and thereby simplify thetask of ascertaining what legalrequirements apply to a covered entityor entities is incorrect. Any suchopinion would be advisory only.Although an advisory opinion issued by

the Department would indicate tocovered entities how the Departmentwould resolve the legal conflict inquestion and would apply the law indetermining compliance, it would not

bind the courts. While we assume thatmost courts would give such opinionsdeference, the outcome could not beguaranteed.

Second, the thousands of questionsraised in the public comment about theinterpretation, implications, andconsequences of all of the proposedregulatory provisions have led us toconclude that significant advice and

technical assistance about all of theregulatory requirements will have to beprovided on an ongoing basis. Werecognize that the preemption concernsthat would have been addressed by theproposed advisory opinions were likelyto be substantial. However, there is noreason to assume that they will be themost substantial or urgent of thequestions that will most likely need to

be addressed. It is our intent to provideas much technical advice and assistanceto the regulated community as we canwith the resources available. Ourconcern is that setting up an advisoryopinion process for just one of the many

types of issues that will have to beaddressed will lead to a non-optimalallocation of those resources. Uponcareful consideration, therefore, wehave decided that we will be better ableto prioritize our workload and be betterable to be responsive to the most urgentand substantial questions raised to theDepartment, if we do not provide for aformal advisory opinion process onpreemption as proposed.

Comment: A few commenters arguedthat the Privacy Rule should preemptstate laws that would impose morestringent privacy requirements for the

conduct of clinical trials. Onecommenter asserted that the existingfederal regulations and guidelines forpatient informed consent, together withthe proposed rule, would adequatelyprotect patient privacy.

Response: The Department does nothave the statutory authority underHIPAA to preempt state laws that wouldimpose more stringent privacyrequirements on covered entities.HIPAA provides that the rulepromulgated by the Secretary may notpreempt state laws that are in conflict





with the regulatory requirements andthat provide greater privacy protections.

Section 160.201—Applicability

Comment: Several commentersindicated that the guidance provided bythe definitions at proposed § 160.202would be of substantial benefit both toregulated entities and to the public.

However, these commenters argued thatthe applicability of such definitionswould be too limited as drafted, sinceproposed §160.201 provided that thedefinitions applied only to‘‘determinations and advisory opinionsissued by the Secretary pursuant to 42U.S.C. 1320d–7.’’ The commentersstated that it would be far more helpfulto make the definitions in proposed§ 160.202 more broadly applicable, toprovide general guidance on the issue of preemption.

Response: We agree with thecomments on this issue, and have

revised the applicability provision of subpart B below accordingly. Section160.201 below sets out that Subpart Bimplements section 1178. This means,in our view, that the definitions of thestatutory terms at § 160.202 arelegislative rules that apply when thosestatutory terms are employed, whether

by HHS, covered entities, or the courts.


Contrary

Comment: Some commenters assertedthat term ‘‘contrary’’ as defined at§ 160.202 was overly broad and that its

application would be time-consumingand confusing for states. Thesecommenters argued that, under theproposed definition, a state would berequired to examine all of its lawsrelating to health information privacy inorder to determine whether or not itslaw were contrary to the requirementsproposed. It was also suggested that thedefinition contain examples of how itwould work in practical terms.

A few commenters, however, arguedthat the definition of ‘‘contrary’’ asproposed was too narrow. Onecommenter argued that the Secretary

erred in her assessment of the case lawanalyzing what is known as ‘‘conflictpreemption’’ and which is set forth inshorthand in the tests set out at§ 160.202.

Response: We believe that thedefinition proposed represents a policythat is as clear as is feasible and whichcan be applied nationally anduniformly. As was noted in thepreamble to the proposed rules (at 64 FR59997), the tests in the proposeddefinition of ‘‘contrary’’ are adoptedfrom the jurisprudence of ‘‘conflict

preemption.’’ Since preemption is ajudicially developed doctrine, it isreasonable to interpret this term asindicating that the statutory analysisshould tie in to the analyticalformulations employed by the courts.Also, while the court-developed testsmay not be as clear as commenterswould like, they represent a long-term,

thoughtful consideration of the problemof defining when a state/federal conflictexists. They will also, we assume,generally be employed by the courtswhen conflict issues arise under therules below. We thus see no practicalalternative to the proposed definitionand have retained it unchanged. Withrespect to various suggestions forshorthand versions of the proposedtests, such as the arguably broader term‘‘inconsistent with,’’ we see nooperational advantages to such terms.

Comment: One comment asked thatthe Department clarify that if state law

is not preempted, then the federal lawwould not also apply.Response: This comment raises two

issues, both of which deservediscussion. First, a state law may not bepreempted because there is no conflictwith the analogous federal requirement;in such a situation, both laws can, andmust, be complied with. We thus do notaccept this suggestion, to the extent thatit suggests that the federal law wouldgive way in this situation. Second, astate law may also not be preempted

because it comes within section1178(a)(2)(B), section 1178(b), or section1178(c); in this situation, a contrary

federal law would give way.Comment: One comment urged the

Department to take the position thatwhere state law exists and no analogousfederal requirement exists, the staterequirement would not be ‘‘contrary to’’the federal requirement and wouldtherefore not trigger preemption.

Response: We agree with thiscomment.

Comment: One commenter criticizedthe definition as unhelpful in the multi-state transaction context. For example, itwas asked whether the issue of whethera state law was ‘‘contrary to’’ should be

determined by the law of the statewhere the treatment is provided, wherethe claim processor is located, wherethe payment is issued, or the datamaintained, assuming all are in differentstates.

Response: This is a choice of lawissue, and, as is discussed more fully

below, is a determination that isroutinely made today in connectionwith multi-state transactions. Seediscussion below under ExceptionDeterminations (Criteria for ExceptionDeterminations).

State Law

Comment: Comments noted that thedefinition of ‘‘state law’’ does notexplicitly include common law andrecommended that it be revised to do soor to clarify that the term includesevidentiary privileges recognized atstate law. Guidance concerning the

impact of state privileges was alsorequested.Response: As requested, we clarify

that the definition of ‘‘state law’’includes common law by including theterm ‘‘common law.’’ In our view, thisphrase encompasses evidentiaryprivileges recognized at state law(which may also, we note, be embodiedin state statutes).

Comment: One comment criticizedthis definition as unwieldy, in thatlocating state laws pertaining to privacyis likely to be difficult. It was noted thatFlorida, for example, has more than 60statutes that address health privacy.

Response: To the extent that statelaws currently apply to covered entities,they have presumably determined whatthose laws require in order to complywith them. Thus, while determiningwhich laws are ‘‘contrary’’ to the federalrequirements will require additionalwork in terms of comparing state lawwith the federal requirements, entitiesshould already have acquired theknowledge of state law needed for thistask in the ordinary course of doing

business.Comment: The New York City

Department of Health noted that in

many cases, provisions of New YorkState law are inapplicable within NewYork City, because the state legislaturehas recognized that the local code istailored to the particular needs of theCity. It urged that the New York CityCode be treated as state law, forpreemption purposes.

Response: We agree that, to the extenta state treats local law as substituting forstate law it could be considered to be‘‘state law’’ for purposes of thisdefinition. If, however, a local law islocal in scope and effect, and a tier of state law exists over the same subject

matter, we do not think that the locallaw could or should be treated as ‘‘statelaw’’ for preemption purposes. We donot have sufficient information to assessthe situation raised by this commentwith respect to this principle, and soexpress no opinion thereon.

More Stringent

Comment: Many commenterssupported the policy in the proposeddefinition of ‘‘individual’’ at proposed§ 164.502, which would have permittedunemancipated minors to exercise, on





their own behalf, rights granted toindividuals in cases where theyconsented to the underlying health care.Commenters stated, however, that theproposed preemption provision wouldleave in place state laws authorizing orprohibiting disclosure to parents of theprotected health information of theirminor children and would negate the

proposed policy for the treatment of minors under the rule. The commentsstated that such state laws should betreated like other state laws, andpreempted to the extent that they areless protective of the privacy of minors.

Other commenters supported theproposed preemption provision—not topreempt a state law to the extent itauthorizes or prohibits disclosure of protected health information regarding aminor to a parent.

Response: Laws regarding access tohealth care for minors andconfidentiality of their medical records

vary widely; this regulation recognizesand respects the current diversity of state law in this area. Where states haveconsidered the balance involved inprotecting the confidentiality of minors’health information and have explicitlyacted, for example, to authorizedisclosure, defer the decision to discloseto the discretion of the health careprovider, or prohibit disclosure of minor’s protected health information toa parent, the rule defers to thesedecisions to the extent that they regulatesuch disclosures.

Comment: The proposed definition of

‘‘more stringent’’ was criticized asaffording too much latitude to forgranting exceptions for state laws thatare not protective of privacy. It wassuggested that the test should be ‘‘mostprotective of the individual’s privacy.’’

Response: We considered adoptingthis test. However, for the reasons setout at 64 FR 59997, we concluded thatthis test would not provide sufficientguidance. The comments did notaddress the concerns we raised in thisregard in the preamble to the proposedrules, and we continue to believe thatthey are valid.

Comment: A drug company expressedconcern with what it saw as theexpansive definition of this term,arguing that state governments mayhave less experience with the specialneeds of researchers than federalagencies and may unknowingly adoptlaws that have a deleterious effect onresearch. A provider group expressedconcern that allowing stronger statelaws to prevail could result indiminished ability to get enoughpatients to complete high qualityclinical trials.

Response: These concerns arefundamentally addressed to the ‘‘federalfloor’’ approach of the statute, not to thedefinition proposed: even if thedefinition of ‘‘more stringent’’ werenarrowed, these concerns would stillexist. As discussed above, since the‘‘federal floor’’ approach is statutory, itis not within the Secretary’s authority to

change the dynamics that are of concern.

Comment: One comment stated thatthe proposed rule seemed to indicatethat the ‘‘more stringent’’ and ‘‘contraryto’’ definitions implied that thesestandards would apply to ERISA plansas well as to non-ERISA plans.

Response: The concern underlyingthis comment is that ERISA plans,which are not now subject to certainstate laws because of the ‘‘field’’preemption provision of ERISA butwhich are subject to the rules below,will become subject to state privacylaws that are ‘‘more stringent’’ than thefederal requirements, due to theoperation of section 1178(a)(2)(B),together with section 264(c)(2). Wedisagree that this is the case. While thecourts will have the final say on thesequestions, it is our view that thesesections simply leave in place morestringent state laws that wouldotherwise apply; to the extent that suchstate laws do not apply to ERISA plans

because they are preempted by ERISA,we do not think that section 264(c)(2)overcomes the preemption effected bysection 514(a) of ERISA. For morediscussion of this point, see 64 FR

60001.Comment: The Lieutenant Governor’s

Office of the State of Hawaii requesteda blanket exemption for Hawaii from thefederal rules, on the ground that itsrecently enacted comprehensive healthprivacy law is, as a whole, morestringent than the proposed federalstandards. It was suggested that, forexample, special weight should be givento the severity of Hawaii’s penalties. Itwas suggested that a new definition(‘‘comprehensive’’) be added, and that‘‘more stringent’’ be defined in thatcontext as whether the state act or code

as a whole provides greater protection.An advocacy group in Vermontargued that the Vermont legislature waspoised to enact stronger and morecomprehensive privacy laws and statedthat the group would resent a federalprohibition on that.

Response: The premise of thesecomments appears to be that theprovision-by-provision approach of Subpart B, which is expressed in thedefinition of the term ‘‘contrary’’, iswrong. As we explained in the preambleto the proposed rules (at 64 FR 59995),

however, the statute dictates aprovision-by-provision comparison of state and federal requirements, not theoverall comparison suggested by thesecomments. We also note that theapproach suggested would bepractically and analytically problematic,in that it would be extremely difficult,if not impossible, to determine what is

a legitimate stopping point for theprovisions to be weighed on either thestate side or the federal side of the scalein determining which set of laws wasthe ‘‘more stringent.’’ We accordingly donot accept the approach suggested bythese comments.

With respect to the comment of theVermont group, nothing in the rules

below prohibits or places any limits onstates enacting stronger or morecomprehensive privacy laws. To theextent that states enact privacy laws thatare stronger or more comprehensivethan contrary federal requirements, they

will presumably not be preemptedunder section 1178(a)(2)(B). To theextent that such state laws are notcontrary to the federal requirements,they will act as an overlay on the federalrequirements and will have effect.

Comment: One comment raised theissue of whether a private right of actionis a greater penalty, since the proposedfederal rule has no comparable remedy.

Response: We have reconsidered theproposed ‘‘penalty’’ provision of theproposed definition of ‘‘more stringent’’and have eliminated it. The HIPAAstatute provides for only two types of penalties: fines and imprisonment. Both

types of penalties could be imposed inaddition to the same type of penaltyimposed by a state law, and should notinterfere with the imposition of othertypes of penalties that may be availableunder state law. Thus, we think it isunlikely that there would be a conflict

between state and federal law in thisrespect, so that the proposed criterion isunnecessary and confusing. In addition,the fact that a state law allows anindividual to file a lawsuit to protectprivacy does not conflict with theHIPAA penalty provisions.

Relates to the Privacy of Individually

Identifiable Health InformationComment: One comment criticized

the definition of this term as too narrowin scope and too uncertain. Thecommenter argued that determining thespecific purpose of a state law may bedifficult and speculative, because manystate laws have incomplete,inaccessible, or non-existent legislativehistories. It was suggested that thedefinition be revised by deleting theword ‘‘specific’’ before the word‘‘purpose.’’ Another commenter argued





that the definition of this term should benarrowed to minimize reversepreemption by more stringent statelaws. One commenter generallysupported the proposed definition of this term.

Response: We are not accepting thefirst comment. The purpose of a givenstate enactment should be ascertainable,

if not from legislative history or apurpose statement, then from the statuteviewed as a whole. The same should betrue of state regulations or rulings. Inany event, it seems appropriate torestrict the field of state laws that maypotentially trump the federal standardsto those that are clearly intended toestablish state public policy and operatein the same area as the federalstandards. To the extent that thedefinition in the rules below does this,we have accommodated the secondcomment. We note, however, that we donot agree that the definition should be

further restricted to minimize ‘‘reversepreemption,’’ as suggested by thiscomment, as we believe that state lawsthat are more protective of privacy thancontrary federal standards shouldremain, in order to ensure that theprivacy of individuals’ healthinformation receives the maximum legalprotection available.

Sections 160.203 and 160.204—Exception Determinations and AdvisoryOpinions

Most of the comments received onproposed Subpart B lumped together theproposed process for exception

determinations under section1178(a)(2)(A) with the proposed processfor issuing advisory opinions undersection 1178(a)(2)(B), either because thesubstance of the comment applied to

both processes or because thecommenters did not draw a distinction

between the two processes. We addressthese general comments in this section.

Comment: Numerous commenters,particularly providers and providergroups, recommended that exceptiondeterminations and advisory opinionsnot be limited to states and advocatedallowing all covered entities (including

individuals, providers and insurers), orprivate sector organizations, to requestdeterminations and opinions withrespect to preemption of state laws.Several commenters argued that limitingrequests to states would deny thirdparty stakeholders, such as life anddisability income insurers, any means of resolving complex questions as to whatrule they are subject to. One commenternoted that because it is an insurer whowill be liable if it incorrectly analyzesthe interplay between laws and reachesan incorrect conclusion, there would be

little incentive for the states to requestclarification. It would also cause largeadministrative burdens which, it wasstated, would be costly and confusing.It was also suggested that the request forthe exception be made to the applicablestate’s attorney general or chief legalofficer, as well as the Secretary. Variouschanges to the language were suggested,

such as adding that ‘‘a covered entity, orany other entity impacted by this rule’’

be allowed to submit the writtenrequest.

Response: We agree, and havechanged §164.204(a) below accordingly.

The decision to eliminate advisoryopinions makes this issue moot withrespect to those opinions.

Comment: Several commenters notedthat it was unclear under the proposedrule which state officials would beauthorized to request a determination.

Response: We agree that the proposedrule was unclear in this respect. Thefinal rule clarifies who may make therequest for a state, with respect toexception determinations. See,§ 160.204(a). The language adoptedshould ensure that the Secretaryreceives an authoritative statement fromthe state. At the same time, thislanguage provides states with flexibility,in that the governor or other chief elected official may choose to designateother state officials to make suchrequests.

Comment: Many commentersrecommended that a process beestablished whereby HHS performs aninitial state-by-state critical analysis to

provide guidance on which state lawswill not be preempted; most suggestedthat such an analysis (alternativelyreferred to as a database orclearinghouse) should be completed

before providers would be required tocome into compliance. Many of thesecomments argued that the Secretaryshould bear the cost for the analyses of state law, disagreeing with the premisestated in the preamble to the proposedrules that it is more efficient for theprivate market to complete the state-by-state review. Several comments alsorequested that HHS continue to

maintain and monitor the exceptiondetermination process, and update thedatabase over time in order to provideguidance and certainty on theinteraction of the federal rules withnewly enacted or amended state lawsthat are produced after the final rule.Some comments recommended thateach state be required to certifyagreement with the HHS analyses.

In contrast, one hospital associationnoted concerns that the Secretary wouldconduct a nationwide analysis of statelaws. The comment stated that

implementation would be difficult sincemuch of the law is a product of commonlaw, and such state-specific researchshould only be attempted byexperienced health care attorneys ineach jurisdiction.

Response: These comments seem to be principally concerned with potentialconflicts between state privacy laws and

the privacy standards, because, as ismore fully explained below, preemptionof contrary state laws not relating toprivacy is automatic unless theSecretary affirmatively acts undersection 1178(a)(2)(A) to grant anexception. We recognize that theprovisions of sections 1178(b) (statepublic health laws), and 1178(c) (stateregulation of health plans) similarlypreserve state laws in those areas, butvery little of the public commentappeared to be concerned with theselatter statutory provisions. Accordingly,we respond below to what we see as the

commenters’ main concern.The Department will not do the kindof global analysis requested by many of these comments. What these commentsare in effect seeking is a global advisoryopinion as to when the federal privacystandards will control and when theywill not. We understand the desire forcertainty underlying these comments.Nonetheless, the reasons set out aboveas the basis for our decision not toestablish a formal advisory opinionprocess apply equally to these requests.We also do not agree that the task of evaluating the requirements below inlight of existing state law is unduly

burdensome or unreasonable. Rather, itis common for new federal requirementsto necessitate an examination by theregulated entities of the interaction

between existing state law and thefederal requirements incident to cominginto compliance.

