[Please label comments about this section with the subject: “Summary and purpose”]
The following outlines the provisions and operations of this proposed rule and is intended to provide a framework for the following preamble. A more detailed discussion of the authority, rationale, and implementation can be found in Section II of the preamble, Provisions of the Proposed Rule.
As described in more detail in preamble section I.B, above, the HIPAA requires the Secretary of HHS to promulgate a series of standards relating to the electronic exchange of health information. Collectively these are known as the Administrative Simplification provisions. In addition to those standards, the Secretary was required to develop and submit to the Congress recommendations for the privacy rights that an individual who is a subject of individually identifiable health information should have, the procedures that should be established for the exercise of such rights, and the uses and disclosures of such information that should be authorized.
On September 11, 1997, the Secretary presented to the Congress her Recommendations for protecting the “Confidentiality of Individually-Identifiable Health Information” (the “Recommendations”), as required by section 264 (a) of HIPAA. In those Recommendations, the Secretary called for new federal legislation to create a national floor of standards that provide fundamental privacy rights for patients, and that define responsibilities for those who use and disclose identifiable health information.
The Recommendations elaborated on the components that should be included in privacy legislation. These components included new restrictions on the use and disclosure of health information, the establishment of new consumer rights, penalties for misuse of information, and redress for those harmed by misuse of their information. The Recommendations served, to the extent possible under the HIPAA legislative authority, as a template for the rules proposed below. They are available on the HHS website at http://aspe.hhs.gov/admnsimp/pvcrec.htm.
The Secretary’s Recommendations set forth the a framework for federal privacy legislation. Such legislation should:
We believed then, and still believe, that there is an urgent need for legislation to establish comprehensive privacy standards for all those who pay and provide for health care, and those who receive information from them.
This proposed rule implements many of the policies set forth in the Recommendations. However, the HIPAA legislative authority is more limited in scope than the federal statute we recommend, and does not always permit us to propose the policies that we believe are optimal. Our major concerns with the scope of the HIPAA authority include the limited number of entities to whom the proposed rule would be applicable, and the absence of strong enforcement provisions and a private right of action for individuals whose privacy rights are violated.
The Recommendations call for legislation that applies to health care providers and payers who obtain identifiable health information from individuals and, significantly, to those who receive such information from providers and payers. The Recommendations follow health information from initial creation by a health plan or health care provider, through various uses and disclosures, and would establish protections at each step: “We recommend that everyone in this chain of information handling be covered by the same rules.” However, the HIPAA limits the application of our proposed rule to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with transactions referred to in section 1173(a)(1) of the Act (the “covered entities”). Unfortunately, this leaves many entities that receive, use and disclose protected health information outside of the system of protection that we propose to create.
In particular, the proposed regulation does not directly cover many of the persons who obtain identifiable health information from the covered entities. In this proposed rule we are, therefore, faced with creating new regulatory permissions for covered entities to disclose health information, but cannot directly put in place appropriate restrictions on how many likely recipients of such information may use and re-disclose such information. For example, the Secretary’s Recommendations proposed that protected health information obtained by researchers not be further disclosed except for emergency circumstances, for a research project that meets certain conditions, and for oversight of research. In this proposed rule, however, we cannot impose such restrictions. Additional examples of persons who receive this information include workers compensation carriers, researchers, life insurance issuers, employers and marketing firms. We also do not have the authority to directly regulate many of the persons that covered entities hire to perform administrative, legal, accounting, and similar services on their behalf, and who would obtain health information in order to perform their duties. This inability to directly address the information practices of these groups leaves an important gap in the protections provided by the proposed rule.
In addition, only those providers who engage in the electronic administrative simplification transactions can be covered by this rule. Any provider who maintains a solely paper information system would not be subject to these privacy standards, thus leaving another gap in the system of protection we propose to create.
The need to match a regulation limited to a narrow range of covered entities with the reality of information sharing among a wide range of entities leads us to consider limiting the type or scope of the disclosures permitted under this regulation. The disclosures we propose to allow in this rule are, however, necessary for smooth operation of the health care system and for promoting key public goals such as research, public health, and law enforcement. Any limitation on such disclosures could do more harm than good.
