[Federal Register: December 28, 2000 (Volume 65, Number 250)] [Rules and Regulations] [Page 82561-82610] From the Federal Register Online via GPO Access [wais.access.gpo.gov] [DOCID:fr28de00-31] [[pp. 82561-82610]] Standards for Privacy of Individually Identifiable Health Information [[Continued from page 82560]] [[Page 82561]] A covered entity may only extend the deadline one time per request for accounting. The NPRM did not address whether a covered entity could charge a fee for the accounting of disclosures. In the final rule, we provide that individuals have a right to receive one free accounting per 12 month period. For each additional request by an individual within the 12 month period, the covered entity may charge a reasonable, cost-based fee. If it imposes such a fee, the covered entity must inform the individual of the fee in advance and provide the individual with an opportunity to withdraw or modify the request in order to avoid or reduce the fee. Procedures and Documentation As in the proposed rule, we establish documentation requirements for covered entities subject to this provision. In accordance with Sec. 164.530(j), for disclosures that are subject to the accounting requirement, the covered entity must retain documentation of the information required to be included in the accounting. The covered entity must also retain a copy of any accounting provided and must document the titles of the persons or offices responsible for receiving and processing requests for an accounting. Section 164.530--Administrative Requirements Designation of a Privacy Official and Contact Person In Sec. 164.518(a) of the NPRM, we proposed that covered entities be required to designate an individual as the covered entity's privacy official, responsible for the implementation and development of the entity's privacy policies and procedures. We also proposed that covered entities be required to designate a contact person to receive complaints about privacy and provide information about the matters covered by the entity's notice. We indicated that the contact person could be, but was not required to be, the person designated as the privacy official. We proposed to leave implementation details to the discretion of the covered entity. We expected implementation to vary widely depending on the size and nature of the covered entity, with small offices assigning this as an additional duty to an existing staff person, and large organizations creating a full-time privacy official. In proposed Sec. 164.512, we also proposed to require the covered plan or provider's privacy notice to include the name of a contact person for privacy matters. The final regulation retains the requirements for a privacy official and contact person as specified in the NPRM. These designations must be documented. The designation of privacy official and contact person positions within affiliated entities will depend on how the covered entity chooses to designate the covered entity(ies) under Sec. 164.504(b). If a subsidiary is defined as a covered entity under this regulation, then a separate privacy official and contact person is required for that covered entity. If several subsidiaries are designated as a single covered entity, pursuant to Sec. 164.504(b), then together they need have only a single privacy officer and contact person. If several covered entities share a notice for services provided on the same premises, pursuant to Sec. 164.520(d), that notice need designate only one privacy official and contact person for the information collected under that notice. These requirements are consistent with the approach recommended by the Joint Commission on Accreditation of Healthcare Organizations, and the National Committee for Quality Assurance, in its paper ``Protecting Personal Health Information; A framework for Meeting the Challenges in a Managed Care Environment.'' This paper notes that ``accountability is enhanced by having focal points who are responsible for assessing compliance with policies and procedures * * * '' (p. 29) Training In Sec. 164.518(b) of the NPRM we proposed to require that covered entities provide training on the entities' policies and procedures to all members of the workforce likely to have access to protected health information. Each entity would be required to provide initial training by the date on which this rule became applicable. After that date, each covered entity would have to provide training to new members of the workforce within a reasonable time after joining the entity. In addition, we proposed that when a covered entity made material changes in its privacy policies or procedures, it would be required to retrain those members of the workforce whose duties were related to the change within a reasonable time of making the change. The NPRM would have required that, upon completion of the training, the trainee would be required to sign a statement certifying that he or she received the privacy training and would honor all of the entity's privacy policies and procedures. Entities would determine the most effective means of achieving this training requirement for their workforce. We also proposed that, at least every three years after the initial training, covered entities would be required to have each member of the workforce sign a new statement certifying that he or she would honor all of the entity's privacy policies and procedures. The covered entity would have been required to document its policies and procedures for complying with the training requirements. The final regulation requires covered entities to train all members of their workforce on the policies and procedures with respect to protected health information required by this rule, as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity. We do not change the proposed time lines for training existing and new members of the workforce, or for training due to material changes in the covered entity's policies and procedures. We eliminate both the requirement for employees to sign a certification following training and the triennial re-certification requirement. Covered entities are responsible for implementing policies and procedures to meet these requirements and for documenting that training has been provided. Safeguards In Sec. 164.518(c) of the NPRM, we proposed to require covered entities to put in place administrative, technical, and physical safeguards to protect the privacy of protected health information. We made reference in the preamble to similar requirements proposed for certain electronic information in the Notice of Proposed Rulemaking entitled the Security and Electronic Signature Standards (HCFA-0049-P). We stated that we were proposing parallel and consistent requirements for safeguarding the privacy of protected health information. In Sec. 164.518(c)(3) of the NPRM, we required covered entities to have safeguards to ensure that information was not used in violation of the requirements of this subpart or by people who did not have proper authorization to access the information. We do not change the basic proposed requirements that covered entities have administrative, technical and physical safeguards to protect the privacy of protected health information. We combine the proposed requirements into a single standard that requires covered entities to safeguard protected health information from accidental or intentional use or disclosure that is a violation of the requirements of this rule [[Page 82562]] and to protect against the inadvertent disclosure of protected health information to persons other than the intended recipient. Limitations on access to protected health information by the covered entities workforce will also be covered by the policies and procedures for ``minimum necessary'' use of protected health information, pursuant to Sec. 164.514(d). We expect these provisions to work in tandem. We do not prescribe the particular measures that covered entities must take to meet this standard, because the nature of the required policies and procedures will vary with the size of the covered entity and the type of activities that the covered entity undertakes. (That is, as with other provisions of this rule, this requirement is ``scalable.'') Examples of appropriate safeguards include requiring that documents containing protected health information be shredded prior to disposal, and requiring that doors to medical records departments (or to file cabinets housing such records) remain locked and limiting which personnel are authorized to have the key or pass- code. We intend this to be a common sense, scalable, standard. We do not require covered entities to guarantee the safety of protected health information against all assaults. Theft of protected health information may or may not signal a violation of this rule, depending on the circumstances and whether the covered entity had reasonable policies to protect against theft. Organizations such as the Association for Testing and Materials (ASTM) and the American Health Information Management Association (AHIMA) have developed a body of recommended practices for handling of protected health information that covered entities may find useful. We note that the proposed HIPAA Security Standards would require covered entities to safeguard the privacy and integrity of health information. For electronic information, compliance with both regulations will be required. In Sec. 164.518(c)(2) of the NPRM we proposed requirements for verification procedures to establish identity and authority for permitted disclosures of protected health information. In the final rule, this material has been moved to Sec. 164.514(h). Use or Disclosure of Protected Health Information by Whistleblowers In Sec. 164.518(c)(4) of the NPRM, this provision was entitled ``Implementation Specification: Disclosures by whistleblowers.'' It is now retitled ``Disclosures by whistleblowers,'' with certain changes, and moved to Sec. 164.502(j)(1). Complaints to the Covered Entity In Sec. 164.518(d) of the NPRM, we proposed to require covered entities to have a mechanism for receiving complaints from individuals regarding the health plan's or provider's compliance with the requirements of this proposed rule. We did not require that the health plan or provider develop a formal appeals mechanism, nor that ``due process'' or any similar standard be applied. Additionally, there was no requirement to respond in any particular manner or time frame. We proposed two basic requirements for the complaint process. First, the covered health plan or health care provider would be required to identify in the notice of information practices a contact person or office for receiving complaints. Second, the health plan or provider would be required to maintain a record of the complaints that are filed and a brief explanation of their resolution, if any. In the final rule, we retain the requirement for an internal complaint process for compliance with this rule, including the two basic requirements of identifying a contact person and documenting complaints received and their dispositions, if any. We expand the scope of complaints that covered entities must have a means of receiving to include complaints concerning violations of the covered entity's privacy practices, not just violations of the rule. For example, a covered entity must have a mechanism for receiving a complaint that patient information is used at a nursing station in a way that it can also be viewed by visitors to the hospital, regardless of whether the practices at the nursing stations might constitute a violation of this rule. Sanctions In Sec. 164.518(e) of the NPRM, we proposed to require all covered entities to develop, and apply when appropriate, sanctions against members of its workforce who failed to comply with privacy policies or procedures of the covered entity or with the requirements of the rule. Covered entities would be required to develop and impose sanctions appropriate to the nature of the violation. The preamble stated that the type of sanction applied would vary depending on factors such as the severity of the violation, whether the violation was intentional or unintentional, and whether the violation indicated a pattern or practice of improper use or disclosure of protected health information. Sanctions could range from a warning to termination. The NPRM preamble language also stated that covered entities would be required to apply sanctions against business associates that violated the proposed rule. In the final rule, we retain the requirement for sanctions against members of a covered entity's workforce. We also require a covered entity to have written policies and procedures for the application of appropriate sanctions for violations of this subpart and to document those sanctions. These sanctions do not apply to whistleblower activities that meet the provisions of Sec. 164.502(j) or complaints, investigations, or opposition that meet the provisions of Sec. 164.530(g)(2). We eliminate language regarding business associates from this section. Requirements with respect to business associates are stated in Sec. 164.504. Duty To Mitigate In proposed Sec. 164.518(f), we would have required covered entities to have policies and procedures for mitigating, to the extent practicable, any deleterious effect of a use or disclosure of protected health information in violation of the requirements of this subpart. The NPRM preamble also included specific language applying this requirement to harm caused by members of the covered entity's workforce and business associates. With respect to business associates, the NPRM preamble but not the NPRM rule text, stated that covered entities would have a duty to take reasonable steps in response to breaches of contract terms. Covered entities generally would not be required to monitor the activities of their business associates, but would be required to take steps to address problems of which they become aware, and, where the breach was serious or repeated, would also be required to monitor the business associate's performance to ensure that the wrongful behavior had been remedied. Termination of the arrangement would be required only if it became clear that a business associate could not be relied upon to maintain the privacy of protected health information provided to it. In the final rule, we clarify this requirement by imposing a duty for covered entities to mitigate any harmful effect of a use or disclosure of protected health information that is known to the covered entity. We apply the duty to mitigate to a violation of the covered entity's policies and procedures, not just a violation of the requirements of the subpart. We resolve the ambiguities in the NPRM by imposing this duty on covered entities for harm caused by [[Page 82563]] either members of their workforce or by their business associates. We eliminate the language regarding potential breaches of business associate contracts from this section. All other requirements with respect to business associates are stated in Sec. 164.504. Refraining from Intimidating or Retaliatory Acts In Sec. 164.522(d)(4) of the NPRM, in the Compliance and Enforcement section, we proposed that one of the responsibilities of a covered entity would be to refrain from intimidating or retaliatory acts. Specifically, the rule provided that ``[a] covered entity may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for the filing of a complaint under this section, for testifying, assisting, participating in any manner in an investigation, compliance review, proceeding or hearing under this Act, or opposing any act or practice made unlawful by this subpart.'' In the final rule, we continue to require that entities refrain from intimidating or retaliatory acts; however, the provisions have been moved to the Administrative Requirements provisions in Sec. 164.530. This change is not just clerical; in making this change, we apply this provision to the privacy rule alone rather than to all the HIPAA administrative simplification rules. (The compliance and enforcement provisions that were in Sec. 164 are now in Part 160, Subpart C.) We continue to prohibit retaliation against individuals for filing a complaint with the Secretary, but also prohibit retaliation against any other person who files such a complaint. This is the case because the term ``individual'' is generally limited to the person who is the subject of the information. The final rule prohibits retaliation against persons, not just individuals, for testifying, assisting, or participating in an investigation, compliance review, proceeding or hearing under Part C of Title XI. The proposed regulation referenced the ``Act,'' which is defined in Part 160 as the Social Security Act. Because we only intend to protect activities such as participation in investigations and hearings under the Administrative Simplification provisions of HIPAA, the final rule references Part C of Title XI of the Social Security Act. The proposed rule would have prohibited retaliatory actions against individuals for opposing any act or practice made unlawful by this subpart. The final rule retains this provision, but applies it to any person, only if the person ``has a good faith belief that the practice opposed is unlawful, the manner of the opposition is reasonable and does not involve a disclosure of protected health information in violation of this subpart.'' The final rule provides additional protections, which had been included in the preamble to the proposed rule. Specifically, we prohibit retaliatory actions against individuals who exercise any right, or participate in any process established by the privacy rule (Part 164 Subpart E), and include as an example the filing of a complaint with the covered entity. Waiver of Rights In the final regulation, but not in the proposed regulation, we provide that a covered entity may not require individuals to waive their rights to file a complaint with the Secretary or their other rights under this rule as a condition of the provision of treatment, payment, enrollment in a health plan or eligibility for benefits. This provision ensures that covered entities do not take away the rights that individuals have been provided in Parts 160 and 164. Requirements for Policies and Procedures, and Documentation Requirements In Sec. 164.520 of the NPRM, we proposed to require covered entities to develop and document their policies and procedures for implementing the requirements of the rule. In the final regulation we retain this approach, but specify which standards must be documented in each of the relevant sections. In this section, we state the general administrative requirements applicable to all policies and procedures required throughout the regulation. In Sec. 164.530(i), (j), and (k) of the final rule, we amend the NPRM language in several respects. In Sec. 164.530(i) we require that the policies and procedures be reasonably designed to comply with the standards, implementation specifications, and other requirements of the relevant part of the regulation, taking into account the size of the covered entity and the nature of the activities undertaken by the covered entity that relate to protected health information. However, we clarify that the requirements that policies and procedures be reasonably designed may not be interpreted to permit or excuse any action that violates the privacy regulation. Where the covered entity has stated in its notice that it reserves the right to change information practices, we allow the new practice to apply to information created or collected prior to the effective date of the new practice and establish requirements for making this change. We also establish the conditions for making changes if the covered entity has not reserved the right to change its practices. We require covered entities to modify in a prompt manner their policies and procedures to comply with changes in relevant law and, where the change also affects the practices stated in the notice, to change the notice. We make clear that nothing in our requirements regarding changes to policies and procedures or changes to the notice may be used by a covered entity to excuse a failure to comply with applicable law. In Sec. 164.530(j), we require that the policies and procedures required throughout the regulation be maintained in writing, and that any other communication, action, activity, or designation that must be documented under this regulation be documented in writing. We note that ``writing'' includes electronic storage; paper records are not required. We also note that, if a covered entity is required to document the title of a person, we mean the job title or similar description of the relevant position or office. We require covered entities to retain any documentation required under this rule for at least six years (the statute of limitations period for the civil penalties) from the date of the creation of the documentation, or the date when the document was last in effect, which ever is later. This generalizes the NPRM provision to cover all documentation required under the rule. The language on ``last was in effect'' is a change from the NPRM which was worded ``unless a longer period applies under this subpart.'' This approach is consistent with the approach recommended by the Joint Commission on Accreditation of Healthcare Organizations, and the National Committee for Quality Assurance, in its paper ``Protecting Personal Health Information; A framework for Meeting the Challenges in a Managed Care Environment.'' This paper notes that ``MCOs [Managed Care Organizations] should have clearly defined policies and procedures for dealing with confidentiality issues.'' (p. 29). Standards for Certain Group Health Plans We add a new provision (Sec. 164.530(k)) to clarify the administrative responsibilities of group health plans that offer benefits through issuers and HMOs. Specifically, a group health plan that provides benefits solely through an issuer or HMO, and that does not create, receive or maintain protected health [[Page 82564]] information other than summary health information or information regarding enrollment and disenrollment, is not subject to the requirements of this section regarding designation of a privacy official and contact person, workforce training, safeguards, complaints, mitigation, or policies and procedures. Such a group health plan is only subject to the requirements of this section regarding documentation with respect to its plan documents. Issuers and HMOs are covered entities under this rule, and thus have independent obligations to comply with this section with respect to the protected health information they maintain about the enrollees in such group health plans. The group health plans subject to this provision will have only limited protected health information. Therefore, imposing these requirements on the group health plan would impose burdens not outweighed by a corresponding enhancement in privacy protections. Section 164.532--Transition Provisions In the NPRM, we did not address the effect of the regulation on consents and authorizations covered entities obtained prior to the compliance date of the regulation. In the final rule, we clarify that, in certain circumstances, a covered entity may continue to rely upon consents, authorizations, or other express legal permissions obtained prior to the compliance date of this regulation to use or disclose protected health information even if these consents, authorizations, or permissions do not meet the requirements set forth in Secs. 164.506 or 164.508. We realize that a covered entity may wish to rely upon a consent, authorization, or other express legal permission obtained from an individual prior to the compliance date of this regulation which permits the use or disclosure of individually identifiable health information for activities that come within treatment, payment, or health care operations (as defined in Sec. 164.501), but that do not meet the requirements for consents set forth in Sec. 164.506. In the final rule, we permit a covered entity to rely upon such consent, authorization, or permission to use or disclose protected health information that it created or received before the applicable compliance date of the regulation to carry out the treatment, payment, or health care operations as long as it meets two requirements. First, the covered entity may not make any use or disclosure that is expressly excluded from the consent, authorization, or permission. Second, the covered entity must comply with all limitations expressed in the consent, authorization, or permission. Thus, we do not require a covered entity to obtain a consent that meets the requirements of Sec. 164.506 to use or disclose this previously obtained protected health information as long as the use or disclosure is consistent with the requirements of this section. However, a covered entity will need to obtain a consent that meets the requirements of Sec. 164.506 to the extent that it is required to obtain a consent under Sec. 164.506 from an individual before it may use or disclose any protected health information it creates or receives after the date by which it must comply with this rule. Similarly, we recognize that a covered entity may wish to rely upon a consent, authorization, or other express legal permission obtained from an individual prior to the applicable compliance date of this regulation that specifically permits the covered entity to use or disclose individually identifiable health information for activities other than to carry out treatment, payment, or health care operations. In the final rule, we permit a covered entity to rely upon such a consent, authorization, or permission to use or disclose protected health information that it created or received before the applicable compliance date of the regulation for the specific activities described in the consent, authorization, or permission as long as the covered entity complies with two requirements. First, the covered entity may not make any use or disclosure that is expressly excluded from the consent, authorization, or permission. Second, the covered entity must comply with all limitations expressed in the consent, authorization, or permission. Thus, we do not required a covered entity to obtain an authorization that meets the requirements of Sec. 164.508 to use or disclose this previously obtained protected health information so long as the use or disclosure is consistent with the requirements of this section. However, a covered entity will need to obtain an authorization that meets the requirements of Sec. 164.508, to the extent that it is required to obtain an authorization under this rule, from an individual before it may use or disclose any protected health information it creates or receives after the date by which it must comply with this rule. Additionally, the final rule acknowledges that covered entities may wish to rely upon consents, authorizations, or other express legal permission obtained from an individual prior to the applicable compliance date for a specific research project that includes the treatment of individuals, such as clinical trials. These consents, authorizations, or permissions may specifically permit a use or disclosure of individually identifiable health information for purposes of the project. Alternatively, they may be general consents to participate in the project. A covered entity may use or disclose protected health information it created or received before or after to the applicable compliance date of this rule for purposes of the project provided that the covered entity complies with all limitations expressed in the consent, authorization, or permission. If, pursuant to this section, a covered entity relies upon a previously obtained consent, authorization, or other express legal permission and agrees to a request for a restriction by an individual under Sec. 164.522(a), any subsequent use or disclosure under that consent, authorization, or permission must comply with the agreed upon restriction as well. We believe it is necessary to grandfather in previously obtained consents, authorizations, or other express legal permissions in these circumstances to ensure that important functions of the health care system are not impeded. We link the effectiveness of such consents, authorizations, or permissions in these circumstances to the applicable compliance date to give covered entities sufficient notice of the requirements set forth in Secs. 164.506 and 164.508. The rule does not change the past effectiveness of consents, authorizations, or other express legal permissions that do not come within this section. This means that uses or disclosures of individually identifiable health information made prior to the compliance date of this regulation are not subject to sanctions, even if they were made pursuant to documents or permissions that do not meet the requirements of this rule or were made without permission. This rule alters only the future effectiveness of the previously obtained consents, authorizations, or permissions. Covered entities are not required to rely upon these consents, authorizations, or permissions and may obtain new consents or authorizations that meet the applicable requirements of Secs. 164.506 and 164.508. When reaching this decision, we considered requiring all covered entities to obtain new consents or authorizations consistent with the requirements of Secs. 164.506 and 164.508 before they would be able to use or disclose protected health information obtained [[Page 82565]] after the compliance date of these rules. We rejected this option because we recognize that covered entities may not always be able to obtain new consents or authorizations consistent with the requirements of Secs. 164.506 and 164.508 from all individuals upon whose information they rely. We also refrained from impeding the rights of covered entities to exercise their interests in the records they have created. We do not require covered entities with existing records or databases to destroy or remove the protected health information for which they do not have valid consents or authorizations that meet the requirements of Secs. 164.506 and 164.508. Covered entities may rely upon the consents, authorizations, or permissions they obtained from individuals prior to the applicable compliance date of this regulation consistent with the constraints of those documents and the requirements discussed above. We note that if a covered entity obtains before the applicable compliance date of this regulation a consent that meets the requirements of Sec. 164.506, an authorization that meets the requirements of Sec. 164.508, or an IRB or privacy board waiver of authorization that meets the requirements of Sec. 164.512(i), the consent, authorization, or waiver is effective for uses or disclosures that occur after the compliance date and that are consistent with the terms of the consent, authorization, or waiver. Section 164.534--Compliance Dates for Initial Implementation of the Privacy Standards In the NPRM, we provided that a covered entity must be in compliance with this subpart not later than 24 months following the effective date of this rule, except that a covered entity that is a small health plan must be in compliance with this subpart not later than 36 months following the effective date of the rule. The final rule did not make any substantive changes. The format is changed so as to more clearly present the various compliance dates. The final rule lists the types of covered entities and then the various dates that would apply to each of these entities. III. Section-by-Section Discussion of Comments The following describes the provisions in the final regulation, and the changes we make to the proposed provisions section-by-section. Following each section are our responses to the comments to that section. This section of the preamble is organized to follow the corresponding section of the final rule, not the NPRM. General Comments We received many comments on the rule overall, not to a particular provision. We respond to those comments here. Similar comments, but directed to a specific provision in the proposed rule, are answered below in the corresponding section of this preamble. Comments on the Need for Privacy Standards, and Effects of this Regulation on Current Protections Comment: Many commenters expressed the opinion that federal legislation is necessary to protect the privacy of individuals' health information. One comment advocated Congressional efforts to provide a comprehensive federal health privacy law that would integrate the substance abuse regulations with the privacy regulation. Response: We agree that comprehensive privacy legislation is urgently needed. This administration has urged the Congress to pass such legislation. While this regulation will improve the privacy of individuals' health information, only legislation can provide the full array of privacy protection that individuals need and deserve. Comment: Many commenters noted that they do not go to a physician, or do not completely share health information with their physician, because they are concerned about who will have access to that information. Many physicians commented on their patients' reluctance to share information because of fear that their information will later be used against them. Response: We agree that strong federal privacy protections are necessary to enhance patients' trust in the health care system. Comment: Many commenters expressed concerns that this regulation will allow access to health information by those who today do not have such access, or would allow their physician to disclose information which may not lawfully be disclosed today. Many of these commenters stated that today, they consent to every disclosure of health information about them, and that absent their consent the privacy of their health information is ``absolute.'' Others stated that, today, health information is disclosed only pursuant to a judicial order. Several commenters were concerned that this regulation would override stronger state privacy protection. Response: This regulation does not, and cannot, reduce current privacy protections. The statutory language of the HIPAA specifically mandates that this regulation does not preempt state laws that are more protective of privacy. As discussed in more detail in later this preamble, while many people believe that they must be asked permission prior to any release of health information about them, current laws generally do not impose such a requirement. Similarly, as discussed in more detail later in this preamble, judicial review is required today only for a small proportion of releases of health information. Comment: Many commenters asserted that today, medical records ``belong'' to patients. Others asserted that patients own their medical information and health care providers and insurance companies who maintain health records should be viewed as custodians of the patients' property. Response: We do not intend to change current law regarding ownership of or responsibility for medical records. In developing this rule we reviewed current law on this and related issues, and built on that foundation. Under state laws, medical records are often the property of the health care provider or medical facility that created them. Some state laws also provide patients with access to medical records or an ownership interest in the health information in medical records. However, these laws do not divest the health care provider or the medical facility of its ownership interest in medical records. These statutes typically provide a patient the right to inspect or copy health information from the medical record, but not the right to take the provider's original copy of an item in the medical record. If a particular state law provides greater ownership rights, this regulation leaves such rights in place. Comment: Some commenters argued that the use and disclosure of sensitive personal information must be strictly regulated, and violation of such regulations should subject an entity to significant penalties and sanctions. Response: We agree, and share the commenters' concern that the penalties in the HIPAA statute are not sufficient to fully protect individuals' privacy interests. The need for stronger penalties is among the reasons we believe Congress should pass comprehensive privacy legislation. Comment: Many commenters expressed the opinion that the proposed ruled should provide stricter privacy protections. [[Page 82566]] Response: We received nearly 52,000 comments on the proposed regulation, and make substantial changes to the proposal in response to those comments. Many of these changes will strengthen the protections that were proposed in the NPRM. Comment: Many comments express concerns that their health information will be given to their employers. Response: We agree that employer access to health information is a particular concern. In this final regulation, we make significant changes to the NPRM that clarify and provide additional safeguards governing when and how the health plans covered by this regulation may disclose health information to employers. Comment: Several commenters argued that individuals should be able to sue for breach of privacy. Response: We agree, but do not have the legislative authority to grant a private right of action to sue under this statute. Only Congress can grant that right. Objections to Government Access to Protected Health Information Comment: Many commenters urged the Department not to create a government database of health information, or a tracking system that would enable the government to track individuals health information. Response: This regulation does not create such a database or tracking system, nor does it enable future creation of such a database. This regulation describes the ways in which health plans, health care clearinghouses, and certain health care providers may use and disclose identifiable health information with and without the individual's consent. Comment: Many commenters objected to government access to or control over their health information, which they believe the proposed regulation would provide. Response: This regulation does not increase current government access to health information. This rule sets minimum privacy standards. It does not require disclosure of health information, other than to the subject of the records or for enforcement of this rule. Health plans and health care providers are free to use their own professional ethics and judgement to adopt stricter policies for disclosing health information. Comment: Some commenters viewed the NPRM as creating fewer hurdles for government access to protected health information than for access to protected health information by private organizations. Some health care providers commented that the NPRM would impose substantial new restrictions on private sector use and disclosure of protected health information, but would make government access to protected health information easy. One consumer advocacy group made the same observation. Response: We acknowledge that many of the national priority purposes for which we allow disclosure of protected health information without consent or authorization are for government functions, and that many of the governmental recipients of such information are not governed by this rule. It is the role of government to undertake functions in the broader public interest, such as public health activities, law enforcement, identification of deceased individuals through coroners' offices, and military activities. It is these public purposes which can sometimes outweigh an individual's privacy interest. In this rule, we specify the circumstances in which that balance is tipped toward the public interest with respect to health information. We discuss the rationale behind each of these permitted disclosures in the relevant preamble sections below. Miscellaneous Comments Comment: Many commenters objected to the establishment of a unique identifier for health care or other purposes. Response: This regulation does not create an identifier. We assume these comments refer to the unique health identifier that Congress directed the Secretary to promulgate under section1173(b) of the Social Security Act, added by section 262 of the HIPAA. Because of the public concerns about such an identifier, in the summer of 1998 Vice President Gore announced that the Administration would not promulgate such a regulation until comprehensive medical privacy protections were in place. In the fall of that year, Congress prohibited the Department from promulgating such an identifier, and that prohibition remains in place. The Department has no plans to promulgate a unique health identifier. Comment: Many commenters asked that we withdraw the proposed regulation and not publish a final rule. Response: Under section 264 of the HIPAA, the Secretary is required by Congress to promulgate a regulation establishing standards for health information privacy. Further, for the reasons explained throughout this preamble above, we believe that the need to protect health information privacy is urgent and that this regulation is in the public's interest. Comment: Many commenters express the opinion that their consent should be required for all disclosure of their health information. Response: We agree that consent should be required prior to release of health information for many purposes, and impose such a requirement in this regulation. Requiring consent prior to all release of health information, however, would unduly jeopardize public safety and make many operations of the health care system impossible. For example, requiring consent prior to release of health information to a public health official who is attempting to track the source of an outbreak or epidemic could endanger thousands of lives. Similarly, requiring consent before an oversight official could audit a health plan would make detection of health care fraud all but impossible; it could take health plans months or years to locate and obtain the consent of all current and past enrollees, and the health plan would not have a strong incentive to do so. These uses of medical information are clearly in the public interest. In this regulation, we must balance individuals' privacy interests against the legitimate public interests in certain uses of health information. Where there is an important public interest, this regulation imposes procedural safeguards that must be met prior to release of health information, in lieu of a requirement for consent. In some instances the procedural safeguards consist of limits on the circumstances in which information may be disclosed, in others the safeguards consist of limits on what information may be disclosed, and in other cases we require some form of legal process (e.g., a warrant or subpoena) prior to release of health information. We also allow disclosure of health information without consent where other law mandates the disclosures. Where such other law exists, another public entity has made the determination that the public interests outweigh the individual's privacy interests, and we do not upset that determination in this regulation. In short, we tailor the safeguards to match the specific nature of the public purpose. The specific safeguards are explained in each section of this regulation below. Comment: Many comments address matters not relevant to this regulation, such as alternative fuels, hospital reimbursement, and gulf war syndrome. Response: These and similar matters are not relevant to this regulation and will not be addressed further. [[Page 82567]] Comment: A few commenters questioned why this level of detail is needed in response to the HIPAA Congressional mandate. Response: This level of detail is necessary to ensure that individuals' rights with respect to their health information are clear, while also ensuring that information necessary for important public functions, such as protecting public health, promoting biomedical research, fighting health care fraud, and notifying family members in disaster situations, will not be impaired by this regulation. We designed this rule to reflect current practices and change some of them. The comments and our fact finding revealed the complexity of current health information practices, and we believe that the complexity entailed in reflecting those practices is better public policy than a perhaps simpler rule that disturbed important information flows. Comment: A few comments stated that the goal of administrative simplification should never override the privacy of individuals. Response: We believe that privacy is a necessary component of administrative simplification, not a competing interest. Comment: At least one commenter said that the goal of administrative simplification is not well served by the proposed rule. Response: Congress recognized that privacy is a necessary component of administrative simplification. The standardization of electronic health information mandated by the HIPAA that make it easier to share that information for legitimate purposes also make the inappropriate sharing of that information easier. For this reason, Congress included a mandate for privacy standards in this section of the HIPAA. Without appropriate privacy protections, public fear and instances of abuse would make it impossible for us to take full advantage of the administrative and costs benefits inherent in the administrative simplification standards. Comment: At least one commenter asked us to require psychotherapists to assert any applicable legal