We agree, however, that the case isdifferent where the Secretary hasaffirmatively acted, either throughgranting an exception under section1178(a)(2)(A) or by making a specificdetermination about the effect of aparticular state privacy law in, forexample, the course of determining an

entity’s compliance with the privacystandards. As is discussed below, theDepartment intends to make notice of exception determinations that it makesroutinely available.

We do not agree with the commentssuggesting that compliance by coveredentities be delayed pending completionof an analysis by the Secretary and thatstates be required to certify agreementwith the Secretary’s analysis, as we arenot institutionalizing the advisoryopinion/analysis process upon whichthese comments are predicated.





Furthermore, with respect to thesuggestion regarding delaying thecompliance date, Congress provided insection 1175(b) of the Act for a delay inwhen compliance is required toaccommodate the needs of coveredentities to address implementationissues such as those raised by thesecomments. With respect to the

suggestion regarding requiring states tocertify their agreement with theSecretary’s analysis, we have noauthority to do this.

Comment: Several commenterscriticized the proposed provision forannual publication of determinationsand advisory opinions in the FederalRegister as inadequate. They suggestedthat more frequent notices should bemade and the regulation be changedaccordingly, to provide for publicationeither quarterly or within a few days of a determination. A few commenterssuggested that any determinations

made, or opinions issued, by theSecretary be published on theDepartment’s website within 10 days ora few days of the determination oropinion.

Response: We agree that the proposedprovision for annual publication wasinadequate and have accordinglydeleted it. Subpart B contains noexpress requirement for publication, asthe Department is free to publish itsdeterminations absent such arequirement. It is our intention topublish notice of exceptiondeterminations on a periodic basis inthe Federal Register. We will also

consider other avenues of making suchdecisions publicly available as we moveinto the implementation process.

Comment: A few commenters arguedthat the process for obtaining anexception determination or an advisoryopinion from the Secretary will result ina period of time in which there isconfusion as to whether state or federallaw applies. The proposed regulationssay that the federal provisions willremain effective until the Secretarymakes a determination concerning thepreemption issue. This means that, forexample, a state law that was enacted

and enforced for many years will bepreempted by federal law for the periodof time during which it takes theSecretary to make a determination. Thenif the Secretary determines that the statelaw is not preempted, the state law willagain become effective. Such situationswill result in confusion and unintendedviolations of the law. One of thecommenters suggested that requests forexceptions be required only when achallenge is brought against a particularstate law, and that a presumption of validity should lie with state laws.

Another commenter, however, urgedthat ‘‘instead of the presumption of preemption, the state laws in questionwould be presumed to be subject to theexception unless or until the Secretarymakes a determination to the contrary.’’

Response: It is true that the effect of section 1178(a)(2)(A) is that the federalstandards will preempt contrary state

law and that such preemption will not be removed unless and until theSecretary acts to grant an exceptionunder that section (assuming, of course,that another provision of section 1178does not apply). We do not agree,however, that confusion should result,where the issue is whether a given statelaw has been preempted under section1178(a)(2)(A). Because preemption isautomatic with respect to state laws thatdo not come within the other provisionsof section 1178 (i.e., sections1178(a)(2)(B), 1178(b), and 1178(c)),such state laws are preempted until the

Secretary affirmatively acts to preservethem from preemption by granting anexception under section 1178(a)(2)(A).

We cannot accept the suggestion thata presumption of validity attach to statelaws, and that states not be required torequest exceptions except in verynarrow circumstances. The statutoryscheme is the opposite: The statuteeffects preemption in the section1178(a)(2)(A) context unless theSecretary affirmatively acts to except thecontrary state law in question.

With respect to preemption undersections 1178(b) and 1178(c) (the carve-outs for state public health laws and

state regulation of health plans), we donot agree that preemption is likely to bea major cause of uncertainty. We havedeferred to Congressional intent bycrafting the permissible releases forpublic health, abuse, and oversight

broadly. See, §§164.512(b)—(d) below.Since there must first be a conflict

between a state law and a federalrequirement in order for an issue of preemption to even arise, we think that,as a practical matter, few preemptionquestions should arise with respect tosections 1178(b) and 1178(c).

With respect to preemption of state

privacy laws under section1178(a)(2)(B), however, we agree thatthe situation may be more difficult toascertain, because the Secretary doesnot determine the preemption status of a state law under that section, unlike thesituation with respect to section1178(a)(2)(A). We have tried to definethe term ‘‘more stringent’’ to identifyand particularize the factors to beconsidered by courts to those relevant toprivacy interests. The more specific(than the statute) definition of this termat § 160.202 below should provide some

guidance in making the determinationas to which law prevails. Ambiguity inthe state of the law might also be a factorto be taken into account in determiningwhether a penalty should be applied.

Comment: Several commentsrecommended that exceptiondeterminations or advisory opinionsencompass a state act or code in its

entirety (in lieu of a provision-specificevaluation) if it is considered morestringent as a whole than the regulation.It was argued that since the provisionsof a given law are typicallyinterconnected and related, adopting oroverriding them on a provision-by-provision basis would result indistortions and/or unintendedconsequences or loopholes. Forexample, when a state law includesauthorization provisions, some of whichare consistent with the federalrequirements and some which are not,the cleanest approach is to view the

state law as inconsistent with thefederal requirements and thuspreempted in its entirety. Similarly,another comment suggested that stateconfidentiality laws written to addressthe specific needs of individuals servedwithin a discreet system of care beconsidered as a whole in assessingwhether they are as stringent or morestringent than the federal requirements.Another comment requested explicitclarification that state laws with a

broader scope than the regulation will be viewed as more stringent and beallowed to stand.

Response: We have not adopted the

approach suggested by these comments.As discussed above with respect to thedefinition of the term ‘‘more stringent,’’it is our view that the statute precludesthe approach suggested. We also suggestthat this approach ignores the fact thateach separate provision of law usuallyrepresents a nuanced policy choice to,for example, permit this use or prohibitthat disclosure; the aggregated approachproposed would fail to recognize andweigh such policy choices.

Comment: One commentrecommended that the final rule: permitrequests for exception determinations

and advisory opinions as of the date of publication of the final rule, require theSecretary to notify the requestor withina specified short period of time of alladditional information needed, andprohibit enforcement action until theSecretary issues a response.

Response: With respect to the firstrecommendation, we clarify thatrequests for exception determinationsmay be made at any time; since theprocess for issuing advisory opinionshas not been adopted, thisrecommendation is moot as it pertains





to advisory opinions. With respect tothe second recommendation, we willundertake to process exception requestsas expeditiously as possible, but, for thereasons discussed below in connectionwith the comments relating to settingdeadlines for those determinations, wecannot commit at this time to a‘‘specified short period of time’’ within

which the Secretary may requestadditional information. We see noreason to agree to the thirdrecommendation. Because contrary statelaws for which an exception is availableonly under section 1178(a)(2)(A) will bepreempted by operation of law unlessand until the Secretary acts to grant anexception, there will be an ascertainablecompliance standard for compliancepurposes, and enforcement actionwould be appropriate where suchcompliance did not occur.

Sections 160.203(a) and 160.204(a)—Exception Determinations

Section 160.203(a)—Criteria for Exception Determinations

Comment: Numerous commentscriticized the proposed criteria for theirsubstance or lack thereof. A number of commenters argued that theeffectiveness language that was added tothe third statutory criterion made theexception so massive that it wouldswallow the rule. These commentsgenerally expressed concern that lawsthat were less protective of privacywould be granted exceptions under thislanguage. Other commenters criticized

the criteria generally as creating a largeloophole that would let state laws thatdo not protect privacy trump the federalprivacy standards.

Response: We agree with thesecomments. The scope of the statutorycriteria is ambiguous, but they could beread so broadly as to largely swallow thefederal protections. We do not think thatthis was Congress’s intent. Accordingly,we have added language to most of thestatutory criteria clarifying their scope.With respect to the criteria at1178(a)(2)(A)(i), this clarifying languagegenerally ties the criteria more

specifically to the concern withprotecting and making more efficientthe health care delivery and paymentsystem that underlies theAdministrative Simplificationprovisions of HIPAA, but, with respectto the catch-all provision at section1178(a)(2)(A)(i)(IV), also requires thatprivacy interests be balanced with suchconcerns, to the extent relevant. Werequire that exceptions for rules toensure appropriate state regulation of insurance and health plans be stated ina statute or regulation, so that such

exceptions will be clearly tied tostatements of priorities made bypublicly accountable bodies (e.g.,through the public comment process forregulations, and by elected officialsthrough statutes). With respect to thecriterion at section 1178(a)(2)(A)(ii), wehave further delineated what ‘‘addressescontrolled substances’’ means. The

language provided, which builds onconcepts at 21 U.S.C. 821 and theMedicare regulations at 42 CFR 1001.2,delineates the area within which thegovernment traditionally regulatescontrolled substances, both civilly andcriminally; it is our view that HIPAAwas not intended to displace suchregulation.

Comment: Several commenters urgedthat the request for determination by theSecretary under proposed §160.204(a)

be limited to cases where an exceptionis absolutely necessary, and that inmaking such a determination, the

Secretary should be required to make adetermination that the benefits of granting an exception outweigh thepotential harm and risk of disclosure inviolation of the regulation.

Response: We have not furtherdefined the statutory term ‘‘necessary’’,as requested. We believe that thedetermination of what is ‘‘necessary’’will be fact-specific and contextdependent, and should not be furthercircumscribed absent such specifics.The state will need to make its case thatthe state law in question is sufficiently‘‘necessary’’ to accomplish theparticular statutory ground for

exception that it should trump thecontrary federal standard, requirement,or implementation specification.

Comment: One commenter noted thata state should be required to explainwhether it has taken any action tocorrect any less stringent state law forwhich an exception has been requested.This commenter recommended that asection be added to proposed§ 160.204(a) stating that ‘‘a state mustspecify what, if any, action has beentaken to amend the state law to complywith the federal regulations.’’ Anothercomment, received in the Transactions

rulemaking, took the position thatexception determinations should begranted only if the state standards inquestion exceeded the nationalstandards.

Response: The first and last commentsappear to confuse the ‘‘more stringent’’criterion that applies under section1178(a)(2)(B) of the Act with the criteriathat apply to exceptions under section1178(a)(2)(A). We are also not adoptingthe language suggested by the firstcomment, because we do not agree thatstates should necessarily have to try to

amend their state laws as a preconditionto requesting exceptions under section1178(a)(2)(A). Rather, the questionshould be whether the state has made aconvincing case that the state law inquestion is sufficiently necessary forone of the statutory purposes that itshould trump the contrary federalpolicy.

Comment: One commenter stated thatexceptions for state laws that arecontrary to the federal standards shouldnot be preempted where the state andfederal standards are found to be equal.

Response: This suggestion has not been adopted, as it is not consistentwith the statute. With respect to theadministrative simplification standardsin general, it is clear that the intent of Congress was to preempt contrary statelaws except in the limited areasspecified as exceptions or carve-outs.See, section 1178. This statutoryapproach is consistent with theunderlying goal of simplifying healthcare transactions through the adoptionof uniform national standards. Evenwith respect to state laws relating to theprivacy of medical information, thestatute shields such state laws frompreemption by the federal standardsonly if they are ‘‘more’’ stringent thanthe related federal standard orimplementation specification.

Comment: One commenter noted thatdeterminations would apply only totransactions that are wholly intrastate.Thus, any element of a health caretransaction that would implicate morethan one state’s law would

automatically preclude the Secretary’sevaluation as to whether the laws weremore or less stringent than the federalrequirement. Other commentersexpressed confusion about thisproposed requirement, noting thatproviders and plans operate now in amulti-state environment.

Response: We agree with thecommenters and have dropped theproposed requirement. As noted by thecommenters, health care entities nowtypically operate in a multi-stateenvironment, so already make thechoice of law judgements that are

necessary in multi-state transactions. Itis the result of that calculus that willhave to be weighed against the federalstandards, requirements, andimplementation specifications in thepreemption analysis.

Comment: One comment received inthe Transactions rulemaking suggestedthat the Department should allowexceptions to the standard transactionsto accommodate abbreviatedtransactions between state agencies,such as claims between a public healthdepartment and the state Medicaid





agency. Another comment requested anexception for Home and CommunityBased Waiver Services from thetransactions standards.

Response: The concerns raised bythese comments would seem to be moreproperly addressed through the processestablished for maintaining andmodifying the transactions standards. If

the concerns underlying thesecomments cannot be addressed in thismanner, however, there is nothing inthe rules below to preclude states fromrequesting exceptions in such cases.They will then have to make the casethat one or more grounds for exceptionapplies.

Section 160.204(a)—Process for Exception Determinations—Commentsand Responses

Comment: Several comments receivedin the Transactions rulemaking statedthat the process for applying for andgranting exception determinations(referred to as ‘‘waivers’’ by some)needed to be spelled out in the finalrule.

Response: We agree with thesecomments. As noted above, since noprocess was proposed in theTransactions rulemaking, a process formaking exception determinations wasnot adopted in those final rules. SubpartB below adopts a process for makingexception determinations, whichresponds to these comments.

Comment: Comments stated that theexception process would be

burdensome, unwieldy, and time-

consuming for state agencies as well asthe Department. One comment took theposition that states should not berequired to submit exception requests tothe Department under proposed§ 160.203(a), but could providedocumentation that the state law meetsone of the conditions articulated inproposed § 160.203.

Response: We disagree that theprocess adopted at §164.204 below will

be burdensome, unwieldy, or time-consuming. The only thing theregulation describes is the showings thata requestor must make as part of its

submission, and all are relevant to theissue to be determined by the Secretary.How much information is submitted is,generally speaking, in the requestor’scontrol, and the regulation places norestrictions on how the requestorobtains it, whether by acting directly, byworking with providers and/or plans, or

by working with others. With respect tothe suggestion that states not berequired to submit exception requests,we disagree that this suggestion is eitherstatutorily authorized or advisable. Weread this comment as implicitly

suggesting that the Secretary mustproactively identify instances of conflictand evaluate them. This suggestion is,thus, at bottom the same as the manysuggestions that we create a database orcompendium of controlling law, and itis rejected for the same reasons.

Comment: Several comments urgedthat all state requests for non-

preemption include a process for publicparticipation. These comments believethat members of the public and otherinterested stakeholders should beallowed to submit comments on a state’srequest for exception, and that thesecomments should be reviewed andconsidered by the Secretary indetermining whether the exceptionshould be granted. One commentsuggested that the Secretary at least givenotice to the citizens of the state priorto granting an exception.

Response: The revision to§ 160.204(a), to permit requests for

exception determinations by anyperson, responds to these comments.

Comment: Many commenters notedthat the lack of a clear and reasonabletime line for the Secretary to issue anexception determination would notprovide sufficient assurance that thequestions regarding what rules applywill be resolved in a time frame thatwill allow business to be conductedproperly, and argued that this wouldincrease confusion and uncertaintyabout which statutes and regulationsshould be followed. Timeframes of 60 or90 days were suggested. One group

suggested that, if a state does not receivea response from HHS within 60 days,the waiver should be deemed approved.

Response: The workload prioritizationand management considerationsdiscussed above with respect toadvisory opinions are also relevant hereand make us reluctant to agree to adeadline for making exceptiondeterminations. This is particularly trueat the outset, since we have noexperience with such requests. Wetherefore have no basis for determininghow long processing such requests willtake, how many requests we will need

to process, or what resources will beavailable for such processing. We agreethat states and other requesters shouldreceive timely responses and will makeevery effort to make determinations asexpeditiously as possible, but we cannotcommit to firm deadlines in this initialrule. Once we have experience inhandling exception requests, we willconsult with states and others in regardto their experiences and concerns andtheir suggestions for improving theSecretary’s expeditious handling of suchrequests.

We are not accepting the suggestionthat requests for exception be deemedapproved if not acted upon in somedefined time period. Section1178(a)(2)(A) requires a specificdetermination by the Secretary. Thesuggested policy would not beconsistent with this statutoryrequirement. It is also inadvisable from

a policy standpoint, in that it wouldtend to maximize exceptions. Thiswould be contrary to the underlyingstatutory policy in favor of uniformfederal standards.

Comment: One commenter tookexception to the requirement for statesto seek a determination from theDepartment that a provision of state lawis necessary to prevent fraud and abuseor to ensure appropriate state regulationof insurance plans, contending that thismandate could interfere with theInsurance Commissioners’ ability to dotheir jobs. Another commenter

suggested that the regulationspecifically recognize the broad scope of state insurance department activities,such as market conduct examinations,enforcement investigations, andconsumer complaint handling.

Response: The first comment raises anissue that lies outside our legalauthority to address, as section1178(a)(2)(A) clearly mandates that theSecretary make a determination in theseareas. With respect to the secondcomment, to the extent these concernspertain to health plans, we believe thatthe provisions at §164.512 relating tooversight and disclosures required by

law should address the concernsunderlying this comment.

Section 160.204(a)(4)—Period of Effectiveness of ExceptionDeterminations

Comment: Numerous commentersstated that the proposed three yearlimitation on the effectiveness of exception determinations would posesignificant problems and should belimited to one year, since a one yearlimitation would provide more frequentreview of the necessity for exceptions.The commenters expressed concern that

state laws which provide less privacyprotection than the federal regulationwould be given exceptions by theSecretary and thus argued that theexceptions should be more limited induration or that the Secretary shouldrequire that each request, regardless of duration, include a description of thelength of time such an exception would

be needed.One state government commenter,

however, argued that the 3 year limitshould be eliminated entirely, on theground that requiring a redetermination





every three years would be burdensomefor the states and be a waste of time andresources for all parties. Othercommenters, including two stateagencies, suggested that the exemptionshould remain effective until either thestate law or the federal regulation ischanged. Another commenter suggestedthat the three year sunset be deleted and

that the final rule provide for automaticreview to determine if changes incircumstance or law would necessitateamendment or deletion of the opinion.Other recommendations includeddeeming the state law as continuing ineffect upon the submission of a stateapplication for an exemption rather thanwaiting for a determination by theSecretary that may not occur for asubstantial period of time.

Response: We are persuaded that theproposed 3 year limit on exceptiondeterminations does not make sensewhere neither law providing the basis

for the exception has changed in theinterim. We also agree that where eitherlaw has changed, a previously grantedexception should not continue. Section160.205(a) below addresses theseconcerns.