Requirements to protect individually identifiable health information must be supported by real and significant penalties for violations. We recommend federal legislation that would include punishment for those who misuse personal health information and redress for people who are harmed by its misuse. We believe there should be criminal penalties (including fines and imprisonment) for obtaining health information under false pretenses, and for knowingly disclosing or using protected health information in violation of the federal privacy law. We also believe that there should be civil monetary penalties for other violations of the law and that any individual whose rights under the law have been violated, whether negligently or knowingly, should be permitted to bring an action for actual damages and equitable relief. Only if we put the force of law behind our rhetoric can we expect people to have confidence that their health information is protected, and ensure that those holding health information will take their responsibilities seriously.
In HIPAA, Congress did not provide such enforcement authority. There is no private right of action for individuals to enforce their rights, and we are concerned that the penalty structure does not reflect the importance of these privacy protections and the need to maintain individuals’ trust in the system. For these and other reasons, we continue to call for federal legislation to ensure that privacy protection for health information will be strong and comprehensive.
Under section 1172(a) of the Act, the provisions of this proposed rule apply to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with transactions referred to in section 1173(a)(1) of the Act (the “covered entities”). The terms health plan, health care provider, and health care clearinghouse are defined in proposed § 160.103.
As noted above, because we do not have the authority to apply these standards directly to any entity that is not a covered entity, the proposed rule does not directly cover many of the persons who obtain identifiable health information from the covered entities. Examples of persons who receive this information include contractors, third-party administrators, researchers, public health officials, life insurance issuers, employers and marketing firms. We would attempt to fill this gap in our legislative authority in part by requiring covered entities to apply many of the provisions of rule to the entities with whom they contract for administrative and other services. The proposed provision is outlined in more detail below in the discussion of business partners.
We propose to apply the requirements of this rule to the subset of individual identifiable health information which is maintained or transmitted by covered entities and which is or has been in electronic form. The provisions of the rule would apply to the information itself, referred to as protected health information in this rule, and not to the particular records in which the information is contained. Once information has been maintained or transmitted electronically by a covered entity, the protections would follow the information in whatever form, including paper records, in which it exists (while it is held by a covered entity).
We understand that our proposal would create a situation in which some health information would be protected while other similar information (e.g., health information contained in paper records that has not been maintained or transmitted electronically) would not be protected. We are concerned about the potential confusion that such a system might entail, but we believe that applying the provisions of the rule to information only in electronic form would result in no real protection for health care consumers. We have requested comment on whether we should extend the scope of the rule to all individually identifiable health information, including purely paper records, maintained by covered entities. Although we are concerned that extending our regulatory coverage to all records might be inconsistent with the intent of the provisions in the HIPAA, we believe that we do have the authority to do so and that there are sound rationale for providing a consistent level of protection to all individually identifiable health information held by covered entities.
The purpose of our proposal is to define and limit the circumstances in which an individual’s protected heath information may be used or disclosed by others. We are proposing to make the use and exchange of protected health information relatively easy for health care purposes, and more difficult for purposes other than health care.
Covered entities would be prohibited from using or disclosing protected health information except as provided in the proposed rule. Under the rule, covered entities could use or disclose protected health information with individual authorization, as provided in proposed § 164.508. Covered entities could use or disclose protected health information without authorization for treatment, payment and health care operations, as provided in § 164.506(a). (The terms “treatment,” “payment” and “health care operations” are defined in proposed § 164.504). Covered entities also would be permitted to use or disclose a patient’s protected health information without authorization for specified public and public policy-related purposes, including public health, research, health oversight, law enforcement, and use by coroners, as provided in proposed § 164.510. Covered entities would be permitted to use and disclose protected health information when required to do so by other law, such as mandatory reporting under state law or pursuant to a search warrant.
Covered entities would be required by this rule to disclose protected health information for only two purposes: to permit individuals to inspect and copy protected health information about them, pursuant to proposed § 164.514, and for enforcement of this rule pursuant to proposed § 164.522.
Under our proposal, most uses and disclosures of an individual’s protected health information would not require explicit authorization by the individual, but would be restricted by the provisions of the rule. As discussed in section II.C. of this preamble, we propose to substitute regulatory protections for the pro forma authorizations that are used today. The rules would create a sphere of privacy protection that includes covered entities who engage in treatment or payment, and the business partners they hire to assist them. While written consent for these activities would not be required, new restrictions on both internal uses and external disclosures would be put in place to protect the information.