privilege on patients' behalf when protected health information is requested. Response: Whether and when to assert a claim of privilege on a patient's behalf is a matter for other law and for the ethics of the individual health care provider. This is not a decision that can or should be made by the federal government. Comment: One commenter called for HHS to consider the privacy regulation in conjunction with the other HIPAA standards. In particular, this comment focused on the belief that the Security Standards should be compatible with the existing and emerging health care and information technology industry standards. Response: We agree that both this regulation and the final Security Regulation should be compatible with existing and emerging technology industry standards. This regulation is ``technology neutral.'' We do not mandate the use of any particular technologies, but rather set standards which can be met through a variety of means. Comment: Several commenters claimed that the statutory authority given under HIPAA cannot provide meaningful privacy protections because many entities with access to protected health information, such as employers, worker's compensation carriers, and life insurance companies, are not covered entities. These commenters expressed support for comprehensive legislation to close many of the existing loopholes. Response: We agree with the commenters that comprehensive legislation is necessary to provide full privacy protection and have called for members of Congress to pass such legislation to prevent unauthorized and potentially harmful uses and disclosures of information. Part 160--Subpart A--General Provisions Section 160.103--Definitions Business Associate The response to comments on the definition of ``business partner,'' renamed in this rule as ``business associate,'' is included in the response to comments on the requirements for business associates in the preamble discussion of Sec. 164.504. Covered Entity Comment: A number of commenters urged the Department to expand or clarify the definition of ``covered entity'' to include certain entities other than health care clearinghouses, health plans, and health care providers who conduct standard transactions. For example, several commenters asked that the Department generally expand the scope of the rule to cover all entities that receive or maintain individually identifiable health information; others specifically urged the Department to cover employers, marketing firms, and legal entities that have access to individually identifiable health information. Some commenters asked that life insurance and casualty insurance carriers be considered covered entities for purposes of this rule. One commenter recommended that Pharmacy Benefit Management (PBM) companies be considered covered entities so that they may use and disclose protected health information without authorization. In addition, a few commenters asked the Department to clarify that the definition includes providers who do not directly conduct electronic transactions if another entity, such as a billing service or hospital, does so on their behalf. Response: We understand that many entities may use and disclose individually identifiable health information. However, our jurisdiction under the statute is limited to health plans, health care clearinghouses, and health care providers who transmit any health information electronically in connection with any of the standard financial or administrative transactions in section 1173(a) of the Act. These are the entities referred to in section 1173(a)(1) of the Act and thus listed in Sec. 160.103 of the final rule. Consequently, once protected health information leaves the purview of one of these covered entities, their business associates, or other related entities (such as plan sponsors), the information is no longer afforded protection under this rule. We again highlight the need for comprehensive federal legislation to eliminate such gaps in privacy protection. We also provide the following clarifications with regard to specific entities. We clarify that employers and marketing firms are not covered entities. However, employers may be plan sponsors of a group health plan that is a covered entity under the rule. In such a case, specific requirements apply to the group health plan. See the preamble on Sec. 164.504 for a discussion of specific ``firewall'' and other organizational requirements for group health plans and their employer sponsors. The final rule also contains provisions addressing when an insurance issuer providing benefits under a group health plan may disclose summary health information to a plan sponsor. With regard to life and casualty insurers, we understand that such benefit providers may use and disclose individually identifiable health information. However, Congress did not include life insurers and casualty insurance carriers as ``health plans'' for the purposes of this rule and therefore they are not covered entities. See the discussion regarding the definition of ``health plan'' and excepted benefits. [[Page 82568]] In addition, we clarify that a PBM is a covered entity only to the extent that it meets the definition of one or more of the entities listed in Sec. 160.102. When providing services to patients through managed care networks, it is likely that a PBM is acting as a business associate of a health plan, and may thus use and disclose protected health information pursuant to the relevant provisions of this rule. PBMs may also be business associates of health care providers. See the preamble sections on Secs. 164.502, 164.504, and 164.506 for discussions of the specific requirements related to business associates and consent. Lastly, we clarify that health care providers who do not submit HIPAA transactions in standard form become covered by this rule when other entities, such as a billing service or a hospital, transmit standard electronic transactions on their behalf. The provider could not circumvent these requirements by assigning the task to a contractor. Comment: Many commenters urged the Department to restrict or clarify the definition of ``covered entity'' to exclude certain entities, such as department-operated hospitals (public hospitals); state Crime Victim Compensation Programs; employers; and certain lines of insurers, such as workers' compensation insurers, property and casualty insurers, reinsurers, and stop-loss insurers. One commenter expressed concern that clergy, religious practitioners, and other faith-based service providers would have to abide by the rule and asked that the Department exempt prayer healing and non-medical health care. Response: The Secretary provides the following clarifications in response to these comments. To the extent that a ``department-operated hospital'' meets the definition of a ``health care provider'' and conducts any of the standard transactions, it is a covered entity for the purposes of this rule. We agree that a state Crime Victim Compensation Program is not a covered entity if it is not a health care provider that conducts standard transactions, health plan, or health care clearinghouse. Further, as described above, employers are not covered entities. In addition, we agree that workers' compensation insurers, property and casualty insurers, reinsurers, and stop-loss insurers are not covered entities, as they do not meet the statutory definition of ``health plan.'' See further discussion in the preamble on Sec. 160.103 regarding the definition of ``health plan.'' However, activities related to ceding, securing, or placing a contract for reinsurance, including stop-loss insurance, are health care operations in the final rule. As such, reinsurers and stop-loss insurers may obtain protected health information from covered entities. Also, in response to the comment regarding religious practitioners, the Department clarifies that ``health care'' as defined under the rule does not include methods of healing that are solely spiritual. Therefore, clergy or other religious practitioners that provide solely religious healing services are not health care providers within the meaning of this rule, and consequently not covered entities for the purposes of this rule. Comment: A few commenters expressed general uncertainty and requested clarification as to whether certain entities were covered entities for the purposes of this rule. One commenter was uncertain as to whether the rule applies to certain social service entities, in addition to clinical social workers that the commenter believes are providers. Other commenters asked whether researchers or non- governmental entities that collect and analyze patient data to monitor and evaluate quality of care are covered entities. Another commenter requested clarification regarding the definition's application to public health agencies that also are health care providers as well as how the rule affects public health agencies in their data collection from covered entities. Response: Whether the professionals described in these comments are covered by this rule depends on the activities they undertake, not on their profession or degree. The definitions in this rule are based on activities and functions, not titles. For example, a social service worker whose activities meet this rule's definition of health care will be a health care provider. If that social service worker also transmits information in a standard HIPAA transaction, he or she will be a covered health entity under this rule. Another social service worker may provide services that do not meet the rule's definition of health care, or may not transmit information in a standard transaction. Such a social service worker is not a covered entity under this rule. Similarly, researchers in and of themselves are not covered entities. However, researchers may also be health care providers if they provide health care. In such cases, the persons, or entities in their role as health care providers may be covered entities if they conduct standard transactions. With regard to public health agencies that are also health care providers, the health care provider ``component'' of the agency is the covered entity if that component conducts standard transactions. See discussion of ``health care components'' below. As to the data collection activities of a public health agency, the final rule in Sec. 164.512(b) permits a covered entity to disclose protected health information to public health authorities under specified circumstances, and permits public health agencies that are also covered entities to use protected health information for these purposes. See Sec. 164.512(b) for further details. Comment: A few commenters requested that the Department clarify that device manufacturers are not covered entities. They stated that the proposal did not provide enough guidance in cases where the ``manufacturer supplier'' has only one part of its business that acts as the ``supplier,'' and additional detail is needed about the relationship of the ``supplier component'' of the company to the rest of the business. Similarly, another commenter asserted that drug, biologics, and device manufacturers should not be covered entities simply by virtue of their manufacturing activities. Response: We clarify that if a supplier manufacturer is a Medicare supplier, then it is a health care provider, and it is a covered entity if it conducts standard transactions. Further, we clarify that a manufacturer of supplies related to the health of a particular individual, e.g., prosthetic devices, is a health care provider because the manufacturer is providing ``health care'' as defined in the rule. However, that manufacturer is a covered entity only if it conducts standard transactions. We do not intend that a manufacturer of supplies that are generic and not customized or otherwise specifically designed for particular individuals, e.g., ace bandages for a hospital, is a health care provider. Such a manufacturer is not providing ``health care'' as defined in the rule and is therefore not a covered entity. We note that, even if such a manufacturer is a covered entity, it may be an ``indirect treatment provider'' under this rule, and thus not subject to all of the rule's requirements. With regard to a ``supplier component,'' the final rule addresses the status of the unit or unit(s) of a larger entity that constitute a ``health care component.'' See further discussion under Sec. 164.504 of this preamble. Finally, we clarify that drug, biologics, and device manufacturers are not health care providers simply by virtue of their manufacturing activities. The manufacturer must be providing health care consistent with the final [[Page 82569]] rule's definition in order to be considered a health care provider. Comment: A few commenters asked that the Department clarify that pharmaceutical manufacturers are not covered entities. It was explained that pharmaceutical manufacturers provide support and guidance to doctors and patients with respect to the proper use of their products, provide free products for doctors to distribute to patients, and operate charitable programs that provide pharmaceutical drugs to patients who cannot afford to buy the drugs they need. Response: A pharmaceutical manufacturer is only a covered entity if the manufacturer provides ``health care'' according to the rule's definition and conducts standard transactions. In the above case, a pharmaceutical manufacturer that provides support and guidance to doctors and patients regarding the proper use of their products is providing ``health care'' for the purposes of this rule, and therefore, is a health care provider to the extent that it provides such services. The pharmaceutical manufacturer that is a health care provider is only a covered entity, however, if it conducts standard transactions. We note that this rule permits a covered entity to disclose protected health information to any person for treatment purposes, without specific authorization from the individual. Therefore, a covered health care provider is permitted to disclose protected health information to a pharmaceutical manufacturer for treatment purposes. Providing free samples to a health care provider does not in itself constitute health care. For further analysis of pharmacy assistance programs, see response to comment on Sec. 164.501, definition of ``payment.'' Comment: Several commenters asked about the definition of ``covered entity'' and its application to health care entities within larger organizations. Response: A detailed discussion of the final rule's organizational requirements and firewall restrictions for ``health care components'' of larger entities, as well as for affiliated, and other entities is found at the discussion of Sec. 164.504 of this preamble. The following responses to comments provide additional information with respect to particular ``component entity'' circumstances. Comment: Several commenters asked that we clarify the definition of covered entity to state that with respect to persons or organizations that provide health care or have created health plans but are primarily engaged in other unrelated businesses, the term ``covered entity'' encompasses only the health care components of the entity. Similarly, others recommended that only the component of a government agency that is a provider, health plan, or clearinghouse should be considered a covered entity. Other commenters requested that we revise proposed Sec. 160.102 to apply only to the component of an entity that engages in the transactions specified in the rule. Commenters stated that companies should remain free to employ licensed health care providers and to enter into corporate relationships with provider institutions without fear of being considered to be a covered entity. Another commenter suggested that the regulation not apply to the provider-employee or employer when neither the provider nor the company are a covered entity. Some commenters specifically argued that the definition of ``covered entity'' did not contemplate an integrated health care system and one commenter stated that the proposal would disrupt the multi- disciplinary, collaborative approach that many take to health care today by treating all components as separate entities. Commenters, therefore, recommended that the rule treat the integrated entity, not its constituent parts, as the covered entity. A few commenters asked that the Department further clarify the definition with respect to the unique organizational models and relationships of academic medical centers and their parent universities and the rules that govern information exchange within the institution. One commenter asked whether faculty physicians who are paid by a medical school or faculty practice plan and who are on the medical staff of, but not paid directly by, a hospital are included within the covered entity. Another commenter stated that it appears that only the health center at an academic institution is the covered entity. Uncertainty was also expressed as to whether other components of the institution that might create protected health information only incidentally through the conduct of research would also be covered. Response: The Department understands that in today's health care industry, the relationships among health care entities and non-health care organizations are highly complex and varied. Accordingly, the final rule gives covered entities some flexibility to segregate or aggregate its operations for purposes of the application of this rule. The new component entity provision can be found at Secs. 164.504(b)- (c). In response to the request for clarification on whether the rule would apply to a research component of the covered entity, we point out that if the research activities fall outside of the health care component they would not be subject to the rule. One organization may have one or several ``health care component(s)'' that each perform one or more of the health care functions of a covered entity, i.e., health care provider, health plan, health care clearinghouse. In addition, the final rule permits covered entities that are affiliated, i.e., share common ownership or control, to designate themselves, or their health care components, together to be a single covered entity for purposes of the rule. It appears from the comments that there is not a common understanding of the meaning of ``integrated delivery system.'' Arrangements that apply this label to themselves operate and share information many different ways, and may or may not be financially or clinically integrated. In some cases, multiple entities hold themselves out as one enterprise and engage together in clinical or financial activities. In others, separate entities share information but do not provide treatment together or share financial risk. Many health care providers participate in more than one such arrangement. Therefore, we do not include a separate category of ``covered entity'' under this rule for ``integrated delivery systems'' but instead accommodate the operations of these varied arrangements through the functional provisions of the rule. For example, covered entities that operate as ``organized health care arrangements'' as defined in this rule may share protected health information for the operation of such arrangement without becoming business associates of one another. Similarly, the regulation does not require a business associate arrangement when protected health information is shared for purposes of providing treatment. The application of this rule to any particular ``integrated system'' will depend on the nature of the common activities the participants in the system perform. When the participants in such an arrangement are ``affiliated'' as defined in this rule, they may consider themselves a single covered entity (see Sec. 164. 504). The arrangements between academic health centers, faculty practice plans, universities, and hospitals are similarly diverse. We cannot describe a blanket rule that covers all such arrangements. The application of this rule will depend on the purposes for which the participants in such arrangements share protected health information, whether some or all participants are under common ownership or control, and similar matters. We note that physicians who have staff privileges at a covered [[Page 82570]] hospital do not become part of that hospital covered entity by virtue of having such privileges. We reject the recommendation to apply the rule only to components of an entity that engage in the transactions. This would omit as covered entities, for example, the health plan components that do not directly engage in the transactions, including components that engage in important health plan functions such as coverage determinations and quality review. Indeed, we do not believe that the statute permits this result with respect to health plans or health care clearinghouses as a matter of negative implication from section 1172(a)(3). We clarify that only a health care provider must conduct transactions to be a covered entity for purposes of this rule. We also clarify that health care providers (such as doctors or nurses) who work for a larger organization and do not conduct transactions on their own behalf are workforce members of the covered entity, not covered entities themselves. Comment: A few commenters asked the Department to clarify the definition to provide that a multi-line insurer that sells insurance coverages, some of which do and others which do not meet the definition of ``health plan,'' is not a covered entity with respect to actions taken in connection with coverages that are not ``health plans.'' Response: The final rule clarifies that the requirements below apply only to the organizational unit or units of the organization that are the ``health care component'' of a covered entity, where the ``covered functions'' are not the primary functions of the entity. Therefore, for a multi-line insurer, the ``health care component'' is the insurance line(s) that conduct, or support the conduct of, the health care function of the covered entity. Also, it should be noted that excepted benefits, such as life insurance, are not included in the definition of ``health plan.'' (See preamble discussion of Sec. 164.504). Comment: A commenter questioned whether the Health Care Financing Administration (HCFA) is a covered entity and how HCFA will share data with Medicare managed care organizations. The commenter also questioned why the regulation must apply to Medicaid since the existing Medicaid statute requires that states have privacy standards in place. It was also requested that the Department provide a definition of ``health plan'' to clarify that state Medicaid Programs are considered as such. Response: HCFA is a covered entity because it administers Medicare and Medicaid, which are both listed in the statute as health plans. Medicare managed care organizations are also covered entities under this regulation. As noted elsewhere in this preamble, covered entities that jointly administer a health plan, such as Medicare + Choice, are both covered entities, and are not business associates of each other by virtue of such joint administration. We do not exclude state Medicaid programs. Congress explicitly included the Medicaid program as a covered health plan in the HIPAA statute. Comment: A commenter asked the Department to provide detailed guidance as to when providers, plans, and clearinghouses become covered entities. The commenter provided the following example: if a provider submits claims only in paper form, and a coordination of benefits (COB) transaction is created due to other insurance coverage, will the original provider need to be notified that the claim is now in electronic form, and that it has become a covered entity? Another commenter voiced concern as to whether physicians who do not conduct electronic transactions would become covered entities if another entity using its records downstream transmits information in connection with a standard transaction on their behalf. Response: We clarify that health care providers who submit the transactions in standard electronic form, health plans, and health care clearinghouses are covered entities if they meet the respective definitions. Health care providers become subject to the rule if they conduct standard transactions. In the above example, the health care provider would not be a covered entity if the coordination of benefits transaction was generated by a payor. We also clarify that health care providers who do not submit transactions in standard form become covered by this rule when other entities, such as a billing service or a hospital, transmit standard electronic transactions on the providers' behalf. However, where the downstream transaction is not conducted on behalf of the health care provider, the provider does not become a covered entity due to the downstream transaction. Comment: Several commenters discussed the relationship between section 1179 of the Act and the privacy regulations. One commenter suggested that HHS retain the statement that a covered entity means ``the entities to which part C of title XI of the Act applies.'' In particular, the commenter observed that section 1179 of the Act provides that part C of title XI of the Act does not apply to financial institutions or to entities acting on behalf of such institutions that are covered by the section 1179 exemption. Thus, under the definition of covered entity, they comment that financial institutions and other entities that come within the scope of the section 1179 exemption are appropriately not covered entities. Other commenters maintained that section 1179 of the Act means that the Act's privacy requirements do not apply to the request for, or the use or disclosure of, information by a covered entity with respect to payment: (a) For transferring receivables; (b) for auditing; (c) in connection with--(i) a customer dispute; or (ii) an inquiry from or to a customer; (d) in a communication to a customer of the entity regarding the customer's transactions payment card, account, check, or electronic funds transfer; (e) for reporting to consumer reporting agencies; or (f) for complying with: (i) a civil or criminal subpoena; or (ii) a federal or state law regulating the entity. These companies expressed concern that the proposed rule did not include the full text of section 1179 when discussing the list of activities that were exempt from the rule's requirements. Accordingly, they recommended including in the final rule either a full listing of or a reference to section 1179's full list of exemptions. Furthermore, these firms opposed applying the proposed rule's minimum necessary standard for disclosure of protected health information to financial institutions because of section 1179. These commenters suggest that in light of section 1179, HHS lacks the authority to impose restrictions on financial institutions and other entities when they engage in activities described in that section. One commenter expressed concern that even though proposed Sec. 164.510(i) would have permitted covered entities to disclose certain information to financial institutions for banking and payment processes, it did not state clearly that financial institutions and other entities described in section 1179 are exempt from the rule's requirements. Response: We interpret section 1179 of the Act to mean that entities engaged in the activities of a financial institution, and those acting on behalf of a financial institution, are not subject to this regulation when they are engaged in authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments for a financial institution. The statutory reference to 12 U.S.C. 3401 indicates that Congress chose to adopt the definition of financial institutions found [[Page 82571]] in the Right to Financial Privacy Act, which defines financial institutions as any office of a bank, savings bank, card issuer, industrial loan company, trust company, savings association, building and loan, homestead association, cooperative bank, credit union, or consumer finance institution located in the United States or one of its Territories. Thus, when we use the term ``financial institution'' in this regulation, we turn to the definition with which Congress provided us. We interpret this provision to mean that when a financial institution, or its agent on behalf of the financial institution, conducts the activities described in section 1179, the privacy regulation will not govern the activity. If, however, these activities are performed by a covered entity or by another entity, including a financial institution, on behalf of a covered entity, the activities are subject to this rule. For example, if a bank operates the accounts payable system or other ``back office'' functions for a covered health care provider, that activity is not described in section 1179. In such instances, because the bank would meet the rule's definition of ``business associate,'' the provider must enter into a business associate contract with the bank before disclosing protected health information pursuant to this relationship. However, if the same provider maintains an account through which he/she cashes checks from patients, no business associate contract would be necessary because the bank's activities are not undertaken for or on behalf of the covered entity, and fall within the scope of section 1179. In part to give effect to section 1179, in this rule we do not consider a financial institution to be acting on behalf of a covered entity when it processes consumer-conducted financial transactions by debit, credit or other payment card, clears checks, initiates or processes electronic funds transfers, or conducts any other activity that directly facilitates or effects the transfer of funds for compensation for health care. We do not agree with the comment that section 1179 of the Act means that the privacy regulation's requirements cannot apply to the activities listed in that section; rather, it means that the entities expressly mentioned, financial institutions (as defined in the Right to Financial Privacy Act), and their agents that engage in the listed activities for the financial institution are not within the scope of the regulation. Nor do we interpret section 1179 to support an exemption for disclosures to financial institutions from the minimum necessary provisions of this regulation. Comment: One commenter recommended that HHS include a definition of ``entity'' in the final rule because HIPAA did not define it. The commenter explained that in a modern health care environment, the organization acting as the health plan or health care provider may involve many interrelated corporate entities and that this could lead to difficulties in determining what ``entities'' are actually subject to the regulation. Response: We reject the commenter's suggestion. We believe it is clear in the final rule that the entities subject to the regulation are those listed at Sec. 160.102. However, we acknowledge that how the rule applies to integrated or other complex health systems needs to be addressed; we have done so in Sec. 164.504 and in other provisions, such as those addressing organized health care arrangements. Comment: The preamble should clarify that self-insured group health and workmen's compensation plans are not covered entities or business partners. Response: In the preamble to the proposed rule we stated that certain types of insurance entities, such as workers' compensation, would not be covered entities under the rule. We do not change this position in this final rule. The statutory definition of health plan does not include workers' compensation products, and the regulatory definition of the term specifically excludes them. However, HIPAA specifically includes most group health plans within the definition of ``health plan.'' Comment: A health insurance issuer asserted that health insurers and third party administrators are usually required by employers to submit reports describing the volume, amount, payee, basis for services rendered, types of claims paid and services for which payment was requested on behalf of it covered employees. They recommended that the rule permit the disclosure of protected health information for such purposes. Response: We agree that health plans should be able to disclose protected health information to employers sponsoring health plans under certain circumstances. Section 164.504(f) explains the conditions under which protected health information may be disclosed to plan sponsors. We believe that this provision gives sponsors access to the information they need, but protects individual's information to the extent possible under our legislative authority. Group Health Plan For response to comments relating to ``group health plan,'' see the response to comments on ``health plan'' below and the response to comments on Sec. 164.504. Health Care Comment: A number of commenters asked that we include disease management activities and other similar health improvement programs, such as preventive medicine, health education services and maintenance, health and case management, and risk assessment, in the definition of ``health care.'' Commenters maintained that the rule should avoid limiting technological advances and new health care trends intended to improve patient ``health care.'' Response: Review of these and other comments, and our fact-finding, indicate that there are multiple, different, understandings of the definition of these terms. Therefore, rather than create a blanket rule that includes such terms in or excludes such terms from the definition of ``health care,'' we define health care based on the underlying activities that constitute health care. The activities described by these commenters are considered ``health care'' under this rule to the extent that they meet this functional definition. Listing activities by label or title would create the risk that important activities would be left out and, given the lack of consensus on what these terms mean, could also create confusion. Comment: Several commenters urged that the Department clarify that the activities necessary to procure and distribute eyes and eye tissue will not be hampered by the rule. Some of these commenters explicitly requested that we include ``eyes and eye tissue'' in the list of procurement biologicals as well as ``eye procurement'' in the definition of ``health care.'' In addition, it was argued that ``administration to patients'' be excluded in the absence of a clear definition. Also, commenters recommended that the definition include other activities associated with the transplantation of organs, such as processing, screening, and distribution. Response: We delete from the definition of ``health care'' activities related to the procurement or banking of blood, sperm, organs, or any other tissue for administration to patients. We do so because persons who make such donations are not seeking to be treated, diagnosed, or assessed or otherwise seeking health care for themselves, but are seeking to contribute to the health care of others. In addition, the nature of [[Page 82572]] these activities entails a unique kind of information sharing and tracking necessary to safeguard the nation's organ and blood supply, and those seeking to donate are aware that this information sharing will occur. Consequently, such procurement or banking activities are not considered health care and the organizations that perform such activities are not considered health care providers for purposes of this rule. With respect to disclosure of protected health information by covered entities to facilitate cadaveric organ and tissue donation, the final rule explicitly permits a covered entity to disclose protected health information without authorization, consent, or agreement to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of cadaveric organs, eyes, or tissue for the purpose of facilitating donation and transplantation. See Sec. 164.512(h). We do not include blood or sperm banking in this provision because, for those activities, there is direct contact with the donor, and thus opportunity to obtain the individual's authorization. Comment: A large number of commenters urged that the term ``assessment'' be included in the list of services in the definition, as ``assessment'' is used to determine the baseline health status of an individual. It was explained that assessments are conducted in the initial step of diagnosis and treatment of a patient. If assessment is not included in the list of services, they pointed out that the services provided by occupational health nurses and employee health information may not be covered. Response: We agree and have added the term ``assessment'' to the definition to clarify that this activity is considered ``health care'' for the purposes of the rule. Comment: One commenter asked that we revise the definition to explicitly exclude plasmapheresis from paragraph (3) of the definition. It was explained that plasmapheresis centers do not have direct access to health care recipients or their health information, and that the limited health information collected about plasma donors is not used to provide health care services as indicated by the definition of health care. Response: We address the commenters' concerns by removing the provision related to procurement and banking of human products from the definition. Health Care Clearinghouse Comment: The largest set of comments relating to health care clearinghouses focused on our proposal to exempt health care clearinghouses from the patient notice and access rights provisions of the regulation. In our NPRM, we proposed to exempt health care clearinghouses from certain provisions of the regulation that deal with the covered entities' notice of information practices and consumers' rights to inspect, copy, and amend their records. The rationale for this exemption was based on our belief that health care clearinghouses engage primarily in business-to-business transactions and do not initiate or maintain direct relationships with individuals. We proposed this position with the caveat that the exemptions would be void for any health care clearinghouse that had direct contact with individuals in a capacity other than that of a business partner. In addition, we indicated that, in most instances, clearinghouses also would be considered business partners under this rule and would be bound by their contracts with covered plans and providers. They also would be subject to the notice of information practices developed by the plans and providers with whom they contract. Commenters stated that, although health care clearinghouses do not have direct contact with individuals, they do have individually identifiable health information that may be subject to misuse or inappropriate disclosure. They expressed concern that we were proposing to exempt health care clearinghouses from all or many aspects of the regulation. These commenters suggested that we either delete the exemption or make it very narrow, specific and explicit in the final regulatory text. Clearinghouse commenters, on the other hand, were in agreement with our proposal, including the exemption provision and the provision that the exemption is voided when the entity does have direct contact with individuals. They also stated that a health care clearinghouse that has a direct contact with individuals is no longer a health care clearinghouse as defined and should be subject to all requirements of the regulation. Response: In the final rule, where a clearinghouse creates or receives protected health information as a business associate of another covered entity, we maintain the exemption for health care clearinghouses from certain provisions of the regulation dealing with the notice of information practices and patient's direct access rights to inspect, copy and amend records (Secs. 164.524 and 164.526), on the grounds that a health care clearinghouse is engaged in business-to- business operations, and is not dealing directly with individuals. Moreover, as business associates of plans and providers, health care clearinghouses are bound by the notices of information practices of the covered entities with whom they contract. Where a health care clearinghouse creates or receives protected health information other than as a business associate, however, it must comply with all the standards, requirements, and implementation specifications of the rule. We describe and delimit the exact nature of the exemption in the regulatory text. See Sec. 164.500(b). We will monitor developments in this sector should the basic business-to- business relationship change. Comment: A number of comments relate to the proposed definition of health care clearinghouse. Many commenters suggested that we expand the definition. They suggested that additional types of entities be included in the definition of health care clearinghouse, specifically medical transcription services, billing services, coding services, and ``intermediaries.'' One commenter suggested that the definition be expanded to add entities that receive standard transactions, process them and clean them up, and then send them on, without converting them to any standard format. Another commenter suggested that the health care clearinghouse definition be expanded to include entities that do not perform translation but may receive protected health information in a standard format and have access to that information. Another commenter stated that the list of covered entities should include any organization that receives or maintains individually identifiable health information. One organization recommended that we expand the health care clearinghouse definition to include the concept of a research data clearinghouse, which would collect individually identifiable health information from other covered entities to generate research data files for release as de-identified data or with appropriate confidentiality safeguards. One commenter stated that HHS had gone beyond Congressional intent by including billing services in the definition. Response: We cannot expand the definition of ``health care clearinghouse'' to cover entities not covered by the definition of this term in the statute. In the final regulation, we [[Page 82573]] make a number of changes to address public comments relating to definition. We modify the definition of health care clearinghouse to conform to the definition published in the Transactions Rule (with the addition of a few words, as noted above). We clarify in the preamble that, while the term ``health care clearinghouse'' may have other meanings and connotations in other contexts, for purposes of this regulation an entity is considered a health care clearinghouse only to the extent that it actually meets the criteria in our definition. Entities performing other functions but not meeting the criteria for a health care clearinghouse are not clearinghouses, although they may be business associates. Billing services are included in the regulatory definition of ``health care clearinghouse,'' if they perform the specified clearinghouse functions. Although we have not added or deleted any entities from our original definition, we will monitor industry practices and may add other entities in the future as changes occur in the health system. Comment: Several commenters suggested that we clarify that an entity acting solely as a conduit through which individually identifiable health information is transmitted or through which protected health information flows but is not stored is not a covered entity, e.g., a telephone company or Internet Service Provider. Other commenters indicated that once a transaction leaves a provider or plan electronically, it may flow through several entities before reaching a clearinghouse. They asked that the regulation protect the information in that interim stage, just as the security NPRM established a chain of trust arrangement for such a network. Others noted that these ``conduit'' entities are likely to be business partners of the provider, clearinghouse or plan, and we should clarify that they are subject to business partner obligations as in the proposed Security Rule. Response: We clarify that entities acting as simple and routine communications conduits and carriers of information, such as telephone companies and Internet Service Providers, are not clearinghouses as defined in the rule unless they carry out the functions outlined in our definition. Similarly, we clarify that value added networks and switches are not health care clearinghouses unless they carry out the functions outlined in the definition, and clarify that such entities may be business associates if they meet the definition in the regulation. Comment: Several commenters, including the large clearinghouses and their trade associations, suggested that we not treat health care clearinghouses as playing a dual role as covered entity and business partner in the final rule because such a dual role causes confusion as to which rules actually apply to clearinghouses. In their view, the definition of health care clearinghouse is sufficiently clear to stand alone and identify a health care clearinghouse as a covered entity, and allows health care clearinghouses to operate under one consistent set of rules. Response: For reasons explained in Sec. 164.504 of this preamble, we do not create an exception to the business associate requirements when the business associate is also a covered entity. We retain the concept that a health care clearinghouse may be a covered entity and a business associate of a