Sections 160.203(b) and 160.204(b)—Advisory Opinions

Section 160.203(b)—Effect of Advisory Opinions

Comment: Several commentersquestioned whether or not DHHS hasstanding to issue binding advisoryopinions and recommended that theDepartment clarify this issue beforeimplementation of this regulation. Onerespondent suggested that theDepartment clarify in the final rule thelegal issues on which it will opine inadvisory opinion requests, and state thatin responding to requests for advisoryopinions the Department will not opineon the preemptive force of ERISA withrespect to state laws governing theprivacy of individually identifiablehealth information, since interpretationsas to the scope and extent of ERISA’spreemption provisions are outside of theDepartment’s jurisdictional authority.

One commenter asked whether a statecould enforce a state law which theSecretary had indicated through anadvisory opinion is preempted byfederal law. This commenter also askedwhether the state would be subject topenalties if it chose to continue toenforce its own laws.

Response: As discussed above, in partfor reasons raised by these comments,the Department has decided not to havea formal process for issuing advisoryopinions, as proposed.

Several of these concerns, however,raise issues of broader concern that needto be addressed. First, we disagree thatthe Secretary lacks legal authority toopine on whether or not state privacylaws are preempted. The Secretary ischarged by law with determiningcompliance, and where state law andthe federal requirements conflict, a

determination of which law controlswill have to be made in order todetermine whether the federal standard,requirement, or implementationspecification at issue has been violated.Thus, the Secretary cannot carry out herenforcement functions without makingsuch determinations. It is furtherreasonable that, if the Secretary makessuch determinations, she can makethose determinations known, forwhatever persuasive effect they mayhave.

The questions as to whether a statecould enforce, or would be subject to

penalties if it chose to continue toenforce, its own laws following a denial by the Secretary of an exception requestunder §160.203 or a holding by a courtof competent jurisdiction that a stateprivacy law had been preempted by acontrary federal privacy standard raiseseveral issues. First, a state law ispreempted under the Act only to theextent that it applies to covered entities;thus, a state is free to continue toenforce a ‘‘preempted’’ state law againstnon-covered entities to which the statelaw applies. If there is a question of coverage, states may wish to establishprocesses to ascertain which entities

within their borders are covered entitieswithin the meaning of these rules.Second, with respect to covered entities,if a state were to try to enforce apreempted state law against suchentities, it would presumably be actingwithout legal authority in so doing. Wecannot speak to what remedies might beavailable to covered entities to protectthemselves against such wrongful stateaction, but we assume that coveredentities could seek judicial relief, if allelse failed. With respect to the issue of imposing penalties on states, we do notsee this as likely. The only situation that

we can envision in which penaltiesmight be imposed on a state would beif a state agency were itself a coveredentity and followed a preempted statelaw, thereby violating the contraryfederal standard, requirement, orimplementation specification.

Section 160.204(b)—Process for Advisory Opinions

Comment: Several commenters statedthat it was unclear whether a statewould be required to submit a requestfor an advisory opinion in order for the

law to be considered more stringent andthus not preempted. The Departmentshould clarify whether a state law could

be non-preempted even without such anadvisory opinion. Another commenterrequested that the final rule explicitlystate that the stricter rule alwaysapplies, whether it be state or federal,and regardless of whether there is any

conflict between state and federal law.Response: The elimination of the

proposed process for advisory opinionsrenders moot the first question. Also,the preceding response clarifies thatwhich law preempts in the privacycontext (assuming that the state law andfederal requirement are ‘‘contrary’’) is amatter of which one is the ‘‘morestringent.’’ This is not a matter whichthe Secretary will ultimately determine;rather, this is a question about whichthe courts will ultimately make the finaldetermination. With respect to thesecond comment, we believe that

§ 160.203(b) below responds to thisissue, but we would note that the statutealready provides for this.

Comment: Several commenterssupported the decision to limit theparties who may request advisoryopinions to the state. These commentersdid not believe that insurers should beallowed to request an advisory opinionand open every state law up tochallenge and review.

Several commenters requested thatguidance on advisory opinions beprovided in all circumstances, not onlyat the Secretary’s discretion. It was

suggested that proposed§ 160.204(b)(2)(iv) be revised to read asfollows: ‘‘A state may submit a writtenrequest to the Secretary for an advisoryopinion under this paragraph. Therequest must include the followinginformation: the reasons why the statelaw should or should not be preempted

by the federal standard, requirement, orimplementation specification, includinghow the state law meets the criteria at§ 160.203(b).’’

Response: The decision not to have aformal process for issuing advisoryopinions renders these issues moot.

Sections 160.203(c) and 160.203(d)—Statutory Carve-Outs

Comment: Several commenters askedthat the Department provide morespecific examples itemizing activitiestraditionally regulated by the state thatcould constitute ‘‘carve-out’’ exceptions.These commenters also requested thatthe Department include language in theregulation stating that if a state law fallswithin several different exceptions, thestate chooses which determinationexception shall apply.





Response: We are concerned thatitemizing examples in this way couldleave out important state laws or createinadvertent negative implications thatlaws not listed are not included.However, as explained above, we havedesigned the types of activities that arepermissive disclosures for public healthunder §164.512(b) below in part to

come within the carve-out effected bysection 1178(b); while the stateregulatory activities covered by section1178(c) will generally come within§ 164.512(d) below. With respect to thecomments asking that a state get to‘‘choose’’ which exception it comesunder, we have in effect provided forthis with respect to exceptions undersection 1178(a)(2)(A), by giving the statethe right to request an exception underthat section. With respect to exceptionsunder section 1178(a)(2)(B), thoseexceptions occur by operation of law,and it is not within the Secretary’s

power to ‘‘let’’ the state choose whetheran exception occurs under that section.Comment: Several commenters took

the position that the Secretary shouldnot limit the procedural requirements inproposed §160.204(a) to only thoseapplications under proposed§ 160.203(a). They urged that therequirements of proposed §160.204(a)should also apply to preemption undersections 1178(a)(2)(B), 1178(b) and1178(c). It was suggested that the rulesshould provide for exceptiondeterminations with respect to thematters covered by these provisions of the statute; such additional provisions

would provide clear procedures forstates to follow and ensure that requestsfor exceptions are adequatelydocumented.

A slightly different approach wastaken by several commenters, whorecommended that proposed§ 160.204(b) be amended to clarify thatthe Secretary will also issue advisoryopinions as to whether a state lawconstitutes an exception underproposed §§160.203(c) and 160.203(d).This change would, they argued, givestates the same opportunity for guidancethat they have under §160.203(a) and

(b), and as such, avoid costly lawsuitsto preserve state laws.Response: We are not taking either of

the recommended courses of action.With respect to the recommendationthat we expand the exceptiondetermination process to encompassexceptions under sections 1178(a)(2)(B),1178(b), and 1178(c), we do not have theauthority to grant exceptions underthese sections. Under section 1178, theSecretary has authority to makeexception determinations only withrespect to the matters covered by section

1178(a)(2)(A); contrary state lawscoming within section 1178(a)(2)(B) arepreempted if not more stringent, whileif a contrary state law comes withinsection 1178(b) or section 1178(c), it isnot preempted. These latter statutoryprovisions operate by their own terms.Thus, it is not within the Secretary’sauthority to establish the determination

process which these comments seek.With respect to the request seeking

advisory opinions in the section 1178(b)and 1178(c) situations, we agree that wehave the authority to issue suchopinions. However, the considerationsdescribed above that have led us not toadopt a formal process for issuingadvisory opinions in the privacy contextapply with equal force and effect here.

Comment: One commenter arguedthat it would be unnecessarily

burdensome for state health dataagencies (whose focus is on the cost of healthcare or improving Medicare,Medicaid, or the healthcare system) toobtain a specific determination from theDepartment for an exception underproposed §160.203(c). States should berequired only to notify the Secretary of their own determination that suchcollection is necessary. It was alsoargued that cases where the statutorycarve-outs apply should not require aSecretarial determination.

Response: We clarify that noSecretarial determination is required foractivities that fall into one of thestatutory carve-outs. With respect todata collections for state health dataagencies, we note that provision has

been made for many of these activitiesin several provisions of the rules below,such as the provisions relating todisclosures required by law(§ 164.512(a)), disclosures for oversight(§ 164.512(d)), and disclosures forpublic health (§164.512(b)). Somedisclosures for Medicare and Medicaidpurposes may also come within thedefinition of health care operations. Afuller discussion of this issue appears inconnection with §164.512 below.

Constitutional Comments and

ResponsesComment: Several commenters

suggested that as a general matter therule is unconstitutional.

Response: We disagree that the rule isunconstitutional. The particulargrounds for this conclusion are set outwith respect to particular constitutionalissues in the responses below. Withrespect to the comments that simplymade this general assertion, the lack of detail of the comments makes asubstantive response impossible.

Article II

Comment: One commenter contendedthat the Secretary improperly delegatedauthority to private entities by requiringcovered entities to enter into contractswith, monitor, and take action forviolations of the contract against their

business partners. These comments

assert that the selection of these entitiesto ‘‘enforce’’ the regulations violates theExecutive Powers Clause and theAppointments and Take Care Clauses.

Response: We reject the assertion thatthe business associate provisionsconstitute an improper delegation of executive power to private entities.HIPAA provides HHS with authority toenforce the regulation against coveredentities. The rules below regulate onlythe conduct of the covered entity; to theextent a covered entity chooses toconduct its funding through a businessassociate, those functions are stillfunctions of the covered entity. Thus, no

improper delegation has occurred because what is being regulated are theactions of the covered entity, not theactions of the business associate in itsindependent capacity.

We also reject the suggestion that the business associates provisionsconstitute an improper appointment of covered entities to enforce theregulation and violate the Take CareClause. Because the Secretary has notdelegated authority to covered entities,the inference that she has appointedcovered entities to exercise suchauthority misses the mark.

Commerce Clause

Comment: A few commenterssuggested that the privacy regulationregulates activities that are not ininterstate commerce and which are,therefore, beyond the powers the U.S.Constitution gives the federalgovernment.

Response: We disagree. Health careproviders, health plans, and health careclearinghouses are engaged in economicand commercial activities, including theexchange of individually identifiablehealth information electronically across

state lines. These activities constituteinterstate commerce. Therefore, theycome within the scope of Congress’power to regulate interstate commerce.

Nondelegation Doctrine

Comment: Some commenters objectedto the manner by which Congressprovided the Secretary authority topromulgate this regulation. Thesecomments asserted that Congressviolated the nondelegation doctrine by(1) not providing an ‘‘intelligibleprinciple’’ to guide the agency, (2) not





tightly regulated businesses in thecountry. Because the industry has suchan extensive history of governmentoversight and involvement, thoseoperating within it have no reasonableexpectation of privacy from thegovernment such that a warrant would

be required to determine compliancewith the rules.

In addition, the cases cited by thecommenters concern unannouncedsearches of the premises and facilities of particular entities. Because ourenforcement provisions only provide forthe review of books, records, and otherinformation and only during normal

business hours with notice, except forexceptional situations, this case lawdoes not apply.

As for business associates, theyvoluntarily enter into their agreementswith covered entities. This agreement,therefore, functions as knowing andvoluntary consents to the search (even

assuming it could be understood to bea search) and obviates the need for awarrant.

Fifth Amendment

Comment: Several comments assertedthat the proposed rules violated theFifth Amendment because in thecommenters’ views they authorized thetaking of privacy property without justcompensation or due process of law.

Response: We disagree. The rules setforth below do not address the issue of who owns an individual’s medicalrecord. Instead, they address what uses

and disclosures of protected healthinformation may be made by coveredentities with or without a consent orauthorization. As described in responseto a similar comment, medical recordshave been the property of the healthcare provider or medical facility thatcreated them, historically. In somestates, statutes directly provide theseentities with ownership. These laws arelimited by laws that provide patients ortheir representatives with access to therecords or that provide the patient withan ownership interest in the informationwithin the records. As we discuss, the

final rule is consistent with current statelaw that provides patients access toprotected health information, but notownership of medical records. Statelaws that provide patients with greateraccess would remain in effect.Therefore, because patients do not owntheir records, no taking can occur. Asfor their interest in the information, thefinal rule retains their rights. As forcovered entities, the final rule does nottake away their ownership rights ormake their ownership interest in theprotected health information worthless.

Therefore, no taking has occurred inthese situations either.

Ninth and Tenth Amendments

Comment: Several comments assertedthat the proposed rules violated theNinth and Tenth Amendments. Onecommenter suggested that the NinthAmendment prohibits long and

complicated regulations. Othercommenters suggested that the proposedrules authorized the compelleddisclosure of individually identifiablehealth information in violation of Stateconstitutional provisions, such as thosein California and Florida. Similarly, acouple of commenters asserted that theprivacy rules violate the TenthAmendment.

Response: We disagree. The Ninthand Tenth Amendments address therights retained by the people andacknowledge that the States or thepeople are reserved the powers notdelegated to the federal government andnot otherwise prohibited by theConstitution. Because HHS is regulatingunder a delegation of authority fromCongress in an area that affectsinterstate commerce, we are within thepowers provided to Congress in theConstitution. Nothing in the NinthAmendment, or any other provision of the Constitution, restricts the length orcomplexity of any law. Additionally, wedo not believe the rules belowimpermissibly authorize behavior thatviolates State constitutions. This rulerequires disclosure only to theindividual or to the Secretary to enforce

this rule. As noted in the preamblediscussion of ‘‘Preemption,’’ these rulesdo not preempt State laws, includingconstitutional provisions, that arecontrary to and more stringent, asdefined at §160.502, than these rules.See the discussion of ‘‘Preemption’’ forfurther clarification. Therefore, if theseState constitutions are contrary to therule below and provide greaterprotection, they remain in full force; if they do not, they are preempted, inaccordance with the Supremacy Clauseof the Constitution.

Right to Privacy

Comment: Several commentssuggested that the proposed regulationwould violate the right to privacyguaranteed by the First, Fourth, Fifth,and Ninth Amendments because itwould permit covered entities todisclose protected health informationwithout the consent of the individual.

Response: These comments did notprovide specific facts or legal basis forthe claims. We are, thus, unable toprovide a substantive response to theseparticular comments. However, we note

that the rule requires disclosures only tothe individual or to the Secretary todetermine compliance with this rule.Other uses or disclosures under this ruleare permissive, not required. Therefore,if a particular use or disclosure underthis rule is viewed as interfering with aright that prohibited the use ordisclosure, the rule itself is not what

requires the use or disclosure.Void for Vagueness

Comment: One comment suggestedthat the Secretary’s use of a‘‘reasonableness’’ standard isunconstitutionally vague. Specifically,this comment objected to therequirement that covered entities use‘‘reasonable’’ efforts to use or disclosethe minimum amount of protectedhealth information, to ensure that

business partners comply with theprivacy provisions of their contracts, tonotify business partners of anyamendments or corrections to protectedhealth information, and to verify theidentity of individuals requestinginformation, as well as charge only a‘‘reasonable’’ fee for inspecting andcopying health information. Thiscomment asserted that the Secretaryprovided ‘‘inadequate guidance’’ as towhat qualifies as ‘‘reasonable.’’

Response: We disagree with thecomment’s suggestion that by applyinga ‘‘reasonableness’’ standard, theregulation has failed to provide for ‘‘fairwarning’’ or ‘‘fair enforcement.’’ The‘‘reasonableness’’ standard is well-established in law; for example, it is the

foundation of the common law of torts.Courts also have consistently held asconstitutional statutes that rely upon a‘‘reasonableness’’ standard. Our relianceupon a ‘‘reasonableness’’ standard, thus,provides covered entities withconstitutionally sufficient guidance.

Criminal Intent

Comment: One comment argued thatthe regulation’s reliance upon a‘‘reasonableness’’ standard criminalizes‘‘unreasonable efforts’’ withoutrequiring criminal intent or mens rea.

Response: We reject this suggestion

because HIPAA clearly provides thecriminal intent requirement.Specifically, HIPPA provides that a‘‘person who knowingly and inviolation of this part—(1) uses or causesto be used a unique health identifier; (2)obtains individually identifiable healthinformation relating to an individual; or(3) discloses individually identifiablehealth information to another person,shall be punished as provided insubsection (b).’’ HIPAA section 1177(emphasis added). Subsection (b) alsorelies on a knowledge standard in





outlining the three levels of criminalsanctions. Thus, Congress, not theSecretary, established the mens rea byincluding the term ‘‘knowingly’’ in thecriminal penalty provisions of HIPAA.

Data Collection

Comment: One commenter suggestedthat the U.S. Constitution authorized the

collection of data on individuals onlyfor the purpose of the census.

Response: While it might be true thatthe U.S. Constitution expresslydiscusses the national census, it doesnot forbid federal agencies fromcollecting data for other purposes. Theability of agencies to collect non-censusdata has been upheld by the courts.

Relationship to Other Federal Laws

Comment: We received severalcomments that sought clarification of the interaction of various federal lawsand the privacy regulation. Many of these comments simply listed federal

laws and regulations with which thecommenter currently must comply. Forexample, commenters noted that theymust comply with regulations relatingto safety, public health, and civil rights,including Medicare and Medicaid, theAmericans with Disabilities Act, theFamily and Medical Leave Act, theFederal Aviation Administrationregulations, the Department of Transportation regulations, the FederalHighway Administration regulations,the Occupational Safety and HealthAdministration regulations, and theEnvironmental Protection Agency

regulations, and alcohol and drug freeworkplace rules. These commenterssuggested that the regulation stateclearly and unequivocally that uses ordisclosures of protected healthinformation for these purposes werepermissible. Some suggested modifyingthe definition of health care operationsto include these uses specifically.Another suggestion was to add a sectionthat permitted the transmission of protected health information toemployers when reasonably necessaryto comply with federal, state, ormunicipal laws and regulations, or

when necessary for public or employeesafety and health.Response: Although we sympathize

with entities’ needs to evaluate theexisting laws with which they mustcomply in light of the requirements of the final regulation, we are unable torespond substantially to comments thatdo not pose specific questions. We offer,however, the following guidance: if ancovered entity is required to discloseprotected health information pursuantto a specific statutory or regulatoryscheme, the covered entity generally

will be permitted under §164.512(a) tomake these disclosures without aconsent or authorization; if, however, astatute or regulation merely suggests adisclosure, the covered entity will needto determine if the disclosure comeswithin another category of permissibledisclosure under §§164.510 or 164.512or, alternatively, if the disclosure would

otherwise come within §164.502. If not,the entity will need to obtain a consentor authorization for the disclosure.

Comment: One commenter soughtclarification as to when a disclosure isconsidered to be ‘‘required’’ by anotherlaw versus ‘‘permitted’’ by that law.

