[Please label comments about this section with the subject: Relationship to State laws]
Congress addressed the issue of preemption of State law explicitly in the statute, in section 1178 of the Act. Consonant with the underlying statutory purpose to simplify the financial and administrative transactions associated with the provision of health care, the new section 1178(a)(1) sets out a general rule that State law provisions that are contrary to the provisions or requirements of part C of title XI or the standards or implementation specifications adopted or established thereunder are preempted by the federal requirements. The statute provides three exceptions to this general rule: (1) for State laws which the Secretary determines are necessary to prevent fraud and abuse, ensure appropriate State regulation of insurance and health plans, for State reporting on health care delivery, and other purposes; (2) for State laws which address controlled substances; and (3) for State laws relating to the privacy of individually identifiable health information which, as provided for by the related provision of section 264(c)(2), are contrary to and more stringent than the federal requirements. Section 1178 also carves out, in sections 1178(b) and 1178(c), certain areas of State authority which are not limited or invalidated by the provisions of part C of title XI; these areas relate to public health and State regulation of health plans.
Section 264 of HIPAA contains a related preemption provision. Section 264(c)(2) is, as discussed above, an exception to the general rule that the federal standards and requirements preempt contrary State law. Section 264(c)(2) provides, instead, that contrary State laws that relate to the privacy of individually identifiable health information will not be preempted by the federal requirements, if they are more stringent than those requirements. This policy, under which the federal privacy protections act as a floor, but not a ceiling on, privacy protections, is consistent with the Secretary's Recommendations.
Aside from the cross-reference to section 264(c)(2) in section 1178(a)(2)(B), several provisions of section 1178 relate to the proposed privacy standards. These include the general preemption rule of section 1178(a)(1), the carve-out for public health and related reporting under section 1178(b), and the carve-out for reporting and access to records for the regulation of health plans by States under section 1178(c). Other terms that occur in section 264(c)(2) also appear in section 1178: the underlying test for preemption -- whether a State law is contrary to the federal standards, requirements or implementation specifications -- appears throughout section 1178(a), while the issue of what is a State law for preemption purposes applies throughout section 1178. In light of these factors, it seems logical to develop a regulatory framework that addresses the various issues raised by section 1178, not just those parts of it implicated by section 264(c)(2). Accordingly, the rules proposed below propose regulatory provisions covering these issues as part of the general provisions in proposed part 160, with sections made specifically applicable to the proposed privacy standard where appropriate.
Section 1178(a)(1) provides the following general rule for the preemption of State law:
Except as provided in paragraph (2), a provision or requirement under this part [part C of title XI], or a standard or implementation specification adopted or established under sections 1172 through 1174, shall supersede any contrary provision of State law, including a provision of State law that requires medical or health plan records (including billing information) to be maintained or transmitted in written rather than electronic form.
As we read this provision, the provisions and requirements of part C of title XI, along with the standards and implementation specifications adopted thereunder, do not supplant State law, except to the extent such State law is contrary to the federal statutory or regulatory scheme. Moreover, the provisions and requirements of part C of title XI, along with the standards and implementation specifications adopted thereunder, do not preempt contrary State law where one of the exceptions provided for by section 1178(a)(2) applies or the law in question lies within the scope of the carve-outs made by sections 1178(b) and (c). Thus, States may continue to regulate in the area covered by part C of title XI and the regulations and implementation specifications adopted or established thereunder, except to the extent States adopt laws that are contrary to the federal statutory and regulatory scheme, and even those contrary State laws may continue to be enforceable, if they come within the statutory exceptions or carve-outs.
We note, however, that many of the Administrative Simplifications regulations will have preemptive effect. The structure of many of the regulations, particularly those addressing the various administrative transactions, is to prescribe the use of a particular form or format for the transaction in question. Where the prescribed form or format is used, covered entities are required to accept the transaction. A State may well not be able to require additional requirements for such transactions consistent with the federally prescribed form or format.
Section 1178(a)(2) lists several exceptions to the general preemption rule of section 1178(a)(1). The first set of exceptions are those listed at sections 1178(a)(2)(A)(i) and 1178(a)(2)(A)(ii). These exceptions are for provisions of State law which the Secretary determines are necessary: (1) to prevent fraud and abuse; (2) to ensure appropriate State regulation of insurance and health plans; (3) for State reporting on health care delivery or costs; (4) for other purposes; or (5) which address controlled substances.