covered entity under the regulation. As business associates, they would be bound by their contracts with covered plans and providers. Health Care Provider Comment: One commenter pointed out that the preamble referred to the obligations of providers and did not use the term, ``covered entity,'' and thus created ambiguity about the obligations of health care providers who may be employed by persons other than covered entities, e.g., pharmaceutical companies. It was suggested that a better reading of the statute and rule is that where neither the provider nor the company is a covered entity, the rule does not impose an obligation on either the provider-employee or the employer. Response: We agree. We use the term ``covered entity'' whenever possible in the final rule, except for the instances where the final rule treats the entities differently, or where use of the term ``health care provider'' is necessary for purposes of illustrating an example. Comment: Several commenters stated that the proposal's definition was broad, unclear, and/or confusing. Further, we received many comments requesting clarification as to whether specific entities or persons were ``health care providers'' for the purposes of our rule. One commenter questioned whether affiliated members of a health care group (even though separate legal entities) would be considered as one primary health care provider. Response: We permit legally distinct covered entities that share common ownership or control to designate themselves together to be a single covered entity. Such organizations may promulgate a single shared notice of information practices and a consent form. For more detailed information, see the preamble discussion of Sec. 164.504(d). We understand the need for additional guidance on whether specific entities or persons are health care providers under the final rule. We provide guidance below and will provide additional guidance as the rule is implemented. Comment: One commenter observed that sections 1171(3), 1861(s) and 1861(u) of the Act do not include pharmacists in the definition of health care provider or pharmacist services in the definition of ``medical or other health services,'' and questioned whether pharmacists were covered by the rule. Response: The statutory definition of ``health care provider'' at section 1171(3) includes ``any other person or organization who furnishes, bills, or is paid for health care in the normal course of business.'' Pharmacists' services are clearly within this statutory definition of ``health care.'' There is no basis for excluding pharmacists who meet these statutory criteria from this regulation. Comment: Some commenters recommended that the scope of the definition be broadened or clarified to cover additional persons or organizations. Several commenters argued for expanding the reach of the health care provider definition to cover entities such as state and local public health agencies, maternity support services (provided by nutritionists, social workers, and public health nurses and the Special Supplemental Nutrition Program for Women, Infants and Children), and those companies that conduct cost-effectiveness reviews, risk management, and benchmarking studies. One commenter queried whether auxiliary providers such as child play therapists, and speech and language therapists are considered to be health care providers. Other commenters questioned whether ``alternative'' or ``complementary'' providers, such as naturopathic physicians and acupuncturists would be considered health care providers covered by the rule. Response: As with other aspects of this rule, we do not define ``health care provider'' based on the title or label of the professional. The professional activities of these kinds of providers vary; a person is a ``health care provider'' if those activities are consistent with the rule's definition of ``health care provider.'' Thus, health care providers include persons, such as those noted by the commenters, to the extent that they meet the definition. We note that health care providers are only [[Page 82574]] subject to this rule if they conduct certain transactions. See the definition of ``covered entity.'' However companies that conduct cost-effectiveness reviews, risk management, and benchmarking studies are not health care providers for the purposes of this rule unless they perform other functions that meet the definition. These entities would be business associates if they perform such activities on behalf of a covered entity. Comment: Another commenter recommended that the Secretary expand the definition of health care provider to cover health care providers who transmit or ``or receive'' any health care information in electronic form. Response: We do not accept this suggestion. Section 1172(a)(3) states that providers that ``transmit'' health information in connection with one of the HIPAA transactions are covered, but does not use the term ``receive'' or a similar term. Comment: Some comments related to online companies as health care providers and covered entities. One commenter argued that there was no reason ``why an Internet pharmacy should not also be covered'' by the rule as a health care provider. Another commenter stated that online health care service and content companies, including online medical record companies, should be covered by the definition of health care provider. Another commenter pointed out that the definitions of covered entities cover ``Internet providers who `bill' or are `paid' for health care services or supplies, but not those who finance those services in other ways, such as through sale of identifiable health information or advertising.'' It was pointed out that thousands of Internet sites use information provided by individuals who access the sites for marketing or other purposes. Response: We agree that online companies are covered entities under the rule if they otherwise meet the definition of health care provider or health plan and satisfy the other requirements of the rule, i.e., providers must also transmit health information in electronic form in connection with a HIPAA transaction. We restate here the language in the preamble to the proposed rule that ``An individual or organization that bills and/or is paid for health care services or supplies in the normal course of business, such as * * * an ``online'' pharmacy accessible on the Internet, is also a health care provider for purposes of this statute'' (64 FR 59930). Comment: We received many comments related to the reference to ``health clinic or licensed health care professional located at a school or business in the preamble's discussion of ``health care provider.'' It was stated that including ``licensed health care professionals located at a school or business'' highlights the need for these individuals to understand they have the authority to disclose information to the Social Security Administration (SSA) without authorization. However, several commenters urged HHS to create an exception for or delete that reference in the preamble discussion to primary and secondary schools because of employer or business partner relationships. One federal agency suggested that the reference ``licensed health care professionals located at a [school]'' be deleted from the preamble because the definition of health care provider does not include a reference to schools. The commenter also suggested that the Secretary consider: adding language to the preamble to clarify that the rules do not apply to clinics or school health care providers that only maintain records that have been excepted from the definition of protected health information, adding an exception to the definition of covered entities for those schools, and limiting paperwork requirements for these schools. Another commenter argued for deleting references to schools because the proposed rule appeared to supersede or create ambiguity as to the Family Educational Rights and Privacy Act (FERPA), which gives parents the right to access ``education'' and health records of their unemancipated minor children. However, in contrast, one commenter supported the inclusion of health care professionals who provide services at schools or businesses. Response: We realize that our discussion of schools in the NPRM may have been confusing. Therefore, we address these concerns and set forth our policy regarding protected health information in educational agencies and institutions in the ``Relationship to Other Federal Laws'' discussion of FERPA, above. Comment: Many commenters urged that direct contact with the patient be necessary for an entity to be considered a health care provider. Commenters suggested that persons and organizations that are remote to the patient and have no direct contact should not be considered health care providers. Several commenters argued that the definition of health care provider covers a person that provides health care services or supplies only when the provider furnishes to or bills the patient directly. It was stated that the Secretary did not intend that manufacturers, such as pharmaceutical, biologics, and device manufacturers, health care suppliers, medical-surgical supply distributors, health care vendors that offer medical record documentation templates and that typically do not deal directly with the patient, be considered health care providers and thus covered entities. However, in contrast, one commenter argued that, as an in vitro diagnostics manufacturer, it should be covered as a health care provider. Response: We disagree with the comments that urged that direct dealings with an individual be a prerequisite to meeting the definition of health care provider. Many providers included in the statutory definition of provider, such as clinical labs, do not have direct contact with patients. Further, the use and disclosure of protected health information by indirect treatment providers can have a significant effect on individuals' privacy. We acknowledge, however, that providers who treat patients only indirectly need not have the full array of responsibilities as direct treatment providers, and modify the NPRM to make this distinction with respect to several provisions (see, for example Sec. 164.506 regarding consent). We also clarify that manufacturers and health care suppliers who are considered providers by Medicare are providers under this rule. Comment: Some commenters suggested that blood centers and plasma donor centers that collect and distribute source plasma not be considered covered health care providers because the centers do not provide ``health care services'' and the blood donors are not ``patients'' seeking health care. Similarly, commenters expressed concern that organ procurement organizations might be considered health care providers. Response: We agree and have deleted from the definition of ``health care'' the term ``procurement or banking of blood, sperm, organs, or any other tissue for administration to patients.'' See prior discussion under ``health care.'' Comment: Several commenters proposed to restrict coverage to only those providers who furnished and were paid for services and supplies. It was argued that a salaried employee of a covered entity, such as a hospital-based provider, should not be covered by the rule because that provider would be subject both directly to the rule as a covered entity and indirectly as an employee of a covered entity. Response: The ``dual'' direct and indirect situation described in these comments can arise only when a health [[Page 82575]] care provider conducts standard HIPAA transactions both for itself and for its employer. For example, when the services of a provider such as a hospital-based physician are billed through a standard HIPAA transaction conducted for the employer, in this example the hospital, the physician does not become a covered provider. Only when the provider uses a standard transaction on its own behalf does he or she become a covered health care provider. Thus, the result is typically as suggested by this commenter. When a hospital-based provider is not paid directly, that is, when the standard HIPAA transaction is not on its behalf, it will not become a covered provider. Comment: Other commenters argued that an employer who provides health care services to its employees for whom it neither bills the employee nor pays for the health care should not be considered health care providers covered by the proposed rule. Response: We clarify that the employer may be a health care provider under the rule, and may be covered by the rule if it conducts standard transactions. The provisions of Sec. 164.504 may also apply. Comment: Some commenters were confused about the preamble statement: ``in order to implement the principles in the Secretary's Recommendations, we must impose any protections on the health care providers that use and disclose the information, rather than on the researcher seeking the information,'' with respect to the rule's policy that a researcher who provides care to subjects in a trial will be considered a health care provider. Some commenters were also unclear about whether the individual researcher providing health care to subjects in a trial would be considered a health care provider or whether the researcher's home institution would be considered a health care provider and thus subject to the rule. Response: We clarify that, in general, a researcher is also a health care provider if the researcher provides health care to subjects in a clinical research study and otherwise meets the definition of ``health care provider'' under the rule. However, a health care provider is only a covered entity and subject to the rule if that provider conducts standard transactions. With respect to the above preamble statement, we meant that our jurisdiction under the statute is limited to covered entities. Therefore, we cannot apply any restrictions or requirements on a researcher in that person's role as a researcher. However, if a researcher is also a health care provider that conducts standard transactions, that researcher/provider is subject to the rule with regard to its provider activities. As to applicability to a researcher/provider versus the researcher's home institution, we provide the following guidance. The rule applies to the researcher as a covered entity if the researcher is a health care provider who conducts standard transactions for services on his or her own behalf, regardless of whether he or she is part of a larger organization. However, if the services and transactions are conducted on behalf of the home institution, then the home institution is the covered entity for purposes of the rule and the researcher/ provider is a workforce member, not a covered entity. Comment: One commenter expressed confusion about those instances when a health care provider was a covered entity one day, and one who ``works under a contract'' for a manufacturer the next day. Response: If persons are covered under the rule in one role, they are not necessarily covered entities when they participate in other activities in another role. For example, that person could be a covered health care provider in a hospital one day but the next day read research records for a different employer. In its role as researcher, the person is not covered, and protections do not apply to those research records. Comment: One commenter suggested that the Secretary modify proposed Sec. 160.102, to add the following clause at the end (after (c)) (regarding health care provider), ``With respect to any entity whose primary business is not that of a health plan or health care provider licensed under the applicable laws of any state, the standards, requirements, and implementation specifications of this subchapter shall apply solely to the component of the entity that engages in the transactions specified in [Sec. ] 160.103.'' (Emphasis added.) Another commenter also suggested that the definition of ``covered entity'' be revised to mean entities that are ``primarily or exclusively engaged in health care-related activities as a health plan, health care provider, or health care clearinghouse.'' Response: The Secretary rejects these suggestions because they will impermissibly limit the entities covered by the rule. An entity that is a health plan, health care provider, or health care clearinghouse meets the statutory definition of covered entity regardless of how much time is devoted to carrying out health care-related functions, or regardless of what percentage of their total business applies to health care- related functions. Comment: Several commenters sought to distinguish a health care provider from a business partner as proposed in the NPRM. For example, a number of commenters argued that disease managers that provide services ``on behalf of'' health plans and health care providers, and case managers (a variation of a disease management service) are business partners and not ``health care providers.'' Another commenter argued that a disease manager should be recognized (presumably as a covered entity) because of its involvement from the physician-patient level through complex interactions with health care providers. Response: To the extent that a disease or case manager provides services on behalf of or to a covered entity as described in the rule's definition of business associate, the disease or case manager is a business associate for purposes of this rule. However, if services provided by the disease or case manager meet the definition of treatment and the person otherwise meets the definition of ``health care provider,'' such a person is a health care provider for purposes of this rule. Comment: One commenter argued that pharmacy employees who assist pharmacists, such as technicians and cashiers, are not business partners. Response: We agree. Employees of a pharmacy that is a covered entity are workforce members of that covered entity for purposes of this rule. Comment: A number of commenters requested that we clarify the definition of health care provider (``* * * who furnishes, bills, or is paid for health care services or supplies in the normal course of business'') by defining the various terms ``furnish'', ``supply'', and ``in the normal course of business.'' For instance, it was stated that this would help employers recognize when services such as an employee assistance program constituted health care covered by the rule. Response: Although we understand the concern expressed by the commenters, we decline to follow their suggestion to define terms at this level of specificity. These terms are in common use today, and an attempt at specific definition would risk the inadvertent creations of conflict with industry practices. There is a significant variation in the way employers structure their employee assistance programs (EAPs) and the type of services that they provide. If the EAP provides direct treatment to individuals, it may be a health care provider. [[Page 82576]] Health Information The response to comments on health information is included in the response to comments on individually identifiable health information, in the preamble discussion of Sec. 164.501. Health Plan Comment: One commenter suggested that to eliminate any ambiguity, the Secretary should clarify that the catch-all category under the definition of health plan includes ``24-hour coverage plans'' (whether insured or self-insured) that integrate traditional employee health benefits coverage and workers' compensation coverage for the treatment of on-the-job injuries and illnesses under one program. It was stated that this clarification was essential if the Secretary persisted in excluding workers' compensation from the final rule. Response: We understand concerns that such plans may use and disclose individually identifiable health information. We therefore clarify that to the extent that 24-hour coverage plans have a health care component that meets the definition of ``health plan'' in the final rule, such components must abide by the provisions of the final rule. In the final rule, we have added a new provision to Sec. 164.512 that permits covered entities to disclose information under workers' compensation and similar laws. A health plan that is a 24-hour plan is permitted to make disclosures as necessary to comply with such laws. Comment: A number of commenters urged that certain types of insurance entities, such as workers' compensation and automobile insurance carriers, property and casualty insurance health plans, and certain forms of limited benefits coverage, be included in the definition of ``health plan.'' It was argued that consumers deserve the same protection with respect to their health information, regardless of the entity using it, and that it would be inequitable to subject health insurance carriers to more stringent standards than other types of insurers that use individually identifiable health information. Response: The Congress did not include these programs in the definition of a ``health plan'' under section 1171 of the Act. Further, HIPAA's legislative history shows that the House Report's (H. Rep. 104- 496) definition of ``health plan'' originally included certain benefit programs, such as workers' compensation and liability insurance, but was later amended to clarify the definition and remove these programs. Thus, since the statutory definition of a health plan both on its face and through legislative history evidence Congress' intention to exclude such programs, we do not have the authority to require that these programs comply with the standards. We have added explicit language to the final rule which excludes the excepted benefit programs, as defined in section 2971(c)(1) of the PHS Act, 42 U.S.C. 300gg-91(c)(1). Comment: Some commenters urged HHS to include entities such as stop loss insurers and reinsurers in the definition of ``health plan.'' It was observed that such entities have come to play important roles in managed care delivery systems. They asserted that increasingly, capitated health plans and providers contract with their reinsurers and stop loss carriers to medically manage their high cost outlier cases such as organ and bone marrow transplants, and therefore should be specifically cited as subject to the regulations. Response: Stop-loss and reinsurers do not meet the statutory definition of health plan. They do not provide or pay for the costs of medical care, as described in the statute, but rather insure health plans and providers against unexpected losses. Therefore, we cannot include them as health plans in the regulation. Comment: A commenter asserted that there is a significant discrepancy between the effect of the definition of ``group health plan'' as proposed in Sec. 160.103, and the anticipated impact in the cost estimates of the proposed rule at 64 FR 60014. Paragraph (1) of the proposed definition of ``health plan'' defined a ``group health plan'' as an ERISA-defined employee welfare benefit plan that provides medical care and that: ``(i) Has 50 or more participants, or (ii) Is administered by an entity other than the employer that established and maintains the plan[.]'' (emphasis added) According to this commenter, under this definition, the only insured or self-insured ERISA plans that would not be regulated ``health plans'' would be those that have less than 50 participants and are self administered. The commenter presumed that the we had intended to exclude from the definition of ``health plan'' (and from coverage under the proposed rule) all ERISA plans that are small (less than 50 participants) or are administered by a third party, whether large or small, based on the statement at 64 FR 60014, note 18. That footnote stated that the Department had ``not included the 3.9 million `other' employer-health plans listed in HCFA's administrative simplification regulations because these plans are administered by a third party. The proposed regulation will not regulate the employer plans but will regulate the third party administrators of the plan.'' The commenter urged us not to repeat the statutory definition, and to adopt the policy implied in the footnote. Response: We agree with the commenter's observation that footnote 18 (64 FR 60014) was inconsistent with the proposed definition. We erred in drafting that note. The definition of ``group health plan'' is adopted from the statutory definition at section 1171(5)(A), and excludes from the rule as ``health plans'' only the few insured or self-insured ERISA plans that have less than 50 participants and are self administered. We reject the commenter's proposed change to the definition as inconsistent with the statute. Comment: A number of insurance companies asked that long term care insurance policies be excluded from the definition of ``health plan.'' It was argued that such policies do not provide sufficiently comprehensive coverage of the cost of medical care, and are limited benefit plans that provide or pay for the cost of custodial and other related services in connection with a long term, chronic illness or disability. These commenters asserted that HIPAA recognizes this nature of long term care insurance, observing that, with respect to HIPAA's portability requirements, Congress enacted a series of exclusions for certain defined types of health plan arrangements that do not typically provide comprehensive coverage. They maintained that Congress recognized that long term care insurance is excluded, so long as it is not a part of a group health plan. Where a long term care policy is offered separately from a group health plan it is considered an excepted benefit and is not subject to the portability and guarantee issue requirements of HIPAA. Although this exception does not appear in the Administrative Simplification provisions of HIPAA, it was asserted that it is guidance with respect to the treatment of long term care insurance as a limited benefit coverage and not as coverage that is so ``sufficiently comprehensive'' that it is to be treated in the same manner as a typical, comprehensive major medical health plan arrangement. Another commenter offered a different perspective observing that there are some long-term care policies--that do not pay for medical care and therefore are not ``health plans.'' It was noted that most long-term care policies are reimbursement policies--that is, [[Page 82577]] they reimburse the policyholder for the actual expenses that the insured incurs for long-term care services. To the extent that these constitute ``medical care,'' this commenter presumed that these policies would be considered ``health plans.'' Other long-term care policies, they pointed out, simply pay a fixed dollar amount when the insured becomes chronically ill, without regard to the actual cost of any long-term care services received, and thus are similar to fixed indemnity critical illness policies. The commenter suggested that while there was an important distinction between indemnity based long-term care policies and expenses based long-term care policies, it may be wise to exclude all long-term care policies from the scope of the rule to achieve consistency with HIPAA. Response: We disagree. The statutory language regarding long-term care policies in the portability title of HIPAA is different from the statutory language regarding long-term care policies in the Administrative Simplification title of HIPAA. Section 1171(5)(G) of the Act means that issuers of long-term care policies are considered health plans for purposes of administrative simplification. We also interpret the statute as authorizing the Secretary to exclude nursing home fixed- indemnity policies, not all long-term care policies, from the definition of ``health plan,'' if she determines that these policies do not provide ``sufficiently comprehensive coverage of a benefit'' to be treated as a health plan (see section 1171 of the Act). We interpret the term ``comprehensive'' to refer to the breadth or scope of coverage of a policy. ``Comprehensive'' policies are those that cover a range of possible service options. Since nursing home fixed indemnity policies are, by their own terms, limited to payments made solely for nursing facility care, we have determined that they should not be included as health plans for the purposes of the HIPAA regulations. The Secretary, therefore, explicitly excluded nursing home fixed-indemnity policies from the definition of ``health plan'' in the Transactions Rule, and this exclusion is thus reflected in this final rule. Issuers of other long-term care policies are considered to be health plans under this rule and the Transactions Rule. Comment: One commenter was concerned about the potential impact of the proposed regulations on ``unfunded health plans,'' which the commenter described as programs used by smaller companies to provide their associates with special employee discounts or other membership incentives so that they can obtain health care, including prescription drugs, at reduced prices. The commenter asserted that if these discount and membership incentive programs were covered by the regulation, many smaller employers might discontinue offering them to their employees, rather than deal with the administrative burdens and costs of complying with the rule. Response: Only those special employee discounts or membership incentives that are ``employee welfare benefit plans'' as defined in section 3(1) of the Employee Retirement Income Security Act of 1974, 29 U.S.C. 1002(1), and provide ``medical care'' (as defined in section 2791(a)(2) of the Public Health Service Act, 42 U.S.C. 300gg-91(a)(2)), are health plans for the purposes of this rule. Discount or membership incentive programs that are not group health plans are not covered by the rule. Comment: Several commenters agreed with the proposal to exclude ``excepted benefits'' such as disability income insurance policies, fixed indemnity critical illness policies, and per diem long-term care policies from the definition of ``health plan,'' but were concerned that the language of the proposed rule did not fully reflect this intent. They asserted that clarification was necessary in order to avoid confusion and costs to both consumers and insurers. One commenter stated that, while HHS did not intend for the rule to apply to every type of insurance coverage that paid for medical care, the language of the proposed rule did not bear this out. The problem, it was asserted, is that under the proposed rule any insurance policy that pays for ``medical care'' would technically be a ``health plan.'' It was argued that despite the statements in the narrative, there are no provisions that would exempt any of the ``excepted benefits'' from the definition of ``health care.'' It was stated that: Although (with the exception of long-term care insurance), the proposed rule does not include the `excepted benefits' in its list of sixteen examples of a health plan (proposed 45 CFR 160.104), it does not explicitly exclude them either. Because these types of policies in some instances pay benefits that could be construed as payments for medical care, we are concerned by the fact that they are not explicitly excluded from the definition of `health plan' or the requirements of the proposed rule.'' Several commenters proposed that HHS adopt the same list of ``excepted benefits'' contained in 29 U.S.C. 1191b, suggesting that they could be adopted either as exceptions to the definition of ``health plan'' or as exceptions to the requirements imposed on ``health plans.'' They asserted that this would promote consistency in the federal regulatory structure for health plans. It was suggested that HHS clarify whether the definition of health plan, particularly the ``group health plan'' and ``health insurance issuer'' components, includes a disability plan or disability insurer. It was noted that a disability plan or disability insurer may cover only income lost from disability and, as mentioned above, some rehabilitation services, or a combination of lost income, rehabilitation services and medical care. The commenter suggested that in addressing this coverage issue, it may be useful to refer to the definitions of group health plan, health insurance issuer and medical care set forth in Part I of HIPAA, which the statutory provisions of the Administrative Simplification subtitle expressly reference. See 42 U.S.C. 1320d(5)(A) and (B). Response: We agree that the NPRM may have been ambiguous regarding the types of plans the rule covers. To remedy this confusion, we have added language that specifically excludes from the definition any policy, plan, or program providing or paying the cost of the excepted benefits, as defined in section 2971(c)(1) of the PHS Act, 42 U.S.C. 300gg-91(c)(1). As defined in the statute, this includes but is not limited to benefits under one or more (or any combination thereof) of the following: coverage only for accident, or disability income insurance, or any combination thereof; liability insurance, including general liability insurance and automobile liability insurance; and workers' compensation or similar insurance. However, the other excepted benefits as defined in section 2971(c)(2) of the PHS Act, 42 U.S.C. 300gg-91(c)(2), such as limited scope dental or vision benefits, not explicitly excepted from the regulation could be considered ``health plans'' under paragraph (1)(xvii) of the definition of ``health plan'' in the final rule if and to the extent that they meet the criteria for the definition of ``health plan.'' Such plans, unlike the programs and plans listed at section 2971(c)(1), directly and exclusively provide health insurance, even if limited in scope. Comment: One commenter recommended that the Secretary clarify that ``health plan'' does not include property and casualty benefit providers. The commenter stated that the clarifying language is needed given the ``catchall'' category of entities defined as ``any other individual plan or group health plan, or combination thereof, that [[Page 82578]] provides or pays for the cost of medical care,'' and asserted that absent clarification there could be serious confusion as to whether property and casualty benefit providers are ``health plans'' under the rule. Response: We agree and as described above have added language to the final rule to clarify that the ``excepted benefits'' as defined under 42 U.S.C. 300gg-91(c)(1), which includes liability programs such as property and casualty benefit providers, are not health plans for the purposes of this rule. Comment: Some commenters recommended that the Secretary replace the term ``medical care'' with ``health care.'' It was observed that ``health care'' was defined in the proposal, and that this definition was used to define what a health care provider does. However, they observed that the definition of ``health plan'' refers to the provision of or payment for ``medical care,'' which is not defined. Another commenter recommended that HHS add the parenthetical phrase ``as such term is defined in section 2791 of the Public Health Service Act'' after the phrase ``medical care.'' Response: We disagree with the first recommendation. We understand that the term ``medical care'' can be easily confused with the term ``health care.'' However, the two terms are not synonymous. The term ``medical care'' is a statutorily defined term and its use is critical in making a determination as to whether a health plan is considered a ``health plan'' for purposes of administrative simplification. In addition, since the term ``medical care'' is used in the regulation only in the context of the definition of ``health plan'' and we believe that its inclusion in the regulatory text may cause confusion, we did not add a definition of ``medical care'' in the final rule. However, consistent with the second recommendation above, the statutory cite for ``medical care'' was added to the definition of ``health plan'' in the Transactions Rule, and thus is reflected in this final rule. Comment: A number of commenters urged that the Secretary define more narrowly what characteristics would make a government program that pays for specific health care services a ``health plan.'' Commenters argued that there are many ``payment'' programs that should not be included, as discussed below, and that if no distinctions were made, ``health plan'' would mean the same as ``purchaser'' or even ``payor.'' Commenters asserted that there are a number of state programs that pay for ``health care'' (as defined in the rule) but that are not health plans. They said that examples include the WIC program (Special Supplemental Nutrition Program for Women, Infants, and Children) which pays for nutritional assessment and counseling, among other services; the AIDS Client Services Program (including AIDS prescription drug payment) under the federal Ryan White Care Act and state law; the distribution of federal family planning funds under Title X of the Public Health Services Act; and the breast and cervical health program which pays for cancer screening in targeted populations. Commenters argued that these are not insurance plans and do not fall within the ``health plan'' definition's list of examples, all of which are either insurance or broad-scope programs of care under a contract or statutory entitlement. However, paragraph (16) in that list opens the door to broader interpretation through the catchall phrase, ``any other individual or group plan that provides or pays for the cost of medical care.'' Commenters assert that clarification is needed. A few commenters stated that other state agencies often work in partnership with the state Medicaid program to implement certain Medicaid benefits, such as maternity support services and prenatal genetics screening. They concluded that while this probably makes parts of the agency the ``business partner'' of a covered entity, they were uncertain whether it also makes the same agency parts a ``health plan'' as well. Response: We agree with the commenters that clarification is needed as to the rule's application to government programs that pay for health care services. Accordingly, in the final rule we have excepted from the definition of ``health plan'' a government funded program which does not have as its principal purpose the provision of, or payment for, the cost of health care or which has as its principal purpose the provision, either directly or by grant, of health care. For example, the principal purpose of the WIC program is not to provide or pay for the cost of health care, and thus, the WIC program is not a health plan for purposes of this rule. The program of health care services for individuals detained by the INS provides health care directly, and so is not a health plan. Similarly, the family planning program authorized by Title X of the Public Health Service Act pays for care exclusively through grants, and so is not a health plan under this rule. These programs (the grantees under the Title X program) may be or include health care providers and may be covered entities if they conduct standard transactions. We further clarify that, where a public program meets the definition of ``health plan,'' the government agency that administers the program is the covered entity. Where two agencies administer a program jointly, they are both a health plan. For example, both the Health Care Financing Administration and the insurers that offers a Medicare+Choice plan are ``health plans'' with respect to Medicare beneficiaries. An agency that does not administer a program but which provides services for such a program is not a covered entity by virtue of providing such services. Whether an agency providing services is a business associate of the covered entity depends on whether its functions for the covered entity meet the definition of business associate in Sec. 164.501 and, in the example described by this comment, in particular on whether the arrangement falls into the exception in Sec. 164.504(e)(1)(ii)(C) for government agencies that collect eligibility or enrollment information for covered government programs. Comment: Some commenters expressed support for retaining the category in paragraph (16) of the proposal's definition: ``Any other individual or group health plan, or combination thereof, that provides or pays for the cost of medical care.'' Others asked that the Secretary clarify this category. One commenter urged that the final rule clearly define which plans would meet the criteria for this category. Response: As described in the proposed rule, this category implements the language at the beginning of the statutory definition of the term ``health plan'': ``The term `health plan' means an individual or group plan that provides, or pays the cost of, medical care * * * Such term includes the following, and any combination thereof * * *'' This statutory language is general, not specific, and as such, we are leaving it general in the final rule. However, as described above, we add explicit language which excludes certain ``excepted benefits'' from the definition of ``health plan'' in an effort to clarify which plans are not health plans for the purposes of this rule. Therefore, to the extent that a certain benefits plan or program otherwise meets the definition of ``health plan'' and is not explicitly excepted, that program or plan is considered a ``health plan'' under paragraph (1)(xvii) of the final rule. Comment: A commenter explained that HIPAA defines a group health plan by expressly cross-referencing the statutory sections in the PHS Act and the Employee Retirement Income [[Page 82579]] Security Act of 1974 (ERISA), 29 U.S.C. 1001, et seq., which define the terms ``group health plan,'' ``employee welfare benefit plan'' and ``participant.'' See 29 U.S.C. 1002(l) (definition of ``employee welfare benefit plan,'' which is the core of the definition of group health plan under both ERISA and the PHS Act); 29 U.S.C. 100217) (definition of participant); 29 U.S.C. 1193(a) (definition of ``group health plan,'' which is identical to that in section 2791(a) of the PHS Act). It was pointed out that the preamble and the text of the proposed rule both limit the definition of all three terms to their current definitions. The commenter reasoned that since the ERISA definitions may change over time through statutory amendment, Department of Labor regulations or judicial interpretation, it would not be clear what point in time is to be considered current. Therefore, they suggested deleting references to ``current'' or ``currently'' in the preamble and in the regulation with respect to these three ERISA definitions. In addition, the commenter stated that as the preamble to the NPRM correctly reflected, HIPAA expressly cross-references ERISA's definition of ``participant'' in section 3(7) of ERISA, 29 U.S.C. 1002(7). 