Responses: We use these termsaccording to their common usage. By‘‘required by law,’’ we mean that acovered entity has a legal obligation todisclose the information. For example, if a statute states that a covered entitymust report the names of all individualspresenting with gun shot wounds to theemergency room or else be fined $500for each violation, a covered entitywould be required by law to disclose theprotected health information necessaryto comply with this mandate. Theprivacy regulation permits this type of disclosure, but does not require it.Therefore, if a covered entity chose notto comply with the reporting statute itwould violate only the reporting statuteand not the privacy regulation.

On the other hand, if a statute statedthat a covered entity may or is permittedto report the names of all individualspresenting with gun shot wounds to theemergency room and, in turn, would

receive $500 for each month it madethese reports, a covered entity wouldnot be permitted by §164.512(a) todisclose the protected healthinformation. Of course, if anotherpermissible provision applied to thesefacts, the covered entity could make thedisclosure under that provision, but itwould not be considered to be adisclosure. See discussion under§ 164.512(a) below.

Comment: Several commenterssuggested that the proposed rule wasunnecessarily duplicative of existingregulations for federal programs, such as

Medicare, Medicaid, and the FederalEmployee Health Benefit Program.Response: Congress specifically

subjected certain federal programs,including Medicare, Medicaid, and theFederal Employee Health BenefitProgram to the privacy regulation byincluding them within the definition of ‘‘health plan.’’ Therefore, coveredentities subject to requirements of existing federal programs will also haveto comply with the privacy regulation.

Comment: One comment asserts thatthe regulation would not affect current

federal requirements if the currentrequirements are weaker than therequirements of the privacy regulation.This same commenter suggested thatcurrent federal requirements will trump

both state law and the proposedregulation, even if Medicaidtransactions remain wholly intrastate.

Response: We disagree. As noted in

our discussion of ‘‘Relationship to OtherFederal Laws,’’ each law or regulationwill need to be evaluated individually.We similarly disagree with the secondassertion made by the commenter. Thefinal rule will preempt state laws onlyin specific instances. For a moredetailed analysis, see the preamblediscussion of ‘‘Preemption.’’

Administrative Subpoenas

Comment: One comment stated thatthe final rule should not impose newstandards on administrative subpoenasthat would conflict with existing laws oradministrative or judicial rules thatestablish standards for issuingsubpoenas. Nor should the final ruleconflict with established standards forthe conduct of administrative, civil, orcriminal proceedings, including therules regarding the discovery of evidence. Other comments soughtfurther restrictions on access toprotected health information in thiscontext.

Response: Section 164.512(e) belowaddresses disclosures for judicial andadministrative proceedings. The finalrules generally do not interfere withthese existing processes to the extent an

individual served with a subpoena,court order, or other similar process isable to raise objections alreadyavailable. See the discussion belowunder §164.512(e) for a fuller response.

Americans with Disabilities Act

Comment: Several commentsdiscussed the intersection between theproposed Privacy Rule and theAmericans with Disabilities Act(‘‘ADA’’) and sections 503 and 504 of the Rehabilitation Act of 1973. Onecomment suggested that the final ruleexplicitly allows disclosures authorized

by the Americans with Disabilities Actwithout an individual’s authorization, because this law, in the commenter’sview, provides more than adequateprotection for the confidentiality of medical records in the employmentcontext. The comment noted that underthese laws employers may receiveinformation related to fitness for duty,pre-employment physicals, routineexaminations, return to workexaminations, examinations followingother types of absences, examinationstriggered by specific events, changes in





circumstances, requests for reasonableaccommodations, leave requests,employee wellness programs, andmedical monitoring.

Other commenters suggested that theADA requires the disclosure of protected health information toemployers so that the employee maytake advantage of the protections of

these laws. They suggested that the finalrules clarify that employment may beconditioned on obtaining anauthorization for disclosure of protectedhealth information for lawful purposesand provide guidance concerning theinteraction of the ADA with the finalregulation’s requirements. Severalcommenters wanted clarification thatthe privacy regulation would not permitemployers to request or use protectedhealth information in violation of theADA.

Response: We disagree with thecomment that the final rule shouldallow disclosures of protected healthinformation authorized by the ADAwithout the individual’s authorization.We learned from the comments thataccess to and use of protected healthinformation by employers is of particular concern to many people. Withregard to employers, we do not havestatutory authority to regulate them.Therefore, it is beyond the scope of thisregulation to prohibit employers fromrequesting or obtaining protected healthinformation. Covered entities maydisclose protected health informationabout individuals who are members of an employer’s workforce with an

authorization. Nothing in the privacyregulation prohibits employers fromobtaining that authorization as acondition of employment. We note,however, that employers must complywith other laws that govern them, suchas nondiscrimination laws. Forexample, if an employer receives arequest for a reasonableaccommodation, the employer mayrequire reasonable documentation aboutthe employee’s disability and thefunctional limitations that require thereasonable accommodation, if thedisability and the limitations are not

obvious. If the individual providesinsufficient documentation and does notprovide the missing information in atimely manner after the employer’ssubsequent request, the employer mayrequire the individual to go to anappropriate health professional of theemployer’s choice. In this situation, theemployee does not authorize thedisclosure of information to substantiatethe disability and the need forreasonable accommodation, theemployer need not provide theaccommodation.

We agree that this rule does notpermit employers to request or useprotected health information inviolation of the ADA or otherantidiscrimination laws.

Appropriations Laws

Comment: One comment suggestedthat the penalty provisions of HIPAA, if

extended to the privacy regulation,would require the Secretary to violate‘‘Appropriations Laws’’ because theSecretary could be in the position of assessing penalties against her own andother federal agencies in their roles ascovered entities. Enforcing penalties onthese entities would require the transferof agency funds to the General Fund.

Response: We disagree. Although weanticipate achieving voluntarycompliance and resolving any disputesprior to the actual assessment of penalties, the Department of Justice’sOffice of Legal Counsel has determined

in similar situations that federalagencies have authority to assesspenalties against other federal agenciesand that doing so is not in violation of the Anti-Deficiency Act, 31 U.S.C. 1341.

Balanced Budget Act of 1997

Comment: One comment expressedconcern that the regulation would placetremendous burdens on providersalready struggling with the effects of theBalanced Budget Act of 1997.

Response: We appreciate the costscovered entities face when complyingwith other statutory and regulatoryrequirements, such as the Balanced

Budget Act of 1997. However, HHScannot address the impact of theBalanced Budget Act or other statutes inthe context of this regulation.

Comment: Another comment statedthat the regulation is in direct conflictwith the Balanced Budget Act of 1997(‘‘BBA’’). The comment asserts that theregulation’s compliance date conflictswith the BBA, as well as GenerallyAcceptable Accounting Principles.According to the comment, coveredentities that made capital acquisitions toensure compliance with the year 2000(‘‘Y2K’’) problem would not be able to

account for the full depreciation of thesesystems until 2005. Because HIPAArequires compliance before that time,the regulation would force prematureobsolescence of this equipment becausewhile it is Y2K compliant, it may beHIPAA non-compliant.

Response: This comment raises twodistinct issues—(1) the investment innew equipment and (2) the compliancedate. With regard to the first issue, wereject the comment’s assertion that theregulation requires covered entities topurchase new information systems or

information technology equipment, butrealize that some covered entities mayneed to update their equipment. Wehave tried to minimize the costs, whileresponding appropriately to Congress’mandate for privacy rules. We havedealt with the cost issues in detail in the‘‘Regulatory Impact Analysis’’ section of this Preamble. With regard to the second

issue, Congress, not the Secretary,established the compliance data atsection 1175(b) of the Act.

Civil Rights of Institutionalized PersonsAct

Comment: A few comments expressedconcern that the privacy regulationwould inadvertently hinder theDepartment of Justice Civil RightsDivisions’ investigations under the CivilRights of Institutionalized Persons Act(‘‘CRIPA’’). These comments suggestedclearly including civil rightsenforcement activities as health careoversight.

Response: We agree with thiscomment. We do not intend for theprivacy rules to hinder CRIPAinvestigations. Thus, the final ruleincludes agencies that are authorized bylaw to ‘‘enforce civil rights laws forwhich health information is relevant’’ inthe definition of ‘‘health oversightagency’’ at §164.501. Covered entitiesare permitted to disclose protectedhealth information to health oversightagencies under §164.512(d) without anauthorization. Therefore, we do not

believe the final rule should hinder theDepartment of Justice’s ability to

conduct investigations pursuant to itsauthority in CRIPA.

Clinical Laboratory Improvement Amendments

Comment: One comment expressedconcern that the proposed definition of health care operations did not includeactivities related to the quality controlclinical studies performed bylaboratories to demonstrate the qualityof patient test results. Because theClinical Laboratory ImprovementAmendments of 1988 (‘‘CLIA’’) requiresthese studies that the comment asserted

require the use of protected healthinformation, the comment suggestedincluding this specific activity in thedefinition of ‘‘health care operations.’’

Response: We do not intend for theprivacy regulation to impede the abilityof laboratories to comply with therequirements of CLIA. Quality controlactivities come within the definition of ‘‘health care operations’’ in § 164.501

because they come within the meaningof the term ‘‘quality assuranceactivities.’’ To the extent they would notcome within health care operations, but





are required by CLIA, the privacyregulation permits clinical laboratoriesthat are regulated by CLIA to complywith mandatory uses and disclosures of protected health information pursuantto § 164.512(a).

Comment: One comment stated thatthe proposed regulation’s right of accessfor inspection and copying provisions

were contrary to CLIA in that CLIApermits laboratories to disclose lab testresults only to ‘‘authorized persons.’’This comment suggested that the finalrule include language adopting thisrestriction to ensure that patients notobtain laboratory test results before theappropriate health care provider hasreviewed and explained those results tothe patients.

A similar comment stated that thelack of preemption of state laws couldcreate problems for clinical laboratoriesunder CLIA. Specifically, this commentnoted that CLIA permits clinical

laboratories to perform tests only uponthe written or electronic request of, andto provide the results to, an ‘‘authorizedperson.’’ State laws define who is an‘‘authorized person.’’ The commentexpressed concern as to whether theregulation would preempt state lawsthat only permit physicians to receivetest results.

Response: We agree that CLIAcontrols in these cases. Therefore, wehave amended the right of access,§ 164.524(a), so that a covered entitythat is subject to CLIA does not have toprovide access to the individual to theextent such access would be prohibited

by law. Because of this change, we believe the preemption concern is moot.

Controlled Substance Act

Comment: One comment expressedconcern that the privacy regulation asproposed would restrict the DrugEnforcement Agency’s (‘‘the DEA’’)enforcement of the ControlledSubstances Act (‘‘CSA’’). The commentsuggested including enforcementactivities in the definition of ‘‘healthoversight agency.’’

Response: In our view, the privacyregulation should not impede the DEA’s

ability to enforce the CSA. First, to theextent the CSA requires disclosures tothe DEA, these disclosures would bepermissible under § 164.512(a). Second,some of the DEA’s CSA activities comewithin the exception for healthoversight agencies which permitsdisclosures to health oversight agenciesfor:

Activities authorized by law, includingaudits; civil, administrative, or criminalinvestigations; inspections * * * civil,administrative, or criminal proceedings oractions; and other activity necessary for

appropriate oversight of the health caresystem.

Therefore, to the extent the DEA isenforcing the CSA, disclosures to it inits capacity as a health oversight agencyare permissible under §164.512(d).Alternatively, CSA required disclosuresto the DEA for law enforcementpurposes are permitted under§ 164.512(f). When acting as a lawenforcement agency under the CSA, theDEA may obtain the informationpursuant to §164.512(f). Thus, we donot agree that the privacy regulationwill impede the DEA’s enforcement of the CSA. See the preamble discussion of § 164.512 for further explanation.

Comment: One commenter suggestedclarifying the provisions allowingdisclosures that are ‘‘required by law’’ toensure that the mandatory reportingrequirements the CSA imposes oncovered entities, including makingavailable reports, inventories, and

records of transactions, are notpreempted by the regulation.

Response: We agree that the privacyregulation does not alter coveredentities’ obligations under the CSA.Because the CSA requires coveredentities manufacturing, distributing,and/or dispensing controlled substancesto maintain and provide to the DEAspecific records and reports, the privacyregulation permits these disclosuresunder §164.512(a). In addition, whenthe DEA seeks documents to determinean entity’s compliance with the CSA,such disclosures are permitted under

§ 164.512(d).Comment: The same commenterexpressed concern that the proposedprivacy regulation inappropriatelylimits voluntary reporting and wouldprevent or deter employees of coveredentities from providing the DEA withinformation about violations of the CSA.

Response: We agree with the generalconcerns expressed in this comment.We do not believe the privacy rules willlimit voluntary reporting of violations of the CSA. The CSA requires certainentities to maintain several types of records that may include protected

health information. Although reportsthat included protected healthinformation may be restricted underthese rules, reporting the fact that anentity is not maintaining proper reportsis not. If it were necessary to obtainprotected health information during theinvestigatory stages following such avoluntary report, the DEA would be ableto obtain the information in other ways,such as by following the administrativeprocedures outlined in §164.512(e).

We also agree that employees of covered entities who report violations of

the CSA should not be subjected toretaliation by their employers. Under§ 164.502(j), we specifically state that acovered entity is not considered to haveviolated the regulation if a workforcemember or business associate in goodfaith reports violations of laws orprofessional standards by coveredentities to appropriate authorities. See

discussion of § 164.502(j) below.Department of Transportation

Comment: Several commenters statedthat the Secretary should recognize inthe preamble that it is permissible foremployers to condition employment onan individual’s delivering a consent tocertain medical tests and/orexaminations, such as drug-freeworkplace programs and Department of Transportation (‘‘DOT’’)-requiredphysical examinations. These commentsalso suggested that employers should beable to receive certain information, suchas pass/fail test and examination results,fitness-to-work assessments, and otherlegally required or permissible physicalassessments without obtaining anauthorization. To achieve this goal,these comments suggested defining‘‘health information’’ to excludeinformation such as information abouthow much weight a specific employeecan lift.

Response: We reject the suggestion todefine ‘‘health information,’’ whichCongress defined in HIPAA, so that itexcludes individually identifiablehealth information that may be relevantto employers for these types of

examinations and programs. We do notregulate employers. Nothing in the rulesprohibit employers from conditioningemployment on an individual signingthe appropriate consent orauthorization. By the same token,however, the rules below do not relieveemployers from their obligations underthe ADA and other laws that restrict thedisclosure of individually identifiablehealth information.

Comment: One commenter assertedthat the proposed regulation conflictswith the DOT guidelines regardingpositive alcohol and drug tests that

require the employer be notified inwriting of the results. This documentcontains protected health information.In addition, the treatment center recordsmust be provided to the SubstanceAbuse Professional (‘‘SAP’’) and theemployer must receive a report fromSAP with random drug testingrecommendations.

Response: It is our understanding thatDOT requires drug testing of allapplicants for employment in safety-sensitive positions or individuals beingtransferred to such positions.





Employers, pursuant to DOTregulations, may condition anemployee’s employment or positionupon first obtaining an authorization forthe disclosure of results of these tests tothe employer. Therefore, we do not

believe the final rules conflict with theDOT requirements, which do notprohibit obtaining authorizations before

such information is disclosed toemployers.

Developmental Disabilities Act

Comment: One commenter urged HHSto ensure that the regulation would notimpede access to individuallyidentifiable health information toentities that are part of the Protectionand Advocacy System to investigateabuse and neglect as authorized by theDevelopmental Disabilities Bill of RightsAct.

Response: The DevelopmentalDisabilities Assistance and Bill of Rights

Act of 2000 (‘‘DD Act’’) mandatesspecific disclosures of individuallyidentifiable health information toProtection and Advocacy systemsdesignated by the chief elected officialof the states and Territories. Therefore,covered entities may make thesedisclosures under §164.512(a) withoutfirst obtaining an individual’sauthorization, except in thosecircumstances in which the DD Actrequires the individual’s authorization.Therefore, the rules below will notimpede the functioning of the existingProtection and Advocacy System.

Employee Retirement Income Security Act of 1974

Comment: Several commentersobjected to the fact that the NPRM didnot clarify the scope of preemption of state laws under the EmployeeRetirement Income Security Act of 1974(ERISA). These commenters assertedthat the final rule must state that ERISApreempts all state laws (including thoserelating to the privacy of individuallyidentifiable health information) so thatmultistate employers could continue toadminister their group health plansusing a single set of rules. In contrast,other commenters criticized theDepartment for its analysis of thecurrent principles governing ERISApreemption of state law, pointing outthat the Department has no authority tointerpret ERISA.

Response: This Department has noauthority to issue regulations underERISA as requested by some of thesecommenters, so the rule below does notcontain the statement requested. See thediscussion of this point under‘‘Preemption’’ above.

Comment: One commenter requestedthat the final rule clarify that section264(c)(2) of HIPAA does not save statelaws that would otherwise bepreempted by the Federal EmployeesHealth Benefits Program. Thecommenter noted that in the NPRM thisstatement was made with respect toMedicare and ERISA, but not the law

governing the FEHBP.Response: We agree with this

comment. The preemption analysis setout above with respect to ERISA appliesequally to the Federal Employees HealthBenefit Program.

Comment: One commenter noted thatthe final rule should clarify theinterplay between state law, thepreemption standards in Subtitle A of Title I of HIPAA (Health Care Access,Portability and Renewability), and thepreemption standards in the privacyrequirements in Subtitle F of Title II of HIPAA (Administrative Simplification).

Response: The NPRM described onlythe preemption standards that applywith respect to the statutory provisionsof HIPAA that were implemented by theproposed rule. We agree that thepreemption standards in Subtitle A of Title I of HIPAA are different. Congressexpressly provided that the preemptionprovisions of Title I apply only to Part7, which addresses portability, access,and renewability requirements forGroup Health Plans. To the extent statelaws contain provisions regardingportability, access, or renewability, aswell as privacy requirements, a coveredentity will need to evaluate the privacy

provisions under the Title II preemptionprovisions, as explained in thepreemption provisions of the rules, andthe other provisions under the Title Ipreemption requirements.

European Union Privacy Directive and U.S. Safe Harbors

Comment: Several comments statedthat the privacy regulation should beconsistent with the European Union’sDirective on Data Protection. Otherssought guidance as to how to complywith both the E.U. Directive on DataProtection and the U.S. Safe Harbor

Privacy Principles.Response: We appreciate the need forcovered entities obtaining personal datafrom the European Union to understandhow the privacy regulation intersectswith the Data Protection Directive. Wehave provided guidance as to thisinteraction in the ‘‘Other Federal Laws’’provisions of the preamble.