Proposed § 160.203(a) below provides for determinations under these statutory provisions. The criteria at proposed § 160.203(a) follow the statute. As is more fully discussed below, however, two of the terms used in this section of the proposed rules are defined terms: contrary and State law. The process for making such determinations is discussed below.
The third exception to the general rule that the federal requirements, standards, and implementation specifications preempt contrary State law concerns State laws relating to the privacy of individually identifiable health information. Section 1178(a)(2)(B) provides that a State law is excepted from this general rule, which, subject to section 264(c)(2) of the Health Insurance Portability and Accountability Act of 1996, relates to the privacy of individually identifiable health information. Section 264(c)(2) of HIPAA provides that the HIPAA privacy regulation, which is proposed in the accompanying proposed subpart B of proposed part 160, will not supersede a contrary provision of State law, if the provision of State law imposes requirements, standards, or implementation specifications that are more stringent than the requirements, standards, or implementation specifications imposed under the regulation at proposed subpart E of proposed part 164.
It is recognized that States generally have laws that relate to the privacy of individually identifiable health information. These laws continue to be enforceable, unless they are contrary to part C of title XI or the standards, requirements, or implementation specifications adopted or established pursuant to the proposed subpart x. Under section 264(c)(2), not all contrary provisions of State privacy laws are preempted; rather, the law provides that contrary provisions that are also more stringent than the federal regulatory requirements or implementation specifications will continue to be enforceable.
There are a number of ambiguities in sections 1178(a)(2)(B) and 264(c)(2) of HIPAA. Clarifying the statute through the regulations will generally provide substantially more guidance to the regulated entities and the public as to which requirements, standards, and implementation specifications apply. For these reasons, the rules propose below to interpret several ambiguous statutory terms by regulation.
There are five definitional questions that arise in considering whether or not a State law is preempted under section 264(c)(2): (1) What is a provision of State law? (2) What is a State law? (3) What kind of State law, under section 1178(a)(2)(B), relates to the privacy of individually identifiable health information? (4) When is a provision of State law at issue contrary to the analogous provision of the federal regulations? (5) When is a provision of State law more stringent than the analogous provision of the federal regulations? We discuss these questions and our proposed regulatory answers below.
The initial question that arises in the preemption analysis is, what does one compare? The statute directs this analysis by requiring the comparison of a "provision of State law [that] imposes requirements, standards, or implementation specifications" with the requirements, standards, or implementation specifications imposed under the federal regulation. The statute thus appears to contemplate that what will be compared are the State and federal requirements that are analogous, i.e., that address the same subject matter. Accordingly, a dictionary-type definition of the term provision does not seem appropriate, as the contours of a given provision will be largely defined by the contours of the specific "requirement[], standard[], or implementation specification" at issue.
What does one do when there is a State provision and no comparable or analogous federal provision, or the converse is the case? The short answer would seem to be that, since there is nothing to compare, there cannot be an issue of a contrary requirement, and so the preemption issue is not presented. Rather, the stand-alone requirement -- be it State or federal -- is effective. There may, however, be situations in which there is a federal requirement with no directly analogous State requirement, but where several State requirements in combination would seem to be contrary in effect to the federal requirement. This situation usually will be addressed through the tests for contrary, discussed below.
At this juncture, it is difficult to frame options for dealing with this issue, because it is not clear that more of a structure is needed than the statute already provides. Rather, we solicit comment on how the term provision might be best defined for the purpose of the preemption analysis under the statute, along with examples of possible problems in making the comparison between a provision of State law and the federal regulations.
It is unclear what the term provision of State law in sections 1178 and 264(c) means. The question is whether the provision in question must, in order to be considered to have preemptive effect, be legislatively enacted or whether administratively adopted or judicially decided State requirements must also be considered. Congress explicitly addressed the same issue in a different part of HIPAA, section 102. Section 102 enacted section 2723 of the Public Health Service Act, which is a preemption provision that applies to issuers of health insurance to ERISA plans. Section 2723 contains in subsection (d)(1) the following definition of State law: The term State law includes all laws, decisions, rules, regulations, or other State action having the effect of law, of any State. A law of the United States applicable only to the District of Columbia shall be treated as a State law rather than a law of the United States.