42 U.S.C. 1320d(5)(A). The text of the privacy regulation, however, omits this cross-reference. It was suggested that the reference to section 3(7) of ERISA, defining ``participant,'' be included in the regulation. Finally, HIPAA incorporates the definition of a group health plan as set forth in section 2791(a) of the PHS Act, 42 U.S.C. 300gg- 91(a)(l). That definition refers to the provision of medical care ``directly or through insurance, reimbursement, or otherwise.'' The word ``reimbursement'' is omitted in both the preamble and the text of the regulation; the commenter suggested restoring it to both. Response: We agree. These changes were made to the definition of ``health plan'' as promulgated in the Transactions Rule, and are reflected in this final rule. Small Health Plan Comment: One commenter recommended that we delete the reference to $5 million in the definition and instead define a ``small health plan'' as a health plan with fewer than 50 participants. It was stated that using a dollar limitation to define a ``small health plan'' is not meaningful for self-insured plans and some other types of health plan coverage arrangements. A commenter pointed out that the general definition of a health plan refers to ``50 or more participants,'' and that using a dollar factor to define a ``small health plan'' would be inconsistent with this definition. Response: We disagree. The Small Business Administration (SBA) promulgates size standards that indicate the maximum number of employees or annual receipts allowed for a concern (13 CFR 121.105) and its affiliates to be considered ``small.'' The size standards themselves are expressed either in number of employees or annual receipts (13 CFR 121.201). The size standards for compliance with programs of other agencies are those for SBA programs which are most comparable to the programs of such other agencies, unless otherwise agreed by the agency and the SBA (13 CFR 121.902). With respect to the insurance industry, the SBA has specified that annual receipts of $5 million is the maximum allowed for a concern and its affiliates to be considered small (13 CFR 121.201). Consequently, we retain the proposal's definition in the final rule to be consistent with SBA requirements. We understand there may be some confusion as to the meaning of ``annual receipts'' when applied to a health plan. For our purposes, therefore, we consider ``pure premiums'' to be equivalent to ``annual receipts.'' Workforce Comment: Some commenters requested that we exclude ``volunteers'' from the definition of workforce. They stated that volunteers are important contributors within many covered entities, and in particular hospitals. They argued that it was unfair to ask that these people donate their time and at the same time subject them to the penalties placed upon the paid employees by these regulations, and that it would discourage people from volunteering in the health care setting. Response: We disagree. We believe that differentiating those persons under the direct control of a covered entity who are paid from those who are not is irrelevant for the purposes of protecting the privacy of health information, and for a covered entity's management of its workforce. In either case, the person is working for the covered entity. With regard to implications for the individual, persons in a covered entity's workforce are not held personally liable for violating the standards or requirements of the final rule. Rather, the Secretary has the authority to impose civil monetary penalties and in some cases criminal penalties for such violations on only the covered entity. Comment: One commenter asked that the rule clarify that employees administering a group health or other employee welfare benefit plan on their employers' behalf are considered part of the covered entity's workforce. Response: As long as the employees have been identified by the group health plan in plan documents as performing functions related to the group health plan (consistent with the requirements of Sec. 164.504(f)), those employees may have access to protected health information. However, they are not permitted to use or disclose protected health information for employment-related purposes or in connection with any other employee benefit plan or employee benefit of the plan sponsor. Part 160--Subpart B--Preemption of State Law We summarize and respond below to comments received in the Transactions rulemaking on the issue of preemption, as well as those received on this topic in the Privacy rulemaking. Because no process was proposed in the Transactions rulemaking for granting exceptions under section 1178(a)(2)(A), a process for making exception determinations was not adopted in the Transactions Rule. Instead, since a process for making exception determinations was proposed in the Privacy rulemaking, we decided that the comments received in the Transactions rulemaking should be considered and addressed in conjunction with the comments received on the process proposed in the Privacy rulemaking. See 65 FR 50318 for a fuller discussion. Accordingly, we discuss the preemption comments received in the Transactions rulemaking where relevant below. Comment: The majority of comments on preemption addressed the subject in general terms. Numerous comments, particularly from plans and providers, argued that the proposed preemption provisions were burdensome, ineffective, or insufficient, and that complete federal preemption of the ``patchwork'' of state privacy laws is needed. They also argued that the proposed preemption provisions are likely to invite litigation. Various practical arguments in support of this position were made. Some of these comments recognized that the Secretary's authority under section 1178 of the Act is limited and acknowledged that the Secretary's proposals were within her statutory authority. One commenter suggested that the exception determination process would result in a very costly and laborious and sometimes inconsistent analysis of the occasions in which state law would [[Page 82580]] survive federal preemption, and thus suggested the final privacy regulations preempt state law with only limited exceptions, such as reporting child abuse. Many other comments, however, recommended changing the proposed preemption provisions to preempt state privacy laws on as blanket a basis as possible. One comment argued that the assumption that more stringent privacy laws are better is not necessarily true, citing a 1999 GAO report finding evidence that the stringent state confidentiality laws of Minnesota halted the collection of comparative information on health care quality. Several comments in this vein were also received in the Transactions rulemaking. The majority of these comments took the position that exceptions to the federal standards should either be prohibited or discouraged. It was argued that granting exceptions to the standards, particularly the transactions standards, would be inconsistent with the statute's objective of promoting administrative simplification through the use of uniform transactions. Many other commenters, however, endorsed the ``federal floor'' approach of the proposed rules. (These comments were made in the context of the proposed privacy regulations.) These comments argued that this approach was preferable because it would not impair the effectiveness of state privacy laws that are more protective of privacy, while raising the protection afforded medical information in states that do not enact laws that are as protective as the rules below. Some comments argued, however, that the rules should give even more deference to state law, questioning in particular the definitions and the proposed addition to the ``other purposes'' criterion for exception determinations in this regard. Response: With respect to the exception process provided for by section 1178(a)(2)(A), the contention that the HIPAA standards should uniformly control is an argument that should be addressed to the Congress, not this agency. Section 1178 of the Act expressly gives the Secretary authority to grant exceptions to the general rule that the HIPAA standards preempt contrary state law in the circumstances she determines come within the provisions at section 1178(a)(2)(A). We agree that the underlying statutory goal of standardizing financial and administrative health care transactions dictates that exceptions should be granted only on narrow grounds. Nonetheless, Congress clearly intended to accommodate some state laws in these areas, and the Department is not free to disregard this Congressional choice. As is more fully explained below, we have interpreted the statutory criteria for exceptions under section 1178(a)(2)(A) to balance the need for relative uniformity with respect to the HIPAA standards with state needs to set certain policies in the statutorily defined areas. The situation is different with respect to state laws relating to the privacy of protected health information. Many of the comments arguing for uniform standards were particularly concerned with discrepancies between the federal privacy standards and various state privacy requirements. Unlike the situation with respect to the transactions standards, where states have generally not entered the field, all states regulate the privacy of some medical information to a greater or lesser extent. Thus, we understand the private sector's concern at having to reconcile differing state and federal privacy requirements. This is, however, likewise an area where the policy choice has been made by Congress. Under section 1178(a)(2)(B) of the Act and section 264(c)(2) of HIPAA, provisions of state privacy laws that are contrary to and more stringent than the corresponding federal standard, requirement, or implementation specification are not preempted. The effect of these provisions is to let the law that is most protective of privacy control (the ``federal floor'' approach referred to by many commenters), and this policy choice is one with which we agree. Thus, the statute makes it impossible for the Secretary to accommodate the requests to establish uniformly controlling federal privacy standards, even if doing so were viewed as desirable. Comment: Numerous comments stated support for the proposal at proposed Subpart B to issue advisory opinions with respect to the preemption of state laws relating to the privacy of individually identifiable health information. A number of these comments appeared to assume that the Secretary's advisory opinions would be dispositive of the issue of whether or not a state law was preempted. Many of these commenters suggested what they saw as improvements to the proposed process, but supported the proposal to have the Department undertake this function. Response: Despite the general support for the advisory opinion proposal, we decided not to provide specifically for the issuance of such opinions. The following considerations led to this decision. First, the assumption by commenters that an advisory opinion would establish what law applied in a given situation and thereby simplify the task of ascertaining what legal requirements apply to a covered entity or entities is incorrect. Any such opinion would be advisory only. Although an advisory opinion issued by the Department would indicate to covered entities how the Department would resolve the legal conflict in question and would apply the law in determining compliance, it would not bind the courts. While we assume that most courts would give such opinions deference, the outcome could not be guaranteed. Second, the thousands of questions raised in the public comment about the interpretation, implications, and consequences of all of the proposed regulatory provisions have led us to conclude that significant advice and technical assistance about all of the regulatory requirements will have to be provided on an ongoing basis. We recognize that the preemption concerns that would have been addressed by the proposed advisory opinions were likely to be substantial. However, there is no reason to assume that they will be the most substantial or urgent of the questions that will most likely need to be addressed. It is our intent to provide as much technical advice and assistance to the regulated community as we can with the resources available. Our concern is that setting up an advisory opinion process for just one of the many types of issues that will have to be addressed will lead to a non- optimal allocation of those resources. Upon careful consideration, therefore, we have decided that we will be better able to prioritize our workload and be better able to be responsive to the most urgent and substantial questions raised to the Department, if we do not provide for a formal advisory opinion process on preemption as proposed. Comment: A few commenters argued that the Privacy Rule should preempt state laws that would impose more stringent privacy requirements for the conduct of clinical trials. One commenter asserted that the existing federal regulations and guidelines for patient informed consent, together with the proposed rule, would adequately protect patient privacy. Response: The Department does not have the statutory authority under HIPAA to preempt state laws that would impose more stringent privacy requirements on covered entities. HIPAA provides that the rule promulgated by the Secretary may not preempt state laws that are in conflict [[Page 82581]] with the regulatory requirements and that provide greater privacy protections. Section 160.201--Applicability Comment: Several commenters indicated that the guidance provided by the definitions at proposed Sec. 160.202 would be of substantial benefit both to regulated entities and to the public. However, these commenters argued that the applicability of such definitions would be too limited as drafted, since proposed Sec. 160.201 provided that the definitions applied only to ``determinations and advisory opinions issued by the Secretary pursuant to 42 U.S.C. 1320d-7.'' The commenters stated that it would be far more helpful to make the definitions in proposed Sec. 160.202 more broadly applicable, to provide general guidance on the issue of preemption. Response: We agree with the comments on this issue, and have revised the applicability provision of subpart B below accordingly. Section 160.201 below sets out that Subpart B implements section 1178. This means, in our view, that the definitions of the statutory terms at Sec. 160.202 are legislative rules that apply when those statutory terms are employed, whether by HHS, covered entities, or the courts. Section 160.202--Definitions Contrary Comment: Some commenters asserted that term ``contrary'' as defined at Sec. 160.202 was overly broad and that its application would be time-consuming and confusing for states. These commenters argued that, under the proposed definition, a state would be required to examine all of its laws relating to health information privacy in order to determine whether or not its law were contrary to the requirements proposed. It was also suggested that the definition contain examples of how it would work in practical terms. A few commenters, however, argued that the definition of ``contrary'' as proposed was too narrow. One commenter argued that the Secretary erred in her assessment of the case law analyzing what is known as ``conflict preemption'' and which is set forth in shorthand in the tests set out at Sec. 160.202. Response: We believe that the definition proposed represents a policy that is as clear as is feasible and which can be applied nationally and uniformly. As was noted in the preamble to the proposed rules (at 64 FR 59997), the tests in the proposed definition of ``contrary'' are adopted from the jurisprudence of ``conflict preemption.'' Since preemption is a judicially developed doctrine, it is reasonable to interpret this term as indicating that the statutory analysis should tie in to the analytical formulations employed by the courts. Also, while the court-developed tests may not be as clear as commenters would like, they represent a long-term, thoughtful consideration of the problem of defining when a state/federal conflict exists. They will also, we assume, generally be employed by the courts when conflict issues arise under the rules below. We thus see no practical alternative to the proposed definition and have retained it unchanged. With respect to various suggestions for shorthand versions of the proposed tests, such as the arguably broader term ``inconsistent with,'' we see no operational advantages to such terms. Comment: One comment asked that the Department clarify that if state law is not preempted, then the federal law would not also apply. Response: This comment raises two issues, both of which deserve discussion. First, a state law may not be preempted because there is no conflict with the analogous federal requirement; in such a situation, both laws can, and must, be complied with. We thus do not accept this suggestion, to the extent that it suggests that the federal law would give way in this situation. Second, a state law may also not be preempted because it comes within section 1178(a)(2)(B), section 1178(b), or section 1178(c); in this situation, a contrary federal law would give way. Comment: One comment urged the Department to take the position that where state law exists and no analogous federal requirement exists, the state requirement would not be ``contrary to'' the federal requirement and would therefore not trigger preemption. Response: We agree with this comment. Comment: One commenter criticized the definition as unhelpful in the multi-state transaction context. For example, it was asked whether the issue of whether a state law was ``contrary to'' should be determined by the law of the state where the treatment is provided, where the claim processor is located, where the payment is issued, or the data maintained, assuming all are in different states. Response: This is a choice of law issue, and, as is discussed more fully below, is a determination that is routinely made today in connection with multi-state transactions. See discussion below under Exception Determinations (Criteria for Exception Determinations). State Law Comment: Comments noted that the definition of ``state law'' does not explicitly include common law and recommended that it be revised to do so or to clarify that the term includes evidentiary privileges recognized at state law. Guidance concerning the impact of state privileges was also requested. Response: As requested, we clarify that the definition of ``state law'' includes common law by including the term ``common law.'' In our view, this phrase encompasses evidentiary privileges recognized at state law (which may also, we note, be embodied in state statutes). Comment: One comment criticized this definition as unwieldy, in that locating state laws pertaining to privacy is likely to be difficult. It was noted that Florida, for example, has more than 60 statutes that address health privacy. Response: To the extent that state laws currently apply to covered entities, they have presumably determined what those laws require in order to comply with them. Thus, while determining which laws are ``contrary'' to the federal requirements will require additional work in terms of comparing state law with the federal requirements, entities should already have acquired the knowledge of state law needed for this task in the ordinary course of doing business. Comment: The New York City Department of Health noted that in many cases, provisions of New York State law are inapplicable within New York City, because the state legislature has recognized that the local code is tailored to the particular needs of the City. It urged that the New York City Code be treated as state law, for preemption purposes. Response: We agree that, to the extent a state treats local law as substituting for state law it could be considered to be ``state law'' for purposes of this definition. If, however, a local law is local in scope and effect, and a tier of state law exists over the same subject matter, we do not think that the local law could or should be treated as ``state law'' for preemption purposes. We do not have sufficient information to assess the situation raised by this comment with respect to this principle, and so express no opinion thereon. More Stringent Comment: Many commenters supported the policy in the proposed definition of ``individual'' at proposed Sec. 164.502, which would have permitted unemancipated minors to exercise, on [[Page 82582]] their own behalf, rights granted to individuals in cases where they consented to the underlying health care. Commenters stated, however, that the proposed preemption provision would leave in place state laws authorizing or prohibiting disclosure to parents of the protected health information of their minor children and would negate the proposed policy for the treatment of minors under the rule. The comments stated that such state laws should be treated like other state laws, and preempted to the extent that they are less protective of the privacy of minors. Other commenters supported the proposed preemption provision--not to preempt a state law to the extent it authorizes or prohibits disclosure of protected health information regarding a minor to a parent. Response: Laws regarding access to health care for minors and confidentiality of their medical records vary widely; this regulation recognizes and respects the current diversity of state law in this area. Where states have considered the balance involved in protecting the confidentiality of minors' health information and have explicitly acted, for example, to authorize disclosure, defer the decision to disclose to the discretion of the health care provider, or prohibit disclosure of minor's protected health information to a parent, the rule defers to these decisions to the extent that they regulate such disclosures. Comment: The proposed definition of ``more stringent'' was criticized as affording too much latitude to for granting exceptions for state laws that are not protective of privacy. It was suggested that the test should be ``most protective of the individual's privacy.'' Response: We considered adopting this test. However, for the reasons set out at 64 FR 59997, we concluded that this test would not provide sufficient guidance. The comments did not address the concerns we raised in this regard in the preamble to the proposed rules, and we continue to believe that they are valid. Comment: A drug company expressed concern with what it saw as the expansive definition of this term, arguing that state governments may have less experience with the special needs of researchers than federal agencies and may unknowingly adopt laws that have a deleterious effect on research. A provider group expressed concern that allowing stronger state laws to prevail could result in diminished ability to get enough patients to complete high quality clinical trials. Response: These concerns are fundamentally addressed to the ``federal floor'' approach of the statute, not to the definition proposed: even if the definition of ``more stringent'' were narrowed, these concerns would still exist. As discussed above, since the ``federal floor'' approach is statutory, it is not within the Secretary's authority to change the dynamics that are of concern. Comment: One comment stated that the proposed rule seemed to indicate that the ``more stringent'' and ``contrary to'' definitions implied that these standards would apply to ERISA plans as well as to non-ERISA plans. Response: The concern underlying this comment is that ERISA plans, which are not now subject to certain state laws because of the ``field'' preemption provision of ERISA but which are subject to the rules below, will become subject to state privacy laws that are ``more stringent'' than the federal requirements, due to the operation of section 1178(a)(2)(B), together with section 264(c)(2). We disagree that this is the case. While the courts will have the final say on these questions, it is our view that these sections simply leave in place more stringent state laws that would otherwise apply; to the extent that such state laws do not apply to ERISA plans because they are preempted by ERISA, we do not think that section 264(c)(2) overcomes the preemption effected by section 514(a) of ERISA. For more discussion of this point, see 64 FR 60001. Comment: The Lieutenant Governor's Office of the State of Hawaii requested a blanket exemption for Hawaii from the federal rules, on the ground that its recently enacted comprehensive health privacy law is, as a whole, more stringent than the proposed federal standards. It was suggested that, for example, special weight should be given to the severity of Hawaii's penalties. It was suggested that a new definition (``comprehensive'') be added, and that ``more stringent'' be defined in that context as whether the state act or code as a whole provides greater protection. An advocacy group in Vermont argued that the Vermont legislature was poised to enact stronger and more comprehensive privacy laws and stated that the group would resent a federal prohibition on that. Response: The premise of these comments appears to be that the provision-by-provision approach of Subpart B, which is expressed in the definition of the term ``contrary'', is wrong. As we explained in the preamble to the proposed rules (at 64 FR 59995), however, the statute dictates a provision-by-provision comparison of state and federal requirements, not the overall comparison suggested by these comments. We also note that the approach suggested would be practically and analytically problematic, in that it would be extremely difficult, if not impossible, to determine what is a legitimate stopping point for the provisions to be weighed on either the state side or the federal side of the scale in determining which set of laws was the ``more stringent.'' We accordingly do not accept the approach suggested by these comments. With respect to the comment of the Vermont group, nothing in the rules below prohibits or places any limits on states enacting stronger or more comprehensive privacy laws. To the extent that states enact privacy laws that are stronger or more comprehensive than contrary federal requirements, they will presumably not be preempted under section 1178(a)(2)(B). To the extent that such state laws are not contrary to the federal requirements, they will act as an overlay on the federal requirements and will have effect. Comment: One comment raised the issue of whether a private right of action is a greater penalty, since the proposed federal rule has no comparable remedy. Response: We have reconsidered the proposed ``penalty'' provision of the proposed definition of ``more stringent'' and have eliminated it. The HIPAA statute provides for only two types of penalties: fines and imprisonment. Both types of penalties could be imposed in addition to the same type of penalty imposed by a state law, and should not interfere with the imposition of other types of penalties that may be available under state law. Thus, we think it is unlikely that there would be a conflict between state and federal law in this respect, so that the proposed criterion is unnecessary and confusing. In addition, the fact that a state law allows an individual to file a lawsuit to protect privacy does not conflict with the HIPAA penalty provisions. Relates to the Privacy of Individually Identifiable Health Information Comment: One comment criticized the definition of this term as too narrow in scope and too uncertain. The commenter argued that determining the specific purpose of a state law may be difficult and speculative, because many state laws have incomplete, inaccessible, or non-existent legislative histories. It was suggested that the definition be revised by deleting the word ``specific'' before the word ``purpose.'' Another commenter argued [[Page 82583]] that the definition of this term should be narrowed to minimize reverse preemption by more stringent state laws. One commenter generally supported the proposed definition of this term. Response: We are not accepting the first comment. The purpose of a given state enactment should be ascertainable, if not from legislative history or a purpose statement, then from the statute viewed as a whole. The same should be true of state regulations or rulings. In any event, it seems appropriate to restrict the field of state laws that may potentially trump the federal standards to those that are clearly intended to establish state public policy and operate in the same area as the federal standards. To the extent that the definition in the rules below does this, we have accommodated the second comment. We note, however, that we do not agree that the definition should be further restricted to minimize ``reverse preemption,'' as suggested by this comment, as we believe that state laws that are more protective of privacy than contrary federal standards should remain, in order to ensure that the privacy of individuals' health information receives the maximum legal protection available. Sections 160.203 and 160.204--Exception Determinations and Advisory Opinions Most of the comments received on proposed Subpart B lumped together the proposed process for exception determinations under section 1178(a)(2)(A) with the proposed process for issuing advisory opinions under section 1178(a)(2)(B), either because the substance of the comment applied to both processes or because the commenters did not draw a distinction between the two processes. We address these general comments in this section. Comment: Numerous commenters, particularly providers and provider groups, recommended that exception determinations and advisory opinions not be limited to states and advocated allowing all covered entities (including individuals, providers and insurers), or private sector organizations, to request determinations and opinions with respect to preemption of state laws. Several commenters argued that limiting requests to states would deny third party stakeholders, such as life and disability income insurers, any means of resolving complex questions as to what rule they are subject to. One commenter noted that because it is an insurer who will be liable if it incorrectly analyzes the interplay between laws and reaches an incorrect conclusion, there would be little incentive for the states to request clarification. It would also cause large administrative burdens which, it was stated, would be costly and confusing. It was also suggested that the request for the exception be made to the applicable state's attorney general or chief legal officer, as well as the Secretary. Various changes to the language were suggested, such as adding that ``a covered entity, or any other entity impacted by this rule'' be allowed to submit the written request. Response: We agree, and have changed Sec. 164.204(a) below accordingly. The decision to eliminate advisory opinions makes this issue moot with respect to those opinions. Comment: Several commenters noted that it was unclear under the proposed rule which state officials would be authorized to request a determination. Response: We agree that the proposed rule was unclear in this respect. The final rule clarifies who may make the request for a state, with respect to exception determinations. See, Sec. 160.204(a). The language adopted should ensure that the Secretary receives an authoritative statement from the state. At the same time, this language provides states with flexibility, in that the governor or other chief elected official may choose to designate other state officials to make such requests. Comment: Many commenters recommended that a process be established whereby HHS performs an initial state-by-state critical analysis to provide guidance on which state laws will not be preempted; most suggested that such an analysis (alternatively referred to as a database or clearinghouse) should be completed before providers would be required to come into compliance. Many of these comments argued that the Secretary should bear the cost for the analyses of state law, disagreeing with the premise stated in the preamble to the proposed rules that it is more efficient for the private market to complete the state-by-state review. Several comments also requested that HHS continue to maintain and monitor the exception determination process, and update the database over time in order to provide guidance and certainty on the interaction of the federal rules with newly enacted or amended state laws that are produced after the final rule. Some comments recommended that each state be required to certify agreement with the HHS analyses. In contrast, one hospital association noted concerns that the Secretary would conduct a nationwide analysis of state laws. The comment stated that implementation would be difficult since much of the law is a product of common law, and such state-specific research should only be attempted by experienced health care attorneys in each jurisdiction. Response: These comments seem to be principally concerned with potential conflicts between state privacy laws and the privacy standards, because, as is more fully explained below, preemption of contrary state laws not relating to privacy is automatic unless the Secretary affirmatively acts under section 1178(a)(2)(A) to grant an exception. We recognize that the provisions of sections 1178(b) (state public health laws), and 1178(c) (state regulation of health plans) similarly preserve state laws in those areas, but very little of the public comment appeared to be concerned with these latter statutory provisions. Accordingly, we respond below to what we see as the commenters' main concern. The Department will not do the kind of global analysis requested by many of these comments. What these comments are in effect seeking is a global advisory opinion as to when the federal privacy standards will control and when they will not. We understand the desire for certainty underlying these comments. Nonetheless, the reasons set out above as the basis for our decision not to establish a formal advisory opinion process apply equally to these requests. We also do not agree that the task of evaluating the requirements below in light of existing state law is unduly burdensome or unreasonable. Rather, it is common for new federal requirements to necessitate an examination by the regulated entities of the interaction between existing state law and the federal requirements incident to coming into compliance. We agree, however, that the case is different where the Secretary has affirmatively acted, either through granting an exception under section 1178(a)(2)(A) or by making a specific determination about the effect of a particular state privacy law in, for example, the course of determining an entity's compliance with the privacy standards. As is discussed below, the Department intends to make notice of exception determinations that it makes routinely available. We do not agree with the comments suggesting that compliance by covered entities be delayed pending completion of an analysis by the Secretary and that states be required to certify agreement with the Secretary's analysis, as we are not institutionalizing the advisory opinion/analysis process upon which these comments are predicated. [[Page 82584]] Furthermore, with respect to the suggestion regarding delaying the compliance date, Congress provided in section 1175(b) of the Act for a delay in when compliance is required to accommodate the needs of covered entities to address implementation issues such as those raised by these comments. With respect to the suggestion regarding requiring states to certify their agreement with the Secretary's analysis, we have no authority to do this. Comment: Several commenters criticized the proposed provision for annual publication of determinations and advisory opinions in the Federal Register as inadequate. They suggested that more frequent notices should be made and the regulation be changed accordingly, to provide for publication either quarterly or within a few days of a determination. A few commenters suggested that any determinations made, or opinions issued, by the Secretary be published on the Department's website within 10 days or a few days of the determination or opinion. Response: We agree that the proposed provision for annual publication was inadequate and have accordingly deleted it. Subpart B contains no express requirement for publication, as the Department is free to publish its determinations absent such a requirement. It is our intention to publish notice of exception determinations on a periodic basis in the Federal Register. We will also consider other avenues of making such decisions publicly available as we move into the implementation process. Comment: A few commenters argued that the process for obtaining an exception determination or an advisory opinion from the Secretary will result in a period of time in which there is confusion as to whether state or federal law applies. The proposed regulations say that the federal provisions will remain effective until the Secretary makes a determination concerning the preemption issue. This means that, for example, a state law that was enacted and enforced for many years will be preempted by federal law for the period of time during which it takes the Secretary to make a determination. Then if the Secretary determines that the state law is not preempted, the state law will again become effective. Such situations will result in confusion and unintended violations of the law. One of the commenters suggested that requests for exceptions be required only when a challenge is brought against a particular state law, and that a presumption of validity should lie with state laws. Another commenter, however, urged that ``instead of the presumption of preemption, the state laws in question would be presumed to be subject to the exception unless or until the Secretary makes a determination to the contrary.'' Response: It is true that the effect of section 1178(a)(2)(A) is that the federal standards will preempt contrary state law and that such preemption will not be removed unless and until the Secretary acts to grant an exception under that section (assuming, of course, that another provision of section 1178 does not apply). We do not agree, however, that confusion should result, where the issue is whether a given state law has been preempted under section 1178(a)(2)(A). Because preemption is automatic with respect to state laws that do not come within the other provisions of section 1178 (i.e., sections 1178(a)(2)(B), 1178(b), and 1178(c)), such state laws are preempted until the Secretary affirmatively acts to preserve them from preemption by granting an exception under section 1178(a)(2)(A). We cannot accept the suggestion that a presumption of validity attach to state laws, and that states not be required to request exceptions except in very narrow circumstances. The statutory scheme is the opposite: The statute effects preemption in the section 1178(a)(2)(A) context unless the Secretary affirmatively acts to except the contrary state law in question. With respect to preemption under sections 1178(b) and 1178(c) (the carve-outs for state public health laws and state regulation of health plans), we do not agree that preemption is likely to be a major cause of uncertainty. We have deferred to Congressional intent by crafting the permissible releases for public health, abuse, and oversight broadly. See, Secs. 164.512(b)--(d) below. Since there must first be a conflict between a state law and a federal requirement in order for an issue of preemption to even arise, we think that, as a practical matter, few preemption questions should arise with respect to sections 1178(b) and 1178(c). With respect to preemption of state privacy laws under section 1178(a)(2)(B), however, we agree that the situation may be more difficult to ascertain, because the Secretary does not determine the preemption status of a state law under that section, unlike the situation with respect to section 1178(a)(2)(A). We have tried to define the term ``more stringent'' to identify and particularize the factors to be considered by courts to those relevant to privacy interests. The more specific (than the statute) definition of this term at Sec. 160.202 below should provide some guidance in making the determination as to which law prevails. Ambiguity in the state of the law might also be a factor to be taken into account in determining whether a penalty should be applied. Comment: Several comments recommended that exception determinations or advisory opinions encompass a state act or code in its entirety (in lieu of a provision-specific evaluation) if it is considered more stringent as a whole than the regulation. It was argued that since the provisions of a given law are typically interconnected and related, adopting or overriding them on a provision-by-provision basis would result in distortions and/or unintended consequences or loopholes. For example, when a state law includes authorization provisions, some of which are consistent with the federal requirements and some which are not, the cleanest approach is to view the state law as inconsistent with the federal requirements and thus preempted in its entirety. Similarly, another comment suggested that state confidentiality laws written to address the specific needs of individuals served within a discreet system of care be considered as a whole in assessing whether they are as stringent or more stringent than the federal requirements. Another comment requested explicit clarification that state laws with a broader scope than the regulation will be viewed as more stringent and be allowed to stand. Response: We have not adopted the approach suggested by these comments. As discussed above with respect to the definition of the term ``more stringent,'' it is our view that the statute precludes the approach suggested. We also suggest that this approach ignores the fact that each separate provision of law usually represents a nuanced policy choice to, for example, permit this use or prohibit that disclosure; the aggregated approach proposed would fail to recognize and weigh such policy choices. Comment: One comment recommended that the final rule: permit requests for exception determinations and advisory opinions as of the date of publication of the final rule, require the Secretary to notify the requestor within a specified short period of time of all additional information needed, and prohibit enforcement action until the Secretary issues a response. Response: With respect to the first recommendation, we clarify that requests for exception determinations may be made at any time; since the process for issuing advisory opinions has not been adopted, this recommendation is moot as it pertains [[Page 82585]] to advisory opinions. With respect to the second recommendation, we will undertake to process exception requests as expeditiously as possible, but, for the reasons discussed below in connection with the comments relating to setting deadlines for those determinations, we cannot commit at this time to a ``specified short period of time'' within which the Secretary may request additional information. We see no reason to agree to the third recommendation. Because contrary state laws for which an exception is available only under section 1178(a)(2)(A) will be preempted by operation of law unless and until the Secretary acts to grant an exception, there will be an ascertainable compliance standard for compliance purposes, and enforcement action would be appropriate where such compliance did not occur. Sections 160.203(a) and 160.204(a)--Exception Determinations Section 160.203(a)--Criteria for Exception Determinations Comment: Numerous comments criticized the proposed criteria for their substance or lack thereof. A number of commenters argued that the effectiveness language that was added to the third statutory criterion made the exception so massive that it would swallow the rule. These comments generally expressed concern that laws that were less protective of privacy would be granted exceptions under this language. Other commenters criticized the criteria generally as creating a large loophole that would let state laws that do not protect privacy trump the federal privacy standards. Response: We agree with these comments. The scope of the statutory criteria is ambiguous, but they could be read so broadly as to largely swallow the federal protections. We do not think that this was Congress's intent. Accordingly, we have added language to most of the statutory criteria clarifying their scope. With respect to the criteria at 1178(a)(2)(A)(i), this clarifying language generally ties the criteria more specifically to the concern with protecting and making more efficient the health care delivery and payment system that underlies the Administrative Simplification provisions of HIPAA, but, with respect to the catch-all provision at section 1178(a)(2)(A)(i)(IV), also requires that privacy interests be balanced with such concerns, to the extent relevant. We require that exceptions for rules to ensure appropriate state regulation of insurance and health plans be stated in a statute or regulation, so that such exceptions will be clearly tied to statements of priorities made by publicly accountable bodies (e.g., through the public comment process for regulations, and by elected officials through statutes). With respect to the criterion at section 1178(a)(2)(A)(ii), we have further delineated what ``addresses controlled substances'' means. The language provided, which builds on concepts at 21 U.S.C. 821 and the Medicare regulations at 42 CFR 1001.2, delineates the area within which the government traditionally regulates controlled substances, both civilly and criminally; it is our view that HIPAA was not intended to displace such regulation. Comment: Several commenters urged that the request for determination by the Secretary under proposed Sec. 160.204(a) be limited to cases where an exception is absolutely necessary, and that in making such a determination, the Secretary should be required to make a determination that the benefits of granting an exception outweigh the potential harm and risk of disclosure in violation of the regulation. Response: We have not further defined the statutory term ``necessary'', as requested. We believe that the determination of what is ``necessary'' will be fact-specific and context dependent, and should not be further circumscribed absent such specifics. The state will need to make its case that the state law in question is sufficiently ``necessary'' to accomplish the particular statutory ground for exception that it should trump the contrary federal standard, requirement, or implementation specification. Comment: One commenter noted that a state should be required to explain whether it has taken any action to correct any less stringent state law for which an exception has been requested. This commenter recommended that a section be added to proposed Sec. 160.204(a) stating that ``a state must specify what, if any, action has been taken to amend the state law to comply with the federal regulations.'' Another comment, received in the Transactions rulemaking, took the position that exception determinations should be granted only if the state standards in question exceeded the national standards. Response: The first and last comments appear to confuse the ``more stringent'' criterion that applies under section 1178(a)(2)(B) of the Act with the criteria that apply to exceptions under section 1178(a)(2)(A). We are also not adopting the language suggested by the first comment, because we do not agree that states should necessarily have to try to amend their state laws as a precondition to requesting exceptions under section 1178(a)(2)(A). Rather, the question should be whether the state has made a convincing case that the state law in question is sufficiently necessary for one of the statutory purposes that it should trump the contrary federal policy. Comment: One commenter stated that exceptions for state laws that are contrary to the federal standards should not be preempted where the state and federal standards are found to be equal. Response: This suggestion has not been adopted, as it is not consistent with the statute. With respect to the administrative simplification standards in general, it is clear that the intent