Our proposal is based on the principle that a combination of strict limits on how plans and providers can use and disclose identifiable health information, adequate notice to patients about how such information will be used, and patients’ rights to inspect, copy and amend protected health information about them, will provide patients with better privacy protection and more effective control over the dissemination of their information than alternative approaches to patient protection and control.
A central aspect of this proposal is the principle of “minimum necessary” disclosure. (See proposed § 164.506(a)). With certain exceptions, permitted uses and disclosures of protected health information would be restricted to the minimum amount of information necessary to accomplish the purpose for which the information is used or disclosed, taking into consideration practical and technological limitations (including the size and nature of the covered entity’s business) and costs. While we recognize that there are legitimate uses of protected health information for which patient authorization should not be required, the privilege of this access carries with it an obligation to safeguard the information. Covered entities would be required to take steps to limit the amount of protected health information used or disclosed to the information necessary to meet the purpose of the use or disclosure. These policies could include limiting access to the information to a subset of employees who need to use the information in the course of their work, and limiting the amount of information disclosed from a record to the information needed by the recipient to fulfill the purpose of the disclosure.
We propose that individuals be able to request that a covered entity restrict the protected health information that results from that encounter (with the exception of encounters for emergency treatment) from further use or disclosure for treatment, payment, and health care operations. (See proposed § 164.506(c)). Covered entities would not be required to agree to restrictions requested by individuals; the rule would only enforce a restriction that has been agreed to by the covered entity and the individual.
Today’s health care system is a complex business involving multiple individuals and organizations engaging in a variety of commercial relationships. An individual’s privacy should not be compromised when a covered entity engages in such normal business relationships. To accomplish this result, the rule would, with narrow exceptions, require covered entities to ensure that the business partners with which they share protected health information understand -- through contract requirements – that they are subject to standards regarding use and disclosure of protected health information and agree to abide by such rules. (See proposed § 164.506(e)). Other than for purposes of treatment consultation or referral, we would require a contract to exist between the covered entity and the business partner that would, among other specified provisions, limit the business partner’s uses and disclosures of protected health information to those permitted by the contract and would impose certain security, inspection and reporting requirements on the business partner.
We do not intend to interfere with business relationships in the health care industry, but rather to ensure that the privacy of the information shared in these relationships is protected. Business partners would not be permitted to use or disclose protected health information in ways that would not be permitted by the covered entity itself.
The privacy standards would need to be implemented by all covered entities, from the smallest provider to the largest, multi-state health plan. For this reason, we propose the privacy principles and standards that covered entities must meet, but leave the detailed policies and procedures for meeting these standards to the discretion of each covered entity. We intend that implementation of these standards be flexible and scalable, to account for nature of each covered entity’s business, as well as the covered entity’s size and resources. A single approach to implementation of these requirements would be neither economically feasible nor effective in safeguarding health information privacy. Instead, we would require that each covered entity assess its own needs and devise and implement privacy policies appropriate to its size, its information practices, and its business requirements. Examples of how implementation of these standards are scalable are provided in the relevant sections of this preamble. (See, also, the discussion in preamble sections II.C. and III.)
The rule would require that covered entities have authorization from individuals before using or disclosing their protected health information for any purpose not otherwise recognized by this rule. In § 164.508, we propose rules for obtaining authorizations. Authorizations are needed in a wide array of circumstances. Entities not covered by this rule often want access to individually identifiable health information . For example, a potential employer may require health information as part of a background check for security purposes, or the patient may request a plan or provider to disclose information to obtain eligibility for disability benefits or to an attorney for use in a law suit. Covered entities may also seek such an authorization in order to use protected health information for a purpose not otherwise permitted under this rule. For example, a health plan may wish to use a person’s records for developing a marketing strategy.