By contrast, Congress provided no definition of the term State law in section 264. This omission suggests two policy options. One is to adopt the above definition, as a reasonable definition of the term and as an indication of what Congress probably intended in the preemption context (the policy embodied in section 2723 is analogous to that embodied in section 264(c)(2), in the sense that the State laws that are not preempted are ones that provide protections to individuals that go above and beyond the federal requirements). The other option is to argue by negative implication that, since Congress could have but did not enact the above definition in connection with sections 264 and 1178, it intended that a different definition be used, and that the most reasonable alternative is to limit the State laws to be considered to those that have been legislatively enacted.
The Department does not consider the latter option to be a realistic one. It is legally questionable and is also likely to be extremely confusing and unworkable as a practical matter, as it will be difficult to divorce State laws from implementing administrative regulations or decisions or from judicial decisions. Also, much State privacy law -- e.g., the law concerning the physician/patient privilege -- is not found in statutes, but is rather in State common law. Finally, since health care providers and others are bound by State regulations and decisions, they would most likely find a policy that drew a line based on where a legal requirement originated very confusing and unhelpful. As a result, we conclude that the language in section 102 represents a legally supportable approach that is, for practical reasons, a realistic option, and it is accordingly proposed in proposed § 160.202 below.
The meaning of the term relate to has been extensively adjudicated in a somewhat similar context, the issue of the preemption of State laws by ERISA. Section 514(a) of ERISA (29 U.S.C. 1144(a)) provides that ERISA shall supersede any and all State laws insofar as they may now or hereafter relate to any employee benefit plan. (Emphasis added.) The U.S. Supreme Court alone has decided 17 ERISA preemption cases, and there are numerous lower court cases. The term also has been interpreted in other contexts. Thus, there would seem to be several options for defining the term relates to: (1) by using the criteria developed by the Supreme Court as they evolve, (2) by using the criteria developed by the Supreme Court, but on a static basis, and (3) based on the legislative history, by setting federal criteria.
The first option would be based on the definition adopted in an early ERISA case, Shaw v. Delta Airlines, Inc., 463 U.S. 85 (1983), as it continues to evolve. In Shaw, a unanimous Supreme Court adopted a very broad reading of the term, holding that a law relates to an employee benefit plan if it has a connection with or reference to such a plan. Later cases have developed a more particularized and complex definition of this general definition. The Supreme Court has also applied the Shaw definition outside of the ERISA context. In Morales v. Trans World Airlines, 504 U.S. 374 (1992), the Court defined the term relating to in the Airline Deregulation Act by using the definition of the term relates to developed under the ERISA cases above. While this option would appear to be a supportable reading of the statutory term, tying the agency interpretation to an evolving court interpretation will make it more difficult to make judgments, and particular judgments may change as the underlying court interpretations change.
The second option we considered would freeze the definition of relates to as the Court has currently defined it. This option also is a supportable reading of the statutory term, but is less of a moving target than the prior option. The complexity of the underlying court definition presents problems.
The option selected and reflected in the rules proposed below grows out of the movement in recent years of the Supreme Court away from the literal, textual approach of Shaw and related cases to an analysis that looks more at the purposes and effects of the preemption statute in question. In New York State Conference of Blue Cross v. Travelers Insurance Co., 514 U.S. 645 (1995), the Court held that the proper inquiry in determining whether the State law in question related to an employee benefit plan was to look to the objectives of the [ERISA] statute as a guide to the scope of the State law that Congress understood would survive. The Court drew a similar line in Morales, concluding that State actions that affected airline rates, routes, or services in too tenuous, remote, or peripheral a manner would not be preempted. 504 U.S. at 384. The Court drew a conceptually consistent line with respect to the question of the effect of a State law in English v. General Electric Co., 496 U.S. 72, 84 (1990); see also, Gade v. National Solid Wastes Management Assn., 505 U.S. 88 (1992). The Court held that deciding which State laws were preempted by the OSH Act required also looking at the effect of the State law in question, and that those which regulated occupational safety and health in a clear, direct, and substantial way would be preempted. These cases suggest an approach that looks to the legislative history of HIPAA and seeks to determine what kinds of State laws Congress meant, in this area, to leave intact and also seeks to apply more of a rule of reason in deciding which State laws relate to privacy and which do not.