of Congress was to preempt contrary state laws except in the limited areas specified as exceptions or carve-outs. See, section 1178. This statutory approach is consistent with the underlying goal of simplifying health care transactions through the adoption of uniform national standards. Even with respect to state laws relating to the privacy of medical information, the statute shields such state laws from preemption by the federal standards only if they are ``more'' stringent than the related federal standard or implementation specification. Comment: One commenter noted that determinations would apply only to transactions that are wholly intrastate. Thus, any element of a health care transaction that would implicate more than one state's law would automatically preclude the Secretary's evaluation as to whether the laws were more or less stringent than the federal requirement. Other commenters expressed confusion about this proposed requirement, noting that providers and plans operate now in a multi-state environment. Response: We agree with the commenters and have dropped the proposed requirement. As noted by the commenters, health care entities now typically operate in a multi-state environment, so already make the choice of law judgements that are necessary in multi-state transactions. It is the result of that calculus that will have to be weighed against the federal standards, requirements, and implementation specifications in the preemption analysis. Comment: One comment received in the Transactions rulemaking suggested that the Department should allow exceptions to the standard transactions to accommodate abbreviated transactions between state agencies, such as claims between a public health department and the state Medicaid [[Page 82586]] agency. Another comment requested an exception for Home and Community Based Waiver Services from the transactions standards. Response: The concerns raised by these comments would seem to be more properly addressed through the process established for maintaining and modifying the transactions standards. If the concerns underlying these comments cannot be addressed in this manner, however, there is nothing in the rules below to preclude states from requesting exceptions in such cases. They will then have to make the case that one or more grounds for exception applies. Section 160.204(a)--Process for Exception Determinations--Comments and Responses Comment: Several comments received in the Transactions rulemaking stated that the process for applying for and granting exception determinations (referred to as ``waivers'' by some) needed to be spelled out in the final rule. Response: We agree with these comments. As noted above, since no process was proposed in the Transactions rulemaking, a process for making exception determinations was not adopted in those final rules. Subpart B below adopts a process for making exception determinations, which responds to these comments. Comment: Comments stated that the exception process would be burdensome, unwieldy, and time-consuming for state agencies as well as the Department. One comment took the position that states should not be required to submit exception requests to the Department under proposed Sec. 160.203(a), but could provide documentation that the state law meets one of the conditions articulated in proposed Sec. 160.203. Response: We disagree that the process adopted at Sec. 164.204 below will be burdensome, unwieldy, or time-consuming. The only thing the regulation describes is the showings that a requestor must make as part of its submission, and all are relevant to the issue to be determined by the Secretary. How much information is submitted is, generally speaking, in the requestor's control, and the regulation places no restrictions on how the requestor obtains it, whether by acting directly, by working with providers and/or plans, or by working with others. With respect to the suggestion that states not be required to submit exception requests, we disagree that this suggestion is either statutorily authorized or advisable. We read this comment as implicitly suggesting that the Secretary must proactively identify instances of conflict and evaluate them. This suggestion is, thus, at bottom the same as the many suggestions that we create a database or compendium of controlling law, and it is rejected for the same reasons. Comment: Several comments urged that all state requests for non- preemption include a process for public participation. These comments believe that members of the public and other interested stakeholders should be allowed to submit comments on a state's request for exception, and that these comments should be reviewed and considered by the Secretary in determining whether the exception should be granted. One comment suggested that the Secretary at least give notice to the citizens of the state prior to granting an exception. Response: The revision to Sec. 160.204(a), to permit requests for exception determinations by any person, responds to these comments. Comment: Many commenters noted that the lack of a clear and reasonable time line for the Secretary to issue an exception determination would not provide sufficient assurance that the questions regarding what rules apply will be resolved in a time frame that will allow business to be conducted properly, and argued that this would increase confusion and uncertainty about which statutes and regulations should be followed. Timeframes of 60 or 90 days were suggested. One group suggested that, if a state does not receive a response from HHS within 60 days, the waiver should be deemed approved. Response: The workload prioritization and management considerations discussed above with respect to advisory opinions are also relevant here and make us reluctant to agree to a deadline for making exception determinations. This is particularly true at the outset, since we have no experience with such requests. We therefore have no basis for determining how long processing such requests will take, how many requests we will need to process, or what resources will be available for such processing. We agree that states and other requesters should receive timely responses and will make every effort to make determinations as expeditiously as possible, but we cannot commit to firm deadlines in this initial rule. Once we have experience in handling exception requests, we will consult with states and others in regard to their experiences and concerns and their suggestions for improving the Secretary's expeditious handling of such requests. We are not accepting the suggestion that requests for exception be deemed approved if not acted upon in some defined time period. Section 1178(a)(2)(A) requires a specific determination by the Secretary. The suggested policy would not be consistent with this statutory requirement. It is also inadvisable from a policy standpoint, in that it would tend to maximize exceptions. This would be contrary to the underlying statutory policy in favor of uniform federal standards. Comment: One commenter took exception to the requirement for states to seek a determination from the Department that a provision of state law is necessary to prevent fraud and abuse or to ensure appropriate state regulation of insurance plans, contending that this mandate could interfere with the Insurance Commissioners' ability to do their jobs. Another commenter suggested that the regulation specifically recognize the broad scope of state insurance department activities, such as market conduct examinations, enforcement investigations, and consumer complaint handling. Response: The first comment raises an issue that lies outside our legal authority to address, as section 1178(a)(2)(A) clearly mandates that the Secretary make a determination in these areas. With respect to the second comment, to the extent these concerns pertain to health plans, we believe that the provisions at Sec. 164.512 relating to oversight and disclosures required by law should address the concerns underlying this comment. Section 160.204(a)(4)--Period of Effectiveness of Exception Determinations Comment: Numerous commenters stated that the proposed three year limitation on the effectiveness of exception determinations would pose significant problems and should be limited to one year, since a one year limitation would provide more frequent review of the necessity for exceptions. The commenters expressed concern that state laws which provide less privacy protection than the federal regulation would be given exceptions by the Secretary and thus argued that the exceptions should be more limited in duration or that the Secretary should require that each request, regardless of duration, include a description of the length of time such an exception would be needed. One state government commenter, however, argued that the 3 year limit should be eliminated entirely, on the ground that requiring a redetermination [[Page 82587]] every three years would be burdensome for the states and be a waste of time and resources for all parties. Other commenters, including two state agencies, suggested that the exemption should remain effective until either the state law or the federal regulation is changed. Another commenter suggested that the three year sunset be deleted and that the final rule provide for automatic review to determine if changes in circumstance or law would necessitate amendment or deletion of the opinion. Other recommendations included deeming the state law as continuing in effect upon the submission of a state application for an exemption rather than waiting for a determination by the Secretary that may not occur for a substantial period of time. Response: We are persuaded that the proposed 3 year limit on exception determinations does not make sense where neither law providing the basis for the exception has changed in the interim. We also agree that where either law has changed, a previously granted exception should not continue. Section 160.205(a) below addresses these concerns. Sections 160.203(b) and 160.204(b)--Advisory Opinions Section 160.203(b)--Effect of Advisory Opinions Comment: Several commenters questioned whether or not DHHS has standing to issue binding advisory opinions and recommended that the Department clarify this issue before implementation of this regulation. One respondent suggested that the Department clarify in the final rule the legal issues on which it will opine in advisory opinion requests, and state that in responding to requests for advisory opinions the Department will not opine on the preemptive force of ERISA with respect to state laws governing the privacy of individually identifiable health information, since interpretations as to the scope and extent of ERISA's preemption provisions are outside of the Department's jurisdictional authority. One commenter asked whether a state could enforce a state law which the Secretary had indicated through an advisory opinion is preempted by federal law. This commenter also asked whether the state would be subject to penalties if it chose to continue to enforce its own laws. Response: As discussed above, in part for reasons raised by these comments, the Department has decided not to have a formal process for issuing advisory opinions, as proposed. Several of these concerns, however, raise issues of broader concern that need to be addressed. First, we disagree that the Secretary lacks legal authority to opine on whether or not state privacy laws are preempted. The Secretary is charged by law with determining compliance, and where state law and the federal requirements conflict, a determination of which law controls will have to be made in order to determine whether the federal standard, requirement, or implementation specification at issue has been violated. Thus, the Secretary cannot carry out her enforcement functions without making such determinations. It is further reasonable that, if the Secretary makes such determinations, she can make those determinations known, for whatever persuasive effect they may have. The questions as to whether a state could enforce, or would be subject to penalties if it chose to continue to enforce, its own laws following a denial by the Secretary of an exception request under Sec. 160.203 or a holding by a court of competent jurisdiction that a state privacy law had been preempted by a contrary federal privacy standard raise several issues. First, a state law is preempted under the Act only to the extent that it applies to covered entities; thus, a state is free to continue to enforce a ``preempted'' state law against non-covered entities to which the state law applies. If there is a question of coverage, states may wish to establish processes to ascertain which entities within their borders are covered entities within the meaning of these rules. Second, with respect to covered entities, if a state were to try to enforce a preempted state law against such entities, it would presumably be acting without legal authority in so doing. We cannot speak to what remedies might be available to covered entities to protect themselves against such wrongful state action, but we assume that covered entities could seek judicial relief, if all else failed. With respect to the issue of imposing penalties on states, we do not see this as likely. The only situation that we can envision in which penalties might be imposed on a state would be if a state agency were itself a covered entity and followed a preempted state law, thereby violating the contrary federal standard, requirement, or implementation specification. Section 160.204(b)--Process for Advisory Opinions Comment: Several commenters stated that it was unclear whether a state would be required to submit a request for an advisory opinion in order for the law to be considered more stringent and thus not preempted. The Department should clarify whether a state law could be non-preempted even without such an advisory opinion. Another commenter requested that the final rule explicitly state that the stricter rule always applies, whether it be state or federal, and regardless of whether there is any conflict between state and federal law. Response: The elimination of the proposed process for advisory opinions renders moot the first question. Also, the preceding response clarifies that which law preempts in the privacy context (assuming that the state law and federal requirement are ``contrary'') is a matter of which one is the ``more stringent.'' This is not a matter which the Secretary will ultimately determine; rather, this is a question about which the courts will ultimately make the final determination. With respect to the second comment, we believe that Sec. 160.203(b) below responds to this issue, but we would note that the statute already provides for this. Comment: Several commenters supported the decision to limit the parties who may request advisory opinions to the state. These commenters did not believe that insurers should be allowed to request an advisory opinion and open every state law up to challenge and review. Several commenters requested that guidance on advisory opinions be provided in all circumstances, not only at the Secretary's discretion. It was suggested that proposed Sec. 160.204(b)(2)(iv) be revised to read as follows: ``A state may submit a written request to the Secretary for an advisory opinion under this paragraph. The request must include the following information: the reasons why the state law should or should not be preempted by the federal standard, requirement, or implementation specification, including how the state law meets the criteria at Sec. 160.203(b).'' Response: The decision not to have a formal process for issuing advisory opinions renders these issues moot. Sections 160.203(c) and 160.203(d)--Statutory Carve-Outs Comment: Several commenters asked that the Department provide more specific examples itemizing activities traditionally regulated by the state that could constitute ``carve-out'' exceptions. These commenters also requested that the Department include language in the regulation stating that if a state law falls within several different exceptions, the state chooses which determination exception shall apply. [[Page 82588]] Response: We are concerned that itemizing examples in this way could leave out important state laws or create inadvertent negative implications that laws not listed are not included. However, as explained above, we have designed the types of activities that are permissive disclosures for public health under Sec. 164.512(b) below in part to come within the carve-out effected by section 1178(b); while the state regulatory activities covered by section 1178(c) will generally come within Sec. 164.512(d) below. With respect to the comments asking that a state get to ``choose'' which exception it comes under, we have in effect provided for this with respect to exceptions under section 1178(a)(2)(A), by giving the state the right to request an exception under that section. With respect to exceptions under section 1178(a)(2)(B), those exceptions occur by operation of law, and it is not within the Secretary's power to ``let'' the state choose whether an exception occurs under that section. Comment: Several commenters took the position that the Secretary should not limit the procedural requirements in proposed Sec. 160.204(a) to only those applications under proposed Sec. 160.203(a). They urged that the requirements of proposed Sec. 160.204(a) should also apply to preemption under sections 1178(a)(2)(B), 1178(b) and 1178(c). It was suggested that the rules should provide for exception determinations with respect to the matters covered by these provisions of the statute; such additional provisions would provide clear procedures for states to follow and ensure that requests for exceptions are adequately documented. A slightly different approach was taken by several commenters, who recommended that proposed Sec. 160.204(b) be amended to clarify that the Secretary will also issue advisory opinions as to whether a state law constitutes an exception under proposed Secs. 160.203(c) and 160.203(d). This change would, they argued, give states the same opportunity for guidance that they have under Sec. 160.203(a) and (b), and as such, avoid costly lawsuits to preserve state laws. Response: We are not taking either of the recommended courses of action. With respect to the recommendation that we expand the exception determination process to encompass exceptions under sections 1178(a)(2)(B), 1178(b), and 1178(c), we do not have the authority to grant exceptions under these sections. Under section 1178, the Secretary has authority to make exception determinations only with respect to the matters covered by section 1178(a)(2)(A); contrary state laws coming within section 1178(a)(2)(B) are preempted if not more stringent, while if a contrary state law comes within section 1178(b) or section 1178(c), it is not preempted. These latter statutory provisions operate by their own terms. Thus, it is not within the Secretary's authority to establish the determination process which these comments seek. With respect to the request seeking advisory opinions in the section 1178(b) and 1178(c) situations, we agree that we have the authority to issue such opinions. However, the considerations described above that have led us not to adopt a formal process for issuing advisory opinions in the privacy context apply with equal force and effect here. Comment: One commenter argued that it would be unnecessarily burdensome for state health data agencies (whose focus is on the cost of healthcare or improving Medicare, Medicaid, or the healthcare system) to obtain a specific determination from the Department for an exception under proposed Sec. 160.203(c). States should be required only to notify the Secretary of their own determination that such collection is necessary. It was also argued that cases where the statutory carve-outs apply should not require a Secretarial determination. Response: We clarify that no Secretarial determination is required for activities that fall into one of the statutory carve-outs. With respect to data collections for state health data agencies, we note that provision has been made for many of these activities in several provisions of the rules below, such as the provisions relating to disclosures required by law (Sec. 164.512(a)), disclosures for oversight (Sec. 164.512(d)), and disclosures for public health (Sec. 164.512(b)). Some disclosures for Medicare and Medicaid purposes may also come within the definition of health care operations. A fuller discussion of this issue appears in connection with Sec. 164.512 below. Constitutional Comments and Responses Comment: Several commenters suggested that as a general matter the rule is unconstitutional. Response: We disagree that the rule is unconstitutional. The particular grounds for this conclusion are set out with respect to particular constitutional issues in the responses below. With respect to the comments that simply made this general assertion, the lack of detail of the comments makes a substantive response impossible. Article II Comment: One commenter contended that the Secretary improperly delegated authority to private entities by requiring covered entities to enter into contracts with, monitor, and take action for violations of the contract against their business partners. These comments assert that the selection of these entities to ``enforce'' the regulations violates the Executive Powers Clause and the Appointments and Take Care Clauses. Response: We reject the assertion that the business associate provisions constitute an improper delegation of executive power to private entities. HIPAA provides HHS with authority to enforce the regulation against covered entities. The rules below regulate only the conduct of the covered entity; to the extent a covered entity chooses to conduct its funding through a business associate, those functions are still functions of the covered entity. Thus, no improper delegation has occurred because what is being regulated are the actions of the covered entity, not the actions of the business associate in its independent capacity. We also reject the suggestion that the business associates provisions constitute an improper appointment of covered entities to enforce the regulation and violate the Take Care Clause. Because the Secretary has not delegated authority to covered entities, the inference that she has appointed covered entities to exercise such authority misses the mark. Commerce Clause Comment: A few commenters suggested that the privacy regulation regulates activities that are not in interstate commerce and which are, therefore, beyond the powers the U.S. Constitution gives the federal government. Response: We disagree. Health care providers, health plans, and health care clearinghouses are engaged in economic and commercial activities, including the exchange of individually identifiable health information electronically across state lines. These activities constitute interstate commerce. Therefore, they come within the scope of Congress' power to regulate interstate commerce. Nondelegation Doctrine Comment: Some commenters objected to the manner by which Congress provided the Secretary authority to promulgate this regulation. These comments asserted that Congress violated the nondelegation doctrine by (1) not providing an ``intelligible principle'' to guide the agency, (2) not [[Page 82589]] establishing ``ascertainable standards,'' and (3) improperly permitting the Secretary to make social policy decisions. Response: We disagree. HIPAA clearly delineates Congress' general policy to establish strict privacy protections for individually identifiable health information to encourage electronic transactions. Congress also established boundaries limiting the Secretary's authority. Congress established these limitations in several ways, including by calling for privacy standards for ``individually identifiable health information''; specifying that privacy standards must address individuals' rights regarding their individually identifiable health information, the procedures for exercising those rights, and the particular uses and disclosures to be authorized or required; restricting the direct application of the privacy standards to ``covered entities,'' which Congress defined; requiring consultation with the National Committee on Vital and Health Statistics and the Attorney General; specifying the circumstances under which the federal requirements would supersede state laws; and specifying the civil and criminal penalties the Secretary could impose for violations of the regulation. These limitations also serve as ``ascertainable standards'' upon which reviewing courts can rely to determine the validity of the exercise of authority. Although Congress could have chosen to impose expressly an exhaustive list of specifications that must be met in order to achieve the protective purposes of the HIPAA, it was entirely permissible for Congress to entrust to the Secretary the task of providing these specifications based on her experience and expertise in dealing with these complex and technical matters. We disagree with the comments that Congress improperly delegated Congressional policy choices to her. Congress clearly decided to create federal standards protecting the privacy of ``individually identifiable health information'' and not to preempt state laws that are more stringent. Congress also determined over whom the Secretary would have authority, the type of information protected, and the minimum level of regulation. Separation of Powers Comment: Some commenters asserted that the federal government may not preempt state laws that are not as strict as the privacy regulation because to do so would violate the separation of powers in the U.S. Constitution. One comment suggested that the rules raised a substantial constitutional issue because, as proposed, they permitted the Secretary to make determinations on preemption, which is a role reserved for the judiciary. Response: We disagree. We note that this comment only pertains to determinations under section 1178(a)(2)(A); as discussed above, the rules below provide for no Secretarial determinations with respect to state privacy laws coming within section 1178(a)(2)(B). With respect to determinations under section 1178(a)(2)(A), however, the final rules, like the proposed rules, provide that at a state's request the Secretary may make certain determinations regarding the preemptive effect of the rules on a particular state law. As usually the case with any administrative decisions, these are subject to judicial review pursuant to the Administrative Procedure Act. First Amendment Comment: Some comments suggested that the rules violated the First Amendment. They asserted that if the rule included Christian Science practitioners as covered entities it would violate the separation of church and state doctrine. Response: We disagree. The First Amendment does not always prohibit the federal government from regulating secular activities of religious organizations. However, we address concerns relating to Christian Science practitioners more fully in the response to comments discussion of the definition of ``covered entity'' in Sec. 160.103. Fourth Amendment Comment: Many comments expressed Fourth Amendment concerns about various proposed provisions. These comments fall into two categories-- general concerns about warrantless searches and specific concerns about administrative searches. Several comments argued that the proposed regulations permit law enforcement and government officials access to protected health information without first requiring a judicial search warrant or an individual's consent. These comments rejected the applicability of any of the existing exceptions permitting warrantless searches in this context. Another comment argued that federal and state police should be able to obtain personal medical records only with the informed consent of an individual. Many of these comments also expressed concern that protected health information could be provided to government or private agencies for inclusion in a governmental health data system. Response: We disagree that the provisions of these rules that permit disclosures for law enforcement purposes and governmental health data systems generally violate the Fourth Amendment. The privacy regulation does not create new access rights for law enforcement. Rather, it refrains from placing a significant barrier in front of access rights that law enforcement currently has under existing legal authority. While the regulation may permit a covered entity to make disclosures in specified instances, it does not require the covered entity make the disclosure. Thus, because we are not modifying existing law regarding disclosures to law enforcement officials, except to strengthen the requirements related to requests already authorized under law, and are not requiring any such disclosures, the privacy regulation does not infringe upon individual's Fourth Amendment rights. We discuss the rationale underlying the permissible disclosures to law enforcement officials more fully in the preamble discussion relating to Sec. 164.512(f). We note that the proposed provision relating to disclosures to government health data systems has been eliminated in the final rule. However, to the extent that the comments can be seen as raising concern over disclosure of protected health information to government agencies for public health, health oversight, or other purposes permitted by the final rule, the reasoning in the previous paragraph applies. Comment: One commenter suggested that the rules violate the Fourth Amendment by requiring covered entities to provide access to the Secretary to their books, records, accounts, and facilities to ensure compliance with these rules. The commenter also suggested that the requirement that covered entities enter into agreements with their business partners to make their records available to the Secretary for inspection as well also violates the warrant requirement of the Fourth Amendment. Response: We disagree. These requirements are consistent with U.S. Supreme Court cases holding that warrantless administrative searches of commercial property are not per se violations of the Fourth Amendment. The provisions requiring that covered entities provide access to certain material to determine compliance with the regulation come within the well-settled exception regarding closely regulated businesses and industries to the warrant requirement. From state and local licensure laws to the federal fraud and abuse statutes and regulations, the health care industry is one of the most [[Page 82590]] tightly regulated businesses in the country. Because the industry has such an extensive history of government oversight and involvement, those operating within it have no reasonable expectation of privacy from the government such that a warrant would be required to determine compliance with the rules. In addition, the cases cited by the commenters concern unannounced searches of the premises and facilities of particular entities. Because our enforcement provisions only provide for the review of books, records, and other information and only during normal business hours with notice, except for exceptional situations, this case law does not apply. As for business associates, they voluntarily enter into their agreements with covered entities. This agreement, therefore, functions as knowing and voluntary consents to the search (even assuming it could be understood to be a search) and obviates the need for a warrant. Fifth Amendment Comment: Several comments asserted that the proposed rules violated the Fifth Amendment because in the commenters' views they authorized the taking of privacy property without just compensation or due process of law. Response: We disagree. The rules set forth below do not address the issue of who owns an individual's medical record. Instead, they address what uses and disclosures of protected health information may be made by covered entities with or without a consent or authorization. As described in response to a similar comment, medical records have been the property of the health care provider or medical facility that created them, historically. In some states, statutes directly provide these entities with ownership. These laws are limited by laws that provide patients or their representatives with access to the records or that provide the patient with an ownership interest in the information within the records. As we discuss, the final rule is consistent with current state law that provides patients access to protected health information, but not ownership of medical records. State laws that provide patients with greater access would remain in effect. Therefore, because patients do not own their records, no taking can occur. As for their interest in the information, the final rule retains their rights. As for covered entities, the final rule does not take away their ownership rights or make their ownership interest in the protected health information worthless. Therefore, no taking has occurred in these situations either. Ninth and Tenth Amendments Comment: Several comments asserted that the proposed rules violated the Ninth and Tenth Amendments. One commenter suggested that the Ninth Amendment prohibits long and complicated regulations. Other commenters suggested that the proposed rules authorized the compelled disclosure of individually identifiable health information in violation of State constitutional provisions, such as those in California and Florida. Similarly, a couple of commenters asserted that the privacy rules violate the Tenth Amendment. Response: We disagree. The Ninth and Tenth Amendments address the rights retained by the people and acknowledge that the States or the people are reserved the powers not delegated to the federal government and not otherwise prohibited by the Constitution. Because HHS is regulating under a delegation of authority from Congress in an area that affects interstate commerce, we are within the powers provided to Congress in the Constitution. Nothing in the Ninth Amendment, or any other provision of the Constitution, restricts the length or complexity of any law. Additionally, we do not believe the rules below impermissibly authorize behavior that violates State constitutions. This rule requires disclosure only to the individual or to the Secretary to enforce this rule. As noted in the preamble discussion of ``Preemption,'' these rules do not preempt State laws, including constitutional provisions, that are contrary to and more stringent, as defined at Sec. 160.502, than these rules. See the discussion of ``Preemption'' for further clarification. Therefore, if these State constitutions are contrary to the rule below and provide greater protection, they remain in full force; if they do not, they are preempted, in accordance with the Supremacy Clause of the Constitution. Right to Privacy Comment: Several comments suggested that the proposed regulation would violate the right to privacy guaranteed by the First, Fourth, Fifth, and Ninth Amendments because it would permit covered entities to disclose protected health information without the consent of the individual. Response: These comments did not provide specific facts or legal basis for the claims. We are, thus, unable to provide a substantive response to these particular comments. However, we note that the rule requires disclosures only to the individual or to the Secretary to determine compliance with this rule. Other uses or disclosures under this rule are permissive, not required. Therefore, if a particular use or disclosure under this rule is viewed as interfering with a right that prohibited the use or disclosure, the rule itself is not what requires the use or disclosure. Void for Vagueness Comment: One comment suggested that the Secretary's use of a ``reasonableness'' standard is unconstitutionally vague. Specifically, this comment objected to the requirement that covered entities use ``reasonable'' efforts to use or disclose the minimum amount of protected health information, to ensure that business partners comply with the privacy provisions of their contracts, to notify business partners of any amendments or corrections to protected health information, and to verify the identity of individuals requesting information, as well as charge only a ``reasonable'' fee for inspecting and copying health information. This comment asserted that the Secretary provided ``inadequate guidance'' as to what qualifies as ``reasonable.'' Response: We disagree with the comment's suggestion that by applying a ``reasonableness'' standard, the regulation has failed to provide for ``fair warning'' or ``fair enforcement.'' The ``reasonableness'' standard is well-established in law; for example, it is the foundation of the common law of torts. Courts also have consistently held as constitutional statutes that rely upon a ``reasonableness'' standard. Our reliance upon a ``reasonableness'' standard, thus, provides covered entities with constitutionally sufficient guidance. Criminal Intent Comment: One comment argued that the regulation's reliance upon a ``reasonableness'' standard criminalizes ``unreasonable efforts'' without requiring criminal intent or mens rea. Response: We reject this suggestion because HIPAA clearly provides the criminal intent requirement. Specifically, HIPPA provides that a ``person who knowingly and in violation of this part--(1) uses or causes to be used a unique health identifier; (2) obtains individually identifiable health information relating to an individual; or (3) discloses individually identifiable health information to another person, shall be punished as provided in subsection (b).'' HIPAA section 1177 (emphasis added). Subsection (b) also relies on a knowledge standard in [[Page 82591]] outlining the three levels of criminal sanctions. Thus, Congress, not the Secretary, established the mens rea by including the term ``knowingly'' in the criminal penalty provisions of HIPAA. Data Collection Comment: One commenter suggested that the U.S. Constitution authorized the collection of data on individuals only for the purpose of the census. Response: While it might be true that the U.S. Constitution expressly discusses the national census, it does not forbid federal agencies from collecting data for other purposes. The ability of agencies to collect non-census data has been upheld by the courts. Relationship to Other Federal Laws Comment: We received several comments that sought clarification of the interaction of various federal laws and the privacy regulation. Many of these comments simply listed federal laws and regulations with which the commenter currently must comply. For example, commenters noted that they must comply with regulations relating to safety, public health, and civil rights, including Medicare and Medicaid, the Americans with Disabilities Act, the Family and Medical Leave Act, the Federal Aviation Administration regulations, the Department of Transportation regulations, the Federal Highway Administration regulations, the Occupational Safety and Health Administration regulations, and the Environmental Protection Agency regulations, and alcohol and drug free workplace rules. These commenters suggested that the regulation state clearly and unequivocally that uses or disclosures of protected health information for these purposes were permissible. Some suggested modifying the definition of health care operations to include these uses specifically. Another suggestion was to add a section that permitted the transmission of protected health information to employers when reasonably necessary to comply with federal, state, or municipal laws and regulations, or when necessary for public or employee safety and health. Response: Although we sympathize with entities' needs to evaluate the existing laws with which they must comply in light of the requirements of the final regulation, we are unable to respond substantially to comments that do not pose specific questions. We offer, however, the following guidance: if an covered entity is required to disclose protected health information pursuant to a specific statutory or regulatory scheme, the covered entity generally will be permitted under Sec. 164.512(a) to make these disclosures without a consent or authorization; if, however, a statute or regulation merely suggests a disclosure, the covered entity will need to determine if the disclosure comes within another category of permissible disclosure under Secs. 164.510 or 164.512 or, alternatively, if the disclosure would otherwise come within Sec. 164.502. If not, the entity will need to obtain a consent or authorization for the disclosure. Comment: One commenter sought clarification as to when a disclosure is considered to be ``required'' by another law versus ``permitted'' by that law. Responses: We use these terms according to their common usage. By ``required by law,'' we mean that a covered entity has a legal obligation to disclose the information. For example, if a statute states that a covered entity must report the names of all individuals presenting with gun shot wounds to the emergency room or else be fined $500 for each violation, a covered entity would be required by law to disclose the protected health information necessary to comply with this mandate. The privacy regulation permits this type of disclosure, but does not require it. Therefore, if a covered entity chose not to comply with the reporting statute it would violate only the reporting statute and not the privacy regulation. On the other hand, if a statute stated that a covered entity may or is permitted to report the names of all individuals presenting with gun shot wounds to the emergency room and, in turn, would receive $500 for each month it made these reports, a covered entity would not be permitted by Sec. 164.512(a) to disclose the protected health information. Of course, if another permissible provision applied to these facts, the covered entity could make the disclosure under that provision, but it would not be considered to be a disclosure. See discussion under Sec. 164.512(a) below. Comment: Several commenters suggested that the proposed rule was unnecessarily duplicative of existing regulations for federal programs, such as Medicare, Medicaid, and the Federal Employee Health Benefit Program. Response: Congress specifically subjected certain federal programs, including Medicare, Medicaid, and the Federal Employee Health Benefit Program to the privacy regulation by including them within the definition of ``health plan.'' Therefore, covered entities subject to requirements of existing federal programs will also have to comply with the privacy regulation. Comment: One comment asserts that the regulation would not affect current federal requirements if the current requirements are weaker than the requirements of the privacy regulation. This same commenter suggested that current federal requirements will trump both state law and the proposed regulation, even if Medicaid transactions remain wholly intrastate. Response: We disagree. As noted in our discussion of ``Relationship to Other Federal Laws,'' each law or regulation will need to be evaluated individually. We similarly disagree with the second assertion made by the commenter. The final rule will preempt state laws only in specific instances. For a more detailed analysis, see the preamble discussion of ``Preemption.'' Administrative Subpoenas Comment: One comment stated that the final rule should not impose new standards on administrative subpoenas that would conflict with existing laws or administrative or judicial rules that establish standards for issuing subpoenas. Nor should the final rule conflict with established standards for the conduct of administrative, civil, or criminal proceedings, including the rules regarding the discovery of evidence. Other comments sought further restrictions on access to protected health information in this context. Response: Section 164.512(e) below addresses disclosures for judicial and administrative proceedings. The final rules generally do not interfere with these existing processes to the extent an individual served with a subpoena, court order, or other similar process is able to raise objections already available. See the discussion below under Sec. 164.512(e) for a fuller response. Americans with Disabilities Act Comment: Several comments discussed the intersection between the proposed Privacy Rule and the Americans with Disabilities Act (``ADA'') and sections 503 and 504 of the Rehabilitation Act of 1973. One comment suggested that the final rule explicitly allows disclosures authorized by the Americans with Disabilities Act without an individual's authorization, because this law, in the commenter's view, provides more than adequate protection for the confidentiality of medical records in the employment context. The comment noted that under these laws employers may receive information related to fitness for duty, pre- employment physicals, routine examinations, return to work examinations, examinations following other types of absences, examinations triggered by specific events, changes in [[Page 82592]] circumstances, requests for reasonable accommodations, leave requests, employee wellness programs, and medical monitoring. Other commenters suggested that the ADA requires the disclosure of protected health information to employers so that the employee may take advantage of the protections of these laws. They suggested that the final rules clarify