The proposed authorization requirements are intended to ensure that an individual’s authorization is truly voluntary. We would prohibit covered entities from conditioning treatment or payment on the individual agreeing to disclose information for other purposes. We also would require authorizations to clearly and specifically describe the information to be disclosed. If an authorization is sought so that a covered entity may sell, barter, or otherwise exchange the information for purposes other than treatment, payment, or health care operations, the covered entity would have to disclose this fact on the authorization form. We would also require authorizations to be revocable. We do not seek to limit the purposes for which authorization of records disclosure may be sought, but rather to ensure that these authorizations are voluntary, fair, and enforceable.
While the provisions of this proposed rule are intended to make authorizations for treatment and payment purposes unnecessary, some States may continue to require them. This rule would not supersede such State requirements generally, but would impose a new requirement that such State-mandated authorizations must be physically separate from an authorization for other purposes described in this rule.
Under this rule, covered entities with limited exceptions would be permitted to use and disclose protected health information without individual authorization for treatment and payment purposes, and for related purposes that we have defined as health care operations. (See § 164.506.) We would construe the terms “treatment” and “payment” broadly. In section II.B. of this preamble, we describe the types of activities that would be considered health care operations.
Individually identifiable health information is needed to support certain national priority activities, such as reducing health care fraud, improving the quality of treatment through research, protecting the public health, and responding to emergency situations. In many cases, the need to obtain authorization for use of health information would create significant obstacles in efforts to fight crime, understand disease, and protect public health. We examined the many uses that the health professions, related industries, and the government make of health information and we are aware of the concerns of privacy and consumer advocates about these uses.
After balancing privacy and other social values, we are proposing rules that would permit use or disclosure of health information without individual authorization for the following national priority activities and activities that allow the health care system to operate smoothly:
The rule would specify conditions that would need to be met in order for the use or disclosure of protected health information to be permitted for each of these purposes. (See § 164.514) We have proposed conditions tailored to the need for each type of use or disclosure, and to the types of organizations involved in each such activity. These uses and disclosures, and the conditions under which they may occur, are discussed in section II. F of this preamble.
The uses and disclosures that would be permitted under proposed rule would be just that – permissible. Thus, for disclosures that are not compelled by other law, providers and payers would be free to disclose or not, according to their own policies and ethical principles. We propose these rules as a basic set of legal controls, but ethics and professional practice may dictate more guarded disclosure policies. At the same time, nothing in this rule would provide authority for a covered entity to restrict or refuse to make a disclosure mandated by other law.
We are proposing to establish several basic rights for individuals with respect to their protected health information. We propose that individuals be able to obtain access to protected health information about them, which would include a right to inspect and obtain a copy of such information. See proposed § 164.514. The right of access would extend to an accounting of disclosures of the protected health information for purposes other than treatment, payment, and health care operations. See proposed § 164.515.
In § 164.512, we also propose that individuals have a right to receive a written notice of information practices from covered entities. While the primary purpose of this notice would be to inform individuals about the uses and disclosures that a covered entity would intend to make with the information, the notice also would serve to limit the activities of the covered entity -- an otherwise lawful use or disclosure that does not appear in the entity’s notice would not be permitted. The covered entity’s uses and disclosures could be stated in broad terms, but an entity would not be able to make a use or disclosure that is not included in its notice. The covered entity could modify its notice at any time and apply revised practices to existing and new information held by the covered entity.
In addition, we propose that individuals have the right to request amendment or correction of protected health information that is inaccurate or incomplete. See proposed §164.516. We are proposing procedural requirements and deadlines to implement each of these individual rights.
In our Recommendations, we call for a federal law that requires holders of identifiable health information to implement safeguards to protect it from inappropriate access, use or disclosure. No legislation or rule can effectively specify how to do this for every holder of health information. But federal rules can and should require those who hold identifiable health information to develop and implement basic administrative procedures to protect that information and protect the rights of the individual with respect to that information.
To accomplish this goal, we propose that covered entities be required to designate a privacy official, develop a privacy training program for employees, implement safeguards to protect health information from intentional or accidental misuse, provide some means for individuals to lodge complaints about the covered entity’s information practices, and develop a system of sanctions for employees and business partners who violate the entity’s policies or procedures. (See proposed § 164.518.). We also propose, in § 164.520, to require covered entities to maintain documentation of their policies and procedures for complying with the requirements of this proposed rule. The purpose of these requirements is to ensure that covered entities make explicit decisions about who would have access to protected health information, how that information would be used within the entity, and when that information would or would not be disclosed to other entities.