The legislative history of HIPAA offers some insight into the meaning of the term relates to. The House Report (House Rep. No. 496, 104th Cong., 2d Sess., at 103) states that
The intent of this section is to ensure that State privacy laws that are more stringent than the requirements and standards contained in the bill are not superseded.
Based on this legislative history, one could argue that the State laws covered by the relates to clause are simply those that are specifically or explicitly designed to regulate the privacy of personal health information, and not ones that might have the incidental effect of doing so. Thus, the option selected below appears to be consistent with the Court's approach in Travelers, and, together with the effect test, seems to be closer to how the Court is analyzing preemption issues. It makes sense on a common sense basis as well, and appears, from the little legislative history available, to be what Congress intended in this context.
The statute uses the same language in both section 1178(a)(1) and section 264(c)(2) to delineate the general precondition for preemption: the provision of State law must be contrary to the relevant federal requirement, standard, or implementation specification; the term contrary, however, is not defined. It should be noted that this issue (the meaning of the term contrary) does not arise solely in the context of the proposed privacy standard. The term contrary appears throughout section 1178(a) and is a precondition for any preemption analysis done under that section.
The definition set out at proposed § 160.202 embodies the tests that the courts have developed to analyze what is known as conflict preemption. In this analysis, the courts will consider a provision of State law to be in conflict with a provision of federal law where it would be impossible for a private party to comply with both State and federal requirements or where the provision of State law stands as an obstacle to the accomplishment and execution of the full purposes and objectives of Congress. This latter test has been further defined as, where the State law in question "interferes with the methods by which the federal statute was designed to reach [its] goal." International Paper Co. v. Ouellette, 479 U.S. 481, 494 (1987). In Gade, the Supreme Court applied this latter test to preempt an Illinois law and regulations that imposed additional, non-conflicting conditions on employers, holding that the additional conditions conflicted with the underlying congressional purpose to have one set of requirements apply. This test, then, is particularly relevant with respect to the other HIPAA regulations, where Congress clearly intended uniform standards to apply nationwide.
The Department is of the view that this definition should be workable and is probably what Congress intended in using the term -- as a shorthand reference to the case law. We considered a broader definition (inconsistent with), but rejected it on the grounds that it would have less legal support and would be no easier to apply than the statutory term contrary itself.
The issue of when a provision of State law is more stringent than the comparable requirements, standards, or implementation specifications of the HIPAA privacy regulation is not an easy one. In general, it seems reasonable to assume that more stringent means providing greater privacy protection, but such an interpretation leads to somewhat different applications, depending on the context. For example, a State law that provided for fewer and more limited disclosures than the HIPAA privacy regulation would be more stringent. At the same time, a State law that provides for more and/or greater penalties for wrongful disclosures than does the HIPAA privacy regulation would also be more stringent. Thus, in the former case, more stringent means less or fewer, while in the latter case, more stringent means more or greater. In addition, some situations are more difficult to characterize. For example, if the HIPAA privacy regulation requires disclosure to the individual on request and a State law prohibits disclosure in the circumstance in question, which law is more stringent or provides more privacy protection?
A continuum of regulatory options is available. At one end of the continuum is the minimalist approach of not interpreting the term more stringent further or spelling out only a general interpretation, such as the "provides more privacy protection" standard, and leaving the specific applications to later case-by-case determinations. At the other end of the continuum is the approach of spelling out in the regulation a number of different applications, to create a very specific analytic framework for future determinations. We propose below the latter approach for several reasons: specific criteria will simplify the determination process for agency officials, as some determinations will be already covered by the regulation, while others will be obvious; specific criteria will also provide guidance for determinations where the issue of stringency is not obvious; courts will be more likely to give deference to agency determinations, leading to greater uniformity and consistency of expectation; and the public, regulated entities, and States will have more notice as to what the determinations are likely to be.
The specific criteria proposed at proposed § 160.202 are extrapolated from the principles of the fair information practices that underlie and inform these proposed rules and the Secretary's Recommendations. For example, limiting disclosure of personal health information obviously protects privacy; thus, under the criteria proposed below, the law providing for less disclosure is considered to be more stringent. Similarly, as the access of an individual to his or her protected health information is considered to be central to enabling the individual to protect such information, the criteria proposed below treat a law granting greater rights of access as more stringent. We recognize that many State laws require patients to authorize or consent to disclosures of their health information for treatment and/or payment purposes. We consider individual authorization generally to be more protective of privacy interests than the lack of such authorization, so such State requirements would generally stand, under the definition proposed below.