that employment may be conditioned on obtaining an authorization for disclosure of protected health information for lawful purposes and provide guidance concerning the interaction of the ADA with the final regulation's requirements. Several commenters wanted clarification that the privacy regulation would not permit employers to request or use protected health information in violation of the ADA. Response: We disagree with the comment that the final rule should allow disclosures of protected health information authorized by the ADA without the individual's authorization. We learned from the comments that access to and use of protected health information by employers is of particular concern to many people. With regard to employers, we do not have statutory authority to regulate them. Therefore, it is beyond the scope of this regulation to prohibit employers from requesting or obtaining protected health information. Covered entities may disclose protected health information about individuals who are members of an employer's workforce with an authorization. Nothing in the privacy regulation prohibits employers from obtaining that authorization as a condition of employment. We note, however, that employers must comply with other laws that govern them, such as nondiscrimination laws. For example, if an employer receives a request for a reasonable accommodation, the employer may require reasonable documentation about the employee's disability and the functional limitations that require the reasonable accommodation, if the disability and the limitations are not obvious. If the individual provides insufficient documentation and does not provide the missing information in a timely manner after the employer's subsequent request, the employer may require the individual to go to an appropriate health professional of the employer's choice. In this situation, the employee does not authorize the disclosure of information to substantiate the disability and the need for reasonable accommodation, the employer need not provide the accommodation. We agree that this rule does not permit employers to request or use protected health information in violation of the ADA or other antidiscrimination laws. Appropriations Laws Comment: One comment suggested that the penalty provisions of HIPAA, if extended to the privacy regulation, would require the Secretary to violate ``Appropriations Laws'' because the Secretary could be in the position of assessing penalties against her own and other federal agencies in their roles as covered entities. Enforcing penalties on these entities would require the transfer of agency funds to the General Fund. Response: We disagree. Although we anticipate achieving voluntary compliance and resolving any disputes prior to the actual assessment of penalties, the Department of Justice's Office of Legal Counsel has determined in similar situations that federal agencies have authority to assess penalties against other federal agencies and that doing so is not in violation of the Anti-Deficiency Act, 31 U.S.C. 1341. Balanced Budget Act of 1997 Comment: One comment expressed concern that the regulation would place tremendous burdens on providers already struggling with the effects of the Balanced Budget Act of 1997. Response: We appreciate the costs covered entities face when complying with other statutory and regulatory requirements, such as the Balanced Budget Act of 1997. However, HHS cannot address the impact of the Balanced Budget Act or other statutes in the context of this regulation. Comment: Another comment stated that the regulation is in direct conflict with the Balanced Budget Act of 1997 (``BBA''). The comment asserts that the regulation's compliance date conflicts with the BBA, as well as Generally Acceptable Accounting Principles. According to the comment, covered entities that made capital acquisitions to ensure compliance with the year 2000 (``Y2K'') problem would not be able to account for the full depreciation of these systems until 2005. Because HIPAA requires compliance before that time, the regulation would force premature obsolescence of this equipment because while it is Y2K compliant, it may be HIPAA non-compliant. Response: This comment raises two distinct issues--(1) the investment in new equipment and (2) the compliance date. With regard to the first issue, we reject the comment's assertion that the regulation requires covered entities to purchase new information systems or information technology equipment, but realize that some covered entities may need to update their equipment. We have tried to minimize the costs, while responding appropriately to Congress' mandate for privacy rules. We have dealt with the cost issues in detail in the ``Regulatory Impact Analysis'' section of this Preamble. With regard to the second issue, Congress, not the Secretary, established the compliance data at section 1175(b) of the Act. Civil Rights of Institutionalized Persons Act Comment: A few comments expressed concern that the privacy regulation would inadvertently hinder the Department of Justice Civil Rights Divisions' investigations under the Civil Rights of Institutionalized Persons Act (``CRIPA''). These comments suggested clearly including civil rights enforcement activities as health care oversight. Response: We agree with this comment. We do not intend for the privacy rules to hinder CRIPA investigations. Thus, the final rule includes agencies that are authorized by law to ``enforce civil rights laws for which health information is relevant'' in the definition of ``health oversight agency'' at Sec. 164.501. Covered entities are permitted to disclose protected health information to health oversight agencies under Sec. 164.512(d) without an authorization. Therefore, we do not believe the final rule should hinder the Department of Justice's ability to conduct investigations pursuant to its authority in CRIPA. Clinical Laboratory Improvement Amendments Comment: One comment expressed concern that the proposed definition of health care operations did not include activities related to the quality control clinical studies performed by laboratories to demonstrate the quality of patient test results. Because the Clinical Laboratory Improvement Amendments of 1988 (``CLIA'') requires these studies that the comment asserted require the use of protected health information, the comment suggested including this specific activity in the definition of ``health care operations.'' Response: We do not intend for the privacy regulation to impede the ability of laboratories to comply with the requirements of CLIA. Quality control activities come within the definition of ``health care operations'' in Sec. 164.501 because they come within the meaning of the term ``quality assurance activities.'' To the extent they would not come within health care operations, but [[Page 82593]] are required by CLIA, the privacy regulation permits clinical laboratories that are regulated by CLIA to comply with mandatory uses and disclosures of protected health information pursuant to Sec. 164.512(a). Comment: One comment stated that the proposed regulation's right of access for inspection and copying provisions were contrary to CLIA in that CLIA permits laboratories to disclose lab test results only to ``authorized persons.'' This comment suggested that the final rule include language adopting this restriction to ensure that patients not obtain laboratory test results before the appropriate health care provider has reviewed and explained those results to the patients. A similar comment stated that the lack of preemption of state laws could create problems for clinical laboratories under CLIA. Specifically, this comment noted that CLIA permits clinical laboratories to perform tests only upon the written or electronic request of, and to provide the results to, an ``authorized person.'' State laws define who is an ``authorized person.'' The comment expressed concern as to whether the regulation would preempt state laws that only permit physicians to receive test results. Response: We agree that CLIA controls in these cases. Therefore, we have amended the right of access, Sec. 164.524(a), so that a covered entity that is subject to CLIA does not have to provide access to the individual to the extent such access would be prohibited by law. Because of this change, we believe the preemption concern is moot. Controlled Substance Act Comment: One comment expressed concern that the privacy regulation as proposed would restrict the Drug Enforcement Agency's (``the DEA'') enforcement of the Controlled Substances Act (``CSA''). The comment suggested including enforcement activities in the definition of ``health oversight agency.'' Response: In our view, the privacy regulation should not impede the DEA's ability to enforce the CSA. First, to the extent the CSA requires disclosures to the DEA, these disclosures would be permissible under Sec. 164.512(a). Second, some of the DEA's CSA activities come within the exception for health oversight agencies which permits disclosures to health oversight agencies for: Activities authorized by law, including audits; civil, administrative, or criminal investigations; inspections * * * civil, administrative, or criminal proceedings or actions; and other activity necessary for appropriate oversight of the health care system. Therefore, to the extent the DEA is enforcing the CSA, disclosures to it in its capacity as a health oversight agency are permissible under Sec. 164.512(d). Alternatively, CSA required disclosures to the DEA for law enforcement purposes are permitted under Sec. 164.512(f). When acting as a law enforcement agency under the CSA, the DEA may obtain the information pursuant to Sec. 164.512(f). Thus, we do not agree that the privacy regulation will impede the DEA's enforcement of the CSA. See the preamble discussion of Sec. 164.512 for further explanation. Comment: One commenter suggested clarifying the provisions allowing disclosures that are ``required by law'' to ensure that the mandatory reporting requirements the CSA imposes on covered entities, including making available reports, inventories, and records of transactions, are not preempted by the regulation. Response: We agree that the privacy regulation does not alter covered entities' obligations under the CSA. Because the CSA requires covered entities manufacturing, distributing, and/or dispensing controlled substances to maintain and provide to the DEA specific records and reports, the privacy regulation permits these disclosures under Sec. 164.512(a). In addition, when the DEA seeks documents to determine an entity's compliance with the CSA, such disclosures are permitted under Sec. 164.512(d). Comment: The same commenter expressed concern that the proposed privacy regulation inappropriately limits voluntary reporting and would prevent or deter employees of covered entities from providing the DEA with information about violations of the CSA. Response: We agree with the general concerns expressed in this comment. We do not believe the privacy rules will limit voluntary reporting of violations of the CSA. The CSA requires certain entities to maintain several types of records that may include protected health information. Although reports that included protected health information may be restricted under these rules, reporting the fact that an entity is not maintaining proper reports is not. If it were necessary to obtain protected health information during the investigatory stages following such a voluntary report, the DEA would be able to obtain the information in other ways, such as by following the administrative procedures outlined in Sec. 164.512(e). We also agree that employees of covered entities who report violations of the CSA should not be subjected to retaliation by their employers. Under Sec. 164.502(j), we specifically state that a covered entity is not considered to have violated the regulation if a workforce member or business associate in good faith reports violations of laws or professional standards by covered entities to appropriate authorities. See discussion of Sec. 164.502(j) below. Department of Transportation Comment: Several commenters stated that the Secretary should recognize in the preamble that it is permissible for employers to condition employment on an individual's delivering a consent to certain medical tests and/or examinations, such as drug-free workplace programs and Department of Transportation (``DOT'')-required physical examinations. These comments also suggested that employers should be able to receive certain information, such as pass/fail test and examination results, fitness-to-work assessments, and other legally required or permissible physical assessments without obtaining an authorization. To achieve this goal, these comments suggested defining ``health information'' to exclude information such as information about how much weight a specific employee can lift. Response: We reject the suggestion to define ``health information,'' which Congress defined in HIPAA, so that it excludes individually identifiable health information that may be relevant to employers for these types of examinations and programs. We do not regulate employers. Nothing in the rules prohibit employers from conditioning employment on an individual signing the appropriate consent or authorization. By the same token, however, the rules below do not relieve employers from their obligations under the ADA and other laws that restrict the disclosure of individually identifiable health information. Comment: One commenter asserted that the proposed regulation conflicts with the DOT guidelines regarding positive alcohol and drug tests that require the employer be notified in writing of the results. This document contains protected health information. In addition, the treatment center records must be provided to the Substance Abuse Professional (``SAP'') and the employer must receive a report from SAP with random drug testing recommendations. Response: It is our understanding that DOT requires drug testing of all applicants for employment in safety-sensitive positions or individuals being transferred to such positions. [[Page 82594]] Employers, pursuant to DOT regulations, may condition an employee's employment or position upon first obtaining an authorization for the disclosure of results of these tests to the employer. Therefore, we do not believe the final rules conflict with the DOT requirements, which do not prohibit obtaining authorizations before such information is disclosed to employers. Developmental Disabilities Act Comment: One commenter urged HHS to ensure that the regulation would not impede access to individually identifiable health information to entities that are part of the Protection and Advocacy System to investigate abuse and neglect as authorized by the Developmental Disabilities Bill of Rights Act. Response: The Developmental Disabilities Assistance and Bill of Rights Act of 2000 (``DD Act'') mandates specific disclosures of individually identifiable health information to Protection and Advocacy systems designated by the chief elected official of the states and Territories. Therefore, covered entities may make these disclosures under Sec. 164.512(a) without first obtaining an individual's authorization, except in those circumstances in which the DD Act requires the individual's authorization. Therefore, the rules below will not impede the functioning of the existing Protection and Advocacy System. Employee Retirement Income Security Act of 1974 Comment: Several commenters objected to the fact that the NPRM did not clarify the scope of preemption of state laws under the Employee Retirement Income Security Act of 1974 (ERISA). These commenters asserted that the final rule must state that ERISA preempts all state laws (including those relating to the privacy of individually identifiable health information) so that multistate employers could continue to administer their group health plans using a single set of rules. In contrast, other commenters criticized the Department for its analysis of the current principles governing ERISA preemption of state law, pointing out that the Department has no authority to interpret ERISA. Response: This Department has no authority to issue regulations under ERISA as requested by some of these commenters, so the rule below does not contain the statement requested. See the discussion of this point under ``Preemption'' above. Comment: One commenter requested that the final rule clarify that section 264(c)(2) of HIPAA does not save state laws that would otherwise be preempted by the Federal Employees Health Benefits Program. The commenter noted that in the NPRM this statement was made with respect to Medicare and ERISA, but not the law governing the FEHBP. Response: We agree with this comment. The preemption analysis set out above with respect to ERISA applies equally to the Federal Employees Health Benefit Program. Comment: One commenter noted that the final rule should clarify the interplay between state law, the preemption standards in Subtitle A of Title I of HIPAA (Health Care Access, Portability and Renewability), and the preemption standards in the privacy requirements in Subtitle F of Title II of HIPAA (Administrative Simplification). Response: The NPRM described only the preemption standards that apply with respect to the statutory provisions of HIPAA that were implemented by the proposed rule. We agree that the preemption standards in Subtitle A of Title I of HIPAA are different. Congress expressly provided that the preemption provisions of Title I apply only to Part 7, which addresses portability, access, and renewability requirements for Group Health Plans. To the extent state laws contain provisions regarding portability, access, or renewability, as well as privacy requirements, a covered entity will need to evaluate the privacy provisions under the Title II preemption provisions, as explained in the preemption provisions of the rules, and the other provisions under the Title I preemption requirements. European Union Privacy Directive and U.S. Safe Harbors Comment: Several comments stated that the privacy regulation should be consistent with the European Union's Directive on Data Protection. Others sought guidance as to how to comply with both the E.U. Directive on Data Protection and the U.S. Safe Harbor Privacy Principles. Response: We appreciate the need for covered entities obtaining personal data from the European Union to understand how the privacy regulation intersects with the Data Protection Directive. We have provided guidance as to this interaction in the ``Other Federal Laws'' provisions of the preamble. Comment: A few comments expressed concern that the proposed definition of ``individual'' excluded foreign military and diplomatic personnel and their dependents, as well as overseas foreign national beneficiaries. They noted that the distinctions are based on nationality and are inconsistent with the stance of the E.U. Directive on Data Protection and the Department of Commerce's assurances to the European Commission. Response: We agree with the general principle that privacy protections should protect every person, regardless of nationality. As noted in the discussion of the definition of ``individual,'' the final regulation's definition does not exclude foreign military and diplomatic personnel, their dependents, or overseas foreign national beneficiaries from the definition of individual. As described in the discussion of Sec. 164.512 below, the final rule applies to foreign diplomatic personnel and their dependents like all other individuals. Foreign military personnel receive the same treatment under the final rule as U.S. military personnel do, as discussed with regard to Sec. 164.512 below. Overseas foreign national beneficiaries to the extent they receive care for the Department of Defense or a source acting on behalf of the Department of Defense remain generally excluded from the final rules protections. For a more detailed explanation, see Sec. 164.500. Fair Credit Reporting Act Comment: A few commenters requested that we exclude information maintained, used, or disclosed pursuant to the Fair Credit Reporting Act (``FCRA'') from the requirements of the privacy regulation. These commenters noted that the protection in the privacy regulation duplicate those in the FCRA. Response: Although we realize that some overlap between FCRA and the privacy rules may exist, we have chosen not to remove information that may come within the purview of FCRA from the scope of our rules because FCRA's focus is not the same as our Congressional mandate to protect individually identifiable health information. To the extent a covered entity seeks to engage in collection activities or other payment-related activities, it may do so pursuant to the requirements of this rule related to payment. See discussion of Secs. 164.501 and 164.502 below. We understand that some covered entities may be part of, or contain components that are, entities which meet the definition of ``consumer reporting agencies.'' As such, these entities are subject to the FCRA. As described in the preamble to Sec. 164.504, covered entities must designate what parts of their organizations will be treated as covered entities for the [[Page 82595]] purpose of these privacy rules. The covered entity component will need to comply with these rules, while the components that are consumer reporting agencies will need to comply with FCRA. Comment: One comment suggested that the privacy regulation would conflict with the FCRA if the regulation's requirement applied to information disclosed to consumer reporting agencies. Response: To the extent a covered entity is required to disclose protected health information to a consumer reporting agency, it may do so under Sec. 164.512(a). See also discussion under the definition of ``payment'' below. Fair Debt Collection and Practices Act Comment: Several comments expressed concern that health plans and health care providers be able to continue using debt collectors in compliance with the Fair Debt Collections Practices Act and related laws. Response: In our view, health plans and health care providers will be able to continue using debt collectors. Using the services of a debt collector to obtain payment for the provision of health care comes within the definition of ``payment'' and is permitted under the regulation. Thus, so long as the use of debt collectors is consistent with the regulatory requirements (such as, providers obtain the proper consents, the disclosure is of the minimum amount of information necessary to collect the debt, the provider or health plan enter into a business associate agreement with the debt collector, etc.), relying upon debt collectors to obtain reimbursement for the provision of health care would not be prohibited by the regulation. Family Medical Leave Act Comment: One comment suggested that the proposed regulation adversely affects the ability of an employer to determine an employee's entitlement to leave under the Family Medical Leave Act (``FMLA'') by affecting the employer's right to receive medical certification of the need for leave, additional certifications, and fitness for duty certification at the end of the leave. The commenter sought clarification as to whether a provider could disclose information to an employer without first obtaining an individual's consent or authorization. Another commenter suggested that the final rule explicitly exclude from the rule disclosures authorized by the FMLA, because, in the commenter's view, it provides more than adequate protection for the confidentiality of medical records in the employment context. Response: We disagree that the FMLA provides adequate privacy protections for individually identifiable health information. As we understand the FMLA, the need for employers to obtain protected health information under the statute is analogous to the employer's need for protected health information under the ADA. In both situations, employers may need protected health information to fulfill their obligations under these statutes, but neither statute requires covered entities to provide the information directly to the employer. Thus, covered entities in these circumstances will need an individual's authorizations before the disclosure is made to the employer. Federal Common Law Comment: One commenter did not want the privacy rules to interfere with the federal common law governing collective bargaining agreements permitting employers to insist on the cooperation of employees with medical fitness evaluations. Response: We do not seek to interfere with legal medical fitness evaluations. These rules require a covered entity to have an individual's authorization before the information resulting from such evaluations is disclosed to the employer unless another provision of the rule applies. We do not prohibit employers from conditioning employment, accommodations, or other benefits, when legally permitted to do so, upon the individual/employee providing an authorization that would permit the disclosure of protected health information to employers by covered entities. See Sec. 164.508(b)(4) below. Federal Educational Rights and Privacy Act Comment: A few commenters supported the exclusion of ``education records'' from the definition of ``protected health information.'' However, one commenter requested that ``treatment records'' of students who are 18 years or older attending post-secondary education institutions be excluded from the definition of ``protected health information'' as well to avoid confusion. Response: We agree with these commenters. See ``Relationship to Other Federal Laws'' for a description of our exclusion of FERPA ``education records'' and records defined at 20 U.S.C. 1232g(a)(4)(B)(iv), commonly referred to as ``treatment records,'' from the definition of ``protected health information.'' Comment: One comment suggested that the regulation should not apply to any health information that is part of an ``education record'' in any educational agency or institution, regardless of its FERPA status. Response: We disagree. As noted in our discussion of ``Relationship of Other Federal Laws,'' we exclude education records from the definition of protected health information because Congress expressly provided privacy protections for these records and explained how these records should be treated in FERPA. Comment: One commenter suggested eliminating the preamble language that describes school nurses and on-site clinics as acting as providers and subject to the privacy regulation, noting that this language is confusing and inconsistent with the statements provided in the preamble explicitly stating that HIPAA does not preempt FERPA. Response: We agree that this language may have been confusing. We have provided a clearer expression of when schools may be required to comply with the privacy regulation in the ``Relationship to Other Federal Laws'' section of the preamble. Comment: One commenter suggested adding a discussion of FERPA to the ``Relationship to Other Federal Laws'' section of the preamble. Response: We agree and have added FERPA to the list of federal laws discussed in ``Relationship to Other Federal Laws'' section of the preamble. Comment: One commenter stated that school clinics should not have to comply with the ``ancillary'' administrative requirements, such as designating a privacy official, maintaining documentation of their policies and procedures, and providing the Secretary of HHS with access. Response: We disagree. Because we have excluded education records and records described at 20 U.S.C. 1232g(a)(4)(B)(iv) held by educational agencies and institutions subject to FERPA from the definition of protected health information, only non-FERPA schools would be subject to the administrative requirements. Most of these school clinics will also not be covered entities because they are not engaged in HIPAA transactions and these administrative requirements will not apply to them. However, to the extent a school clinic is within the definition of a health care provider, as Congress defined the term, and the school clinic is engaged in HIPAA transactions, it will be a covered entity and must comply with the rules below. [[Page 82596]] Comment: Several commenters expressed concern that the privacy regulation would eliminate the parents' ability to have access to information in their children's school health records. Because the proposed regulation suggests that school-based clinics keep health records separate from other educational files, these comments argued that the regulation is contrary to the spirit of FERPA, which provides parents with access rights to their children's educational files. Response: As noted in the ``Relationship to Other Federal Laws'' provision of the preamble, to the extent information in school-based clinics is not protected health information because it is an education record, the FERPA access requirements apply and this regulation does not. For more detail regarding the rule's application to unemancipated minors, see the preamble discussion about ``Personal Representatives.'' Federal Employees Compensation Act Comment: One comment noted that the Federal Employees Compensation Act (``FECA'') requires claimants to sign a release form when they file a claim. This commenter suggested that the privacy regulation should not place additional restrictions on this type of release form. Response: We agree. In the final rule, we have added a new provision, Sec. 164.512(l), that permits covered entities to make disclosures authorized under workers' compensation and similar laws. This provision would permit covered entities to make disclosures authorized under FECA and not require a different release form. Federal Employees Health Benefits Program Comment: A few comments expressed concern about the preemption effect on FEHBP and wanted clarification that the privacy regulation does not alter the existing preemptive scope of the program. Response: We do not intend to affect the preemptive scope of the FEHBP. The Federal Employee Health Benefit Act of 1998 preempts any state law that ``relates to'' health insurance or plans. 5 U.S.C. 8902(m). The final rule does not attempt to alter the preemptive scope Congress has provided to the FEHBP. Comment: One comment suggested that in the context of FEHBP HHS should place the enforcement responsibilities of the privacy regulation with Office of Personnel Management, as the agency responsible for administering the program. Response: We disagree. Congress placed enforcement with the Secretary. See section 1176 of the Act. Federal Rules of Civil Procedure Comment: A few comments suggested revising proposed Sec. 164.510(d) so that it is consistent with the existing discovery procedure under the Federal Rules of Civil Procedure or local rules. Response: We disagree that the rules regarding disclosures and uses of protected health information for judicial and administrative procedures should provide only those protections that exist under existing discovery rules. Although the current process may be appropriate for other documents and information requested during the discovery process, the current system, as exemplified by the Federal Rules of Civil Procedure, does not provide sufficient protection for protected health information. Under current discovery rules, private attorneys, government officials, and others who develop such requests make the initial determinations as to what information or documentation should be disclosed. Independent third-party review, such as that by a court, only becomes necessary if a person of whom the request is made refuses to provide the information. If this happens, the person seeking discovery must obtain a court order or move to compel discovery. In our view this system does not provide sufficient protections to ensure that unnecessary and unwarranted disclosures of protected health information does not occur. For a related discuss, see the preamble regarding ``Disclosures for Judicial and Administrative Proceedings'' under Sec. 164.512(e). Federal Rules of Evidence Comment: Many comments requested clarification that the privacy regulation does not conflict or interfere with the federal or state privileges. In particular, one of these comments suggested that the final regulation provide that disclosures for a purpose recognized by the regulation not constitute a waiver of federal or state privileges. Response: We do not intend for the privacy regulation to interfere with federal or state rules of evidence that create privileges. Consistent with The Uniform Health-Care Information Act drafted by the National Conference of Commissioners on Uniform State Laws, we do not view a consent or an authorization to function as a waiver of federal or state privileges. For further discussion of the effect of consent or authorization on federal or state privileges, see preamble discussions in Secs. 164.506 and 164.508. Comment: Other comments applauded the Secretary's references to Jaffee v. Redman, 518 U.S. 1 (1996), which recognized a psychotherapist-patient privilege, and asked the Secretary to incorporate expressly this privilege into the final regulation. Response: We agree that the psychotherapist-patient relationship is an important one that deserves protection. However, it is beyond the scope our mandate to create specific evidentiary privileges. It is also unnecessary because the United States Supreme Court has adopted this privilege. Comment: A few comments discussed whether one remedy for violating the privacy regulation should be to exclude or suppress evidence obtained in violation of the regulation. One comment supported using this penalty, while another opposed it. Response: We do not have the authority to mandate that courts apply or not apply the exclusionary rule to evidence obtained in violation of the regulation. This issue is in the purview of the courts. Federal Tort Claims Act Comment: One comment contended that the proposed regulation's requirement mandating covered entities to name the subjects of protected health information disclosed under a business partner contract as third party intended beneficiaries under the contract would have created an impermissible right of action against the government under the Federal Tort Claims Act (``FTCA''). Response: Because we have deleted the third party beneficiary provisions from the final rules, this comment is moot. Comment: Another comment suggested the regulation would hamper the ability of federal agencies to disclose protected health information to their attorneys, the Department of Justice, during the initial stages of the claims brought under the FTCA. Response: We disagree. The regulation applies only to federal agencies that are covered entities. To the extent an agency is not a covered entity, it is not subject to the regulation; to the extent an agency is a covered entity, it must comply with the regulation. A covered entity that is a federal agency may disclose relevant information to its attorneys, who are business associates, for purposes of health care operations, which includes uses or disclosures for legal functions. See Sec. 164.501 (definitions of ``business associate'' and ``health care operations''). The final rule provides specific provisions describing how federal agencies may provide [[Page 82597]] adequate assurances for these types of disclosures of protected health information. See Sec. 164.504(e)(3). Food and Drug Administration Comment: A few comments expressed concerns about the use of protected health information for reporting activities to the Food and Drug Administration (``FDA''). Their concern focused on the ability to obtain or disclose protected health information for pre-and post- marketing adverse event reports, device tracking, and post-marketing safety and efficacy evaluation. Response: We agree with this comment and have provided that covered entities may disclose protected health information to persons subject to the jurisdiction of the FDA, to comply with the requirements of, or at the direction of, the FDA with regard to reporting adverse events (or similar reports with respect to dietary supplements), the tracking of medical devices, other post-marketing surveillance, or other similar requirements described at Sec. 164.512(b). Foreign Standards Comment: One comment asked how the regulation could be enforced against foreign countries (or presumably entities in foreign countries) that solicit medical records from entities in the United States. Response: We do not regulate solicitations of information. To the extent a covered entity wants to comply with a request for disclosure of protected health information to foreign countries or entities within foreign countries, it will need to comply with the privacy rules before making the disclosure. If the covered entity fails to comply with the rules, it will be subject to enforcement proceedings. Freedom of Information Act Comment: One comment asserted that the proposed privacy regulation conflicts with the Freedom of Information Act (``FOIA''). The comment argued that the proposed restriction on disclosures by agencies would not come within one of the permissible exemptions to the FOIA. In addition, the comment noted that only in exceptional circumstances would the protected health information of deceased individuals come within an exemption because, for the most part, death extinguishes an individual's right to privacy. Response: Section 164.512(a) below permits covered entities to disclose protected health information when such disclosures are required by other laws as long as they follow the requirements of those laws. Therefore, the privacy regulation will not interfere with the ability of federal agencies to comply with FOIA, when it requires the disclosure. We disagree, however, that most protected health information will not come within Exemption 6 of FOIA. See the discussion above under ``Relationship to Other Federal Laws'' for our review of FOIA. Moreover, we disagree with the comment's assertion that the protected health information of deceased individuals does not come within Exemption 6. Courts have recognized that a deceased individual's surviving relatives may have a privacy interest that federal agencies may consider when balancing privacy interests against the public interest in disclosure of the requested information. Federal agencies will need to consider not only the privacy interests of the subject of the protected health information in the record requested, but also, when appropriate, those of a deceased individual's family consistent with judicial rulings. If an agency receives a FOIA request for the disclosure of protected health information of a deceased individual, it will need to determine whether or not the disclosure comes within Exemption 6. This evaluation must be consistent with the court's rulings in this area. If the exemption applies, the federal agency will not have to release the information. If the federal agency determines that the exemption does not apply, may release it under Sec. 164.512(a) of this regulation. Comment: One commenter expressed concern that our proposal to protect the individually identifiable health information about the deceased for two years following death would impede public interest reporting and would be at odds with many state Freedom of Information laws that make death records and autopsy reports public information. The commenter suggested permitting medical information to be available upon the death of an individual or, at the very least, that an appeals process be permitted so that health information trustees would be allowed to balance the interests in privacy and in public disclosure and release or not release the information accordingly. Response: These rules permit covered entities to make disclosures that are required by state Freedom of Information Act (FOIA) laws under Sec. 164.512(a). Thus, if a state FOIA law designates death records and autopsy reports as public information that must be disclosed, a covered entity may disclose it without an authorization under the rule. To the extent that such information is required to be disclosed by FOIA or other law, such disclosures are permitted under the final rule. In addition, to the extent that death records and autopsy reports are obtainable from non-covered entities, such as state legal authorities, access to this information is not impeded by this rule. If another law does not require the disclosure of death records and autopsy reports generated and maintained by a covered entity, which are protected health information, covered entities are not allowed to disclose such information except as permitted or required by the final rule, even if another entity discloses them. Comment: One comment sought clarification of the relationship between the Freedom of Information Act, the Privacy Act, and the privacy rules. Response: We have provided this analysis in the ``Relationship to Other Federal Laws'' section of the preamble in our discussion of the Freedom of Information Act. Gramm-Leach-Bliley Comments: One commenter noted that the Financial Services Modernization Act, also known as Gramm-Leach-Bliley (``GLB''), requires financial institutions to provide detailed privacy notices to individuals. The commenter suggested that the privacy regulation should not require financial institutions to provide additional notice. Response: We disagree. To the extent a covered entity is required to comply with the notice requirements of GLB and those of our rules, the covered entity must comply with both. We will work with the FTC and other agencies implementing GLB to avoid unnecessary duplication. For a more detailed discussion of GLB and the privacy rules, see the ``Relationship to Other Federal Laws'' section of the preamble. Comment: A few commenters asked that the Department clarify that financial institutions, such as banks, that serve as payors are covered entities. The comments explained that with the enactment of the Gramm- Leach-Bliley Act, banks are able to form holding companies that will include insurance companies (that may be covered entities). They recommended that banks be held to the rule's requirements and be required to obtain authorization to conduct non-payment activities, such as for the marketing of health and non-health items and services or the use and disclosure to non-health related divisions of the covered entity. [[Page 82598]] Response: These comments did not provide specific facts that would permit us to provide a substantive response. An organization will need to determine whether it comes within the definition of ``covered entity.'' An organization may also need to consider whether or not it contains a health care component. Organizations that are uncertain about the application of the regulation to them will need to evaluate their specific facts in light of this rule. Inspector General Act Comment: One comment requested the Secretary to clarify in the preamble that the privacy regulation does not preempt the Inspector General Act. Response: We agree that to the extent the Inspector General Act requires uses or disclosures of protected health information, the privacy regulation does not preempt it. The final rule provides that to the extent required under section 201(a)(5) of the Act, nothing in this subchapter should be construed to diminish the authority of any Inspector General, including the authority provided in the Inspector General Act of 1978. See discussion of Sec. 160.102 above. Medicare and Medicaid Comment: One comment suggested possible inconsistencies between the regulation and Medicare/Medicaid requirements, such as those under the Quality Improvement System for Managed Care. This commenter asked that HHS expand the definition of health care operations to include health promotion activities and avoid potential conflicts. Response: We disagree that the privacy regulation would prohibit managed care plans operating in the Medicare or Medicaid programs from fulfilling their statutory obligations. To the extent a covered entity is required by law to use or disclose protected health information in a particular manner, the covered entity may make such a use or disclosure under Sec. 164.512(a). Additionally, quality assessment and improvement activities come within the definition of ``health care operations.'' Therefore, the specific example provided by the commenter would seem to be a permissible use or disclosure under Sec. 164.502, even if it were not a use or disclosure ``required by law.'' Comment: One commenter stated that Medicare should not be able to require the disclosure of psychotherapy notes because it would destroy a practitioner's ability to treat patients effectively. Response: If the Title XVIII of the Social Security Act requires the disclosure of psychotherapy notes, the final rule permits, but does not require, a covered entity to make such a disclosure under Sec. 164.512(a). If, however, the Social Security Act does not require such disclosures, Medicare does not have the discretion to require the disclosure of psychotherapy notes as a public policy matter because the final rule provides that covered entities, with limited exceptions, must obtain an individual's authorization before disclosing psychotherapy notes. See Sec. 164.508(a)(2). National Labor Relations Act Comment: A few comments expressed concern that the regulation did not address the obligation of covered entities to disclose protected health information to collective bargaining representatives under the National Labor Relations Act. Response: The final rule