Comment: A few comments expressedconcern that the proposed definition of ‘‘individual’’ excluded foreign militaryand diplomatic personnel and theirdependents, as well as overseas foreign

national beneficiaries. They noted thatthe distinctions are based on nationalityand are inconsistent with the stance of the E.U. Directive on Data Protectionand the Department of Commerce’sassurances to the EuropeanCommission.

Response: We agree with the generalprinciple that privacy protections

should protect every person, regardlessof nationality. As noted in thediscussion of the definition of ‘‘individual,’’ the final regulation’sdefinition does not exclude foreignmilitary and diplomatic personnel, theirdependents, or overseas foreign national

beneficiaries from the definition of individual. As described in thediscussion of §164.512 below, the finalrule applies to foreign diplomaticpersonnel and their dependents like allother individuals. Foreign militarypersonnel receive the same treatmentunder the final rule as U.S. military

personnel do, as discussed with regardto §164.512 below. Overseas foreignnational beneficiaries to the extent theyreceive care for the Department of Defense or a source acting on behalf of the Department of Defense remaingenerally excluded from the final rulesprotections. For a more detailedexplanation, see §164.500.

Fair Credit Reporting Act

Comment: A few commentersrequested that we exclude informationmaintained, used, or disclosed pursuantto the Fair Credit Reporting Act(‘‘FCRA’’) from the requirements of the

privacy regulation. These commentersnoted that the protection in the privacyregulation duplicate those in the FCRA.

Response: Although we realize thatsome overlap between FCRA and theprivacy rules may exist, we have chosennot to remove information that maycome within the purview of FCRA fromthe scope of our rules because FCRA’sfocus is not the same as ourCongressional mandate to protectindividually identifiable healthinformation.

To the extent a covered entity seeksto engage in collection activities or other

payment-related activities, it may do sopursuant to the requirements of this rulerelated to payment. See discussion of §§ 164.501 and 164.502 below.

We understand that some coveredentities may be part of, or containcomponents that are, entities whichmeet the definition of ‘‘consumerreporting agencies.’’ As such, theseentities are subject to the FCRA. Asdescribed in the preamble to § 164.504,covered entities must designate whatparts of their organizations will betreated as covered entities for the





purpose of these privacy rules. Thecovered entity component will need tocomply with these rules, while thecomponents that are consumer reportingagencies will need to comply withFCRA.

Comment: One comment suggestedthat the privacy regulation wouldconflict with the FCRA if the

regulation’s requirement applied toinformation disclosed to consumerreporting agencies.

Response: To the extent a coveredentity is required to disclose protectedhealth information to a consumerreporting agency, it may do so under§ 164.512(a). See also discussion underthe definition of ‘‘payment’’ below.

Fair Debt Collection and Practices Act

Comment: Several commentsexpressed concern that health plans andhealth care providers be able tocontinue using debt collectors incompliance with the Fair DebtCollections Practices Act and relatedlaws.

Response: In our view, health plansand health care providers will be able tocontinue using debt collectors. Usingthe services of a debt collector to obtainpayment for the provision of health carecomes within the definition of ‘‘payment’’ and is permitted under theregulation. Thus, so long as the use of debt collectors is consistent with theregulatory requirements (such as,providers obtain the proper consents,the disclosure is of the minimumamount of information necessary to

collect the debt, the provider or healthplan enter into a business associateagreement with the debt collector, etc.),relying upon debt collectors to obtainreimbursement for the provision of health care would not be prohibited bythe regulation.

Family Medical Leave Act

Comment: One comment suggestedthat the proposed regulation adverselyaffects the ability of an employer todetermine an employee’s entitlement toleave under the Family Medical LeaveAct (‘‘FMLA’’) by affecting the

employer’s right to receive medicalcertification of the need for leave,additional certifications, and fitness forduty certification at the end of the leave.The commenter sought clarification asto whether a provider could discloseinformation to an employer without firstobtaining an individual’s consent orauthorization. Another commentersuggested that the final rule explicitlyexclude from the rule disclosuresauthorized by the FMLA, because, in thecommenter’s view, it provides morethan adequate protection for the

confidentiality of medical records in theemployment context.

Response: We disagree that the FMLAprovides adequate privacy protectionsfor individually identifiable healthinformation. As we understand theFMLA, the need for employers to obtainprotected health information under thestatute is analogous to the employer’s

need for protected health informationunder the ADA. In both situations,employers may need protected healthinformation to fulfill their obligationsunder these statutes, but neither statuterequires covered entities to provide theinformation directly to the employer.Thus, covered entities in thesecircumstances will need an individual’sauthorizations before the disclosure ismade to the employer.

Federal Common Law

Comment: One commenter did notwant the privacy rules to interfere withthe federal common law governingcollective bargaining agreementspermitting employers to insist on thecooperation of employees with medicalfitness evaluations.

Response: We do not seek to interferewith legal medical fitness evaluations.These rules require a covered entity tohave an individual’s authorization

before the information resulting fromsuch evaluations is disclosed to theemployer unless another provision of the rule applies. We do not prohibitemployers from conditioningemployment, accommodations, or other

benefits, when legally permitted to do

so, upon the individual/employeeproviding an authorization that wouldpermit the disclosure of protectedhealth information to employers bycovered entities. See §164.508(b)(4)

below.

Federal Educational Rights and Privacy Act

Comment: A few commenterssupported the exclusion of ‘‘educationrecords’’ from the definition of ‘‘protected health information.’’However, one commenter requested that‘‘treatment records’’ of students who are

18 years or older attending post-secondary education institutions beexcluded from the definition of ‘‘protected health information’’ as wellto avoid confusion.

Response: We agree with thesecommenters. See ‘‘Relationship to OtherFederal Laws’’ for a description of ourexclusion of FERPA ‘‘educationrecords’’ and records defined at 20U.S.C. 1232g(a)(4)(B)(iv), commonlyreferred to as ‘‘treatment records,’’ fromthe definition of ‘‘protected healthinformation.’’

Comment: One comment suggestedthat the regulation should not apply toany health information that is part of an‘‘education record’’ in any educationalagency or institution, regardless of itsFERPA status.

Response: We disagree. As noted inour discussion of ‘‘Relationship of OtherFederal Laws,’’ we exclude education

records from the definition of protectedhealth information because Congressexpressly provided privacy protectionsfor these records and explained howthese records should be treated inFERPA.

Comment: One commenter suggestedeliminating the preamble language thatdescribes school nurses and on-siteclinics as acting as providers andsubject to the privacy regulation, notingthat this language is confusing andinconsistent with the statementsprovided in the preamble explicitlystating that HIPAA does not preempt

FERPA.Response: We agree that this language

may have been confusing. We haveprovided a clearer expression of whenschools may be required to comply withthe privacy regulation in the‘‘Relationship to Other Federal Laws’’section of the preamble.

Comment: One commenter suggestedadding a discussion of FERPA to the‘‘Relationship to Other Federal Laws’’section of the preamble.

Response: We agree and have addedFERPA to the list of federal lawsdiscussed in ‘‘Relationship to Other

Federal Laws’’ section of the preamble.Comment: One commenter stated thatschool clinics should not have tocomply with the ‘‘ancillary’’administrative requirements, such asdesignating a privacy official,maintaining documentation of theirpolicies and procedures, and providingthe Secretary of HHS with access.

Response: We disagree. Because wehave excluded education records andrecords described at 20 U.S.C.1232g(a)(4)(B)(iv) held by educationalagencies and institutions subject toFERPA from the definition of protected

health information, only non-FERPAschools would be subject to theadministrative requirements. Most of these school clinics will also not becovered entities because they are notengaged in HIPAA transactions andthese administrative requirements willnot apply to them. However, to theextent a school clinic is within thedefinition of a health care provider, asCongress defined the term, and theschool clinic is engaged in HIPAAtransactions, it will be a covered entityand must comply with the rules below.





Comment: Several commentersexpressed concern that the privacyregulation would eliminate the parents’ability to have access to information intheir children’s school health records.Because the proposed regulationsuggests that school-based clinics keephealth records separate from othereducational files, these comments

argued that the regulation is contrary tothe spirit of FERPA, which providesparents with access rights to theirchildren’s educational files.

Response: As noted in the‘‘Relationship to Other Federal Laws’’provision of the preamble, to the extentinformation in school-based clinics isnot protected health information

because it is an education record, theFERPA access requirements apply andthis regulation does not. For more detailregarding the rule’s application tounemancipated minors, see thepreamble discussion about ‘‘Personal

Representatives.’’Federal Employees Compensation Act

Comment: One comment noted thatthe Federal Employees CompensationAct (‘‘FECA’’) requires claimants to signa release form when they file a claim.This commenter suggested that theprivacy regulation should not placeadditional restrictions on this type of release form.

Response: We agree. In the final rule,we have added a new provision,§ 164.512(l), that permits coveredentities to make disclosures authorized

under workers’ compensation andsimilar laws. This provision wouldpermit covered entities to makedisclosures authorized under FECA andnot require a different release form.

Federal Employees Health BenefitsProgram

Comment: A few comments expressedconcern about the preemption effect onFEHBP and wanted clarification that theprivacy regulation does not alter theexisting preemptive scope of theprogram.

Response: We do not intend to affectthe preemptive scope of the FEHBP. TheFederal Employee Health Benefit Act of 1998 preempts any state law that‘‘relates to’’ health insurance or plans. 5U.S.C. 8902(m). The final rule does notattempt to alter the preemptive scopeCongress has provided to the FEHBP.

Comment: One comment suggestedthat in the context of FEHBP HHSshould place the enforcementresponsibilities of the privacy regulationwith Office of Personnel Management,as the agency responsible foradministering the program.

Response: We disagree. Congressplaced enforcement with the Secretary.See section 1176 of the Act.

Federal Rules of Civil Procedure

Comment: A few comments suggestedrevising proposed §164.510(d) so that itis consistent with the existing discoveryprocedure under the Federal Rules of

Civil Procedure or local rules.Response: We disagree that the rulesregarding disclosures and uses of protected health information for judicialand administrative procedures shouldprovide only those protections that existunder existing discovery rules.Although the current process may beappropriate for other documents andinformation requested during thediscovery process, the current system,as exemplified by the Federal Rules of Civil Procedure, does not providesufficient protection for protected healthinformation. Under current discoveryrules, private attorneys, governmentofficials, and others who develop suchrequests make the initial determinationsas to what information ordocumentation should be disclosed.Independent third-party review, such asthat by a court, only becomes necessaryif a person of whom the request is maderefuses to provide the information. If this happens, the person seekingdiscovery must obtain a court order ormove to compel discovery. In our viewthis system does not provide sufficientprotections to ensure that unnecessaryand unwarranted disclosures of protected health information does not

occur. For a related discuss, see thepreamble regarding ‘‘Disclosures for

Judicial and AdministrativeProceedings’’ under §164.512(e).

Federal Rules of Evidence

Comment: Many comments requestedclarification that the privacy regulationdoes not conflict or interfere with thefederal or state privileges. In particular,one of these comments suggested thatthe final regulation provide thatdisclosures for a purpose recognized bythe regulation not constitute a waiver of federal or state privileges.

Response: We do not intend for theprivacy regulation to interfere withfederal or state rules of evidence thatcreate privileges. Consistent with TheUniform Health-Care Information Actdrafted by the National Conference of Commissioners on Uniform State Laws,we do not view a consent or anauthorization to function as a waiver of federal or state privileges. For furtherdiscussion of the effect of consent orauthorization on federal or stateprivileges, see preamble discussions in§§ 164.506 and 164.508.

Comment: Other commentsapplauded the Secretary’s references to

Jaffee v. Redman, 518 U.S. 1 (1996),which recognized a psychotherapist-patient privilege, and asked theSecretary to incorporate expressly thisprivilege into the final regulation.

Response: We agree that thepsychotherapist-patient relationship is

an important one that deservesprotection. However, it is beyond thescope our mandate to create specificevidentiary privileges. It is alsounnecessary because the United StatesSupreme Court has adopted thisprivilege.

Comment: A few comments discussedwhether one remedy for violating theprivacy regulation should be to excludeor suppress evidence obtained inviolation of the regulation. Onecomment supported using this penalty,while another opposed it.

Response: We do not have the

authority to mandate that courts applyor not apply the exclusionary rule toevidence obtained in violation of theregulation. This issue is in the purviewof the courts.

Federal Tort Claims Act

Comment: One comment contendedthat the proposed regulation’srequirement mandating covered entitiesto name the subjects of protected healthinformation disclosed under a businesspartner contract as third party intended

beneficiaries under the contract wouldhave created an impermissible right of action against the government under the

Federal Tort Claims Act (‘‘FTCA’’).Response: Because we have deleted

the third party beneficiary provisionsfrom the final rules, this comment ismoot.

Comment: Another commentsuggested the regulation would hamperthe ability of federal agencies to discloseprotected health information to theirattorneys, the Department of Justice,during the initial stages of the claims

brought under the FTCA.Response: We disagree. The

regulation applies only to federalagencies that are covered entities. To the

extent an agency is not a covered entity,it is not subject to the regulation; to theextent an agency is a covered entity, itmust comply with the regulation. Acovered entity that is a federal agencymay disclose relevant information to itsattorneys, who are business associates,for purposes of health care operations,which includes uses or disclosures forlegal functions. See § 164.501(definitions of ‘‘business associate’’ and‘‘health care operations’’). The final ruleprovides specific provisions describinghow federal agencies may provide





adequate assurances for these types of disclosures of protected healthinformation. See §164.504(e)(3).

Food and Drug Administration

Comment: A few comments expressedconcerns about the use of protectedhealth information for reportingactivities to the Food and Drug

Administration (‘‘FDA’’). Their concernfocused on the ability to obtain ordisclose protected health informationfor pre-and post-marketing adverseevent reports, device tracking, and post-marketing safety and efficacyevaluation.

Response: We agree with thiscomment and have provided thatcovered entities may disclose protectedhealth information to persons subject tothe jurisdiction of the FDA, to complywith the requirements of, or at thedirection of, the FDA with regard toreporting adverse events (or similar

reports with respect to dietarysupplements), the tracking of medicaldevices, other post-marketingsurveillance, or other similarrequirements described at §164.512(b).

Foreign Standards

Comment: One comment asked howthe regulation could be enforced againstforeign countries (or presumably entitiesin foreign countries) that solicit medicalrecords from entities in the UnitedStates.

Response: We do not regulatesolicitations of information. To theextent a covered entity wants to comply

with a request for disclosure of protected health information to foreigncountries or entities within foreigncountries, it will need to comply withthe privacy rules before making thedisclosure. If the covered entity fails tocomply with the rules, it will be subjectto enforcement proceedings.

Freedom of Information Act

Comment: One comment asserted thatthe proposed privacy regulationconflicts with the Freedom of Information Act (‘‘FOIA’’). Thecomment argued that the proposed

restriction on disclosures by agencieswould not come within one of thepermissible exemptions to the FOIA. Inaddition, the comment noted that onlyin exceptional circumstances would theprotected health information of deceased individuals come within anexemption because, for the most part,death extinguishes an individual’s rightto privacy.

Response: Section 164.512(a) belowpermits covered entities to discloseprotected health information when suchdisclosures are required by other laws as

long as they follow the requirements of those laws. Therefore, the privacyregulation will not interfere with theability of federal agencies to complywith FOIA, when it requires thedisclosure.

We disagree, however, that mostprotected health information will notcome within Exemption 6 of FOIA. See

the discussion above under‘‘Relationship to Other Federal Laws’’for our review of FOIA. Moreover, wedisagree with the comment’s assertionthat the protected health information of deceased individuals does not comewithin Exemption 6. Courts haverecognized that a deceased individual’ssurviving relatives may have a privacyinterest that federal agencies mayconsider when balancing privacyinterests against the public interest indisclosure of the requested information.Federal agencies will need to considernot only the privacy interests of the

subject of the protected healthinformation in the record requested, butalso, when appropriate, those of adeceased individual’s family consistentwith judicial rulings.

If an agency receives a FOIA requestfor the disclosure of protected healthinformation of a deceased individual, itwill need to determine whether or notthe disclosure comes within Exemption6. This evaluation must be consistentwith the court’s rulings in this area. If the exemption applies, the federalagency will not have to release theinformation. If the federal agencydetermines that the exemption does not

apply, may release it under § 164.512(a)of this regulation.

Comment: One commenter expressedconcern that our proposal to protect theindividually identifiable healthinformation about the deceased for twoyears following death would impedepublic interest reporting and would beat odds with many state Freedom of Information laws that make deathrecords and autopsy reports publicinformation. The commenter suggestedpermitting medical information to beavailable upon the death of anindividual or, at the very least, that an

appeals process be permitted so thathealth information trustees would beallowed to balance the interests inprivacy and in public disclosure andrelease or not release the informationaccordingly.

Response: These rules permit coveredentities to make disclosures that arerequired by state Freedom of Information Act (FOIA) laws under§ 164.512(a). Thus, if a state FOIA lawdesignates death records and autopsyreports as public information that must

be disclosed, a covered entity may

disclose it without an authorizationunder the rule. To the extent that suchinformation is required to be disclosed

by FOIA or other law, such disclosuresare permitted under the final rule. Inaddition, to the extent that deathrecords and autopsy reports areobtainable from non-covered entities,such as state legal authorities, access to

this information is not impeded by thisrule.

If another law does not require thedisclosure of death records and autopsyreports generated and maintained by acovered entity, which are protectedhealth information, covered entities arenot allowed to disclose suchinformation except as permitted orrequired by the final rule, even if another entity discloses them.

Comment: One comment soughtclarification of the relationship betweenthe Freedom of Information Act, thePrivacy Act, and the privacy rules.

Response: We have provided thisanalysis in the ‘‘Relationship to OtherFederal Laws’’ section of the preamblein our discussion of the Freedom of Information Act.

Gramm-Leach-Bliley

Comments: One commenter notedthat the Financial ServicesModernization Act, also known asGramm-Leach-Bliley (‘‘GLB’’), requiresfinancial institutions to provide detailedprivacy notices to individuals. Thecommenter suggested that the privacyregulation should not require financial

institutions to provide additional notice.Response: We disagree. To the extenta covered entity is required to complywith the notice requirements of GLBand those of our rules, the coveredentity must comply with both. We willwork with the FTC and other agenciesimplementing GLB to avoid unnecessaryduplication. For a more detaileddiscussion of GLB and the privacy rules,see the ‘‘Relationship to Other FederalLaws’’ section of the preamble.