However, we would interpret a State law relating to individual authorization to be preempted if the law requires, or would permit a provider or health plan to require, as a condition of treatment or payment for health care, an individual to authorize uses or disclosures for purposes other than treatment, payment and health care operations, and if such authorization would override restrictions or limitations in this regulation relating to the uses and disclosures for purposes other than treatment, payment and health care operations. For example, if a State law permitted or required a provider to obtain an individual authorization for disclosure as a condition of treatment, and further permitted the provider to include in the authorization disclosures for research or for commercial purposes, the State law would be preempted with respect to the compelled authorization for research or commercial purposes. At the same time, if a State law required a provider to obtain an individual authorization for disclosure as a condition of treatment, and further required the provider to include an authorization for the provider to disclose data to a State data reporting agency, such a law would not be preempted, because State laws that require such data reporting are saved from preemption under section 1178(c) of the statute.
In addition, to the extent that a State consent law does not contain other consent or authorization requirements that parallel or are stricter than the applicable federal requirements, those detailed federal requirements would also continue to apply. We solicit comment in particular on how these proposed criteria would be likely to operate with respect to particular State privacy laws.
Because States generally have laws that relate to the privacy of individually identifiable health information, there may be conflicts between provisions of various State laws and the federal requirements. Where such conflicts appear to exist, questions may arise from the regulated entities or from the public concerning which requirements apply. It is possible that such questions may also arise in the context of the Secretary's enforcement of the civil monetary penalty provisions of section 1176. The Secretary accordingly proposes to adopt the following process for responding to such comments and making the determinations necessary to carry out her responsibilities under section 1176.
The rules proposed below would establish two related processes: one for making the determinations called for by section 1178(a)(2)(A) of the Act and the other for issuing advisory opinions regarding whether a provision of State law would come within the exception provided for by section 1178(a)(2)(B).
The rules proposed below should not usually implicate section 1178(a)(2)(A), which provides that a State law will not be preempted where the Secretary determines it is necessary for one or more of five specific purposes: (1) to prevent fraud and abuse; (2) to ensure appropriate State regulation of insurance and health plans; (3) for State reporting on health care delivery or costs; (4) for other purposes; or (5) which address controlled substances. The process for implementing this statutory provision is proposed here, because the issue of how such preemption issues will be handled has been raised in prior HIPAA rulemakings and needs to be addressed, and, as explained above, the statutory provision itself is fairly intertwined (in terms of the specific terms used), with the preemption provisions of the statute that relate to privacy.
The process proposed below for determinations by the Secretary would permit States to request an exception to the general rule of preemption. The decision to limit, at least as an initial matter, the right to request such determinations to States was made for several reasons. First, States are obviously most directly concerned by preemption, in that it is State legislative, judicial, or executive action that the federal requirements supersede. Principles of comity dictate that States be given the opportunity to make the case that their laws should not be superseded. Second, States are in the best position to address the issue of how their laws operate and what their intent is, both of which are relevant to the determination to be made. Third, we need to control the process as an initial matter, so that the Secretary is not overwhelmed by requests. Fourth, where particular federal requirements will have a major impact on providers, plans, or clearinghouses within a particular State, we assume that they will be able to work with their State governments to raise the issue with the Secretary; the discussion process that such negotiations should entail should help crystallize the legal and other issues for the Secretary and, hence, result in better determinations. We emphasize that HHS may well revisit this issue, once it has gained some experience with the proposed process.
Proposed § 160.204(a)(1) sets out a number of requirements for requests for determinations. In general, the purpose of these requirements is to provide as complete a statement as possible of the relevant information as an initial matter, to minimize the time needed for the Secretarial determination.