does not prohibit disclosures that covered entities must make pursuant to other laws. To the extent a covered entity is required by law to disclose protected health information to collective bargaining representatives under the NLRA, it may to so without an authorization. Also, the definition of ``health care operations'' at Sec. 164.501 permits disclosures to employee representatives for purposes of grievance resolution. Organ Donation Comment: One commenter expressed concern about the potential impact of the regulation on the organ donation program under 42 CFR part 482. Response: In the final rule, we add provisions allowing the use or disclosure of protected health information to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of cadaveric organs, eyes, or tissue for the purpose of facilitating donation and transplantation. See Sec. 164.512(h). Privacy Act Comments Comment: One comment suggested that the final rule unambiguously permit the continued operation of the statutorily established or authorized discretionary routine uses permitted under the Privacy Act for both law enforcement and health oversight. Response: We disagree. See the discussion of the Privacy Act in ``Relationship to Other Federal Laws'' above. Public Health Services Act Comment: One comment suggested that the Public Health Service Act places more stringent rules regarding the disclosure of information on Federally Qualified Health Centers than the proposed privacy regulation suggested. Therefore, the commenter suggested that the final rule exempt Federally Qualified Health Centers from the rules requirements Response: We disagree. Congress expressly included Federally Qualified Health Centers, a provider of medical or other health services under the Social Security Act section 1861(s), within its definition of health care provider in section 1171 of the Act; therefore, we cannot exclude them from the regulation. Comment: One commenter noted that no conflicts existed between the proposed rule and the Public Health Services Act. Response: As we discuss in the ``Relationship to Other Federal Laws'' section of the preamble, the Public Health Service Act contains explicit confidentiality requirements that are so general as not to create problems of inconsistency. We recognized, however, that in some cases, that law or its accompanying regulations may contain greater restrictions. In those situations, a covered entity's ability to make what are permissive disclosures under this privacy regulation would be limited by those laws. Reporting Requirement Comment: One comment noted that federal agencies must provide information to certain entities pursuant to various federal statutes. For example, federal agencies must not withhold information from a Congressional oversight committee or the General Accounting Office. Similarly, some federal agencies must provide the Bureau of the Census and the National Archives and Records Administration with certain information. This comment expressed concern that the privacy regulation would conflict with these requirements. Additionally, the commenter asked whether the privacy notice would need to contain these uses and disclosures and recommended that a general statement that these federal agencies would disclose protected health information when required by law be considered sufficient to meet the privacy notice requirements. Response: To the extent a federal agency acting as a covered entity is required by federal statute to disclose protected health information, the regulation permits the disclosure as required by law under Sec. 164.512(a). The notice provisions at Sec. 164.520(b)(1)(ii)(B) require covered entities to provide a brief description of the purposes for which the covered [[Page 82599]] entity is permitted or required by the rules to use or disclose protected health information without an individual's written authorization. If these statutes require the disclosures, covered entities subject to the requirement may make the disclosure pursuant to Sec. 164.512(a). Thus, their notice must include a description of the category of these disclosures. For example, a general statement such as the covered entity ``will disclose your protected health information to comply with legal requirements'' should suffice. Comment: One comment stressed that the final rule should not inadvertently preempt mandatory reporting laws duly enacted by federal, state, or local legislative bodies. This commenter also suggested that the final rule not prevent the reporting of violations to law enforcement agencies. Response: We agree. Like the proposed rule, the final rule permits covered entities to disclose protected health information when required by law under Sec. 164.512(a). To the extent a covered entity is required by law to make a report to law enforcement agencies or is otherwise permitted to make a disclosure to a law enforcement agency as described in Sec. 164.512(f), it may do so without an authorization. Alternatively, a covered entity may always request that individuals authorize these disclosures. Security Standards Comment: One comment called for HHS to consider the privacy regulation in conjunction with the other HIPAA standards. In particular, this comment focused on the belief that the security standards should be compatible with the existing and emerging health care and information technology industry standards. Response: We agree that the security standards and the privacy rules should be compatible with one another and are working to ensure that the final rules in both areas function together. Because we are addressing comments regarding the privacy rules in this preamble, we will consider the comment about the security standard as we finalize that set of rules. Substance Abuse Confidentiality Statute and Regulations Comment: Several commenters noted that many health care providers are bound by the federal restrictions governing alcohol and drug abuse records. One commenter noted that the NPRM differed substantially from the substance abuse regulations and would have caused a host of practical problems for covered entities. Another commenter, however, supported the NPRM's analysis that stated that more stringent provisions of the substance abuse provisions would apply. This commenter suggested an even stronger approach of including in the text a provision that would preserve existing federal law. Yet, one comment suggested that the regulation as proposed would confuse providers by making it difficult to determine when they may disclose information to law enforcement because the privacy regulation would permit disclosures that the substance abuse regulations would not. Response: We appreciate the need of some covered entities to evaluate the privacy rules in light of federal requirements regarding alcohol and drug abuse records. Therefore, we provide a more detailed analysis in the ``Relationship to Other Federal Laws'' section of the preamble. Comment: Some of these commenters also noted that state laws contain strict confidentiality requirements. A few commenters suggested that HHS reassess the regulations to avoid inconsistencies with state privacy requirements, implying that problems exist because of conflicts between the federal and state laws regarding the confidentiality of substance abuse information. Response: As noted in the preamble section discussing preemption, the final rules do not preempt state laws that provide more privacy protections. For a more detailed analysis of the relationship between state law and the privacy rules, see the ``Preemption'' provisions of the preamble. Tribal Law Comments: One commenter suggested that the consultation process with tribal governments described in the NPRM was inadequate under Executive Order No. 13084. In addition, the commenter expressed concern that the disclosures for research purposes as permitted by the NPRM would conflict with a number of tribal laws that offer individuals greater privacy rights with respect to research and reflects cultural appropriateness. In particular, the commenter referenced the Health Research Code for the Navajo Nation which creates a entity with broader authority over research conducted on the Navajo Nation than the local IRB and requires informed consent by study participants. Other laws mentioned by the commenter included the Navajo Nation Privacy and Access to Information Act and a similar policy applicable to all health care providers within the Navajo Nation. The commenter expressed concern that the proposed regulation research provisions would override these tribal laws. Response: We disagree with the comment that the consultation with tribal governments undertaken prior to the proposed regulation is inadequate under Executive Order No. 13084. As stated in the proposed regulation, the Department consulted with representatives of the National Congress of American Indians and the National Indian Health Board, as well as others, about the proposals and the application of HIPAA to the Tribes, and the potential variations based on the relationship of each Tribe with the IHS for the purpose of providing health services. In addition, Indian and tribal governments had the opportunity to, and did, submit substantive comments on the proposed rules. Additionally, disclosures permitted by this regulation do not conflict with the policies as described by this commenter. Disclosures for research purposes under the final rule, as in the proposed regulation, are permissive disclosures only. The rule describes the outer boundaries of permissible disclosures. A covered health care provider that is subject to the tribal laws of the Navajo Nation must continue to comply with those tribal laws. If the tribal laws impose more stringent privacy standards on disclosures for research, such as requiring informed consent in all cases, nothing in the final rule would preclude compliance with those more stringent privacy standards. The final rule does not interfere with the internal governance of the Navajo Nation or otherwise adversely affect the policy choices of the tribal government with respect to the cultural appropriateness of research conducted in the Navajo Nation. TRICARE Comment: One comment expressed concern regarding the application of the ``minimum necessary'' standard to investigations of health care providers under the TRICARE (formerly the CHAMPUS) program. The comment also expressed concern that health care providers would be able to avoid providing their records to such investigators because the proposed Sec. 164.510 exceptions were not mandatory disclosures. Response: In our view, neither the minimum necessary standard nor the final Secs. 164.510 and 164.512 permissive disclosures will impede such investigations. The regulation requires covered entities to make all reasonable efforts not to disclose more than the minimum amount of protected health [[Page 82600]] information necessary to accomplish the intended purpose of the use or disclosure. This requirement, however, does not apply to uses or disclosures that are required by law. See Sec. 164.502(b)(2)(iv). Thus, if the disclosure to the investigators is required by law, the minimum necessary standard will not apply. Additionally, the final rule provides that covered entities rely, if such reliance is reasonable, on assertions from public officials about what information is reasonably necessary for the purpose for which it is being sought. See Sec. 164.514(d)(3)(iii). We disagree with the assertion that providers will be able to avoid providing their records to investigators. Nothing in this rule permits covered entities to avoid disclosures required by other laws. Veterans Affairs Comment: One comment sought clarification about how disclosures of protected health information would occur within the Veterans Affairs programs for veterans and their dependents. Response: We appreciate the commenter's request for clarification as to how the rules will affect disclosures of protected health information in the specific context of Veteran's Affairs programs. Veterans health care programs under 38 U.S.C. chapter 17 are defined as ``health plans.'' Without sufficient details as to the particular aspects of the Veterans Affairs programs that this comment views as problematic, we cannot comment substantively on this concern. Comment: One comment suggested that the final regulation clarify that the analysis applied to the substance abuse regulations apply to laws governing Veteran's Affairs health records. Response: Although we realize some difference may exist between the laws, we believe the discussion of federal substance abuse confidentiality regulations in the ``Relationship to Other Federal Laws'' preamble provides guidance that may be applied to the laws governing Veteran's Affairs (``VA'') health records. In most cases, a conflict will not exist between these privacy rules and the VA programs. For example, some disclosures allowed without patient consent or authorization under the privacy regulation may not be within the VA statutory list of permissible disclosures without a written consent. In such circumstances, the covered entity would have to abide by the VA statute, and no conflict exists. If the disclosures permitted by the VA statute come within the permissible disclosures of our rules, no conflict exists. In some cases, our rules may demand additional requirements, such as obtaining the approval of a privacy board or Institutional Review Board if a covered entity seeks to disclose protected health information for research purposes without the individual's authorization. A covered entity subject to the VA statute will need to ensure that it meets the requirements of both that statute and the regulation below. If a conflict arises, the covered entity should evaluate the specific potential conflicting provisions under the implied repeal analysis set forth in the ``Relationship to Other Federal Laws'' discussion in the preamble. WIC Comment: One comment called on other federal agencies to examine their regulations and policies regarding the use and disclosure of protected health information. The comment suggested that other agencies revise their regulations and policies to avoid duplicative, contradictory, or more stringent requirements. The comment noted that the U.S. Department of Agriculture's Special Supplemental Nutrition Program for Women, Infants, and Children (``WIC'') does not release WIC data. Because the commenter believed the regulation would not prohibit the disclosure of WIC data, the comment stated that the Department of Agriculture should now release such information. Response: We support other federal agencies to whom the rules apply in their efforts to review existing regulations and policies regarding protected health information. However, we do not agree with the suggestion that other federal agencies that are not covered entities must reduce the protections or access-related rights they provide for individually identifiable health information they hold. Part 160, Subpart C--Compliance and Enforcement Section 160.306(a)--Who Can File Complaints With the Secretary Comment: The proposed rule limited those who could file a complaint with the Secretary to individuals. A number of commenters suggested that other persons with knowledge of a possible violation should also be able to file complaints. Examples that were provided included a mental health care provider with first hand knowledge of a health plan improperly requiring disclosure of psychotherapy notes and an occupational health nurse with knowledge that her human resources manager is improperly reviewing medical records. A few comments raised the concern that permitting any person to file a complaint lends itself to abuse and is not necessary to ensure privacy rights and that the complainant should be a person for whom there is a duty to protect health information. Response: As discussed below, the rule defines ``individual'' as the person who is the subject of the individually identifiable health information. However, the covered entity may allow other persons, such as personal representatives, to exercise the rights of the individual under certain circumstances, e.g., for a deceased individual. We agree with the commenters that any person may become aware of conduct by a covered entity that is in violation of the rule. Such persons could include the covered entity's employees, business associates, patients, or accrediting, health oversight, or advocacy agencies or organizations. Many persons, such as the covered entity's employees, may, in fact, be in a better position than the ``individual'' to know that a violation has occurred. Another example is a state Protection and Advocacy group that may represent persons with developmental disabilities. We have decided to allow complaints from any person. The term ``person'' is not restricted here to human beings or natural persons, but also includes any type of association, group, or organization. Allowing such persons to file complaints may be the only way the Secretary may learn of certain possible violations. Moreover, individuals who are the subject of the information may not be willing to file a complaint because of fear of embarrassment or retaliation. Based on our experience with various civil rights laws, such as Title VI of the Civil Rights Act of 1964 and Title II of the Americans with Disabilities Act, that allow any person to file a complaint with the Secretary, we do not believe that this practice will result in abuse. Finally, upholding privacy protections benefits all persons who have or may be served by the covered entity as well as the general public, and not only the subject of the information. If a complaint is received from someone who is not the subject of protected health information, the person who is the subject of this information may be concerned with the Secretary's investigation of this complaint. While we did not receive comments on this issue, we want to protect the privacy rights of this individual. This might [[Page 82601]] involve the Secretary seeking to contact the individual to provide information as to how the Secretary will address individual's privacy concerns while resolving the complaint. Contacting all individuals may not be practicable in the case of allegations of systemic violations (e.g., where the allegation is that hundreds of medical records were wrongfully disclosed). Requiring That a Complainant Exhaust the Covered Entity's Internal Complaint Process Prior to Filing a Complaint With the Secretary Comment: A number of commenters, primarily health plans, suggested that individuals should not be permitted to file a complaint with the Secretary until they exhaust the covered entity's own complaint process. Commenters stated that covered entities should have a certain period of time, such as ninety days, to correct the violation. Some commenters asserted that providing for filing a complaint with the Secretary will be very expensive for both the public and private sectors of the health care industry to implement. Other commenters suggested requiring the Secretary to inform the covered entity of any complaint it has received and not initiate an investigation or ``take enforcement action'' before the covered entity has time to address the complaint. Response: We have decided, for a number of reasons, to retain the approach as presented in the proposed rule. First, we are concerned that requiring that complainants first notify the covered entity would have a chilling effect on complaints. In the course of investigating individual complaints, the Secretary will often need to reveal the identity of the complainant to the covered entity. However, in the investigation of cases of systemic violations and some individual violations, individual names may not need to be identified. Under the approach suggested by these commenters, the covered entity would learn the names of all persons who file complaints with the Secretary. Some individuals might feel uncomfortable or fear embarrassment or retaliation revealing their identity to the covered entity they believe has violated the regulation. Individuals may also feel they are being forced to enter into negotiations with this entity before they can file a complaint with the Secretary. Second, because some potential complainants would not bring complaints to the covered entity, possible violations might not become known to the Secretary and might continue. Third, the delay in the complaint coming to the attention of the Secretary because of the time allowed for the covered entity to resolve the complaint may mean that significant violations are not addressed expeditiously. Finally, the process proposed by these commenters is arguably unnecessary because an individual who believes that an agreement can be reached with the covered entity, can, through the entity's internal complaint process or other means, seek resolution before filing a complaint with the Secretary. Our approach is consistent with other laws and regulations protecting individual rights. None of the civil rights laws enforced by the Secretary require a complainant to provide any notification to the entity that is alleged to have engaged in discrimination (e.g., Americans with Disabilities Act, section 504 of the Rehabilitation Act, Title VI of the Civil Rights Act, and the Age Discrimination Act). The concept of ``exhaustion'' is used in laws that require individuals to pursue administrative remedies, such as that provided by a governmental agency, before bringing a court action. Under HIPAA, individuals do not have a right to court action. Some commenters seemed to believe that the Secretary would pursue enforcement action without notifying the covered entity. It has been the Secretary's practice in investigating cases under other laws, such as various civil rights laws, to inform entities that we have received a complaint against them and to seek early resolution if possible. In enforcing the privacy rule, the Secretary will generally inform the covered entity of the nature of any complaints it has received against the entity. (There may be situations where information is withheld to protect the privacy interests of the complainant or others or where revealing information would impede the investigation of the covered entity.) The Secretary will also generally afford the entity an opportunity to share information with the Secretary that may result in an early resolution. Our approach will be to seek informal resolution of complaints whenever possible, which includes allowing covered entities a reasonable amount of time to work with the Secretary to come into compliance before initiating action to seek civil monetary penalties. Section 160.306(b)(3)--Requiring That Complaints Be Filed With the Secretary Within a Certain Period of Time Comment: A number of commenters, primarily privacy and disability advocacy organizations, suggested that the regulation require that complaints be filed with the Secretary by a certain time. These commenters generally recommended that the time period for filing a complaint should commence to run from the time when the individual knew or had reason to know of the violation or omission. Another comment suggested that a requirement to file a complaint with the Secretary within 180 days of the alleged noncompliance is a problem because a patient may, because of his or her medical condition, be unable to access his or her records within that time frame. Response: We agree with the commenters that complainants should generally be required to submit complaints in a timely fashion. Federal regulations implementing Title VI of the Civil Rights Act of 1964 provide that ``[a] complaint must be filed not later than `180 days from the date of the alleged discrimination' unless the time for filing is extended by the responsible Department official or his designee.'' 45 CFR 80.7(b). Other civil rights laws, such as the Age Discrimination Act, section 504 of the Rehabilitation Act, and Title II of the Americans with Disabilities Act (ADA) (state and local government services), also use this approach. Under civil rights laws administered by the EEOC, individuals have 180 days of the alleged discriminatory act to file a charge with EEOC (or 300 days if there is a state or local fair employment practices agency involved). Therefore, in the final rule we require that complaints be filed within 180 days of when the complainant knew or should have known that the act or omission complained of occurred unless this time limit is waived by the Secretary for good cause shown. We believe that an investigation of a complaint is likely to be most effective if persons can be interviewed and documents reviewed as close to the time of the alleged violation as possible. Requiring that complaints generally be filed within a certain period of time increases the likelihood that the Secretary will have necessary and reliable information. Moreover, we are taking this approach in order to encourage complainants to file complaints as soon as possible. By receiving complaints in a timely fashion, we can, if such complaints prove valid, reduce the harm caused by the violation. Section 160.308--Basis for Conducting Compliance Reviews Comment: A number of comments expressed concern that the Secretary would conduct compliance reviews [[Page 82602]] without having received a complaint or having reason to believe there is noncompliance. A number of these commenters appeared to believe that the Secretary would engage in ``routine visits.'' Some commenters suggested that the Secretary should only be able to conduct compliance reviews if the Secretary has initiated an investigation of a complaint regarding the covered entity in the preceding twelve months. Some commenters suggested that there should only be compliance reviews based on established criteria for reviews (e.g., finding of ``reckless disregard''). Many of these commenters stated that cooperating with compliance reviews is potentially burdensome and expensive. One commenter asked whether the Secretary will have a process for reviewing all covered entities to determine how they are complying with requirements. This commenter questioned whether covered entities will be required to submit plans and wait for Departmental approval. Another commenter suggested that the Secretary specify a time limit for the completion of a compliance review. Response: We disagree with the commenters that the final rule should restrict the Secretary's ability to conduct compliance reviews. The Secretary needs to maintain the flexibility to conduct whatever reviews are necessary to ensure compliance with the rule. Section 160.310 (a) and (c)--The Secretary's Access to Information in Determining Compliance Comment: Some commenters raised objections to provisions in the proposed rule which required that covered entities maintain records and submit compliance reports as the Secretary determines is necessary to determine compliance and required that covered entities permit access by the Secretary during normal business hours to its books, records, accounts, and other sources of information, including protected health information, and its facilities, that are pertinent to ascertaining compliance with this subpart. One commenter stated that the Secretary's access to private health information without appropriate patient consent is contrary to the intent of HIPAA. Another commenter expressed the view that, because covered entities face criminal penalties for violations, these provisions violate the Fifth Amendment protections against forced self incrimination. Other commenters stated that covered entities should be given the reason the Secretary needs to have access to its books and records. Another commenter stated that there should be a limit to the frequency or extent of intrusion by the federal government into the business practices of a covered entity and that these provisions violate the Fourth Amendment of the Constitution. Finally, a coalition of church plans suggested that the Secretary provide church plans with additional procedural safeguards to reduce unnecessary intrusion into internal church operations. These suggested safeguards included permitting HHS to obtain records and other documents only if they are relevant and necessary to compliance and enforcement activities related to church plans, requiring a senior official to determine the appropriateness of compliance-related activities for church plans, and providing church plans with a self- correcting period similar to that Congress expressly provided in Title I of HIPAA under the tax code. Response: The final rule retains the proposed language in these two provisions with one change. The rule adds a provision indicating that the Secretary's access to information held by the covered entity may be at any time and without notice where exigent circumstances exist, such as where time is of the essence because documents might be hidden or destroyed. Thus, covered entities will generally receive notice before the Secretary seeks to access the entity's books or records. Other than the exigent circumstances language, the language in these two provisions is virtually the same as the language in this Department's regulation implementing Title VI of the Civil Rights Act of 1964. 45 CFR 80.6(b) and (c). The Title VI regulation is incorporated by reference in other Department regulations prohibiting discrimination of the basis of disability. 45 CFR 84.61. Similar provisions allowing this Department access to recipient information is found in the Secretary's regulation implementing the Age Discrimination Act. 45 CFR 91.34. These provisions have not proved to be burdensome to entities that are subject to these civil rights regulations (i.e., all recipients of Department funds). We do not interpret Constitutional case law as supporting the view that a federal agency's review of information pursuant to statutory mandate violates the Fifth Amendment protections against forced self incrimination. Nor would such a review of this information raise Fourth Amendment problems. See discussion above regarding Constitutional comments and responses. We appreciate the concern that the Secretary not involve herself unnecessarily into the internal operations of church plans. However, by providing health insurance or care to their employees, church plans are engaging in a secular activity. Under the regulation, church plans are subject to the same compliance and enforcement requirements with which other covered entities must comply. Because Congress did not carve out specific exceptions or require stricter standards for investigations related to church plans, incorporating such measures into the regulation would be inappropriate. Additionally, there is no indication that the regulation will directly interfere with the religious practices of church plans. Also, the regulation as written appropriately limits the ability of investigators to obtain information from covered entities. The regulation provides that the Secretary may obtain access only to information that is pertinent to ascertain compliance with the regulation. We do not anticipate asking for information that is not necessary to assess compliance with the regulation. The purpose of obtaining records and similar materials is to determine compliance, not to engage in any sort of review or evaluation of religious activities or beliefs. Therefore, we believe the regulation appropriately balances the need to access information to determine compliance with the desire of covered entities to avoid opening every record in their possession to the government. Provision of Technical Assistance Comment: A number of commenters inquired as to how a covered entity can request technical assistance from the Secretary to come into compliance. A number of commenters suggested that the Secretary provide interpretive guidance to assist with compliance. Others recommended that the Secretary have a contact person or privacy official, available by telephone or email, to provide guidance on the appropriateness of a disclosure or a denial of access. One commenter suggested that there be a formal process for a covered entity to submit compliance activities to the Secretary for prior approval and clarification. This commenter suggested that clarifications be published on a contemporaneous basis in the Federal Register to help correct any ambiguities and confusion in implementation. It was also suggested that the Secretary undertake an assessment of ``best practices'' of covered entities and document and promote the findings to serve as a convenient ``road map'' for other covered entities. Another commenter suggested that we work with providers to create implementation guidelines modeled after the interpretative [[Page 82603]] guidelines that HCFA creates for surveyors on the conditions of participation for Medicare and Medicaid contractors. Response: While we have not in the final rule committed the Secretary to any specific model of providing guidance or assistance, we do state our intent, subject to budget and staffing constraints, to develop a technical assistance program that will include the provision of written material when appropriate to assist covered entities in achieving compliance. We will consider other models including HCFA's Medicare and Medicaid interpretative guidelines. Further information regarding the Secretary's technical assistance program may be provided in the Federal Register and on the HHS Office for Civil Rights (OCR) Web Site. While OCR plans to have fully trained staff available to respond to questions, its ability to provide individualized advice in regard to such matters as the appropriateness of a particular disclosure or the sufficiency of compliance activities will be based on staff resources and demands. The idea of looking at ``best practices'' and sharing information with all covered entities is a good one and we will explore how best to do this. We note that a covered entity is not excused from compliance with the regulation because of any failure to receive technical assistance or guidance. Basis for Violation Findings and Enforcement Comment: A number of commenters asked that covered entities not be liable for violations of the rule if they have acted in good faith. One commenter indicated that enforcement actions should not be pursued against covered entities that make legitimate business decisions about how to comply with the privacy standards. Response: The commenters seemed to argue that even if a covered entity does not comply with a requirement of the rule, the covered entity should not be liable if there was an honest and sincere intention or attempt to fulfill its obligations. The final rule, however, does not take this approach but instead draws careful distinctions between what a covered entity must do unconditionally, and what a covered entity must make certain reasonable efforts to do. In addition, the final rule is clear as to the specific provisions where ``good faith'' is a consideration. For example, a covered entity is permitted to use and disclose protected health information without authorization based on criteria that includes a good faith belief that such use or disclosure is necessary to avert an imminent threat to health or safety (Sec. 164.512(j)(1)(i)). Therefore, covered entities need to pay careful attention to the specific language in each requirement. However, we note that many of these provisions can be implemented in a variety of ways; e.g, covered entities can exercise business judgement regarding how to conduct staff training. As to enforcement, a covered entity will not necessarily suffer a penalty solely because an act or omission violates the rule. As we discuss elsewhere, the Department will exercise discretion to consider not only the harm done, but the willingness of the covered entity to achieve voluntary compliance. Further, the Administrative Simplification provisions of HIPAA provide that whether a violation was known or not is relevant in determining whether civil or criminal penalties apply. In addition, if a civil penalty applies, HIPAA allows the Secretary, where the failure to comply was due to reasonable cause and not to willful neglect, to delay the imposition of the penalty to allow the covered entity to comply. The Department will develop and release for public comment an enforcement regulation applicable to all the administrative simplification regulations that will address these issues. Comment: One commenter asked whether hospitals will be vicariously liable for the violations of their employees and expressed concern that hospitals and other providers will be the ones paying large fines. Response: The enforcement regulation will address this issue. However, we note that section 1128A(1) of the Social Security Act, which applies to the imposition of civil monetary penalties under HIPAA, provides that a principal is liable for penalties for the actions of its agent acting within the scope of the agency. Therefore, a covered entity will generally be responsible for the actions of its employees such as where the employee discloses protected health information in violation of the regulation. Comment: A commenter expressed the concern that if a covered entity acquires a non-compliant health plan, it would be liable for financial penalties. This commenter suggested that, at a minimum, the covered entity be given a grace period of at least a year, but not less than six months to bring any acquisition up to standard. The commenter stated that the Secretary should encourage, not discourage, compliant companies to acquire non-compliant ones. Another commenter expressed a general concern about resolution of enforcement if an entity faced with a HIPAA complaint acquires or merges with an entity not covered by HIPAA. Response: As discussed above, the Secretary will encourage voluntary efforts to cure violations of the rule, and will consider that fact in determining whether to bring a compliance action. We do not agree, however, that we should limit our authority to pursue violations of the rule if the situation warrants it. Comment: One commenter was concerned about the ``undue risk'' of liability on originators of information, stemming from the fact that ``the number of covered entities is limited and they are unable to restrict how a recipient of information may use or re-disclose information * * *'' Response: Under this rule, we do not hold covered entities responsible for the actions of recipients of protected health information, unless the recipient is a business associate of the covered entity. We agree that it is not fair to hold covered entities responsible for the actions of persons with whom they have no on-going relationship, but believe it is fair to expect covered entities to hold their business associates to appropriate standards of behavior with respect to health information. Other Compliance and Enforcement Comments Comment: A number of comments raised questions regarding the Secretary's priorities for enforcement. A few commenters stated that they supported deferring enforcement until there is experience using the proposed standards. One organization asked that we clarify that the regulation does not replace or otherwise modify the self-regulatory/ consumer empowerment approach to consumer privacy in the online environment. Response: We have not made any decisions regarding enforcement priorities. It appears that some commenters believe that no enforcement action will be taken against a given covered entity until that entity has had some time to comply. Covered entities have two years to come into compliance with the regulation (three years in the case of small health plans). Some covered entities will have had experience using the standards prior to the compliance date. We do not agree that we should defer enforcement where violations of the rule occur. It would be wrong for covered entities to believe that enforcement action is based on their not having much experience in [[Page 82604]] using a particular standard or meeting another requirement. We support a self-regulation approach in that we recognize that most compliance will be achieved by the voluntary activities of covered entities rather than by our enforcement activities. Our emphasis will be on education, technical assistance, and voluntary compliance and not on finding violations and imposing penalties. We also support a consumer empowerment approach. A knowledgeable consumer is key to the effectiveness of this rule. A consumer familiar with the requirements of this rule will be equipped to make choices regarding which covered entity will best serve their privacy interests and will know their rights under the rule and how they can seek redress for violations of this rule. Privacy-minded consumers will seek to protect the privacy rights of others by bringing concerns to the attention of covered entities, the public, and the Secretary. However, we do not agree that we should defer enforcement where violations of the rule occur. Comment: One commenter expressed concern that by filing a complaint an individual would be required to reveal sensitive information to the public. Another commenter suggested that complaints regarding noncompliance in regard to psychotherapy notes should be made to a panel of mental health professionals designated by the Secretary. This commenter also proposed that all patient information be maintained as privileged, not be revealed to the public, and be kept under seal after the case is reviewed and closed. Response: We appreciate this concern and will seek to ensure that individually identifiable health information and other personal information contained in complaints will not be available to the public. The privacy regulation provides, at Sec. 160.310(c)(3), that protected health information obtained by the Secretary in connection with an investigation or compliance review will not be disclosed except if necessary for ascertaining or enforcing compliance with the regulation or if required by law. In addition, this Department generally seeks to protect the privacy of individuals to the fullest extent possible, while permitting the exchange of records required to fulfill its administrative and program responsibilities. The Freedom of Information Act, 5 U.S.C. 552, and the HHS implementing regulation, 45 CFR part 5, provide substantial protection for records about individuals where disclosure would constitute an unwarranted invasion of their personal privacy. In implementing the privacy regulation, OCR plans to continue its current practice of protecting its complaint files from disclosure. OCR treats these files as investigatory records compiled for law enforcement purposes. Moreover, OCR maintains that disclosing protected health information in these files generally constitutes an unwarranted invasion of personal privacy. It is not clear in regarding the use of mental health professionals, whether the commenter believes that such professionals should be involved because they would be best able to keep psychotherapy notes confidential or because such professionals can best understand the meaning or relevance of such notes. OCR anticipates that it will not have to obtain a copy or review psychotherapy notes in investigating most complaints regarding noncompliance in regard to such notes. There may be some cases where a review of the notes may be needed such as where we need to identify that the information a covered entity disclosed was in fact psychotherapy notes. If we need to obtain a copy of psychotherapy notes, we will keep these notes confidential and secure. OCR investigative staff will be trained to ensure that they fully respect the confidentiality of personal information. In addition, while the specific contents of these notes is generally not relevant to violations under this rule, if such notes are relevant, we will secure the expertise of mental health professionals if needed in reviewing psychotherapy notes. Comment: A member of Congress and a number of privacy and consumer groups expressed concern with whether OCR has adequate funding to carry out the major responsibility of enforcing the complaint process established by this rule. The Senator stated that ``[d]ue to the limited enforcement ability allowed for in this rule by HIPAA, it is essential that OCR have the capacity to enforce the regulations. Now is the time for OCR to begin building the necessary infrastructure to enforce the regulation effectively.'' Response: We agree and are committed to an effective enforcement program. We are working with Congress to ensure that the Secretary has the necessary funds to secure voluntary compliance through education and technical assistance, to investigate complaints and conduct compliance reviews, to provide states with exception determinations, and to use civil and criminal penalties when necessary. We will continue to work with Congress and within the new Administration in this regard. Coordination With Reviewing Authorities Comment: A number of commenters referenced other entities that already consider the privacy of health information. One commenter indicated opposition to the delegation of inspections to third party organizations, such as the Joint Commission on the Accreditation of Healthcare Organizations (JCAHO). A few commenters indicated that state agencies are already authorized to investigate violations of state privacy standards and that we should rely on those agencies to investigate alleged violations of the privacy rules or delegate its complaint process to states that wish to carry out this responsibility or to those states that have