Comment: A few commenters askedthat the Department clarify thatfinancial institutions, such as banks,

that serve as payors are covered entities.The comments explained that with theenactment of the Gramm-Leach-BlileyAct, banks are able to form holdingcompanies that will include insurancecompanies (that may be coveredentities). They recommended that banks

be held to the rule’s requirements and be required to obtain authorization toconduct non-payment activities, such asfor the marketing of health and non-health items and services or the use anddisclosure to non-health relateddivisions of the covered entity.





Response: These comments did notprovide specific facts that would permitus to provide a substantive response. Anorganization will need to determinewhether it comes within the definitionof ‘‘covered entity.’’ An organizationmay also need to consider whether ornot it contains a health care component.Organizations that are uncertain about

the application of the regulation to themwill need to evaluate their specific factsin light of this rule.

Inspector General Act

Comment: One comment requestedthe Secretary to clarify in the preamblethat the privacy regulation does notpreempt the Inspector General Act.

Response: We agree that to the extentthe Inspector General Act requires usesor disclosures of protected healthinformation, the privacy regulation doesnot preempt it. The final rule providesthat to the extent required under section

201(a)(5) of the Act, nothing in thissubchapter should be construed todiminish the authority of any InspectorGeneral, including the authorityprovided in the Inspector General Act of 1978. See discussion of § 160.102 above.

Medicare and Medicaid

Comment: One comment suggestedpossible inconsistencies between theregulation and Medicare/Medicaidrequirements, such as those under theQuality Improvement System forManaged Care. This commenter askedthat HHS expand the definition of health care operations to include health

promotion activities and avoid potentialconflicts.

Response: We disagree that theprivacy regulation would prohibitmanaged care plans operating in theMedicare or Medicaid programs fromfulfilling their statutory obligations. Tothe extent a covered entity is required

by law to use or disclose protectedhealth information in a particularmanner, the covered entity may makesuch a use or disclosure under§ 164.512(a). Additionally, qualityassessment and improvement activitiescome within the definition of ‘‘health

care operations.’’ Therefore, the specificexample provided by the commenterwould seem to be a permissible use ordisclosure under §164.502, even if itwere not a use or disclosure ‘‘required

by law.’’Comment: One commenter stated that

Medicare should not be able to requirethe disclosure of psychotherapy notes

because it would destroy a practitioner’sability to treat patients effectively.

Response: If the Title XVIII of theSocial Security Act requires thedisclosure of psychotherapy notes, the

final rule permits, but does not require,a covered entity to make such adisclosure under § 164.512(a). If,however, the Social Security Act doesnot require such disclosures, Medicaredoes not have the discretion to requirethe disclosure of psychotherapy notes asa public policy matter because the finalrule provides that covered entities, with

limited exceptions, must obtain anindividual’s authorization beforedisclosing psychotherapy notes. See§ 164.508(a)(2).

National Labor Relations Act

Comment: A few comments expressedconcern that the regulation did notaddress the obligation of coveredentities to disclose protected healthinformation to collective bargainingrepresentatives under the NationalLabor Relations Act.

Response: The final rule does notprohibit disclosures that covered

entities must make pursuant to otherlaws. To the extent a covered entity isrequired by law to disclose protectedhealth information to collective

bargaining representatives under theNLRA, it may to so without anauthorization. Also, the definition of ‘‘health care operations’’ at § 164.501permits disclosures to employeerepresentatives for purposes of grievance resolution.

Organ Donation

Comment: One commenter expressedconcern about the potential impact of the regulation on the organ donation

program under 42 CFR part 482.Response: In the final rule, we add

provisions allowing the use ordisclosure of protected healthinformation to organ procurementorganizations or other entities engagedin the procurement, banking, ortransplantation of cadaveric organs,eyes, or tissue for the purpose of facilitating donation andtransplantation. See §164.512(h).

Privacy Act Comments

Comment: One comment suggestedthat the final rule unambiguously

permit the continued operation of thestatutorily established or authorizeddiscretionary routine uses permittedunder the Privacy Act for both lawenforcement and health oversight.

Response: We disagree. See thediscussion of the Privacy Act in‘‘Relationship to Other Federal Laws’’above.

Public Health Services Act

Comment: One comment suggestedthat the Public Health Service Actplaces more stringent rules regarding

the disclosure of information onFederally Qualified Health Centers thanthe proposed privacy regulationsuggested. Therefore, the commentersuggested that the final rule exemptFederally Qualified Health Centers fromthe rules requirements

Response: We disagree. Congressexpressly included Federally Qualified

Health Centers, a provider of medical orother health services under the SocialSecurity Act section 1861(s), within itsdefinition of health care provider insection 1171 of the Act; therefore, wecannot exclude them from theregulation.

Comment: One commenter noted thatno conflicts existed between theproposed rule and the Public HealthServices Act.

Response: As we discuss in the‘‘Relationship to Other Federal Laws’’section of the preamble, the PublicHealth Service Act contains explicitconfidentiality requirements that are sogeneral as not to create problems of inconsistency. We recognized, however,that in some cases, that law or itsaccompanying regulations may containgreater restrictions. In those situations,a covered entity’s ability to make whatare permissive disclosures under thisprivacy regulation would be limited bythose laws.

Reporting Requirement

Comment: One comment noted thatfederal agencies must provideinformation to certain entities pursuantto various federal statutes. For example,

federal agencies must not withholdinformation from a Congressionaloversight committee or the GeneralAccounting Office. Similarly, somefederal agencies must provide theBureau of the Census and the NationalArchives and Records Administrationwith certain information. This commentexpressed concern that the privacyregulation would conflict with theserequirements. Additionally, thecommenter asked whether the privacynotice would need to contain these usesand disclosures and recommended thata general statement that these federal

agencies would disclose protectedhealth information when required bylaw be considered sufficient to meet theprivacy notice requirements.

Response: To the extent a federalagency acting as a covered entity isrequired by federal statute to discloseprotected health information, theregulation permits the disclosure asrequired by law under § 164.512(a). Thenotice provisions at§ 164.520(b)(1)(ii)(B) require coveredentities to provide a brief description of the purposes for which the covered





entity is permitted or required by therules to use or disclose protected healthinformation without an individual’swritten authorization. If these statutesrequire the disclosures, covered entitiessubject to the requirement may make thedisclosure pursuant to §164.512(a).Thus, their notice must include adescription of the category of these

disclosures. For example, a generalstatement such as the covered entity‘‘will disclose your protected healthinformation to comply with legalrequirements’’ should suffice.

Comment: One comment stressed thatthe final rule should not inadvertentlypreempt mandatory reporting laws dulyenacted by federal, state, or locallegislative bodies. This commenter alsosuggested that the final rule not preventthe reporting of violations to lawenforcement agencies.

Response: We agree. Like theproposed rule, the final rule permits

covered entities to disclose protectedhealth information when required bylaw under §164.512(a). To the extent acovered entity is required by law tomake a report to law enforcementagencies or is otherwise permitted tomake a disclosure to a law enforcementagency as described in §164.512(f), itmay do so without an authorization.Alternatively, a covered entity mayalways request that individualsauthorize these disclosures.

Security Standards

Comment: One comment called forHHS to consider the privacy regulation

in conjunction with the other HIPAAstandards. In particular, this commentfocused on the belief that the securitystandards should be compatible withthe existing and emerging health careand information technology industrystandards.

Response: We agree that the securitystandards and the privacy rules should

be compatible with one another and areworking to ensure that the final rules in

both areas function together. Becausewe are addressing comments regardingthe privacy rules in this preamble, wewill consider the comment about the

security standard as we finalize that setof rules.

Substance Abuse Confidentiality Statuteand Regulations

Comment: Several commenters notedthat many health care providers are

bound by the federal restrictionsgoverning alcohol and drug abuserecords. One commenter noted that theNPRM differed substantially from thesubstance abuse regulations and wouldhave caused a host of practical problemsfor covered entities. Another

commenter, however, supported theNPRM’s analysis that stated that morestringent provisions of the substanceabuse provisions would apply. Thiscommenter suggested an even strongerapproach of including in the text aprovision that would preserve existingfederal law. Yet, one commentsuggested that the regulation as

proposed would confuse providers bymaking it difficult to determine whenthey may disclose information to lawenforcement because the privacyregulation would permit disclosuresthat the substance abuse regulationswould not.

Response: We appreciate the need of some covered entities to evaluate theprivacy rules in light of federalrequirements regarding alcohol anddrug abuse records. Therefore, weprovide a more detailed analysis in the‘‘Relationship to Other Federal Laws’’section of the preamble.

Comment: Some of these commentersalso noted that state laws contain strictconfidentiality requirements. A fewcommenters suggested that HHSreassess the regulations to avoidinconsistencies with state privacyrequirements, implying that problemsexist because of conflicts between thefederal and state laws regarding theconfidentiality of substance abuseinformation.

Response: As noted in the preamblesection discussing preemption, the finalrules do not preempt state laws thatprovide more privacy protections. For amore detailed analysis of the

relationship between state law and theprivacy rules, see the ‘‘Preemption’’provisions of the preamble.

Tribal Law

Comments: One commenter suggestedthat the consultation process with tribalgovernments described in the NPRMwas inadequate under Executive OrderNo. 13084. In addition, the commenterexpressed concern that the disclosuresfor research purposes as permitted bythe NPRM would conflict with anumber of tribal laws that offerindividuals greater privacy rights with

respect to research and reflects culturalappropriateness. In particular, thecommenter referenced the HealthResearch Code for the Navajo Nationwhich creates a entity with broaderauthority over research conducted onthe Navajo Nation than the local IRBand requires informed consent by studyparticipants. Other laws mentioned bythe commenter included the NavajoNation Privacy and Access toInformation Act and a similar policyapplicable to all health care providerswithin the Navajo Nation. The

commenter expressed concern that theproposed regulation research provisionswould override these tribal laws.

Response: We disagree with thecomment that the consultation withtribal governments undertaken prior tothe proposed regulation is inadequateunder Executive Order No. 13084. Asstated in the proposed regulation, the

Department consulted withrepresentatives of the National Congressof American Indians and the NationalIndian Health Board, as well as others,about the proposals and the applicationof HIPAA to the Tribes, and thepotential variations based on therelationship of each Tribe with the IHSfor the purpose of providing healthservices. In addition, Indian and tribalgovernments had the opportunity to,and did, submit substantive commentson the proposed rules.

Additionally, disclosures permitted by this regulation do not conflict withthe policies as described by thiscommenter. Disclosures for researchpurposes under the final rule, as in theproposed regulation, are permissivedisclosures only. The rule describes theouter boundaries of permissibledisclosures. A covered health careprovider that is subject to the tribal lawsof the Navajo Nation must continue tocomply with those tribal laws. If thetribal laws impose more stringentprivacy standards on disclosures forresearch, such as requiring informedconsent in all cases, nothing in the finalrule would preclude compliance withthose more stringent privacy standards.

The final rule does not interfere withthe internal governance of the NavajoNation or otherwise adversely affect thepolicy choices of the tribal governmentwith respect to the culturalappropriateness of research conductedin the Navajo Nation.

TRICARE

Comment: One comment expressedconcern regarding the application of the‘‘minimum necessary’’ standard toinvestigations of health care providersunder the TRICARE (formerly theCHAMPUS) program. The comment also

expressed concern that health careproviders would be able to avoidproviding their records to suchinvestigators because the proposed§ 164.510 exceptions were notmandatory disclosures.

Response: In our view, neither theminimum necessary standard nor thefinal §§ 164.510 and 164.512 permissivedisclosures will impede suchinvestigations. The regulation requirescovered entities to make all reasonableefforts not to disclose more than theminimum amount of protected health





information necessary to accomplish theintended purpose of the use ordisclosure. This requirement, however,does not apply to uses or disclosuresthat are required by law. See§ 164.502(b)(2)(iv). Thus, if thedisclosure to the investigators isrequired by law, the minimumnecessary standard will not apply.

Additionally, the final rule providesthat covered entities rely, if suchreliance is reasonable, on assertionsfrom public officials about whatinformation is reasonably necessary forthe purpose for which it is being sought.See § 164.514(d)(3)(iii).

We disagree with the assertion thatproviders will be able to avoidproviding their records to investigators.Nothing in this rule permits coveredentities to avoid disclosures required byother laws.

Veterans Affairs

Comment: One comment soughtclarification about how disclosures of protected health information wouldoccur within the Veterans Affairsprograms for veterans and theirdependents.

Response: We appreciate thecommenter’s request for clarification asto how the rules will affect disclosuresof protected health information in thespecific context of Veteran’s Affairsprograms. Veterans health careprograms under 38 U.S.C. chapter 17 aredefined as ‘‘health plans.’’ Withoutsufficient details as to the particularaspects of the Veterans Affairs programs

that this comment views as problematic,we cannot comment substantively onthis concern.

Comment: One comment suggestedthat the final regulation clarify that theanalysis applied to the substance abuseregulations apply to laws governingVeteran’s Affairs health records.

Response: Although we realize somedifference may exist between the laws,we believe the discussion of federalsubstance abuse confidentialityregulations in the ‘‘Relationship toOther Federal Laws’’ preamble providesguidance that may be applied to the

laws governing Veteran’s Affairs (‘‘VA’’)health records. In most cases, a conflictwill not exist between these privacyrules and the VA programs. Forexample, some disclosures allowedwithout patient consent or authorizationunder the privacy regulation may not bewithin the VA statutory list of permissible disclosures without awritten consent. In such circumstances,the covered entity would have to abide

by the VA statute, and no conflict exists.If the disclosures permitted by the VAstatute come within the permissible

disclosures of our rules, no conflictexists. In some cases, our rules maydemand additional requirements, suchas obtaining the approval of a privacy

board or Institutional Review Board if acovered entity seeks to discloseprotected health information forresearch purposes without theindividual’s authorization. A covered

entity subject to the VA statute willneed to ensure that it meets therequirements of both that statute and theregulation below. If a conflict arises, thecovered entity should evaluate thespecific potential conflicting provisionsunder the implied repeal analysis setforth in the ‘‘Relationship to OtherFederal Laws’’ discussion in thepreamble.

WIC

Comment: One comment called onother federal agencies to examine theirregulations and policies regarding the

use and disclosure of protected healthinformation. The comment suggestedthat other agencies revise theirregulations and policies to avoidduplicative, contradictory, or morestringent requirements. The commentnoted that the U.S. Department of Agriculture’s Special SupplementalNutrition Program for Women, Infants,and Children (‘‘WIC’’) does not releaseWIC data. Because the commenter

believed the regulation would notprohibit the disclosure of WIC data, thecomment stated that the Department of Agriculture should now release suchinformation.

Response: We support other federalagencies to whom the rules apply intheir efforts to review existingregulations and policies regardingprotected health information. However,we do not agree with the suggestion thatother federal agencies that are notcovered entities must reduce theprotections or access-related rights theyprovide for individually identifiablehealth information they hold.

Part 160, Subpart C—Compliance andEnforcement

Section 160.306(a)—Who Can File

Complaints With the Secretary Comment: The proposed rule limited

those who could file a complaint withthe Secretary to individuals. A numberof commenters suggested that otherpersons with knowledge of a possibleviolation should also be able to filecomplaints. Examples that wereprovided included a mental health careprovider with first hand knowledge of ahealth plan improperly requiringdisclosure of psychotherapy notes andan occupational health nurse with

knowledge that her human resourcesmanager is improperly reviewingmedical records. A few comments raisedthe concern that permitting any personto file a complaint lends itself to abuseand is not necessary to ensure privacyrights and that the complainant should

be a person for whom there is a duty toprotect health information.

Response: As discussed below, therule defines ‘‘individual’’ as the personwho is the subject of the individuallyidentifiable health information.However, the covered entity may allowother persons, such as personalrepresentatives, to exercise the rights of the individual under certaincircumstances, e.g., for a deceasedindividual. We agree with thecommenters that any person may

become aware of conduct by a coveredentity that is in violation of the rule.Such persons could include the coveredentity’s employees, business associates,

patients, or accrediting, healthoversight, or advocacy agencies ororganizations. Many persons, such asthe covered entity’s employees, may, infact, be in a better position than the‘‘individual’’ to know that a violationhas occurred. Another example is a stateProtection and Advocacy group thatmay represent persons withdevelopmental disabilities. We havedecided to allow complaints from anyperson. The term ‘‘person’’ is notrestricted here to human beings ornatural persons, but also includes anytype of association, group, ororganization.

Allowing such persons to filecomplaints may be the only way theSecretary may learn of certain possibleviolations. Moreover, individuals whoare the subject of the information maynot be willing to file a complaint

because of fear of embarrassment orretaliation. Based on our experiencewith various civil rights laws, such asTitle VI of the Civil Rights Act of 1964and Title II of the Americans withDisabilities Act, that allow any personto file a complaint with the Secretary,we do not believe that this practice willresult in abuse. Finally, upholding

privacy protections benefits all personswho have or may be served by thecovered entity as well as the generalpublic, and not only the subject of theinformation.

If a complaint is received fromsomeone who is not the subject of protected health information, the personwho is the subject of this informationmay be concerned with the Secretary’sinvestigation of this complaint. Whilewe did not receive comments on thisissue, we want to protect the privacyrights of this individual. This might





without having received a complaint orhaving reason to believe there isnoncompliance. A number of thesecommenters appeared to believe that theSecretary would engage in ‘‘routinevisits.’’ Some commenters suggestedthat the Secretary should only be able toconduct compliance reviews if theSecretary has initiated an investigation

of a complaint regarding the coveredentity in the preceding twelve months.Some commenters suggested that thereshould only be compliance reviews

based on established criteria for reviews(e.g., finding of ‘‘reckless disregard’’).Many of these commenters stated thatcooperating with compliance reviews ispotentially burdensome and expensive.

One commenter asked whether theSecretary will have a process forreviewing all covered entities todetermine how they are complying withrequirements. This commenterquestioned whether covered entities

will be required to submit plans andwait for Departmental approval.Another commenter suggested that

the Secretary specify a time limit for thecompletion of a compliance review.

Response: We disagree with thecommenters that the final rule shouldrestrict the Secretary’s ability to conductcompliance reviews. The Secretaryneeds to maintain the flexibility toconduct whatever reviews are necessaryto ensure compliance with the rule.