The HIPAA provides that the rule promulgated by the Secretary may not preempt state laws that are in conflict with the regulatory requirements and that provide greater privacy protections. The HIPAA also provides that standards issued by the Secretary will not supercede certain other State laws, including: State laws relating to reporting of disease or injury, child abuse, birth or death, public health surveillance, or public health investigation or intervention; State regulatory reporting; State laws which the Secretary finds are necessary to prevent fraud and abuse, to ensure appropriate State regulation of insurance, for State reporting on health care delivery or costs, or for other purposes; or, State laws which the Secretary finds address controlled substances. These provisions are discussed in more detail in preamble section II.I.1.
This proposed rule also must be read in conjunction with other federal laws and regulations that address the use and disclosure of health information. These issues are discussed in preamble section II.I.2.
In general, the rule that we are proposing would create a federal floor of privacy protection, but would not supercede other applicable law that provide greater protection to the confidentiality of health information. In general, our rule would not make entities subject to a state laws to which they are not subject today.
The HIPAA grants the Secretary the authority to impose civil monetary penalties against covered entities which fail to comply with the requirements of this rule, and also establishes criminal penalties for certain wrongful disclosures of protected health information. The civil fines are capped at $25,000 for each calendar year for each provision that is violated. The criminal penalties are graduated, increasing if the offense is committed under false pretenses, or with intent to sell the information or reap other personal gain. The statute does not provide for a private right of action for individuals.
We propose to create a complaint system to permit individuals to make complaints to the Secretary about potential violations of this rule. We also propose that covered entities develop a process for receiving complaints from individuals about the entities’ privacy practices. (See § 164.522.) Our intent would be to work with covered entities to achieve voluntary compliance with the proposed standards.
Although the promise of these proposed standards cannot become reality for many patients because of the gaps in our authority, we believe they would provide important new protections. By placing strict boundaries around the ways covered entities could use and disclose information, these rules would protect health information at its primary sources: health plans and health care providers. By requiring covered entities to inform patients about how their information is being used and shared, by requiring covered entities to provide access to that information, and by ensuring that authorizations would be truly voluntary, these rules would provide patients with important new tools for understanding and controlling information about them. By requiring covered entities to document their privacy practices, this rule would focus attention on the importance of privacy, and reduce the ways in which privacy is compromised through inattention or misuse.
With the Secretary’s Recommendations and these proposed rules, we are attempting to further two important goals: to allow the free flow of health information needed to provide and promote high quality health care, while assuring that individuals’ health information is properly protected. We seek a balance that permits important uses of information privacy of people who seek care and healing. We believe our Recommendations find that balance, and have attempted to craft this proposed rule to strike that balance as well.
We continue to believe, however, that federal legislation is the best way to guarantee these protections. The HIPAA legislative authority does not allow full implementation of our recommended policies in this proposed rule. The legislation limits the entities that can be held responsible for their use of protected health information, and the ways in which the covered entities can be held accountable. For these and other reasons, we continue to call upon Congress to pass comprehensive federal privacy legislation. Publication of this proposed rule does not diminish our firm conviction that such legislation should be enacted as soon as possible.
We propose to establish a new subchapter C to title 45 of the Code of Federal Regulations. Although the rules proposed below would only establish two new parts (parts 160 and 164), we anticipate the new subchapter C will eventually contain three parts, part 160, 162, and 164, with parts 161 and 163 being reserved for future expansion, if needed. Part 160 will contain general requirements and provisions applicable to all of the regulations issued under sections 262 and 264 of Public Law 104-191 (the Administrative Simplification provisions of HIPAA). We anticipate that Part 162 will contain the Administrative Simplification regulations relating to transactions, code sets and identifiers. The new part 164 will encompass the rules relating to the security standards authorized by section 1173(d), the electronic signature standard authorized by section 1173(e), and the privacy rules proposed below.
The new part 164 will be composed of two subparts: subparts A and E, with B, C, and D being reserved. Subpart A will consist of general provisions and subpart E will consist of the final privacy rules. Because the new part 160 will apply to the privacy rules, as well as the other Administrative Simplification rules, it is set out below.