a complaint process in place. Another commenter argued that individuals should be required to exhaust any state processes before filing a complaint with the Secretary. Others referenced the fact that state medical licensing boards investigate complaints against physicians for violating patient confidentiality. One group asked that the federal government streamline all of these activities so physicians can have a single entity to whom they must be responsive. Another group suggested that OMB should be given responsibility for ensuring that FEHB Plans operate in compliance with the privacy standards and for enforcement. A few commenters stated that the regulation might be used as a basis for violation findings and subsequent penalties under other Department authorities, such as under Medicare's Conditions of Participation related to patient privacy and right to confidentiality of medical records. One commenter wanted some assurance that this regulation will not be used as grounds for sanctions under Medicare. Another commenter indicated support for making compliance with the privacy regulation a Condition of Participation under Medicare. Response: HIPAA does not give the Secretary the authority to delegate her responsibilities to other private or public agencies such as JCAHO or state agencies. However, we plan to explore ways that we may benefit from current activities that also serve to protect the privacy of individually identifiable health information. For example, if we conduct an investigation or review of a covered entity, that entity may want to share information regarding findings of other bodies that conducted similar reviews. We would welcome such [[Page 82605]] information. In developing its enforcement program, we may explore ways it can coordinate with other regulatory or oversight bodies so that we can efficiently and effectively pursue our joint interests in protecting privacy. We do not accept the suggestion that individuals be required to exhaust their remedies under state law before filing a complaint with the Secretary. Our rationale is similar to that discussed above in regard to the suggestion that covered entities be required to exhaust a covered entity's internal complaint process before filing a complaint with the Secretary. Congress provided for federal privacy protection and we want to allow individuals the right to this protection without barriers or delay. Covered entities may in their privacy notice inform individuals of any rights they have under state law including any right to file privacy complaints. We do not have the authority to interfere with state processes and HIPAA explicitly provides that we cannot preempt state laws that provide greater privacy protection. We have not yet addressed the issue as to whether this regulation might be used as a basis for violation findings or penalties under other Department authorities. We note that Medicare conditions of participation require participating providers to have procedures for ensuring the confidentiality of patient records, as well as afford patients with the right to the confidentiality of their clinical records. Penalties Comment: Many commenters considered the statutory penalties insufficient to protect privacy, stating that the civil penalties are too weak to have the impact needed to reduce the risk of inappropriate disclosure. Some commenters took the opposing view and stated that large fines and prison sentences for violations would discourage physicians from transmitting any sort of health care information to any other agency, regardless of the medical necessity. Another comment expressed the concern that doctors will be at risk of going to jail for protecting the privacy of individuals (by not disclosing information the government believes should be released). Response: The enforcement regulation will address the application of the civil monetary and criminal penalties under HIPAA. The regulation will be published in the Federal Register as a proposed regulation and the public will have an opportunity to comment. We do not believe that our rule, and the penalties available under it, will discourage physicians and other providers from using or disclosing necessary information. We believe that the rule permits physicians to make the disclosures that they need to make under the health care system without exposing themselves to jeopardy under the rule. We believe that the penalties under the statute are woefully inadequate. We support legislation that would increase the amount of these penalties. Comment: A number of commenters stated that the regulations should permit individuals to sue for damages caused by breaches of privacy under these regulations. Some of these commenters specified that damages, equitable relief, attorneys fees, and punitive damages should be available. Conversely, one comment stated that strong penalties are necessary and would preclude the need for a private right of action. Another commenter stated that he does not believe that the statute intended to give individuals the equivalent of a right to sue, which results from making individuals third party beneficiaries to contracts between business partners. Response: We do not have the authority to provide a private right of action by regulation. As discussed below, the final rule deletes the third party beneficiary provision that was in the proposed rule. However, we believe that, in addition to strong civil monetary penalties, federal law should allow any individual whose rights have been violated to bring an action for actual damages and equitable relief. The Secretary's Recommendations, which were submitted to Congress on September 11, 1997, called for a private right of action to permit individuals to enforce their privacy rights. Comment: One comment stated that, in calculating civil monetary penalties, the criteria should include aggravating or mitigating circumstances and whether the violation is a minor or first time violation. Several comments stated that penalties should be tiered so that those that commit the most egregious violations face stricter civil monetary penalties. Response: As mentioned above, issues regarding civil fines and criminal penalties will be addressed in the enforcement regulation. Comment: One comment stated that the regulation should clarify whether a single disclosure that involved the health information of multiple parties would constitute a single or multiple infractions, for the purpose of calculating the penalty amount. Response: The enforcement regulation will address the calculation of penalties. However, we note that section 1176 subjects persons to civil monetary penalties of not more than $100 for each violation of a requirement or prohibition and not more than $25,000 in a calendar year for all violations of an identical requirement or prohibition. For example, if a covered entity fails to permit amendment of protected health information for 10 patients in one calendar year, the entity may be fined up to $1000 ($100 times 10 violations equals $1000). Part 164--Subpart A--General Requirements Part 164--Subpart B-D--Reserved Part 164--Subpart E--Privacy Section 164.500--Applicability Covered Entities The response to comments on covered entities is included in the response to comments on the definition of ``covered entity'' in the preamble discussion of Sec. 160.103. Covered Information The response to comments on covered information is included in the response to comments on the definition of ``protected health information'' in the preamble discussion of Sec. 164.501. Section 164.501--Definitions Designated record set Comment: Many commenters generally supported our proposed definition of designated record set. Commenters suggested different methods for narrowing the information accessible to individuals, such as excluding information obtained without face-to-face interaction (e.g., phone consultations). Other commenters recommended broadening the information accessible to individuals, such as allowing access to ``the entire medical record,'' not just a designated record set. Some commenters advocated for access to all information about individuals. A few commenters generally supported the provision but recommended that consultation and interpretative assistance be provided when the disclosure may cause harm or misunderstanding. Response: We believe individuals should have a right to access any protected health information that may be used to make decisions about them and modify the final rule to accomplish this result. This approach facilitates an open and cooperative relationship between individuals and covered health care providers and health plans and allows individuals fair opportunities to know what health information may be [[Page 82606]] used to make decisions about them. We list certain records that are always part of the designated record set. For covered providers these are the medical record and billing record. For health plans these are the enrollment, payment, claims adjudication, and case or medical management records. The purpose of these specified records is management of the accounts and health care of individuals. In addition, we include in the designated record set to which individuals have access any record used, in whole or in part, by or for the covered entity to make decisions about individuals. Only protected health information that is in a designated record set is covered. Therefore, if a covered provider has a phone conversation, information obtained during that conversation is subject to access only to the extent that it is recorded in the designated record set. We do not require a covered entity to provide access to all individually identifiable health information, because the benefits of access to information not used to make decisions about individuals is limited and is outweighed by the burdens on covered entities of locating, retrieving, and providing access to such information. Such information may be found in many types of records that include significant information not relevant to the individual as well as information about other persons. For example, a hospital's peer review files that include protected health information about many patients but are used only to improve patient care at the hospital, and not to make decisions about individuals, are not part of that hospital's designated record sets. We encourage but do not require covered entities to provide interpretive assistance to individuals accessing their information, because such a requirement could impose administrative burdens that outweigh the benefits likely to accrue. The importance to individuals of having the right to inspect and copy information about them is supported by a variety of industry groups and is recognized in current state and federal law. The July 1977 Report of the Privacy Protection Study Commission recommended that individuals have access to medical records and medical record information.\2\ The Privacy Act (5 U.S.C. 552a) requires government agencies to permit individuals to review records and have a copy made in a form comprehensible to the individual. In its report ``Best Principles for Health Privacy,'' the Health Privacy Working Group recommended that individuals should have the right to access information about them.\3\ The National Association of Insurance Commissioners' Health Information Privacy Model Act establishes the right of an individual to examine or receive a copy of protected health information in the possession of the carrier or a person acting on behalf of the carrier. --------------------------------------------------------------------------- \2\ Privacy Protection Study Commission, ``Personal Privacy in an Information Society,'' July 1977, p. 298-299. \3\ Health Privacy Working Group, ``Best Principles for Health Privacy,'' Health Privacy Project, Institute for Health Care Research and Policy, Georgetown University, July 1999. --------------------------------------------------------------------------- Many states also establish a right for individuals to access health information about them. For example, Alaska law (AK Code 18.23.005) entitles patients ``to inspect and copy any records developed or maintained by a health care provider or other person pertaining to the health care rendered to the patient.'' Hawaii law (HRS section 323C-11) requires health care providers and health plans, among others, to permit individuals to inspect and copy protected health information about them. Many other states have similar provisions. Industry and standard-setting organizations also have developed policies to enable individual access to health information. The National Committee for Quality Assurance and the Joint Commission on Accreditation of Healthcare Organizations issued recommendations stating, ``Patients' confidence in the protection of their information requires that they have the means to know what is contained in their records. The opportunity for patients to review their records will enable them to correct any errors and may provide them with a better understanding of their health status and treatment.'' \4\ Standards of the American Society for Testing and Materials state, ``The patient or his or her designated personal representative has access rights to the data and information in his or her health record and other health information databases except as restricted by law. An individual should be able to inspect or see his or her health information or request a copy of all or part of the health information, or both.'' \5\ We build on this well-established principle in this final rule. --------------------------------------------------------------------------- \4\ National Committee on Quality Assurance and the Joint Commission on Accreditation of Healthcare Organizations, ``Protecting Personal Health Information: A Framework for Meeting the Challenges in a Managed Care Environment,'' 1998, p. 25. \5\ ASTM, ``Standard Guide for Confidentiality, Privacy, Access and Data Security, Principles for Health Information Including Computer-Based Patient Records,'' E 1869-97, Sec. 11.1.1. --------------------------------------------------------------------------- Comment: Several commenters advocated for access to not only information that has already been used to make decisions, but also information that may be used to make decisions. Other commenters believed accessible information should be more limited; for example, some commenters argued that accessible information should be restricted to only information used to make health care decisions. Response: We agree that it is desirable that individuals have access to information reasonably likely to be used to make decisions about them. On the other hand, it is desirable that the category of records covered be readily ascertainable by the covered entity. We therefore define ``designated record set'' to include certain categories of records (a provider's medical record and billing record, the enrollment records, and certain other records maintained by a health plan) that are normally used, and are reasonably likely to be used, to make decisions about individuals. We also add a category of other records that are, in fact, used, in whole or in part, to make decisions about individuals. This category includes records that are used to make decisions about any individuals, whether or not the records have been used to make a decision about the particular individual requesting access. We disagree that accessible information should be restricted to information used to make health care decisions, because other decisions by covered entities can also affect individuals' interests. For example, covered entities make financial decisions about individuals, such as whether an individual's deductible has been met. Because such decisions can significantly affect individuals' interests, we believe they should have access to any protected health information included in such records. Comment: Some commenters believed the rule should use the term ``retrievable'' instead of ``retrieved'' to describe information accessible to individuals. Other commenters suggested that the rule follow the Privacy Act's principle of allowing access only when entities retrieve records by individual identifiers. Some commenters requested clarification that covered entities are not required to maintain information by name or other patient identifier. Response: We have modified the proposed definition of the designated record set to focus on how information is used, not how it is retrieved. Information may be retrieved or retrievable by name, but if it is never used to make decisions about any [[Page 82607]] individuals, the burdens of requiring a covered entity to find it and to redact information about other individuals outweigh any benefits to the individual of having access to the information. When the information might be used to affect the individual's interests, however, that balance changes and the benefits outweigh the burdens. We confirm that this regulation does not require covered entities to maintain any particular record set by name or identifier. Comment: A few commenters recommended denial of access for information relating to investigations of claims, fraud, and misrepresentations. Many commenters suggested that sensitive, proprietary, and legal documents that are ``typical state law privileges'' be excluded from the right to access. Specific suggestions for exclusion, either from the right of access or from the definition of designated record set, include quality assurance activities, information related to medical appeals, peer review and credentialing, attorney-client information, and compliance committee activities. Some commenters suggested excluding information already supplied to individuals on previous requests and information related to health care operations. However, some commenters felt that such information was already excluded from the definition of designated record set. Other commenters requested clarification that this provision will not prevent patients from getting information related to medical malpractice. Response: We do not agree that records in these categories are never used to affect the interests of individuals. For example, while protected health information used for peer review and quality assurance activities typically would not be used to make decisions about individuals, and, thus, typically would not be part of a designated record set, we cannot say that this is true in all cases. We design this provision to be sufficiently flexible to work with the varying practices of covered entities. The rule addresses several of these comments by excepting from the access provisions (Sec. 164.524) information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding. Similarly, nothing in this rule requires a covered entity to divulge information covered by physician-patient or similar privilege. Under the access provisions, a covered entity may redact information in a record about other persons or information obtained under a promise of confidentiality, prior to releasing the information to the individual. We clarify that nothing in this provision would prevent access to information needed to prosecute or defend a medical malpractice action; the rules of the relevant court determine such access. We found no persuasive evidence to support excluding information already supplied to individuals on previous requests. The burdens of tracking requests and the information provided pursuant to requests outweigh the burdens of providing the access requested. A covered entity may, however, discuss the scope of the request for access with the individual to facilitate the timely provision of access. For example, if the individual agrees, the covered entity could supply only the information created or received since the date access was last granted. Disclosure Comment: A number of commenters asked that the definition of ``disclosure'' be modified so that it is clear that it does not include the release, transfer, provision of access to, or divulging in any other manner of protected health information to the individual who is the subject of that information. It was suggested that we revise the definition in this way to clarify that a health care provider may release protected health information to the subject of the information without first requiring that the patient complete an authorization form. Response: We agree with the commenters' concern, but accomplish this result through a different provision in the regulation. In Sec. 164.502 of this final rule, we specify that disclosures of protected health information to the individual are not subject to the limitations on disclosure of protected health information otherwise imposed by this rule. Comment: A number of commenters stated that the regulation should not apply to disclosures occurring within or among different subsidiaries or components of the same entity. One commenter interpreted ``disclosure'' to mean outside the agency or, in the case of a state Department of Health, outside sister agencies and offices that directly assist the Secretary in performing Medicaid functions and are listed in the state plan as entitled to receive Medicaid data. Response: We agree that there are circumstances under which related organizations may be treated as a single covered entity for purposes of protecting the privacy of health information, and modify the rule to accommodate such circumstances. In Sec. 164.504 of the final rule, we specify the conditions under which affiliated companies may combine into a single covered entity and similarly describe which components of a larger organization must comply with the requirements of this rule. For example, transfers of information within the designated component or affiliated entity are uses while transfers of information outside the designated component or affiliated entity are disclosures. See the discussion of Sec. 164.504 for further information and rationale. It is not clear from these comments whether the particular organizational arrangements described could constitute a single covered entity. Comment: A commenter noted that the definition of ``disclosure'' should reflect that health plan correspondence containing protected health information, such as Explanation of Benefits (EOBs), is frequently sent to the policyholder. Therefore, it was suggested that the words ``provision of access to'' be deleted from the definition and that a ``disclosure'' be clarified to include the conveyance of protected health information to a third party. Response: The definition is, on its face, broad enough to cover the transfers of information described and so is not changed. We agree that health plans must be able to send EOBs to policyholders. Sending EOB correspondence to a policyholder by a covered entity is a disclosure for purposes of this rule, but it is a disclosure for purposes of payment. Therefore, subject to the provisions of Sec. 164.522(b) regarding Confidential Communications, it is permitted even if it discloses to the policyholder protected health information about another individual (see below). Health care operations Comment: Several commenters stated that the list of activities within the definition of health care operations was too broad and should be narrowed. They asserted that the definition should be limited to exclude activities that have little or no connection to the care of a particular patient or to only include emergency treatment situations or situations constituting a clear and present danger to oneself or others. Response: We disagree. We believe that narrowing the definition in the manner requested will place serious burdens on covered entities and impair their ability to conduct legitimate business and management functions. Comment: Many commenters, including physician groups, consumer groups, and privacy advocates, argued that we should limit the information that can be used for health care operations to de- identified data. They [[Page 82608]] argued that if an activity could be done with de-identified data, it should not be incorporated in the definition of health care operations. Response: We disagree. We believe that many activities necessary for the business and administrative operations of health plans and health care providers are not possible with de-identified information or are possible only under unduly burdensome circumstances. For example, identified information may be used or disclosed during an audit of claims, for a plan to contact a provider about alternative treatments for specific patients, and in reviewing the competence of health care professionals. Further, not all covered entities have the same ability to de-identify protected health information. Covered entities with highly automated information systems will be able to use de-identified data for many purposes. Other covered entities maintain most of their records on paper, so a requirement to de-identify information would place too great a burden on the legitimate and routine business functions included in the definition of health care operations. Small business, which are most likely to have largely paper records, would find such a blanket requirement particularly burdensome. Protected health information that is de-identified pursuant to Sec. 164.514(a) is not subject to this rule. We hope this provides covered entities capable of de-identifying information with the incentive to do so. Comment: Some commenters requested that we permit the use of demographic data (geographic, location, age, gender, and race) separate from all other data for health care operations. They argued that demographic data was needed to establish provider networks and monitor providers to ensure that the needs of ethnic and minority populations were being addressed. Response: The use of demographic data for the stated purposes is within the definition of health care operations; a special rule is not necessary. Comment: Some commenters pointed out that the definition of health care operations is similar to, and at times overlaps with, the definition of research. In addition, a number of commenters questioned whether or not research conducted by the covered entity or its business partner must only be applicable to and used within the covered entity to be considered health care operations. Others questioned whether such studies or research performed internal to a covered entity are ``health care operations'' even if generalizable results may be produced. Response: We agree that some health care operations have many of the characteristics of research studies and in the NPRM asked for comments on how to make this distinction. While a clear answer was not suggested in any of the comments, the comments generally together with our fact finding lead to the provisions in the final rule. The distinction between health care operations and research rests on whether the primary purpose of the study is to produce ``generalizable knowledge.'' We have modified the definition of health care operations to include ``quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities.'' If the primary purpose of the activity is to produce generalizable knowledge, the activity fits within this rule's definition of ``research'' and the covered entity must comply with Secs. 164.508 or 164.512, including obtaining an authorization or the approval of an institutional review board or privacy board. If not and the activity otherwise meets the definition of health care operations, the activity is not research and may be conducted under the health care operations provisions of this rule. In some instances, the primary purpose of the activity may change as preliminary results are analyzed. An activity that was initiated as an internal outcomes evaluation may produce information that the covered entity wants to generalize. If the purpose of a study changes and the covered entity does intend to generalize the results, the covered entity should document the change in status of the activity to establish that they did not violate the requirements of this rule. (See definition of ``research,'' below, for further information on the distinction between ``research'' and ``health care operations.'') We note that the difficulty in determining when an activity is for the internal operations of an entity and when it is a research activity is a long-standing issue in the industry. The variation among commenters' views is one of many indications that, today, there is not consensus on how to draw this line. We do not resolve the larger issue here, but instead provide requirements specific to the information covered by this rule. Comment: Several commenters asked that disease management and disability management activities be explicitly included in the definition of health care operations. Many health plans asserted that they would not be able to provide disease management, wellness, and health promotion activities if the activity were solely captured in the rule's definition of ``treatment.'' They also expressed concern that ``treatment'' usually applies to an individual, not to a population, as is the practice for disease management. Response: We were unable to find generally accepted definitions of the terms ``disease management'' and ``disability management.'' Rather than rely on this label, we include many of the functions often included in discussions of disease management in this definition or in the definition of treatment, and modify both definitions to address the commenters' concerns. For example, we have revised the definition of health care operations to include population-based activities related to improving health or reducing health care costs. This topic is discussed further in the comment responses regarding the definition of ``treatment,'' below. Comment: Several commenters urged that the definition of health care operations be illustrative and flexible, rather than structured in the form of a list as in the proposed rule. They believed it would be impossible to identify all the activities that constitute health care operations. Commenters representing health plans were concerned that the ``static'' nature of the definition would stifle innovation and could not reflect the new functions that health plans may develop in the future that benefit consumers, improve quality, and reduce costs. Other commenters, expressed support for the approach taken in the proposed rule, but felt the list was too broad. Response: In the final rule, we revise the proposed definition of health care operations to broaden the list of activities included, but we do not agree with the comments asking for an illustrative definition rather than an inclusive list. Instead, we describe the activities that constitute health care operations in broad terms and categories, such as ``quality assessment'' and ``business planning and development.'' We believe the use of broadly stated categories will allow industry innovation, but without the privacy risks entailed in an illustrative approach. Comment: Several commenters noted that utilization review and internal quality review should be included in the definition. They pointed out that both of these activities were discussed in the preamble to the proposed rule but were not incorporated into the regulation text. [[Page 82609]] Response: We agree and have modified the regulation text to incorporate quality assessment and improvement activities, including the development of clinical guidelines and protocol development. Comment: Several commenters stated that the proposal did not provide sufficient guidance regarding compiling and analyzing information in anticipation of or for use in legal proceedings. In particular, they raised concerns about the lack of specificity as to when ``anticipation'' would be triggered. Response: We agree that this provision was confusing and have replaced it with a broader reference to conducting or arranging for legal services generally. Comment: Hospital representatives pointed out the pressure on health care facilities to improve cost efficiencies, make cost- effectiveness studies, and benchmark essential health care operations. They emphasized that such activities often use identifiable patient information, although the products of the analyses usually do not contain identifiable health information. Commenters representing state hospital associations pointed out that they routinely receive protected health information from hospitals for analyses that are used by member hospitals for such things as quality of care benchmark comparisons, market share analysis, determining physician utilization of hospital resources, and charge comparisons. Response: We have expanded the definition of health care operations to include use and disclosure of protected health information for the important functions noted by these commenters. We also allow a covered entity to engage a business associate to provide data aggregation services. See Sec. 164.504(e). Comment: Several commenters argued that many activities that are integral to the day-to-day operations of a health plan have not been included in the definition. Examples provided by the commenters include: issuing plan identification cards, customer service, computer maintenance, storage and back-up of radiologic images, and the installation and servicing of medical equipment or computer systems. Response: We agree with the commenters that there are activities not directly part of treatment or payment that are more closely associated with the administrative or clerical functions of the plan or provider that need to be included in the definition. To include such activities in the definition of health care operations, we eliminate the requirement that health care operations be directly related to treatment and payment, and we add to this definition the new categories of business management (including general administrative activities) and business planning activities. Comment: One commenter asked for clarification on whether cost- related analyses could also be done by providers as well as health plans. Response: Health care operations, including business management functions, are not limited to health plans. Any covered entity can perform health care operations. Comment: One commenter stated that the proposed rule did not address what happens to records when a covered entity is sold or merged with another entity. Response: We agree and add to the definition of health care operations disclosures of protected health information for due diligence to a covered entity that is a potential successor in interest. This provision includes disclosures pursuant to the sale of a covered entity's business as a going concern, mergers, acquisitions, consolidations, and other similar types of corporate restructuring between covered entities, including a division of a covered entity, and to an entity that is not a covered entity but will become a covered entity if the reorganization or sale is completed. Other types of sales of assets, or disclosures to organizations that are not and would not become covered entities, are not included in the definition of health care operations and could only occur if the covered entity obtained valid authorization for such disclosure in accordance with Sec. 164.508 or if the disclosure is otherwise permitted under this rule. Once a covered entity is sold or merged with another covered entity, the successor in interest becomes responsible for complying with this regulation with respect to the transferred information. Comment: Several commenters expressed concern that the definition of health care operations failed to include the use of protected health information for the underwriting of new health care policies and took issue with the exclusion of uses and disclosures of protected health information of prospective enrollees. They expressed the concern that limiting health care operations to the underwriting and rating of existing members places a health plan in the position of not being able to evaluate prudently and underwrite a consumer's health care risk. Response: We agree that covered entities should be able to use the protected health information of prospective enrollees to underwrite and rate new business and change the definition of health care operations accordingly. The definition of health care operations below includes underwriting, premium rating, and other activities related to the creation of a contract of health insurance. Comment: Several commenters stated that group health plans needed to be able to use and disclose protected health information for purposes of soliciting a contract with a new carrier and rate setting. Response: We agree and add ``activities relating to the * * * replacement of a contract of insurance'' to cover such disclosures. See Sec. 164.504 for the rules for plan sponsors of group health plans to obtain such information. Comment: Commenters from the business community supported our recognition of the importance of financial risk transfer mechanisms in the health care marketplace by including ``reinsurance'' in the definition of health care operations. However, they stated that the term ``reinsurance'' alone was not adequate to capture ``stop-loss insurance'' (also referred to as excess of loss insurance), another type of risk transfer insurance. Response: We agree with the commenters that stop-loss and excess of loss insurance are functionally equivalent to reinsurance and add these to the definition of health care operations. Comment: Commenters from the employer community explained that there is a trend among employers to contract with a single insurer for all their insurance needs (health, disability, workers' compensation). They stated that in these integrated systems, employee health information is shared among the various programs in the system. The commenters believed the existing definition poses obstacles for those employers utilizing an integrated health system because of the need to obtain authorizations before being permitted to use protected health information from the health plan to administer or audit their disability or workers' compensation plan. Other commenters representing employers stated that some employers wanted to combine health information from different insurers and health plans providing employee benefits to their workforces, including its group health plan, workers' compensation insurers, and disability insurers, so that they could have more information in order to better manage the occurrences of disability and illness among their workforces. They expressed concern [[Page 82610]] that the proposed rule would not permit such sharing of information. Response: While we agree that integrating health information from different benefit programs may produce efficiencies as well as benefits for individuals, the integration also raises significant privacy concerns, particularly if there are no safeguards on uses and disclosures from the integrated data. Under HIPAA, we do not have jurisdiction over many types of insurers that use health information, such as workers' compensation insurers or insurers providing disability income benefits, and we cannot address the extent to which they provide individually identifiable health information to a health plan, nor do we prohibit a health plan from receiving such information. Once a health plan receives identifiable health information, however, the information becomes protected and may only be used and disclosed as otherwise permitted by this rule. We clarify, however, that a covered entity may provide data and statistical analyses for its customers as a health care operation, provided that it does not disclose protected health information in a way that would otherwise violate this rule. A group health plan or health insurance issuer or HMO, or their business associate on their behalf, may perform such analyses for an employer customer and provide the results in de-identified form to the customer, using integrated data received from other insurers, as long as protected health information is not disclosed in violation of this rule. See the definition of ``health care operations,'' Sec. 164.501. If the employer sponsors more than one group health plan, or if its group health plan provides coverage through more than one health insurance issuer or HMO, the different covered entities may be an organized health care arrangement and be able to jointly participate in such an analysis as part of the health care operations of such organized health care arrangement. See the definitions of ``health care operations'' and ``organized health care arrangement,'' Sec. 164.501. We further clarify that a plan sponsor providing plan administration to a group health plan may participate in such an analysis, provided that the requirements of Sec. 164.504(f) and other parts of this rule are met. The results described above are the same whether the health information that is being combined is from separate insurers or from one entity that has a health component and also provides excepted benefits. See the discussion relating to health care components, Sec. 164.504. We note that under the arrangements described above, the final rule provides substantial flexibility to covered entities to provide general data and statistical analyses, resulting in the disclosure of de- identified information, to employers and other customers. An employer also may receive protected health information from a covered entity for any purpose, including those described in comment above, with the authorization of the individual. See Sec. 164.508. Comment: A number of commenters asserted that the proposed definition appeared to limit training and educational activities to that of health care professionals, students, and trainees. They asked that we expand the definition to include other education-related activities, such as continuing education for providers and training of non-health care professionals as needed for supporting treatment or payment. Response: We agree with the commenters that the definition of health care operations was unnecessarily limiting with respect to educational activities and expand the definition of health care operations to include ``conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers.'' We clarify that medical rounds are considered treatment, not health care operations. Comment: A few commenters outlined the need to include the training of non-health care professionals, such as health data analysts, administrators, and computer programmers within the definition of health care operations. It was argued that, in many cases, these professionals perform functions which support treatment and payment and will need access to protected health information in order to carry out their responsibilities. Response: We agree and expand the definition of health care operations to include training of non-health care professionals. Comment: One commenter stated that the definition did not explicitly include physician credentialing and peer review. Response: We have revised the definition to specifically include ``licensing or credentialing activities.'' In addition, peer review activities are captured in the definition as reviewing the competence or qualifications of health care professionals and evaluating practitioner and provider performance. Health Oversight Agency Comment: Some commenters sought to have specific organizations defined as health oversight agencies. For example, some commenters asked that the regulation text, rather than the preamble, explicitly list state insurance departments as an example of health oversight agencies. Medical device manufacturers recommended expanding the definition to include government contractors such as coding committees, which provide data to HCFA to help the agency make reimbursement decisions. One federal agency sought clarification that several of its sub- agencies were oversight agencies; it was concerned about its status in part because the agency fits into more than one of the categories of health oversight agency listed in the proposed rule. Other commenters recommended expanding the definition of oversight agency to include private-sector accreditation organizations. One commenter recommended stating in the final rule that private companies providing information to insurers and employers are not included in the definition of health oversight agency. Response: Because the range of health oversight agencies is so broad, we do not include specific examples in the definition. We include many examples in the preamble above and provide further clarity here. As under the NPRM, state insurance departments are an example of a health oversight agency. A commenter concerned about state trauma registries did not describe the registries' activities or legal charters, so we cannot clarify whether such registries may be health oversight agencies. Government contractors such as coding committees, which provide data to HCFA to support payment processes, are not thereby health oversight agencies under this rule. We clarify that public agencies may fit into more than one category of health oversight agency. The definition of health oversight agency does not include private- sector accreditation organizations. While their work can promote quality in the health care delivery system, private accreditation organizations are not authorized by law to oversee the health care system or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant. Under the final rule, we consider private accrediting groups to be performing a health care operations function for covered entities. Thus, disclosures to private accrediting organizations are [[Continued on page 82611]]