Section 160.310 (a) and (c)—TheSecretary’s Access to Information inDetermining Compliance

Comment: Some commenters raisedobjections to provisions in the proposedrule which required that coveredentities maintain records and submitcompliance reports as the Secretarydetermines is necessary to determinecompliance and required that coveredentities permit access by the Secretaryduring normal business hours to its

books, records, accounts, and othersources of information, includingprotected health information, and itsfacilities, that are pertinent toascertaining compliance with thissubpart. One commenter stated that the

Secretary’s access to private healthinformation without appropriate patientconsent is contrary to the intent of HIPAA. Another commenter expressedthe view that, because covered entitiesface criminal penalties for violations,these provisions violate the FifthAmendment protections against forcedself incrimination. Other commentersstated that covered entities should begiven the reason the Secretary needs tohave access to its books and records.Another commenter stated that thereshould be a limit to the frequency or

extent of intrusion by the federalgovernment into the business practicesof a covered entity and that theseprovisions violate the FourthAmendment of the Constitution.

Finally, a coalition of church planssuggested that the Secretary providechurch plans with additional proceduralsafeguards to reduce unnecessary

intrusion into internal churchoperations. These suggested safeguardsincluded permitting HHS to obtainrecords and other documents only if they are relevant and necessary tocompliance and enforcement activitiesrelated to church plans, requiring asenior official to determine theappropriateness of compliance-relatedactivities for church plans, andproviding church plans with a self-correcting period similar to thatCongress expressly provided in Title I of HIPAA under the tax code.

Response: The final rule retains theproposed language in these twoprovisions with one change. The ruleadds a provision indicating that theSecretary’s access to information held

by the covered entity may be at any timeand without notice where exigentcircumstances exist, such as where timeis of the essence because documentsmight be hidden or destroyed. Thus,covered entities will generally receivenotice before the Secretary seeks toaccess the entity’s books or records.

Other than the exigent circumstanceslanguage, the language in these twoprovisions is virtually the same as thelanguage in this Department’s regulation

implementing Title VI of the CivilRights Act of 1964. 45 CFR 80.6(b) and(c). The Title VI regulation isincorporated by reference in otherDepartment regulations prohibitingdiscrimination of the basis of disability.45 CFR 84.61. Similar provisionsallowing this Department access torecipient information is found in theSecretary’s regulation implementing theAge Discrimination Act. 45 CFR 91.34.These provisions have not proved to be

burdensome to entities that are subjectto these civil rights regulations (i.e., allrecipients of Department funds).

We do not interpret Constitutionalcase law as supporting the view that afederal agency’s review of informationpursuant to statutory mandate violatesthe Fifth Amendment protectionsagainst forced self incrimination. Norwould such a review of this informationraise Fourth Amendment problems. Seediscussion above regardingConstitutional comments and responses.

We appreciate the concern that theSecretary not involve herself unnecessarily into the internaloperations of church plans. However, by

providing health insurance or care totheir employees, church plans areengaging in a secular activity. Under theregulation, church plans are subject tothe same compliance and enforcementrequirements with which other coveredentities must comply. Because Congressdid not carve out specific exceptions orrequire stricter standards for

investigations related to church plans,incorporating such measures into theregulation would be inappropriate.

Additionally, there is no indicationthat the regulation will directly interferewith the religious practices of churchplans. Also, the regulation as writtenappropriately limits the ability of investigators to obtain information fromcovered entities. The regulationprovides that the Secretary may obtainaccess only to information that ispertinent to ascertain compliance withthe regulation. We do not anticipateasking for information that is not

necessary to assess compliance with theregulation. The purpose of obtainingrecords and similar materials is todetermine compliance, not to engage inany sort of review or evaluation of religious activities or beliefs. Therefore,we believe the regulation appropriately

balances the need to access informationto determine compliance with the desireof covered entities to avoid openingevery record in their possession to thegovernment.

Provision of Technical Assistance

Comment: A number of commentersinquired as to how a covered entity can

request technical assistance from theSecretary to come into compliance. Anumber of commenters suggested thatthe Secretary provide interpretiveguidance to assist with compliance.Others recommended that the Secretaryhave a contact person or privacy official,available by telephone or email, toprovide guidance on theappropriateness of a disclosure or adenial of access. One commentersuggested that there be a formal processfor a covered entity to submitcompliance activities to the Secretaryfor prior approval and clarification. This

commenter suggested that clarifications be published on a contemporaneous basis in the Federal Register to helpcorrect any ambiguities and confusionin implementation. It was also suggestedthat the Secretary undertake anassessment of ‘‘best practices’’ of covered entities and document andpromote the findings to serve as aconvenient ‘‘road map’’ for othercovered entities. Another commentersuggested that we work with providersto create implementation guidelinesmodeled after the interpretative





using a particular standard or meetinganother requirement.

We support a self-regulation approachin that we recognize that mostcompliance will be achieved by thevoluntary activities of covered entitiesrather than by our enforcementactivities. Our emphasis will be oneducation, technical assistance, and

voluntary compliance and not onfinding violations and imposingpenalties. We also support a consumerempowerment approach. Aknowledgeable consumer is key to theeffectiveness of this rule. A consumerfamiliar with the requirements of thisrule will be equipped to make choicesregarding which covered entity will bestserve their privacy interests and willknow their rights under the rule andhow they can seek redress for violationsof this rule. Privacy-minded consumerswill seek to protect the privacy rights of others by bringing concerns to the

attention of covered entities, the public,and the Secretary. However, we do notagree that we should defer enforcementwhere violations of the rule occur.

Comment: One commenter expressedconcern that by filing a complaint anindividual would be required to revealsensitive information to the public.Another commenter suggested thatcomplaints regarding noncompliance inregard to psychotherapy notes should bemade to a panel of mental healthprofessionals designated by theSecretary. This commenter alsoproposed that all patient information bemaintained as privileged, not be

revealed to the public, and be keptunder seal after the case is reviewed andclosed.

Response: We appreciate this concernand will seek to ensure that individuallyidentifiable health information andother personal information contained incomplaints will not be available to thepublic. The privacy regulation provides,at §160.310(c)(3), that protected healthinformation obtained by the Secretary inconnection with an investigation orcompliance review will not be disclosedexcept if necessary for ascertaining orenforcing compliance with the

regulation or if required by law. Inaddition, this Department generallyseeks to protect the privacy of individuals to the fullest extentpossible, while permitting the exchangeof records required to fulfill itsadministrative and programresponsibilities. The Freedom of Information Act, 5 U.S.C. 552, and theHHS implementing regulation, 45 CFRpart 5, provide substantial protection forrecords about individuals wheredisclosure would constitute anunwarranted invasion of their personal

privacy. In implementing the privacyregulation, OCR plans to continue itscurrent practice of protecting itscomplaint files from disclosure. OCRtreats these files as investigatory recordscompiled for law enforcement purposes.Moreover, OCR maintains thatdisclosing protected health informationin these files generally constitutes an

unwarranted invasion of personalprivacy.

It is not clear in regarding the use of mental health professionals, whetherthe commenter believes that suchprofessionals should be involved

because they would be best able to keeppsychotherapy notes confidential or

because such professionals can bestunderstand the meaning or relevance of such notes. OCR anticipates that it willnot have to obtain a copy or reviewpsychotherapy notes in investigatingmost complaints regardingnoncompliance in regard to such notes.

There may be some cases where areview of the notes may be needed suchas where we need to identify that theinformation a covered entity disclosedwas in fact psychotherapy notes. If weneed to obtain a copy of psychotherapynotes, we will keep these notesconfidential and secure. OCRinvestigative staff will be trained toensure that they fully respect theconfidentiality of personal information.In addition, while the specific contentsof these notes is generally not relevantto violations under this rule, if suchnotes are relevant, we will secure the

expertise of mental health professionalsif needed in reviewing psychotherapynotes.

Comment: A member of Congress anda number of privacy and consumergroups expressed concern with whetherOCR has adequate funding to carry outthe major responsibility of enforcing thecomplaint process established by thisrule. The Senator stated that ‘‘[d]ue tothe limited enforcement ability allowedfor in this rule by HIPAA, it is essentialthat OCR have the capacity to enforcethe regulations. Now is the time for OCRto begin building the necessaryinfrastructure to enforce the regulationeffectively.’’

Response: We agree and arecommitted to an effective enforcementprogram. We are working with Congressto ensure that the Secretary has thenecessary funds to secure voluntarycompliance through education andtechnical assistance, to investigatecomplaints and conduct compliancereviews, to provide states withexception determinations, and to usecivil and criminal penalties whennecessary. We will continue to work

with Congress and within the newAdministration in this regard.

Coordination With Reviewing Authorities

Comment: A number of commentersreferenced other entities that alreadyconsider the privacy of healthinformation. One commenter indicated

opposition to the delegation of inspections to third party organizations,such as the Joint Commission on theAccreditation of HealthcareOrganizations (JCAHO). A fewcommenters indicated that stateagencies are already authorized toinvestigate violations of state privacystandards and that we should rely onthose agencies to investigate allegedviolations of the privacy rules ordelegate its complaint process to statesthat wish to carry out this responsibilityor to those states that have a complaintprocess in place. Another commenterargued that individuals should berequired to exhaust any state processes

before filing a complaint with theSecretary. Others referenced the factthat state medical licensing boardsinvestigate complaints againstphysicians for violating patientconfidentiality. One group asked thatthe federal government streamline all of these activities so physicians can havea single entity to whom they must beresponsive. Another group suggestedthat OMB should be given responsibilityfor ensuring that FEHB Plans operate incompliance with the privacy standardsand for enforcement.

A few commenters stated that theregulation might be used as a basis forviolation findings and subsequentpenalties under other Departmentauthorities, such as under Medicare’sConditions of Participation related topatient privacy and right toconfidentiality of medical records. Onecommenter wanted some assurance thatthis regulation will not be used asgrounds for sanctions under Medicare.Another commenter indicated supportfor making compliance with the privacyregulation a Condition of Participationunder Medicare.

Response: HIPAA does not give theSecretary the authority to delegate herresponsibilities to other private orpublic agencies such as JCAHO or stateagencies. However, we plan to exploreways that we may benefit from currentactivities that also serve to protect theprivacy of individually identifiablehealth information. For example, if weconduct an investigation or review of acovered entity, that entity may want toshare information regarding findings of other bodies that conducted similarreviews. We would welcome such





information. In developing itsenforcement program, we may exploreways it can coordinate with otherregulatory or oversight bodies so that wecan efficiently and effectively pursueour joint interests in protecting privacy.

We do not accept the suggestion thatindividuals be required to exhaust theirremedies under state law before filing a

complaint with the Secretary. Ourrationale is similar to that discussedabove in regard to the suggestion thatcovered entities be required to exhausta covered entity’s internal complaintprocess before filing a complaint withthe Secretary. Congress provided forfederal privacy protection and we wantto allow individuals the right to thisprotection without barriers or delay.Covered entities may in their privacynotice inform individuals of any rightsthey have under state law including anyright to file privacy complaints. We donot have the authority to interfere with

state processes and HIPAA explicitlyprovides that we cannot preempt statelaws that provide greater privacyprotection.

We have not yet addressed the issueas to whether this regulation might beused as a basis for violation findings orpenalties under other Departmentauthorities. We note that Medicareconditions of participation requireparticipating providers to haveprocedures for ensuring theconfidentiality of patient records, aswell as afford patients with the right tothe confidentiality of their clinicalrecords.

Penalties

Comment: Many commentersconsidered the statutory penaltiesinsufficient to protect privacy, statingthat the civil penalties are too weak tohave the impact needed to reduce therisk of inappropriate disclosure. Somecommenters took the opposing view andstated that large fines and prisonsentences for violations woulddiscourage physicians from transmittingany sort of health care information toany other agency, regardless of themedical necessity. Another comment

expressed the concern that doctors will be at risk of going to jail for protectingthe privacy of individuals (by notdisclosing information the government

believes should be released).Response: The enforcement regulation

will address the application of the civilmonetary and criminal penalties underHIPAA. The regulation will bepublished in the Federal Register as aproposed regulation and the public willhave an opportunity to comment. We donot believe that our rule, and thepenalties available under it, will

discourage physicians and otherproviders from using or disclosingnecessary information. We believe thatthe rule permits physicians to make thedisclosures that they need to makeunder the health care system withoutexposing themselves to jeopardy underthe rule. We believe that the penaltiesunder the statute are woefully

inadequate. We support legislation thatwould increase the amount of thesepenalties.

Comment: A number of commentersstated that the regulations should permitindividuals to sue for damages caused

by breaches of privacy under theseregulations. Some of these commentersspecified that damages, equitable relief,attorneys fees, and punitive damagesshould be available. Conversely, onecomment stated that strong penalties arenecessary and would preclude the needfor a private right of action. Anothercommenter stated that he does not

believe that the statute intended to giveindividuals the equivalent of a right tosue, which results from makingindividuals third party beneficiaries tocontracts between business partners.

Response: We do not have theauthority to provide a private right of action by regulation. As discussed

below, the final rule deletes the thirdparty beneficiary provision that was inthe proposed rule.

However, we believe that, in additionto strong civil monetary penalties,federal law should allow any individualwhose rights have been violated to bringan action for actual damages and

equitable relief. The Secretary’sRecommendations, which weresubmitted to Congress on September 11,1997, called for a private right of actionto permit individuals to enforce theirprivacy rights.

Comment: One comment stated that,in calculating civil monetary penalties,the criteria should include aggravatingor mitigating circumstances andwhether the violation is a minor or firsttime violation. Several comments statedthat penalties should be tiered so thatthose that commit the most egregiousviolations face stricter civil monetary

penalties.Response: As mentioned above, issuesregarding civil fines and criminalpenalties will be addressed in theenforcement regulation.

Comment: One comment stated thatthe regulation should clarify whether asingle disclosure that involved thehealth information of multiple partieswould constitute a single or multipleinfractions, for the purpose of calculating the penalty amount.

Response: The enforcement regulationwill address the calculation of penalties.

However, we note that section 1176subjects persons to civil monetarypenalties of not more than $100 for eachviolation of a requirement or prohibitionand not more than $25,000 in a calendaryear for all violations of an identicalrequirement or prohibition. Forexample, if a covered entity fails topermit amendment of protected health

information for 10 patients in onecalendar year, the entity may be finedup to $1000 ($100 times 10 violationsequals $1000).

Part 164—Subpart A—GeneralRequirements

Part 164—Subpart B–D—Reserved

Part 164—Subpart E—Privacy

Section 164.500—Applicability

Covered Entities

The response to comments on coveredentities is included in the response tocomments on the definition of ‘‘covered

entity’’ in the preamble discussion of § 160.103.

Covered Information

The response to comments on coveredinformation is included in the responseto comments on the definition of ‘‘protected health information’’ in thepreamble discussion of §164.501.


Designated record set

Comment: Many commentersgenerally supported our proposeddefinition of designated record set.

Commenters suggested differentmethods for narrowing the informationaccessible to individuals, such asexcluding information obtained withoutface-to-face interaction (e.g., phoneconsultations). Other commentersrecommended broadening theinformation accessible to individuals,such as allowing access to ‘‘the entiremedical record,’’ not just a designatedrecord set. Some commenters advocatedfor access to all information aboutindividuals. A few commentersgenerally supported the provision butrecommended that consultation and

interpretative assistance be providedwhen the disclosure may cause harm ormisunderstanding.

Response: We believe individualsshould have a right to access anyprotected health information that may

be used to make decisions about themand modify the final rule to accomplishthis result. This approach facilitates anopen and cooperative relationship

between individuals and covered healthcare providers and health plans andallows individuals fair opportunities toknow what health information may be





2Privacy Protection Study Commission,‘‘Personal Privacy in an Information Society,’’ July1977, p. 298–299.

3Health Privacy Working Group, ‘‘Best Principlesfor Health Privacy,’’ Health Privacy Project,Institute for Health Care Research and Policy,Georgetown University, July 1999.

4National Committee on Quality Assurance andthe Joint Commission on Accreditation of Healthcare Organizations, ‘‘Protecting PersonalHealth Information: A Framework for Meeting theChallenges in a Managed Care Environment,’’ 1998,p. 25.

5ASTM, ‘‘Standard Guide for Confidentiality,Privacy, Access and Data Security, Principles forHealth Information Including Computer-BasedPatient Records,’’ E 1869–97, §11.1.1.

used to make decisions about them. Welist certain records that are always partof the designated record set. For coveredproviders these are the medical recordand billing record. For health plansthese are the enrollment, payment,claims adjudication, and case ormedical management records. Thepurpose of these specified records is

management of the accounts and healthcare of individuals. In addition, weinclude in the designated record set towhich individuals have access anyrecord used, in whole or in part, by orfor the covered entity to make decisionsabout individuals. Only protectedhealth information that is in adesignated record set is covered.Therefore, if a covered provider has aphone conversation, informationobtained during that conversation issubject to access only to the extent thatit is recorded in the designated recordset.

We do not require a covered entity toprovide access to all individuallyidentifiable health information, becausethe benefits of access to information notused to make decisions aboutindividuals is limited and is outweighed

by the burdens on covered entities of locating, retrieving, and providingaccess to such information. Suchinformation may be found in manytypes of records that include significantinformation not relevant to theindividual as well as information aboutother persons. For example, a hospital’speer review files that include protectedhealth information about many patients

but are used only to improve patientcare at the hospital, and not to makedecisions about individuals, are not partof that hospital’s designated record sets.

We encourage but do not requirecovered entities to provide interpretiveassistance to individuals accessing theirinformation, because such arequirement could imposeadministrative burdens that outweighthe benefits likely to accrue.

The importance to individuals of having the right to inspect and copyinformation about them is supported bya variety of industry groups and is

recognized in current state and federallaw. The July 1977 Report of the PrivacyProtection Study Commissionrecommended that individuals haveaccess to medical records and medicalrecord information.2 The Privacy Act (5U.S.C. 552a) requires governmentagencies to permit individuals to reviewrecords and have a copy made in a formcomprehensible to the individual. In its

report ‘‘Best Principles for HealthPrivacy,’’ the Health Privacy WorkingGroup recommended that individualsshould have the right to accessinformation about them.3 The NationalAssociation of InsuranceCommissioners’ Health InformationPrivacy Model Act establishes the rightof an individual to examine or receive

a copy of protected health informationin the possession of the carrier or aperson acting on behalf of the carrier.

Many states also establish a right forindividuals to access health informationabout them. For example, Alaska law(AK Code 18.23.005) entitles patients‘‘to inspect and copy any recordsdeveloped or maintained by a healthcare provider or other person pertainingto the health care rendered to thepatient.’’ Hawaii law (HRS section323C–11) requires health care providersand health plans, among others, topermit individuals to inspect and copy

protected health information aboutthem. Many other states have similarprovisions.