The remaining requirements of proposed § 160.204(a) generally are designed to set out an orderly process and effect of the determinations. Of particular note is proposed § 160.204(a)(5), which provides that such determinations apply only to transactions that are wholly intrastate. We recognize that in today's economy, many, perhaps most, transactions will be interstate, so that the effect of a positive determination could be minimal under this provision. Nonetheless, we think that there is no practical alternative to the proposed policy. We do not see how it would be practical to split up transactions that involved more than one State, when one State's law was preempted and the other's was not. We do not see why the non-preempted law should govern the transaction, to the extent it involved an entity in a State whose law was preempted. Quite aside from the sovereignty issues such a result would raise, such a result would be very confusing for the health care industry and others working with it and thus inconsistent with the underlying goal of administrative simplification. Rather, such a situation would seem to be a classic case for application of federal standards, and proposed § 160.204(a)(5) would accordingly provide for this.
The rules proposed below lay out a similar process for advisory opinions under section 1178(a)(2)(B). That section of the statute provides that, subject to the requirements of section 264(c)(2) [the provision of HIPAA that establishes the more stringent preemption test], State laws that relate to the privacy of individually identifiable health information are excepted from the general rule that the HIPAA standards, requirements, and implementation specifications preempt contrary State law.
Unlike section 1178(a)(2)(A), section 1178(a)(2)(B) does not provide for the making of a determination by the Secretary. Nonetheless, it is clear that the Secretary may make judgments about the legal effect of particular State privacy laws in making compliance and enforcement decisions. It is also foreseeable that the Secretary will be asked to take a position on whether particular State privacy laws are preempted or not. We have concluded that the best way of addressing these concerns is to provide a mechanism by which the Secretary can issue advisory opinions, so that the public may be informed about preemption judgments the Secretary has made. See proposed § 160.204(b).
The process proposed below for requesting advisory opinions is limited to States, for the reasons described in the preceding section. The requirements for requests for advisory opinions are similar to the requirements for determinations in proposed § 160.204(a), but are tailored to the different statutory requirements of sections 1178(a)(2)(A) and 264(c)(2). As with proposed § 164.204(a), the process proposed below would provide for publication of advisory opinions issued by the Secretary on an annual basis, to ensure that the public is informed of the decisions made in this area.
Section 1178(b) provides that "Nothing in this part shall be construed to invalidate or limit the authority, power, or procedures established under any law providing for the reporting of disease or injury, child abuse, birth, or death, public health surveillance, or public health investigation or intervention." This section appears to carve out an area over which the States have traditionally exercised oversight and authority -- the collection of vital statistics, the enforcement of laws regarding child abuse and neglect, and the conduct of public health surveillance, investigation, and intervention. State laws in these areas may involve reporting of individually identifiable health information to State or local authorities. Section 1178(b) indicates that existing or future State laws in these areas are enforceable, notwithstanding any privacy requirements adopted pursuant to section 264(c). In addition, covered entities should not be inhibited from complying with requests authorized by State law for release of information by public health authorities for the stated purposes.
It should be noted that the limitation of section 1178(b) applies to the authority, power, or procedures established under any law. Public health laws often convey broad general authorities for the designated agency to protect public health, including enforcement powers, and these State authorities and powers would remain enforceable. Further, section 1178(b) also covers procedures authorized by law; we read this language as including State administrative regulations and guidelines.
The proposed rules propose to address these concerns by treating the disclosures covered by section 1178(b) as allowable disclosures for public health activities under proposed § 164.510(b). Thus, those disclosures permitted under proposed § 164.510(b) are intended to be, with respect to disclosures authorized by State law, at least as broad as section 1178(b). This means that disclosures that are authorized by State law but which do not come within the scope of proposed § 164.510(b) are considered to fall outside of the limitation of section 1178(b). In addition, since similar activities and information gathering are conducted by the federal government, disclosures to public health authorities authorized by federal law would be permitted disclosures under this proposed rule and applicable federal law will govern the use and re-disclosure of the information.
Section 1178(c) provides that nothing in part C of title XI limits the ability of States to require health plans to report, or to provide access to, information for management audits, financial audits, program monitoring and evaluation, facility licensure or certification, or individual licensure or certification. This section thus also carves out an area in which the States have traditionally regulated health care as an area which the statute intends to leave in place. State laws requiring the reporting of or access to information of the type covered by section 1178(c) will in certain cases involve the reporting of, or access to, individually identifiable health information. Accordingly, provision has been made for such reporting and access by making such reporting and access permitted disclosures and uses under this proposed rule. See proposed § 164.510(c).