Industry and standard-settingorganizations also have developedpolicies to enable individual access tohealth information. The NationalCommittee for Quality Assurance andthe Joint Commission on Accreditationof Healthcare Organizations issuedrecommendations stating, ‘‘Patients’confidence in the protection of theirinformation requires that they have themeans to know what is contained intheir records. The opportunity forpatients to review their records will

enable them to correct any errors andmay provide them with a betterunderstanding of their health status andtreatment.’’ 4 Standards of the AmericanSociety for Testing and Materials state,‘‘The patient or his or her designatedpersonal representative has access rightsto the data and information in his or herhealth record and other healthinformation databases except asrestricted by law. An individual should

be able to inspect or see his or herhealth information or request a copy of all or part of the health information, or

both.’’ 5 We build on this well-

established principle in this final rule.

Comment: Several commentersadvocated for access to not onlyinformation that has already been usedto make decisions, but also informationthat may be used to make decisions.Other commenters believed accessibleinformation should be more limited; forexample, some commenters argued thataccessible information should be

restricted to only information used tomake health care decisions.

Response: We agree that it is desirablethat individuals have access toinformation reasonably likely to be usedto make decisions about them. On theother hand, it is desirable that thecategory of records covered be readilyascertainable by the covered entity. Wetherefore define ‘‘designated record set’’to include certain categories of records(a provider’s medical record and billingrecord, the enrollment records, andcertain other records maintained by ahealth plan) that are normally used, and

are reasonably likely to be used, to makedecisions about individuals. We alsoadd a category of other records that are,in fact, used, in whole or in part, tomake decisions about individuals. Thiscategory includes records that are usedto make decisions about anyindividuals, whether or not the recordshave been used to make a decisionabout the particular individualrequesting access.

We disagree that accessibleinformation should be restricted toinformation used to make health caredecisions, because other decisions bycovered entities can also affect

individuals’ interests. For example,covered entities make financialdecisions about individuals, such aswhether an individual’s deductible has

been met. Because such decisions cansignificantly affect individuals’interests, we believe they should haveaccess to any protected healthinformation included in such records.

Comment: Some commenters believedthe rule should use the term‘‘retrievable’’ instead of ‘‘retrieved’’ todescribe information accessible toindividuals. Other commenterssuggested that the rule follow the

Privacy Act’s principle of allowingaccess only when entities retrieverecords by individual identifiers. Somecommenters requested clarification thatcovered entities are not required tomaintain information by name or otherpatient identifier.

Response: We have modified theproposed definition of the designatedrecord set to focus on how informationis used, not how it is retrieved.Information may be retrieved orretrievable by name, but if it is neverused to make decisions about any





individuals, the burdens of requiring acovered entity to find it and to redactinformation about other individualsoutweigh any benefits to the individualof having access to the information.When the information might be used toaffect the individual’s interests,however, that balance changes and the

benefits outweigh the burdens. We

confirm that this regulation does notrequire covered entities to maintain anyparticular record set by name oridentifier.

Comment: A few commentersrecommended denial of access forinformation relating to investigations of claims, fraud, and misrepresentations.Many commenters suggested thatsensitive, proprietary, and legaldocuments that are ‘‘typical state lawprivileges’’ be excluded from the right toaccess. Specific suggestions forexclusion, either from the right of accessor from the definition of designated

record set, include quality assuranceactivities, information related tomedical appeals, peer review andcredentialing, attorney-clientinformation, and compliance committeeactivities. Some commenters suggestedexcluding information already suppliedto individuals on previous requests andinformation related to health careoperations. However, some commentersfelt that such information was alreadyexcluded from the definition of designated record set. Othercommenters requested clarification thatthis provision will not prevent patientsfrom getting information related to

medical malpractice.Response: We do not agree that

records in these categories are neverused to affect the interests of individuals. For example, whileprotected health information used forpeer review and quality assuranceactivities typically would not be used tomake decisions about individuals, and,thus, typically would not be part of adesignated record set, we cannot saythat this is true in all cases. We designthis provision to be sufficiently flexibleto work with the varying practices of covered entities.

The rule addresses several of thesecomments by excepting from the accessprovisions (§164.524) informationcompiled in reasonable anticipation of,or for use in, a civil, criminal, oradministrative action or proceeding.Similarly, nothing in this rule requiresa covered entity to divulge informationcovered by physician-patient or similarprivilege. Under the access provisions, acovered entity may redact informationin a record about other persons orinformation obtained under a promise of confidentiality, prior to releasing the

information to the individual. Weclarify that nothing in this provisionwould prevent access to informationneeded to prosecute or defend a medicalmalpractice action; the rules of therelevant court determine such access.

We found no persuasive evidence tosupport excluding information alreadysupplied to individuals on previous

requests. The burdens of trackingrequests and the information providedpursuant to requests outweigh the

burdens of providing the accessrequested. A covered entity may,however, discuss the scope of therequest for access with the individual tofacilitate the timely provision of access.For example, if the individual agrees,the covered entity could supply only theinformation created or received sincethe date access was last granted.

Disclosure

Comment: A number of commentersasked that the definition of ‘‘disclosure’’

be modified so that it is clear that it doesnot include the release, transfer,provision of access to, or divulging inany other manner of protected healthinformation to the individual who is thesubject of that information. It wassuggested that we revise the definitionin this way to clarify that a health careprovider may release protected healthinformation to the subject of theinformation without first requiring thatthe patient complete an authorizationform.

Response: We agree with thecommenters’ concern, but accomplish

this result through a different provisionin the regulation. In §164.502 of thisfinal rule, we specify that disclosures of protected health information to theindividual are not subject to thelimitations on disclosure of protectedhealth information otherwise imposed

by this rule.Comment: A number of commenters

stated that the regulation should notapply to disclosures occurring within oramong different subsidiaries orcomponents of the same entity. Onecommenter interpreted ‘‘disclosure’’ tomean outside the agency or, in the case

of a state Department of Health, outsidesister agencies and offices that directlyassist the Secretary in performingMedicaid functions and are listed in thestate plan as entitled to receiveMedicaid data.

Response: We agree that there arecircumstances under which relatedorganizations may be treated as a singlecovered entity for purposes of protectingthe privacy of health information, andmodify the rule to accommodate suchcircumstances. In §164.504 of the finalrule, we specify the conditions under

which affiliated companies maycombine into a single covered entity andsimilarly describe which components of a larger organization must comply withthe requirements of this rule. Forexample, transfers of information withinthe designated component or affiliatedentity are uses while transfers of information outside the designated

component or affiliated entity aredisclosures. See the discussion of § 164.504 for further information andrationale. It is not clear from thesecomments whether the particularorganizational arrangements describedcould constitute a single covered entity.

Comment: A commenter noted thatthe definition of ‘‘disclosure’’ shouldreflect that health plan correspondencecontaining protected health information,such as Explanation of Benefits (EOBs),is frequently sent to the policyholder.Therefore, it was suggested that thewords ‘‘provision of access to’’ be

deleted from the definition and that a‘‘disclosure’’ be clarified to include theconveyance of protected healthinformation to a third party.

Response: The definition is, on itsface, broad enough to cover the transfersof information described and so is notchanged. We agree that health plansmust be able to send EOBs topolicyholders. Sending EOBcorrespondence to a policyholder by acovered entity is a disclosure forpurposes of this rule, but it is adisclosure for purposes of payment.Therefore, subject to the provisions of § 164.522(b) regarding Confidential

Communications, it is permitted even if it discloses to the policyholderprotected health information aboutanother individual (see below).

Health care operations

Comment: Several commenters statedthat the list of activities within thedefinition of health care operations wastoo broad and should be narrowed. Theyasserted that the definition should belimited to exclude activities that havelittle or no connection to the care of aparticular patient or to only includeemergency treatment situations or

situations constituting a clear andpresent danger to oneself or others.Response: We disagree. We believe

that narrowing the definition in themanner requested will place serious

burdens on covered entities and impairtheir ability to conduct legitimate

business and management functions.Comment: Many commenters,

including physician groups, consumergroups, and privacy advocates, arguedthat we should limit the informationthat can be used for health careoperations to de-identified data. They





argued that if an activity could be donewith de-identified data, it should not beincorporated in the definition of healthcare operations.

Response: We disagree. We believethat many activities necessary for the

business and administrative operationsof health plans and health careproviders are not possible with de-

identified information or are possibleonly under unduly burdensomecircumstances. For example, identifiedinformation may be used or disclosedduring an audit of claims, for a plan tocontact a provider about alternativetreatments for specific patients, and inreviewing the competence of health careprofessionals. Further, not all coveredentities have the same ability to de-identify protected health information.Covered entities with highly automatedinformation systems will be able to usede-identified data for many purposes.Other covered entities maintain most of

their records on paper, so a requirementto de-identify information would placetoo great a burden on the legitimate androutine business functions included inthe definition of health care operations.Small business, which are most likely tohave largely paper records, would findsuch a blanket requirement particularly

burdensome.Protected health information that is

de-identified pursuant to §164.514(a) isnot subject to this rule. We hope thisprovides covered entities capable of de-identifying information with theincentive to do so.

Comment: Some commentersrequested that we permit the use of demographic data (geographic, location,age, gender, and race) separate from allother data for health care operations.They argued that demographic data wasneeded to establish provider networksand monitor providers to ensure that theneeds of ethnic and minoritypopulations were being addressed.

Response: The use of demographicdata for the stated purposes is withinthe definition of health care operations;a special rule is not necessary.

Comment: Some commenters pointed

out that the definition of health careoperations is similar to, and at timesoverlaps with, the definition of research.In addition, a number of commentersquestioned whether or not researchconducted by the covered entity or its

business partner must only beapplicable to and used within thecovered entity to be considered healthcare operations. Others questionedwhether such studies or researchperformed internal to a covered entityare ‘‘health care operations’’ even if generalizable results may be produced.

Response: We agree that some healthcare operations have many of thecharacteristics of research studies and inthe NPRM asked for comments on howto make this distinction. While a clearanswer was not suggested in any of thecomments, the comments generallytogether with our fact finding lead to theprovisions in the final rule. The

distinction between health careoperations and research rests onwhether the primary purpose of thestudy is to produce ‘‘generalizableknowledge.’’ We have modified thedefinition of health care operations toinclude ‘‘quality assessment andimprovement activities, includingoutcomes evaluation and developmentof clinical guidelines, provided that theobtaining of generalizable knowledge isnot the primary purpose of any studiesresulting from such activities.’’ If theprimary purpose of the activity is toproduce generalizable knowledge, the

activity fits within this rule’s definitionof ‘‘research’’ and the covered entitymust comply with §§ 164.508 or164.512, including obtaining anauthorization or the approval of aninstitutional review board or privacy

board. If not and the activity otherwisemeets the definition of health careoperations, the activity is not researchand may be conducted under the healthcare operations provisions of this rule.

In some instances, the primarypurpose of the activity may change aspreliminary results are analyzed. Anactivity that was initiated as an internaloutcomes evaluation may produce

information that the covered entitywants to generalize. If the purpose of astudy changes and the covered entitydoes intend to generalize the results, thecovered entity should document thechange in status of the activity toestablish that they did not violate therequirements of this rule. (See definitionof ‘‘research,’’ below, for furtherinformation on the distinction between‘‘research’’ and ‘‘health careoperations.’’)

We note that the difficulty indetermining when an activity is for theinternal operations of an entity and

when it is a research activity is a long-standing issue in the industry. Thevariation among commenters’ views isone of many indications that, today,there is not consensus on how to drawthis line. We do not resolve the largerissue here, but instead providerequirements specific to the informationcovered by this rule.

Comment: Several commenters askedthat disease management and disabilitymanagement activities be explicitlyincluded in the definition of health careoperations. Many health plans asserted

that they would not be able to providedisease management, wellness, andhealth promotion activities if theactivity were solely captured in therule’s definition of ‘‘treatment.’’ Theyalso expressed concern that ‘‘treatment’’usually applies to an individual, not toa population, as is the practice fordisease management.

Response: We were unable to findgenerally accepted definitions of theterms ‘‘disease management’’ and‘‘disability management.’’ Rather thanrely on this label, we include many of the functions often included indiscussions of disease management inthis definition or in the definition of treatment, and modify both definitionsto address the commenters’ concerns.For example, we have revised thedefinition of health care operations toinclude population-based activitiesrelated to improving health or reducinghealth care costs. This topic is discussed

further in the comment responsesregarding the definition of ‘‘treatment,’’ below.

Comment: Several commenters urgedthat the definition of health careoperations be illustrative and flexible,rather than structured in the form of alist as in the proposed rule. They

believed it would be impossible toidentify all the activities that constitutehealth care operations. Commentersrepresenting health plans wereconcerned that the ‘‘static’’ nature of thedefinition would stifle innovation andcould not reflect the new functions thathealth plans may develop in the future

that benefit consumers, improve quality,and reduce costs. Other commenters,expressed support for the approachtaken in the proposed rule, but felt thelist was too broad.

Response: In the final rule, we revisethe proposed definition of health careoperations to broaden the list of activities included, but we do not agreewith the comments asking for anillustrative definition rather than aninclusive list. Instead, we describe theactivities that constitute health careoperations in broad terms andcategories, such as ‘‘quality assessment’’

and ‘‘business planning anddevelopment.’’ We believe the use of broadly stated categories will allowindustry innovation, but without theprivacy risks entailed in an illustrativeapproach.

Comment: Several commenters notedthat utilization review and internalquality review should be included inthe definition. They pointed out that

both of these activities were discussedin the preamble to the proposed rule butwere not incorporated into theregulation text.





that the proposed rule would not permitsuch sharing of information.

Response: While we agree thatintegrating health information fromdifferent benefit programs may produceefficiencies as well as benefits forindividuals, the integration also raisessignificant privacy concerns,particularly if there are no safeguards on

uses and disclosures from the integrateddata. Under HIPAA, we do not havejurisdiction over many types of insurersthat use health information, such asworkers’ compensation insurers orinsurers providing disability income

benefits, and we cannot address theextent to which they provideindividually identifiable healthinformation to a health plan, nor do weprohibit a health plan from receivingsuch information. Once a health planreceives identifiable health information,however, the information becomesprotected and may only be used and

disclosed as otherwise permitted by thisrule.We clarify, however, that a covered

entity may provide data and statisticalanalyses for its customers as a healthcare operation, provided that it does notdisclose protected health information ina way that would otherwise violate thisrule. A group health plan or healthinsurance issuer or HMO, or their

business associate on their behalf, mayperform such analyses for an employercustomer and provide the results in de-identified form to the customer, usingintegrated data received from otherinsurers, as long as protected health

information is not disclosed in violationof this rule. See the definition of ‘‘healthcare operations,’’ §164.501. If theemployer sponsors more than one grouphealth plan, or if its group health planprovides coverage through more thanone health insurance issuer or HMO, thedifferent covered entities may be anorganized health care arrangement and

be able to jointly participate in such ananalysis as part of the health careoperations of such organized health carearrangement. See the definitions of ‘‘health care operations’’ and ‘‘organizedhealth care arrangement,’’ §164.501. We

further clarify that a plan sponsorproviding plan administration to agroup health plan may participate insuch an analysis, provided that therequirements of §164.504(f) and otherparts of this rule are met.

The results described above are the

We note that under the arrangementsdescribed above, the final rule providessubstantial flexibility to covered entitiesto provide general data and statisticalanalyses, resulting in the disclosure of de-identified information, to employersand other customers. An employer alsomay receive protected healthinformation from a covered entity for

any purpose, including those describedin comment above, with theauthorization of the individual. See§ 164.508.

Comment: A number of commentersasserted that the proposed definitionappeared to limit training andeducational activities to that of healthcare professionals, students, andtrainees. They asked that we expand thedefinition to include other education-related activities, such as continuingeducation for providers and training of non-health care professionals as neededfor supporting treatment or payment.

Response: We agree with thecommenters that the definition of healthcare operations was unnecessarilylimiting with respect to educationalactivities and expand the definition of health care operations to include‘‘conducting training programs in whichstudents, trainees, or practitioners inareas of health care learn undersupervision to practice or improve theirskills as health care providers.’’ Weclarify that medical rounds areconsidered treatment, not health careoperations.

Comment: A few commentersoutlined the need to include the trainingof non-health care professionals, such ashealth data analysts, administrators, andcomputer programmers within thedefinition of health care operations. Itwas argued that, in many cases, theseprofessionals perform functions whichsupport treatment and payment and willneed access to protected healthinformation in order to carry out theirresponsibilities.

Response: We agree and expand thedefinition of health care operations toinclude training of non-health care

professionals.Comment: One commenter stated that

the definition did not explicitly includephysician credentialing and peerreview.

Response: We have revised the

Health Oversight Agency

Comment: Some commenters soughtto have specific organizations defined ashealth oversight agencies. For example,some commenters asked that theregulation text, rather than thepreamble, explicitly list state insurancedepartments as an example of health

oversight agencies. Medical devicemanufacturers recommended expandingthe definition to include governmentcontractors such as coding committees,which provide data to HCFA to help theagency make reimbursement decisions.

One federal agency soughtclarification that several of its sub-agencies were oversight agencies; it wasconcerned about its status in part

because the agency fits into more thanone of the categories of health oversightagency listed in the proposed rule.

Other commenters recommendedexpanding the definition of oversightagency to include private-sector

accreditation organizations. Onecommenter recommended stating in thefinal rule that private companiesproviding information to insurers andemployers are not included in thedefinition of health oversight agency.

Response: Because the range of healthoversight agencies is so broad, we donot include specific examples in thedefinition. We include many examplesin the preamble above and providefurther clarity here.

As under the NPRM, state insurancedepartments are an example of a healthoversight agency. A commenter

concerned about state trauma registriesdid not describe the registries’ activitiesor legal charters, so we cannot clarifywhether such registries may be healthoversight agencies. Governmentcontractors such as coding committees,which provide data to HCFA to supportpayment processes, are not therebyhealth oversight agencies under thisrule. We clarify that public agenciesmay fit into more than one category of health oversight agency.

The definition of health oversightagency does not include private-sectoraccreditation organizations. While their

work can promote quality in the healthcare delivery system, privateaccreditation organizations are notauthorized by law to oversee the healthcare system or government programs inwhich health information is necessaryto determine eligibility or compliance,

Health and Human Services: PvcFR03

Documents

Transcript of Health and Human Services: PvcFR03