[Federal Register: December 28, 2000 (Volume 65, Number 250)]
[Rules and Regulations]
[Page 82711-82760]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr28de00-34]

[[pp. 82711-82760]] Standards for Privacy of Individually Identifiable Health
Information

[[Continued from page 82710]]

from national surveys while preserving confidentiality and which have
been dealing with these issues for decades. The problems and solutions
being used by these agencies are laid out in detail in the Statistical
Policy Working Paper 22 cited earlier.
    To protect the privacy of individuals providing information to the
Bureau of Census, the Bureau has determined that a geographical region
must contain at least 100,000 people.\20\ This standard has been used
by the Bureau of the Census for many years and is supported by
simulation studies using Census data.\21\ These studies showed that
after a certain point, increasing the size of a geographic area does
not significantly decrease the percentage of unique records (i.e.,
those that could be identified if sampled), but that the point of
diminishing returns is dependent on the number and type of demographic
variables on which matching might occur. For a small number of
demographic variables (6), this point was quite low (about 20,000
population), but it rose quickly to about 50,000 for 10 variables and
to about 80,000 for 15 variables. The Bureau of the Census releases
sets of data to the public that it considers safe from re-
identification because it limits geographical areas to those containing
at least 100,000 people and limits the number and detail of the
demographic variables in the data. At the point of approximately
100,000 population, 7.3% of records were unique (and therefore
potentially identifiable) on 6 demographic variables from the 1990
Census Short Form: Age in years (90 categories), race (up to 180
categories), sex (2 categories), relationship to householder (14
categories), Hispanic (2 categories), and tenure (owner vs. renter in 5
categories). Using 6 variables derived from the Long Form data, age (10
categories), race (6 categories), sex (2 categories), marital status (5
categories), occupation (54 categories), and personal income (10
categories), raised the percentage to 9.8%.
---------------------------------------------------------------------------

    \20\ Statistical Policy Working Paper 22--Report on Statistical
Disclosure Limitation Methodology
(http://www.fcsm.gov/working-papers/wp22.html) (prepared by the
Subcommittee on Disclosure Limitation Methodology, Federal Committee on
Statistical Methodology, Office of Management and Budget).
    \21\ The Geographic Component of Disclosure Risk for Microdata.
Brian Greenberg and Laura Voshell. Bureau of the Census Statistical
Research Division Report: Census/SRD/RR-90-13, October, 1990.
---------------------------------------------------------------------------

    We also examined the results of an NCHS simulation study using
national survey data\22\ to see if some scientific support could be
found for a compromise. The study took random samples from populations
of different sizes and then compared the samples to the whole
population to see how many records were identifiable, that is, matched
uniquely to a unique person in the whole population on the basis of 9
demographic variables: Age (85 categories), race (4 categories), gender
(2 categories), ethnicity (2 categories), marital status (3
categories), income (3 categories), employment status (2 categories),
working class (4 categories), and occupation (42 categories). Even when
some of the variables are aggregated or coded, from the perspective of
a large statistical agency desiring to release data to the public, the
study concluded that a population size of 500,000 was not sufficient to
provide a reasonable guarantee that certain individuals could not be
identified. About 2.5% of the sample from the population of 500,000
was uniquely identifiable, regardless of sample size. This percentage
rose as the size of the population decreased, to about 14% for a
population of 100,000 and to about 25% for a population of 25,000.
Eliminating the occupation variable (which is less likely to be found
in health data) reduced this percentage significantly to about 0.4%,
3%, and 10% respectively. These percentages of unique records (and thus
the potentials for re-identification) are highly dependent on the
number of variables (which must also be available in other databases
which are identified to be considered in a disclosure risk analysis),
the categorical breakdowns of those variables, and the level of
geographic detail included.
---------------------------------------------------------------------------

    \22\ A Simulation Study of the Identifiability of Survey
Respondents when their Community of Residence is Known. John Horm,
National Center for Health Statistics, 2000.
---------------------------------------------------------------------------

    With respect to how we might clarify the requirement to achieve a
``low probability'' that information could be identified, the
Statistical Policy Working Paper 22 referenced above discusses the
attempts of several researchers to define mathematical measures of
disclosure risk only to conclude that ``more research into defining a
computable measure of risk is necessary.'' When we considered whether
we could specify a maximum level of risk of disclosure with some
precision (such as a probability or risk of identification of 0.01), we
concluded that it is premature to assign mathematical precision to the
``art'' of de-identification.
    After evaluating current practices and recognizing the expressed
need for some geographic indicators in otherwise de-identified
databases, we concluded that permitting geographic identifiers that
define populations of greater than 20,000 individuals is an appropriate
standard that balances privacy interests against desirable uses of de-
identified data. In making this determination, we focused on the
studies by the Bureau of Census cited above which seemed to indicate
that a population size of 20,000 was an appropriate cut off if there
were relatively few (6) demographic variables in the database. Our
belief is that, after removing the required identifiers to meet the
safe harbor standards, the number of demographic variables retained in
the databases will be relatively small, so that it is appropriate to
accept a relatively low number as a minimum geographic size.
    In applying this provision, covered entities must replace the
(currently 18) forbidden 3-digit zip codes with zeros and thus treat
them as a single geographic area (with >20,000 population). The list of
the forbidden 3-digit zip codes will be maintained as part of the
updated Secretarial guidance referred to above. Currently, they are:
022, 036, 059, 102, 203, 555, 556, 692, 821, 823, 830, 831, 878, 879,
884, 893, 987, and 994. This will result in an average 3-digit zip code
area population of 287,858 which should result in an average of about
4% unique records using the 6 variables described above from the Census
Short Form. Although this level of unique records will be much higher
in the smaller geographic areas, the actual risk of identification will
be much lower because of the limited availability of comparable data in
publicly available, identified databases, and will be further reduced
by the low probability that someone will expend the resources to try to
identify records when the chance of success is so small and uncertain.
We think this compromise will meet the current need for an easy method
to identify geographic area while providing adequate protection from
re-identification. If a greater level of geographical detail is
required for a particular use, the information will have to be obtained
through another permitted mechanism or be subjected to a specific de-
identification determination as described above. We will monitor the
availability of identified public data and the concomitant re-
identification risks, both theoretical and actual, and adjust this safe
harbor in the future as necessary.
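As an added illustration (not part of the rule text), the following Python computes the disclosure-risk measure the Census and NCHS studies above report, the fraction of records that are unique on a chosen set of demographic variables, and applies the safe harbor geographic rule from this paragraph: a ZIP code is reduced to its 3-digit prefix and the 18 listed prefixes are replaced with zeros. The sample records, variable names and categories are constructed for the example.

```python
"""
Added example: record-uniqueness (disclosure risk) measurement plus the
safe harbor 3-digit ZIP generalization described in the preamble.
Sample data below is constructed, not drawn from any real dataset.
"""
from collections import Counter

# The 18 three-digit ZIP prefixes the rule lists as forbidden (areas of
# 20,000 people or fewer); the rule says to replace them with zeros.
FORBIDDEN_ZIP3 = {
    "022", "036", "059", "102", "203", "555", "556", "692", "821",
    "823", "830", "831", "878", "879", "884", "893", "987", "994",
}


def safe_harbor_zip(zip_code: str) -> str:
    """Reduce a ZIP (5-digit or ZIP+4) to its 3-digit prefix; prefixes on
    the forbidden list collapse to "000" so they form one pooled area."""
    digits = "".join(ch for ch in zip_code if ch.isdigit())
    if len(digits) < 3:
        raise ValueError(f"not a ZIP code: {zip_code!r}")
    zip3 = digits[:3]
    return "000" if zip3 in FORBIDDEN_ZIP3 else zip3


def unique_fraction(records, variables):
    """Fraction of records whose combination of `variables` occurs exactly
    once. These are the 'unique records' the studies treat as potentially
    identifiable when an identified database with the same variables exists."""
    keys = [tuple(r[v] for v in variables) for r in records]
    counts = Counter(keys)
    uniques = sum(1 for k in keys if counts[k] == 1)
    return uniques / len(keys) if keys else 0.0


def apply_safe_harbor(records):
    """Return copies with the direct identifier dropped and the ZIP
    generalized; other demographic variables are left as they are."""
    out = []
    for r in records:
        g = {k: v for k, v in r.items() if k not in ("name", "zip")}
        g["zip3"] = safe_harbor_zip(r["zip"])
        out.append(g)
    return out


# Constructed sample: a direct identifier, a full ZIP and two demographic
# variables. Prefixes 036 and 059 are on the forbidden list; 100 is not.
SAMPLE = [
    {"name": "A", "zip": "03601", "age": "30-39", "sex": "F"},
    {"name": "B", "zip": "03602", "age": "30-39", "sex": "F"},
    {"name": "C", "zip": "05901", "age": "30-39", "sex": "F"},
    {"name": "D", "zip": "10001", "age": "40-49", "sex": "M"},
    {"name": "E", "zip": "10002", "age": "40-49", "sex": "M"},
    {"name": "F", "zip": "10003", "age": "50-59", "sex": "M"},
]


def risk_before_and_after(records=SAMPLE):
    """Uniqueness on (geography, age, sex) with full ZIPs versus after the
    safe harbor generalization. Returns (before, after)."""
    before = unique_fraction(records, ("zip", "age", "sex"))
    after = unique_fraction(apply_safe_harbor(records), ("zip3", "age", "sex"))
    return before, after


if __name__ == "__main__":
    b, a = risk_before_and_after()
    print(f"unique records with full ZIP: {b:.1%}")
    print(f"unique records after safe harbor ZIP3: {a:.1%}")
```

The same `unique_fraction` can be run over any variable set to reproduce the kind of comparison the studies make (more variables or finer categories raise the unique share; coarser geography lowers it).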
    As we stated above, we understand that many commenters would prefer
a looser standard for determining when information is de-identified,
both generally and with respect to the standards for identifying
geographic
area. However, because public databases (such as voter records or
driver's license records) that include demographic information about a
geographically defined population are available, a surprisingly large
percentage of records of health information that contain similar
demographic information can be identified. Although the number of these
databases seems to be increasing, the number of demographic variables
within them still appears to be fairly limited. The number of cases of
privacy violation from health records which have been identified in
this way is small to date. However, the risk of identification
increases with decreasing population size, with increasing amounts of
demographic information (both in level of detail and number of
variables), and with the uniqueness of the combination of such
information in the population. That is, an 18-year-old single white
male student is not at risk of identification in a database from a
large city such as New York. However, if the database were about a
small town where most of the inhabitants were older, retired people of
a specific minority race or ethnic group, that same person might be
unique in that community and easily identified. We believe that the
policy that we have articulated reaches the appropriate balance between
reasonably protecting privacy and providing a sufficient level of
information to make de-identified databases useful.
    Comments: Some comments noted that identifiers that accompany
photographic images are often needed to interpret the image and that it
would be difficult to use the image alone to identify the individual.
    Response: We agree that our proposed requirement to remove all
photographic images was more than necessary. Many photographs of
lesions, for example, which cannot usually be used alone to identify an
individual, are included in health records. In this final rule, the
only absolute requirement is the removal of full-face photographs, and
we depend on the ``catch-all'' of ``any other unique * * *
characteristic * * * '' to pick up the unusual case where another type
of photographic image might be used to identify an individual.
    Comments: A number of commenters felt that the proposed bar for
removal had been set too high; that the removal of these 19 identifiers
created a difficult standard, since some identifiers may be buried in
lengthy text fields.
    Response: We understand that some of the identifiers on our list
for removal may be buried in text fields, but we see no alternative
that protects privacy. In addition, we believe that such unstructured
text fields have little or no value in a de-identified information set
and would be removed in any case. With time, we expect that such
identifiers will be kept out of places where they are hard to locate
and expunge.
    Comments: Some commenters asserted that this requirement creates a
disincentive for covered entities to de-identify data and would
compromise the Secretary's desire to see de-identified data used for a
multitude of purposes. Others stated that the ``no reason to believe''
test creates an unreasonable burden on covered entities, and would
actually chill the release of de-identified information, and set an
impossible standard.
    Response: We recognize that the proposed standards might have
imposed a burden that could have prevented the widespread use of de-
identified information. We believe that our modifications to the final
rule discussed above will make the process less burdensome and remove
some of the disincentive. However, we could not loosen the standards as
far as many commenters wanted without seriously jeopardizing the
privacy of the subjects of the information. As discussed above, we
modify the ``no reason to know'' standard that was part of the safe
harbor provision and replace it in the final rule with an ``actual
knowledge'' standard. We believe that this change provides additional
certainty to covered entities using the safe harbor and should
eliminate any chilling effect.
    Comments: Although most commenters wanted to see data elements
taken off the list, there were a small number of commenters that wanted
to see data items added to the list. They believed that it is also
necessary to remove clinical trial record numbers, device model serial
numbers, and all proper nouns from the records.
    Response: In response to these requests, we have slightly revised
the list of identifiers that must be removed under the safe harbor
provision. Clinical trial record numbers are included in the general
category of ``any other unique identifying number, characteristic, or
code.'' These record numbers cannot be included with de-identified
information because, although the availability of clinical trial
numbers may be limited, they are used for other purposes besides de-
identification/re-identification, such as identifying clinical trial
records, and may be disclosed under certain circumstances. Thus, they
do not meet the criteria in the rule for use as a unique record
identifier for de-identified records. Device model serial numbers are
included in ``any device identifier or serial number'' and must be
removed. We considered the request to remove all proper nouns to be
very burdensome to implement for very little increase in privacy and
likely to be arbitrary in operation, and so it is not included in the
final rule.

Re-Identification

    Comments: One commenter wanted to know if the rule requires that
covered entities retain the ability to re-identify de-identified
information.
    Response: The rule does not require covered entities to retain the
ability to re-identify de-identified information, but it does allow
them to retain this ability.
    Comments: A few commenters asked us to prohibit anyone from re-
identifying de-identified health information.
    Response: We do not have the authority to regulate persons other
than covered entities, so we cannot affect attempts by entities outside
of this rule to re-identify information. Under the rule, we permit the
covered entity that created the de-identified information to re-
identify it. However, we include a requirement that, when a unique
record identifier is included in the de-identified information, such
identifier must not be such that someone other than the covered entity
could use it to identify the individual (such as when a derivative of
the individual's name is used as the unique record identifier).

Section 164.514(d)--Minimum Necessary

    Comment: A large number of commenters objected to the application
of the proposed ``minimum necessary'' standard for uses and disclosures
of protected health information to uses and disclosures for treatment
purposes. Some suggested that the final regulation should establish a
good faith exception or safe harbor for disclosures made for treatment.
    The overwhelming majority of commenters, generally from the medical
community, argued that application of the proposed standard would be
contrary to sound medical practice, increase medical errors, and lead
to an increase in liability. Some likened the standard to a ``gag
clause'' in that it limited the exchange of information critical for
quality patient care. They found the standard unworkable in daily
treatment situations. They argued that this standard would be
potentially dangerous in that it could cause practitioners to withhold
information that could be essential for later care. Commenters asserted
that caregivers need to be able to give and receive a
complete picture of the patient's health to make a diagnosis and
develop a treatment plan.
    Other commenters noted that the complexity of medicine is such that
it is unreasonable to think that anyone will know the exact parameters
of the information another caregiver will need for proper diagnosis and
treatment or that a plan will need to support quality assurance and
improvement activities. They therefore suggested that the minimum
necessary standard be applied instead as an administrative requirement.
    Providers also emphasized that they already have an ethical duty to
limit the sharing of unnecessary medical information, and most already
have well-developed guidelines and practice standards in place.
Concerns were also voiced that attempts to provide the minimum
necessary information in the treatment setting would lead to multiple
editions of a record or creation of summaries that turn out to omit
crucial information resulting in confusion and error.
    Response: In response to these concerns, we substantially revise
the minimum necessary requirements. As suggested by certain commenters,
we provide, in Sec. 164.502(b), that disclosures of protected health
information to or requests by health care providers for treatment are
not subject to the minimum necessary standard. We also modify the
requirements for uses of protected health information. This final rule
requires covered entities to make determinations of minimum necessary
use, including use for treatment purposes, based on the role of the
person or class of workforce members rather than at the level of
specific uses. A covered entity must establish policies and procedures
that identify the types of persons who are to have access to designated
categories of information and the conditions, if any, of that access.
We establish no requirements specific to a particular use of
information. Covered entities are responsible for establishing and
documenting these policies and procedures. This approach is consistent
with the argument of many commenters that guidelines and practice
standards are appropriate means for protecting the privacy of patient
information.
    Comment: Some commenters argued that the standard should be
retained in the treatment setting for uses and disclosures pertaining
to mental health information. Some of these commenters asserted that
other providers do not need to know the mental status of a patient for
treatment purposes.
    Response: We agree that the standard should be retained for uses of
mental health information in the treatment setting. However, we believe
that the arguments for excepting disclosures of protected health
information for treatment purposes from application of the minimum
necessary standard are also persuasive with respect to mental health
information. An individual's mental health can interact with proper
treatment for other conditions in many ways. Psychoactive medications
may have harmful interactions with drugs routinely prescribed for other
purposes; an individual's mental health history may help another health
care provider understand the individual's ability to abide by a
complicated treatment regimen. For these reasons, it is also not
reasonable to presume that, in every case, a health care provider will
not need to know an individual's mental health status to provide
appropriate treatment.
    Providers' comments noted existing ethical duties to limit the
sharing of unnecessary medical information, and well-developed
guidelines and practice standards for this purpose. Under this rule,
providers may use these tools to guide their discretion in disclosing
health information for treatment.
    Comment: Several commenters urged that covered entities should be
required to conspicuously label records to show that they are not
complete. They argued that absent such labeling, patient care could be
compromised.
    Response: We believe that the final policy to except disclosures of
protected health information for treatment purposes from application of
the minimum necessary standard addresses these commenters' concerns.
    Comment: Some commenters argued that the audit exception to the
minimum necessary requirements needs to be clarified or expanded,
because ``audit'' and ``payment'' are essentially the same thing.
    Response: We eliminate this exception. The proposed exclusion of
disclosures to health plans for audit purposes is replaced with a
general requirement that covered entities must limit requests to other
covered entities for individually identifiable health information to
what is reasonably necessary for the purpose intended.
    Comment: Many commenters argued that the proposed standard was
unworkable as applied to ``uses'' by a covered entity's employees,
because the proposal appeared not to allow providers to create general
policy as to the types of records that particular employees may have
access to but instead required that each decision be made
``individually,'' which providers interpret as ``case-by-case.''
Commenters argued that the standard with regard to ``uses'' would be
impossible to implement and prohibitively expensive, requiring both
medical and legal input to each disclosure decision.
    Some commenters recommended deletion of the minimum necessary
standard with regard to ``uses.'' Other commenters specifically
recommended deletion of the requirement that the standard be applied on
an individual, case-by-case basis. Rather, they suggested that the
covered entity be allowed to establish general policies to meet the
requirement. Another commenter similarly urged that the standard not
apply to internal disclosures or for internal health care operations
such as quality improvement/assurance activities. The commenter
recommended that medical groups be allowed to develop their own
standards to ensure that these activities are carried out in a manner
that best helps the group and its patients.
    Other commenters expressed confusion and requested clarification as
to how the standard as proposed would actually work in day-to-day
operations within an entity.
    Response: Commenters' arguments regarding the workability of this
standard as proposed were persuasive, and we therefore make significant
modification to address these comments and improve the workability of
the standard. For all uses and many disclosures, we require covered
entities to include in their policies and procedures (see
Sec. 164.530), which may be standard protocols, for ``minimum
necessary'' uses and disclosures. We require implementation of such
policies in lieu of making the ``minimum necessary'' determination for
each separate use and disclosure.
    For uses, covered entities must implement policies and procedures
that restrict access to and use of protected health information based
on the specific professional roles of members of the covered entity's
workforce. The policies and procedures must identify the persons or
classes of persons in the entity's workforce who need access to
protected health information to carry out their duties and the category
or categories of protected health information to which such persons or
classes need access. These role-based access rules must also identify
the conditions, as appropriate, that would apply to such access. For
example, an institutional health care provider could allow physicians
access to all records under the condition that the viewing of medical
records of patients not under their care is recorded and reviewed.
Other health professionals' access could
be limited to time periods when they are on duty. Information available
to staff who are responsible for scheduling surgical procedures could
be limited to certain data. In many instances, use of order forms or
selective copying of relevant portions of a record may be appropriate
policies to meet this requirement.
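An added example, not from the rule or from HHS, of how the role-based policies and access conditions described in the paragraph above could be expressed and evaluated in code. The roles, information categories and conditions are assumptions modeled on the preamble's illustrations (physicians may view all records but viewing patients not under their care is recorded for review; some staff have access only while on duty; schedulers see only scheduling data).

```python
"""
Added example: a small role-based "minimum necessary" access policy with
conditions, evaluated per request. Roles and categories are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RoleRule:
    fields: frozenset                         # PHI categories the role may use
    on_duty_only: bool = False                # condition: only while on duty
    review_if_not_own_patient: bool = False   # condition: record and review


# Assumed policy: who gets which categories, and under what conditions.
POLICY = {
    "physician": RoleRule(
        fields=frozenset({"demographics", "diagnoses", "medications",
                          "notes", "schedule"}),
        review_if_not_own_patient=True),
    "nurse": RoleRule(
        fields=frozenset({"demographics", "diagnoses", "medications",
                          "schedule"}),
        on_duty_only=True),
    "scheduler": RoleRule(
        fields=frozenset({"demographics", "schedule"})),
}


@dataclass(frozen=True)
class Decision:
    granted: frozenset        # categories released to the requester
    denied: frozenset         # categories withheld under minimum necessary
    flag_for_review: bool     # access to be recorded and reviewed later


def evaluate(role, requested, *, on_duty=True, own_patient=True):
    """Apply the role's rule to a requested set of categories. Unknown
    roles and off-duty requests under an on-duty-only rule get nothing."""
    rule = POLICY.get(role)
    req = frozenset(requested)
    if rule is None or (rule.on_duty_only and not on_duty):
        return Decision(frozenset(), req, False)
    granted = req & rule.fields
    review = rule.review_if_not_own_patient and not own_patient and bool(granted)
    return Decision(granted, req - granted, review)


# Constructed in-memory review log; a real system would write an audit record.
REVIEW_LOG = []


def access(role, user, patient_id, requested, **context):
    """Evaluate a request and record it for review when the policy says so."""
    decision = evaluate(role, requested, **context)
    if decision.flag_for_review:
        REVIEW_LOG.append((user, patient_id, tuple(sorted(decision.granted))))
    return decision


if __name__ == "__main__":
    d = access("scheduler", "s1", "p42", {"demographics", "diagnoses", "schedule"})
    print("scheduler granted:", sorted(d.granted), "denied:", sorted(d.denied))
    d = access("physician", "dr1", "p42", {"notes"}, own_patient=False)
    print("physician flagged for review:", d.flag_for_review, REVIEW_LOG)
```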
    Routine disclosures also are not subject to individual review;
instead, covered entities must implement policies and procedures (which
may be standard protocols) to limit the protected health information in
routine disclosures to the minimum information reasonably necessary to
achieve the purpose of that type of disclosure. For non-routine
disclosures, a covered entity must develop reasonable criteria to limit
the protected health information disclosed to the minimum necessary to
accomplish the purpose for which disclosure is sought, and to implement
procedures for review of disclosures on an individual basis.
    We modify the proposed standard to require the covered entity to
make ``reasonable efforts'' to meet the minimum necessary standard (not
``all'' reasonable efforts, as proposed). What is reasonable will vary
with the circumstances. When it is practical to use order forms or
selective copying of relevant portions of the record, the covered
entity is required to do so. Similarly, this flexibility in the
standard takes into account the ability of the covered entity to
configure its record system to allow selective access to only certain
fields, and the practicality of organizing systems to allow this
capacity. It might be reasonable for a covered entity with a highly
computerized information system to implement a system under which
employees with certain functions have access to only limited fields in
patient records, while other employees have access to the complete
records. Such a system might not be reasonable for a covered entity
with a largely paper records system.
    Covered entities' policies and procedures must provide that
disclosure of an entire medical record will not be made except pursuant
to policies which specifically justify why the entire medical record is
needed.
    We believe that these modifications significantly improve the
workability of this standard. At the same time, we believe that asking
covered entities to assess their practices and establish rules for
themselves will lead to significant improvements in the privacy of
health information. See the preamble for Sec. 164.514 for a more
detailed discussion.
    Comment: The minimum necessary standard should not be applied to
uses and disclosures for payment or health care operations.
    Response: Commenters' arguments for exempting these uses and
disclosures from the minimum necessary standard were not compelling. We
believe that our modifications to application of the minimum necessary
standard to internal uses of protected health information, and to
routine disclosures, address many of the concerns raised, particularly
the concerns about administrative burdens and the concerns about having
the information necessary for day-to-day operations. We do not
eliminate this standard in part because we also remain concerned that
covered entities may be tempted to disclose an entire medical record
when only a few items of information are necessary, to avoid the
administrative step of extracting the necessary information (or
redacting the unnecessary information). We also believe this standard
will cause covered entities to assess their privacy practices, give the
privacy interests of their patients and enrollees greater attention,
and make improvements that might otherwise not have been made. For this
reason, the privacy benefits of retaining the minimum necessary
standard for these purposes outweigh the burdens involved. We note that
the minimum necessary standard is tied to the purpose of the
disclosure; thus, providers may disclose protected health information
as necessary to obtain payment.
    Comment: Other commenters urged us to apply a ``good faith''
provision to all disclosures subject to the minimum necessary standard.
Commenters presented a range of options to modify the proposed
provisions which, in their view, would have mitigated their liability
if they failed to comply with minimum necessary standard.
    Response: We believe that the modifications to this standard,
described above, substantially address these commenters' concerns. In
addition to allowing the covered entity to use standard protocols for
routine disclosures, we modify the standard to require a covered entity
to make ``reasonable efforts,'' not ``all'' reasonable efforts as
proposed, in making the ``minimum necessary'' disclosure.
    Comments: Some commenters complained that language in the proposed
rule was vague and provided little guidance, and should be abandoned.
    Response: In the preamble for Sec. 164.504 and these responses to
comments, we provide further guidance on how a covered entity can
develop its policies for the minimum necessary use and disclosure of
protected health information. We do not abandon this standard for the
reasons described above. We remain concerned about the number of
persons who have access to identifiable health information, and believe
that causing covered entities to examine their practices will have
significant privacy benefits.
    Comment: Some commenters asked that the minimum necessary standard
should not be applied to disclosures to business partners. Many of
these commenters articulated the burdens they would bear if every
disclosure to a business partner was required to meet the minimum
necessary standard.
    Response: We do not agree. In this final rule, we minimize the
burden on covered entities in the following ways: in circumstances
where disclosures are made on a routine, recurring basis, such as in
on-going relationships between covered entities and their business
associates, individual review of each routine disclosure has been
eliminated; covered entities are required only to develop standard
protocols to apply to such routine disclosures made to business
associates (or types of business associates). In addition, we allow
covered entities to rely on the representation of a professional hired
to provide professional services as to what information is the minimum
necessary for that purpose.
    Comment: Some commenters were concerned that applying the standard
in research settings will result in providers declining to participate
in research protocols.
    Response: We have modified the proposal to reduce the burden on
covered entities that wish to disclose protected health information for
research purposes. The final rule requires covered entities to obtain
documentation or statements from persons requesting protected health
information for research that, among other things, describe the
information necessary for the research. We allow covered entities to
reasonably rely on the documentation or statements as describing the
minimum necessary disclosure.
    Comment: Some commenters argued that government requests should not
be subject to the minimum necessary standard, whether or not they are
``authorized by law.''
    Response: We found no compelling reason to exempt government
requests from this standard, other than when a disclosure is required
by law. (See preamble to Sec. 164.512(a) for the
rationale behind this policy). When a disclosure is required by law,
the minimum necessary standard does not apply, whether the recipient of
the information is a government official or a private individual.
    At the same time, we understand that when certain government
officials make requests for protected health information, some covered
entities might feel pressure to comply that might not be present when
the request is from a private individual. For this reason, we allow
(but do not require) covered entities to reasonably rely on the
representations of public officials as to the minimum necessary
information for the purpose.
    Comment: Some commenters argued that requests under proposed
Sec. 164.510 should not be subject to the minimum necessary standard,
whether or not they are ``authorized by law.'' Others argued that for
disclosures made for administrative proceedings pursuant to proposed
Sec. 164.510, the minimum necessary standard should apply unless they
are subject to a court order.
    Response: We found no compelling reason to exempt disclosures for
purposes listed in the regulation from this standard, other than for
disclosures required by law. When there is no such legal mandate, the
disclosure is voluntary on the part of the covered entity, and it is
therefore reasonable to expect the covered entity to make some effort
to protect privacy before making such a disclosure. If the covered
entity finds that redacting unnecessary information, or extracting the
requested information, prior to making the disclosure, is too
burdensome, it need not make the disclosure. Where there is ambiguity
regarding what information is needed, some effort on the part of the
covered entity can be expected in these circumstances.
    We also found no compelling reason to limit the exemption for
disclosures ``required by law'' to those made pursuant to a court
order. The judgment of a state legislature or regulatory body that a
disclosure is required is entitled to no less deference than the same
decision made by a court. For further rationale for this policy, see
the preamble to Sec. 164.512(a).
    Comment: Some commenters argued that, in cases where a request for
disclosure is not required by law, covered entities should be permitted
to rely on the representations by public officials, that they have
requested no more than the minimum amount necessary.
    Response: We agree, and retain the proposed provision which allows
reasonable reliance on the representations of public officials.
    Comment: Some commenters argued that it is inappropriate to require
covered entities to distinguish between disclosures that are ``required
by law'' and those that are merely ``authorized by law,'' for the
purposes of determining when the standard applies.
    Response: We do not agree. Covered entities have an independent
duty to be aware of their legal obligations to federal, state, local
and territorial or tribal authorities. In addition, Sec. 164.514(h)
allows covered entities to reasonably rely on the oral or written
representation of public officials that a disclosure is required by
law.
    Comment: The minimum necessary standard should not be applied to
pharmacists, or to emergency services.
    Response: We believe that the final rule's exemption of disclosures
of protected health information to health care providers for treatment
purposes from the minimum necessary standard addresses these commenters'
concerns about emergency services. Together with the other changes we
make to the proposed standard, we believe we have also addressed most
of the commenters' concerns about pharmacists. With respect to
pharmacists, the comments offered no persuasive reasons to treat
pharmacists differently from other health care providers. Our reasons
for retaining this standard for other uses and disclosures of protected
health information are explained above.
    Comment: A number of commenters argued that the standard should not
apply to disclosures to attorneys, because it would interfere with the
professional duties and judgment of attorneys in their representation
of covered entities. Commenters stated that if a layperson within a
covered entity makes an improper decision as to what the minimum
necessary information is in regard to a request by the entity's
attorney, the attorney may end up lacking information that is vital to
representation. These commenters stated that attorneys are usually
going to be in a better position to determine what information is truly
the minimum necessary for effective counsel and representation of the
client.
    Response: We found no compelling reason to treat attorneys
differently from other business associates. However, to ensure that
this rule does not inadvertently cause covered entities to second-guess
the professional judgment of the attorneys and other professionals they
hire, we modify the proposed policies to explicitly allow covered
entities to rely on the representation of a professional hired to
provide professional services as to what information is the minimum
necessary for that purpose.
    Comment: Commenters from the law enforcement community expressed
concern that providers may attempt to misuse the minimum necessary
standard as a means to restrict access to information, particularly
with regard to disclosures for health oversight or to law enforcement
officials.
    Response: The minimum necessary standard does not apply to
disclosures required by law. Since the disclosures to law enforcement
officials to which this standard applies are all voluntary, there would
be no need for a covered entity to ``manipulate'' the standard; it
could decline to make the disclosure.
    Comment: Some commenters argued that the only exception to the
application of the standard should be when an individual requests
access to his or her own information. Many of these commenters
expressed specific concerns about victims of domestic violence and
other forms of abuse.
    Response: We do not agree with the general assertion that
disclosure to the individual is the only appropriate exception to the
minimum necessary standard. There are other, limited, circumstances in
which application of the minimum necessary standard could cause
significant harm. For reasons described above, disclosures of protected
health information for treatment purposes are not subject to this
standard. Similarly, as described in detail in the preamble to
Sec. 164.512(a), where another public body has mandated the disclosure
of health information, upsetting that judgment in this regulation would
not be appropriate.
    The more specific concerns expressed about victims of domestic
violence and other forms of abuse are addressed in a new provision
regarding disclosure of protected health information related to
domestic violence and abuse (see Sec. 164.512(c)), and in new
limitations on disclosures to persons involved in the individual's care
(see Sec. 164.510(b)). We believe that the limitations we place on
disclosure of health information in those circumstances address the
concerns of these commenters.
    Comment: Some commenters argued that disclosures to next of kin
should be restricted to minimum necessary protected health information,
and to protected health information about only the current medical
condition.
    Response: In the final regulation, we change the proposed provision
regarding ``next of kin'' to more clearly focus on the disclosures we
intended to target: Disclosures to persons involved

[[Page 82716]]

in the individual's care. We allow such disclosure only with the
agreement of the individual, or where the covered entity has offered
the individual the opportunity to object to the disclosure and the
individual did not object. If the opportunity to object cannot
practicably be provided because of the incapacity of the individual or
other emergency, we require covered entities to exercise professional
judgment in the best interest of the patient in deciding whether to
disclose information. In such cases, we permit disclosure only of that
information directly relevant to the person's involvement with the
individual's health care. (This provision also includes limited
disclosure to certain persons seeking to identify or locate an
individual.) See Sec. 164.510(b).
    Some additional concerns expressed about victims of domestic
violence and other forms of abuse are also addressed in a new section
on disclosure of protected health information related to domestic
violence and abuse. See Sec. 164.512(c). We believe that the
limitations we place on disclosure of health information in these
provisions address the concerns of these commenters.
    Comment: Some commenters argued that covered entities should be
required to determine whether de-identified information could be used
before disclosing information under the minimum necessary standard.
    Response: We believe that requiring covered entities' policies and
procedures for minimum necessary disclosures to address whether de-
identified information could be used in all instances would impose
burdens on some covered entities that could outweigh the benefits of
such a requirement. There is significant variation in the
sophistication of covered entities' information systems. Some covered
entities can reasonably implement policies and procedures that make
significant use of de-identified information; other covered entities
would find such a requirement excessively burdensome. For this reason,
we chose instead to require ``reasonable efforts,'' which can vary
according to the situation of each covered entity.
    In addition, we believe that the fact that we allow de-identified
information to be disclosed without regard to the policies, procedures,
and documentation required for disclosure of identifiable health
information will provide an incentive to encourage its use where
appropriate.
    Comment: Several commenters argued that standard transactions
should not be subject to the standard.
    Response: We agree that data elements that are required or
situationally required in the standard transactions should not be, and
are not, subject to this standard. However, in many cases, covered
entities have significant discretion as to the information included in
these transactions. Therefore, this standard does apply to those
optional data elements.
    Comment: Some commenters asked for clarification to understand how
the minimum necessary standard is intended to interact with the
security NPRM.
    Response: The proposed Security Rule included requirements for
electronic health information systems to include access management
controls. Under this regulation, the covered entity's privacy policies
will determine who has access to what protected health information. We
will make every effort to ensure consistency prior to publishing the
final Security Rule.
    Comment: Many commenters, representing health care providers,
argued that if the request was being made by a health plan, the health
plan should be required to request only the minimum protected health
information necessary. Some of these commenters stated that the
requestor is in a better position to know the minimum amount of
information needed for their purposes. Some of these commenters argued
that the minimum necessary standard should be imposed only on the
requesting entity. A few of these commenters argued that both the
disclosing and the requesting entity should be subject to the minimum
necessary standard, to create ``internal tension'' to assure the
standard is honored.
    Response: We agree, and in the final rule we require that a request
for protected health information made by one covered entity to another
covered entity must be limited to the minimum amount necessary for the
purpose. As with uses and disclosures of protected health information,
covered entities may have standard protocols for routine requests.
Similarly, this requirement does not apply to requests made to health
care providers for treatment purposes. We modify the rule to balance
this provision; that is, it now applies both to disclosure of and
requests for protected health information. We also allow, but do not
require, the covered entity releasing the information to reasonably
rely on the assertion of a requesting covered entity that it is
requesting only the minimum protected health information necessary.
    Comment: A few commenters suggested that there should be a process
for resolving disputes between covered entities over what constitutes
the ``minimum necessary'' information.
    Response: We do not intend that this rule change the way covered
entities currently handle their differences regarding the disclosure of
health information. We understand that the scope of information
requested from providers by health plans is a source of tension in the
industry today, and we believe it would not be appropriate to use this
regulation to affect that debate. As discussed above, we require both
the requesting and the disclosing covered entity to take privacy
concerns into account, but do not inject additional tension into the
ongoing discussions.

Section 164.514(e)--Marketing

    Comment: Many commenters requested clarification of the boundaries
between treatment, payment, health care operations, and marketing. Some
of these commenters requested clarification of the apparent
inconsistency between language in proposed Sec. 164.506(a)(1)(i) (a
covered entity is permitted to use or disclose protected health
information without authorization ``to carry out'' treatment, payment,
or health care operations) and proposed Sec. 164.508(a)(2)(A) (a
covered entity must obtain an authorization for all uses and
disclosures that are not ``compatible with or directly related to''
treatment, payment, and health care operations). They suggested
retaining the language in proposed Sec. 164.508(a)(2)(A), which would
permit a broader range of uses and disclosures without authorization,
in order to engage in health promotion activities that might otherwise
be considered marketing.
    Response: In the final rule, we make several changes to the
definitions of treatment, payment, and health care operations that are
intended to clarify the uses and disclosures of protected health
information that may be made for each purpose. See Sec. 164.501 and the
corresponding preamble discussion regarding the definitions of these
terms. We also have added a definition of the term ``marketing'' to
help establish the boundary between marketing and treatment, payment,
and health care operations. See Sec. 164.501. We also clarify the
conditions under which authorization is or is not required for uses and
disclosures of protected health information for marketing purposes. See
Sec. 164.514(e). Due to these changes, we believe it is appropriate to
retain the wording from proposed Sec. 164.506(a)(1)(i).

[[Page 82717]]

    Comment: We received a wide variety of suggestions with respect to
authorization for uses and disclosures of protected health information
for marketing purposes. Some commenters supported requiring
authorization for all such uses and disclosures. Other commenters
suggested permitting all such uses and disclosures without
authorization.
    Some commenters suggested we distinguish between marketing to
benefit the covered entity and marketing to benefit a third party. For
example, a few commenters suggested we should prohibit covered entities
from seeking authorization for any use or disclosure for marketing
purposes that benefit a third party. These commenters argued that the
third parties should be required to obtain the individual's
authorization directly from the individual, not through a covered
entity, due to the potential for conflicts of interest.
    While a few commenters suggested that we require covered entities
to obtain authorization to use or disclose protected health information
for the purpose of marketing its own products and services, the
majority argued these types of marketing activities are vital to
covered entities and their customers and should therefore be permitted
to occur without authorization. For example, commenters suggested
covered entities should be able to use and disclose protected health
information without authorization in order to provide appointment
reminders, newsletters, information about new initiatives, and program
bulletins.
    Finally, many commenters argued we should not require authorization
for the use or disclosure of protected health information to market any
health-related goods and services, even if those goods and services are
offered by a third party. Some of these commenters suggested that
individuals should have an opportunity to opt out of these types of
marketing activities rather than requiring authorization.
    Response: We have modified the final rule in ways that address a
number of the issues raised in the comments. First, the final rule
defines the term marketing, and excepts certain communications from the
definition. See Sec. 164.501. These exceptions include communications
made by covered entities for the purpose of describing network
providers or other available products, services, or benefits and
communications made by covered entities for certain treatment-related
purposes. These exceptions only apply to oral communications or to
written communications for which the covered entity receives no third-
party remuneration. The exceptions to the definition of marketing fall
within the definitions of treatment and/or health care operations, and
therefore uses, or disclosures to a business associate, of protected
health information for these purposes are permissible under the rule
without authorization.
    The final rule also permits covered entities to use protected
health information to market health-related products and services,
whether they are the products and services of the covered entity or of
a third party, subject to a number of limitations. See Sec. 164.514(e).
We permit these uses to allow entities in the health sector to inform
their patients and enrollees about products that may benefit them. The
final rule contains significant restrictions, including requirements
that the covered entity disclose itself as the source of a marketing
communication, that it disclose any direct or indirect remuneration
from third parties for making the disclosure, and that, except in the
cases of general communications such as a newsletter, the communication
disclose how the individual can opt out of receiving additional
marketing communications. Additional requirements are imposed if the
communication is targeted based on the health status or condition of
the proposed recipients.
    We believe that these modifications address many of the issues
raised by commenters and provide a substantial amount of flexibility as
to when a covered entity may communicate about a health-related product
or service to a patient or enrollee. These communications may include
appointment reminders, newsletters, and information about new health
products. These changes, however, do not permit a covered entity to
disclose protected health information to third parties for marketing
(other than to a business associate to make a marketing communication
on behalf of the covered entity) without authorization under
Sec. 164.508.
    Comment: A few commenters suggested we prohibit health care
clearinghouses from seeking authorization for the use or disclosure of
protected health information for marketing purposes.
    Response: We do not prohibit clearinghouses from seeking
authorizations for these purposes. We believe, however, that health
care clearinghouses will almost always create or obtain protected
health information in a business associate capacity. Business
associates may only engage in activities involving the use or
disclosure of protected health information, including seeking or acting
on an authorization, to the extent their contracts allow them to do so.
When a clearinghouse creates or receives protected health information
other than as a business associate of a covered entity, it is permitted
and required to obtain authorizations to the same extent as any other
covered entity.
    Comment: A few commenters suggested we require covered entities to
publicly disclose, on the covered entity's website or upon request, all
of their marketing arrangements.
    Response: While we agree that such a requirement would provide
individuals with additional information about how their information
would be used, we do not feel that such a significant intrusion into
the business practices of the covered entity is warranted.
    Comment: Some commenters argued that if an activity falls within
the scope of payment, it should not be considered marketing. Commenters
strongly supported an approach which would bar an activity from being
construed as ``marketing'' even if performing that activity would
result in financial gain to the covered entity. In a similar vein, we
were urged to adopt the position that if an activity was considered
payment, treatment or health care operations, it could not be further
evaluated to determine whether it should be excluded as marketing.
    Response: We considered the approach offered by commenters but
decided against it. Some activities, such as the marketing of a covered
entity's own health-related products or services, are now included in
the definition of health care operations, provided certain requirements
are met. Other types of activities, such as the sale of a patient list
to a marketing firm, would not be permitted under this rule without
authorization from the individual. We do not believe that we can
envision every possible disclosure of health information that would
violate the privacy of an individual, so any list would be incomplete.
Therefore, whether or not a particular activity is considered
marketing, payment, treatment or health care operations will be a fact-
based determination based on the activity's congruence with the
particular definition.
    Comment: Some industry groups stated that if an activity involves
selling products, it is not disease management. They suggested we adopt
a definition of disease management that differentiates use of
information for the best interests of patient from uses undertaken for
``ulterior purposes'' such as advertising, marketing, or promoting
separate products.

[[Page 82718]]

    Response: We agree in general that the sale of unrelated products
to individuals is not a population-based activity that supports
treatment and payment. However, in certain circumstances marketing
activities are permitted as a health care operation; see the definition
of ``health care operations'' in Sec. 164.501 and the related marketing
requirements of Sec. 164.514.
    Comment: Some commenters complained that the absence of a
definition for disease management created uncertainty, in view of the
proposed rule's requirement to get authorization for marketing. They
expressed concern that the effect would be to require patient consent
for many activities that are desirable, not practicably done if
authorization is required, and otherwise classifiable as treatment,
payment, or health care operations. Examples provided include reminders
for appointments, reminders to get preventive services like mammograms,
and information about home management of chronic illnesses. They also
stated that the proposed rule would prevent many disease management and
preventive health activities.
    Response: We agree that the distinction in the NPRM between disease
management and marketing was unclear. Rather than provide a definition
of disease management, this final rule defines marketing. We note that
overlap between disease management and marketing exists today in
practice and they cannot be distinguished easily with a definitional
label. However, for purposes of this rule, the revised language makes
clear for what activities an authorization is required. We note that
under this rule many of the activities mentioned by commenters will not
require authorizations under most circumstances. See the discussion of
disease management under the definition of ``treatment'' in
Sec. 164.501.

Section 164.514(f)--Fundraising

    Comment: Many comments objected to the requirement that an
authorization from the individual be obtained for use and disclosure of
protected health information for fundraising purposes. They argued
that, in the case of not-for-profit health care providers, having to
obtain authorization would be time consuming and costly, and that such
a requirement would lead to a decrease in charitable giving. The
commenters also urged that fundraising be included within the
definition of health care operations. Numerous commenters suggested
that they did not need unfettered access to patient information in
order to carry out their fundraising campaigns. They stated that a
limited data set restricted to name, address, and telephone number
would be sufficient to meet their needs. Several commenters suggested
that we create a voluntary opt-out provision so people can avoid
solicitations.
    Response: We agree with commenters that our proposal could have
adversely affected charitable giving, and accordingly make several
modifications to the proposal. First, the final rule allows a covered
entity to use or disclose to a business associate protected health
information without authorization to identify individuals for
fundraising for its own benefit. Permissible fundraising activities
include appeals for money, sponsorship of events, etc. They do not
include royalties or remittances for the sale of products of third
parties (except auctions, rummage sales, etc).
    Second, the final rule allows a covered entity to disclose
protected health information without authorization to an
institutionally related foundation that has as its mission to benefit
the covered entity. This special provision is necessary to accommodate
tax code provisions which may not allow such foundations to be business
associates of their associated covered entity.
    We also agree that broad access to protected health information is
unnecessary for fundraising and unnecessarily intrudes on individual
privacy. The final rule limits protected health information to be used
or disclosed for fundraising to demographic information and the date
that treatment occurred. Demographic information is not defined in the
rule, but will generally include in this context name, address and
other contact information, age, gender, and insurance status. The term
does not include any information about the illness or treatment.
    We also agree that a voluntary opt-out is an appropriate
protection, and require in Sec. 164.520 that covered entities provide
information on their fundraising activities in their ``Notice of
Information Practices.'' As part of the notice and in any fundraising
materials, covered entities must provide information explaining how
individuals may opt out of fundraising communications.
    Comment: Some commenters stated that use and disclosure of
protected health information for fundraising, without authorization
should be limited to not-for-profit entities. They suggested that not-
for-profit entities were in greater need of charitable contributions
and as such, they should be exempt from the authorization requirement
while for-profit organizations should have to comply with the
requirement.
    Response: We do not agree that the profit status of a covered
entity should determine its allowable use of protected health
information for fundraising. Many for-profit entities provide the same
services and have similar missions to not-for-profit entities.
Therefore, the final rule does not make this distinction.
    Comment: Several commenters suggested that the final rule should
allow the internal use of protected health information for fundraising,
without authorization, but not disclosure for fundraising. These
commenters suggested that by limiting access of protected health
information to only internal development offices concerns about misuse
would be reduced.
    Response: We do not agree. A number of commenters noted that they
have related charitable foundations that raise funds for the covered
entity, and we permit disclosures to such foundations to ensure that
this rule does not interfere with charitable giving.
    Comment: Several commenters asked us to address the content of
fundraising letters. They pointed out that disease or condition-
specific letters requesting contributions, if opened by the wrong
person, could reveal personal information about the intended recipient.
    Response: We agree that such communications raise privacy concerns.
In the final rule, we limit the information that can be used or
disclosed for fundraising, and exclude information about diagnosis,
nature of services, or treatment.

Section 164.514(g)--Verification

    Comment: A few commenters suggested that verification guidelines
may need to be different as they apply to emergency clinical situations
as opposed to routine data collection where delays do not threaten
health.
    Response: We agree, and make special provisions in Secs. 164.510
and 164.512 for disclosures of protected health information by a
covered entity without authorization where the individual is unable to
agree or object to disclosure due to incapacity or other emergency
circumstance.
    For example, a health care provider may need to make disclosures to
family members, close personal friends, and others involved in the
individual's care in emergency situations. Similarly, a health care
provider may need to respond to a request from a hospital seeking
protected health information in

[[Page 82719]]

a circumstance described as an emergency. In each case, we require only
that the covered entity exercise professional judgment, in the best
interest of the patient, in deciding whether to make a disclosure.
Based on the comments and our fact finding, this reflects current
practice.
    Comment: A few commenters stated the rules should include
provisions for electronic verification of identity (such as Public Key
Infrastructure (PKI)) as established in the regulations on Security and
Electronic Signatures. One commenter suggested that some kind of PKI
credentialing certificate should be required.
    Response: This regulation does not address specific technical
protocols utilized to meet the verification requirements. If the
requirements of the rule are otherwise met, the mechanism for meeting
them can be determined by the covered entity.
    Comment: A few commenters wanted more clarification on the
verification procedures. One commenter wanted to know if contract
number is enough for verification. A few commenters wanted to know if a
callback or authorization on a letterhead is acceptable. A few
commenters wanted to know if plans are considered to ``routinely do
business'' with all of their members.
    Response: In the final rule, we modify the proposed provision and
require covered entities to have policies and procedures reasonably
designed to verify the identity and authority of persons requesting
protected health information. Whether knowledge of a contract number is
reasonable evidence of authority and identity will depend on the
circumstances. Call-backs and letterhead are typically used today for
verification, and are acceptable under this rule if reasonable under
the circumstances. For communications with health plan members, the
covered entity will already have information about each individual,
collected during enrollment, that can be used to establish identity,
especially for verbal or electronic inquiries. For example, today many
health plans ask for the social security or policy number of
individuals seeking information or assistance by telephone. How this
verification is done is left up to the covered entity.
    Comment: One commenter expressed the need for consistency on
verification requirements between this rule and the Security
regulation.
    Response: We will make every effort to ensure consistency prior to
publishing the final Security Rule.
    Comment: One commenter stated that the verification language in
proposed Sec. 164.518(c)(2)(ii)(B)(1) would have created a presumption
that ``a request for disclosure made by official legal process issued
by a[n] administrative body'' is reasonable legal authority to disclose
the protected health information. The commenter was concerned that this
provision could be interpreted to permit a state agency to demand the
disclosure of protected health information merely on the basis of a
letter signed by an agency representative. The commenter believed that
the rule specifically should defer to state or federal law on the
disclosure of protected health information pursuant to legal process.
    Response: The verification provisions in this rule are minimum
requirements that covered entities must meet before disclosing
protected health information under this regulation. They do not mandate
disclosure, nor do they preempt state laws which impose additional
restrictions on disclosure. Where state law regarding disclosures is
more stringent, the covered entity must adhere to state law.
    Comment: A few commenters wanted the verification requirements to
apply to disclosures of protected health information for treatment,
payment and operations purposes.
    Response: We agree. This verification requirement applies to all
disclosures of protected health information permitted by this rule,
including for treatment, payment and operations, where the identity of
the recipient is not known to the covered entity. Routine
communications between providers, where existing relationships have
been established, do not require special verification procedures.
    Comment: A few commenters were concerned that a verbal inquiry for
next of kin verification is not consistent with the guidelines of this
verification subsection and that verbal inquiry would create problems
because anyone who purports to be a next of kin could easily obtain
information under false pretenses.
    Response: In the final rule in Sec. 164.514, we require the covered
entity to verify the identity and authority of persons requesting
protected health information, where the identity and authority of such
person is not known to the covered entity. This applies to next of kin
situations. Procedures for disclosures to next of kin, other family
members and persons assisting in an individual's care are also
discussed in Sec. 164.510(b), which allows the covered entity to
exercise professional judgment as to whether the disclosure is in the
individual's best interest when the individual is not available to
agree to the disclosure or is incapacitated. Requiring written proof of
identity in many of these situations, such as when a family member is
seeking to locate a relative in an emergency or disaster situation,
would create enormous burden without a corresponding enhancement of
privacy, and could cause unnecessary delays in these situations. We
therefore believe that reliance on professional judgment provides a
better framework for balancing the need for privacy with the need to
locate and identify individuals.
    Comment: A few commenters stated that the verification requirements
will create great uncertainty for providers who receive authorizations
from life, disability income and long-term care insurers in the course
of underwriting and claims investigation. They are unaware of any
breaches of confidentiality associated with these circumstances and
believe the rule creates a solution to a non-existent problem. Another
commenter stated that it is too burdensome for health care providers to
verify requests that are normally received verbally or via fax.
    Response: This rule requires covered health care providers to
adhere to current best practices for verification. That is, when the
requester is not known to the covered provider, the provider makes a
reasonable effort to determine that the protected health information is
being sent to the entity authorized to receive it. Our fact finding
reveals that this is often done by sending the information to a
recognizable organizational address or if being transmitted by fax or
phone by calling the requester back through the main organization
switchboard rather than through a direct phone number. We agree that
these procedures seem to work reasonably well in current practice and
are sufficient to meet the relevant requirements in the final rule.
    Comment: One comment suggested requiring a form of photo
identification such as a driver's license or certain personal
information such as date of birth to verify the identity of the
individual.
    Response: These are exactly the types of standard procedures for
verifying the identity of individuals that are envisioned by the final
rule. Most health care entities already conduct such procedures
successfully. However, it is unwise to prescribe specific means of
verification for all situations. Instead, we require policies and
procedures reasonably designed for purposes of verification.
    Comment: One professional association said that the example
procedure described in the NPRM for asking questions to verify that an
adult

[[Page 82720]]

acting for a young child had the requisite relationship to the child
would be quite complex and difficult in practice. The comment asked for
specific guidance as to what questions would constitute an adequate
attempt to verify such a relationship.
    Response: The final rule requires the covered entity to implement
policies and procedures that are reasonably designed to comply with the
verification requirement in Sec. 164.514. It would not be possible to
create the requested specific guidance which could deal with the
infinite variety of situations that providers must face, especially the
complex ones such as that described by the commenter. As with many of
the requirements of this final rule, health care providers are given
latitude and expected to make decisions regarding disclosures, based on
their professional judgment and experience with common practice, in the
best interest of the individual.
    Comment: One commenter asserted that ascertaining whether a
requestor has the appropriate legal authority is beyond the scope of
the training or expertise of most employees in a physician's office.
They believe that health care providers must be able to reasonably rely
on the authority of the requestor.
    Response: In the final regulation we require covered entities to
have policies and procedures reasonably designed to verify the identity
and authority of persons requesting health information. Where the
requester is a public official and legal authority is at issue, we
provide detailed descriptions of the acceptable methods for such
verification in the final rule. For others, the covered entity must
implement policies and procedures that are reasonably designed to
comply with the requirement to verify the identity and authority of a
requestor, but only if the requestor is unknown to the covered entity.
As described above, we expect these policies and procedures to document
currently used best practices and reliance on professional judgment in
the best interest of the individual.
    Comment: One commenter expressed concern that the verification/
identification procedures may eliminate or significantly reduce their
ability to utilize medical records copy services. As written, they
believe the NPRM provides the latitude to set up copy service
arrangements, but any change that would add restrictions would
adversely affect their ability to process an individual's disability
claim.
    Response: The covered entity can establish reasonable policies and
procedures to address verification in routine disclosures under
business associate agreements, with, for example, medical records copy
services. Nothing in the verification provisions would preclude those
activities, nor have we significantly modified the NPRM provision on
this issue.

Section 164.520--Notice of Privacy Practices for Protected Health
Information

    Comment: Many commenters supported the proposal to require covered
entities to produce a notice of information practices. They stated that
such notice would improve individuals' understanding of how their
information may be used and disclosed and would help to build trust
between individuals and covered entities. A few comments, however,
argued that the notice requirement would be administratively burdensome
and expensive without providing significant benefit to individuals.
    Response: We retain the requirement for covered health care
providers and health plans to produce a notice of information
practices. We additionally require health care clearinghouses that
create or receive protected health information other than as a business
associate of another covered entity to produce a notice. We believe the
notice will provide individuals with a clearer understanding of how
their information may be used and disclosed and is essential to inform
individuals of their privacy rights. The notice will focus individuals
on privacy issues, and prompt individuals to have discussions about
privacy issues with their health plans, health care providers, and
other persons.
    The importance of providing individuals with notice of the uses and
disclosures of their information and of their rights with respect to
that information is well supported by industry groups, and is
recognized in current state and federal law. The July 1977 Report of
the Privacy Protection Study Commission recommended that ``each
medical-care provider be required to notify an individual on whom it
maintains a medical record of the disclosures that may be made of
information in the record without the individual's express
authorization.'' \23\ The Commission also recommended that ``an
insurance institution * * * notify (an applicant or principal insured)
as to: * * * the types of parties to whom and circumstances under which
information about the individual may be disclosed without his
authorization, and the types of information that may be disclosed;
[and] * * * the procedures whereby the individual may correct, amend,
delete, or dispute any resulting record about himself.'' \24\ The
Privacy Act (5 U.S.C. 552a) requires government agencies to provide
notice of the routine uses of information the agency collects and the
rights individuals have with respect to that information. In its report
``Best Principles for Health Privacy,'' the Health Privacy Working
Group stated, ``Individuals should be given notice about the use and
disclosure of their health information and their rights with regard to
that information.'' \25\ The National Association of Insurance
Commissioners' Health Information Privacy Model Act requires carriers
to provide a written notice of health information policies, standards,
and procedures, including a description of the uses and disclosures
prohibited and permitted by the Act, the procedures for authorizing and
limiting disclosures and for revoking authorizations, and the
procedures for accessing and amending protected health information.
---------------------------------------------------------------------------

    \23\ Privacy Protection Study Commission, ``Personal Privacy in
an Information Society,'' July 1977, p. 313.
    \24\ Privacy Protection Study Commission, ``Personal Privacy in
an Information Society,'' July 1977, p. 192.
    \25\ Health Privacy Working Group, ``Best Principles for Health
Privacy,'' Health Privacy Project, Institute for Health Care
Research and Policy, Georgetown University, July 1999, p.19.
---------------------------------------------------------------------------

    Some states require additional notice. For example, Hawaii requires
health care providers and health plans, among others, to produce a
notice of confidentiality practices, including a description of the
individual's privacy rights and a description of the uses and
disclosures of protected health information permitted under state law
without the individual's authorization. (HRS section 323C-13)
    Today, health plan handbooks and evidences of coverage include
some of what is required to be in the notice. Industry and standard-
setting organizations have also developed notice requirements. The
National Committee for Quality Assurance accreditation guidelines state
that an accredited managed care organization ``communicates to
prospective members its policies and practices regarding the
collection, use, and disclosure of medical information [and] * * *
informs members * * * of its policies and procedures on * * * allowing
members access to their medical records.'' \26\ Standards of the
American Society for Testing and Materials state,

[[Page 82721]]

``Organizations and individuals who collect, process, handle, or
maintain health information should provide individuals and the public
with a notice of information practices.'' They recommend that the
notice include, among other elements, ``a description of the rights of
individuals, including the right to inspect and copy information and
the right to seek amendments [and] a description of the types of uses
and disclosures that are permitted or required by law without the
individual's authorization.'' \27\ We build on this well-established
principle in this final rule.
---------------------------------------------------------------------------

    \26\ National Committee on Quality Assurance, ``Surveyor
Guidelines for the Accreditation of MCOs,'' effective July 1, 2000--
June 30, 2001, p. 324.
    \27\ ASTM, ``Standard Guide for Confidentiality, Privacy, Access
and Data Security, Principles for Health Information Including
Computer-Based Patient Records,'' E 1869-97, Sec. 9.2.
---------------------------------------------------------------------------

    Comment: We received many comments on the model notice provided in
the proposed rule. Some commenters argued that patients seeing similar
documents would be less likely to become disoriented when examining a
new notice. Other commenters, however, opposed the inclusion of a model
notice or expressed concern about particular language included in the
model. They maintained that a uniform model notice would never capture
the varying practices of covered entities. Many commenters opposed
requirements for a particular format or specific language in the
notice. They stated that covered entities should be afforded maximum
flexibility in fashioning their notices. Other commenters requested
inclusion of specific language as a header to indicate the importance
of the notice. A few commenters recommended specific formatting
requirements, such as font size or type.
    Response: On the whole, we found commenters' arguments for
flexibility in the regulation more persuasive than those arguing for
more standardization. We agree that a uniform notice would not capture
the wide variation in information practices across covered entities. We
therefore do not include a model notice in the final rule, and do not
require inclusion of specific language in the notice (except for a
standard header). We also do not require particular formatting. We do,
however, require the notice to be written in plain language. (See above
for guidance on writing documents in plain language.) We also agree
with commenters that the notice should contain a standard header to
draw the individual's attention to the notice and facilitate the
individual's ability to recognize the notice across covered entities.
    We believe that post-publication guidance will be a more effective
mechanism for helping covered entities design their notices than the
regulation itself. After the rule is published, we can provide guidance
on notice content and format tailored to different types of health
plans and providers. We believe such specially designed guidance will
be more useful than a one-size-fits-all model notice we might publish
with this regulation.
    Comment: Commenters suggested that the rule should require that the
notice regarding privacy practices include specific provisions related
to health information of unemancipated minors.
    Response: Although we agree that minors and their parents should be
made aware of practices related to confidentiality of protected health
information of unemancipated minors, we do not require covered entities
that treat minors or use their protected health information to include
provisions in their notice that are not required of other covered
entities. In general, the content of the notice requirements in
Sec. 164.520(b) does not vary based on the status of the individual
being served. We have decided to maintain consistency by declining to
prescribe specific notice requirements for minors. The rule does permit
a covered entity to provide individuals with notice of its policies and
procedures with respect to anticipated uses and disclosures of
protected health information (Sec. 164.520(b)(2)), and providers are
encouraged to do so.
    Comment: Some commenters argued that covered entities should not be
required to distinguish between those uses and disclosures that are
required by law and those that are permitted by law without
authorization, because these distinctions may not always be clear and
will vary across jurisdictions. Some commenters maintained that simply
stating that the covered entity would make all disclosures required by
law would be sufficient. Other comments suggested that covered entities
should be able to produce very broadly stated notices so that repeated
revisions and mailings of those revisions would not be necessary.
    Response: While we believe that covered entities have an
independent duty to understand the laws to which they are subject, we
also recognize that it could be difficult to convey such legal
distinctions clearly and concisely in a notice. We therefore eliminate
the proposed requirement for covered entities to distinguish between
those uses and disclosures that are required by and those that are
permitted by law. We instead require that covered entities describe
each purpose for which they are permitted or required to use or
disclose protected health information under this rule and other
applicable law without individual consent or authorization.
Specifically, covered entities must describe the types of uses and
disclosures they are permitted to make for treatment, payment, and
health care operations. They must also describe each of the purposes
for which the covered entity is permitted or required by this subpart
to use or disclose protected health information without the
individual's written consent or authorization (even if they do not plan
to make a permissive use or disclosure). We believe this requirement
provides individuals with sufficient information to understand how
information about them can be used and disclosed and to prompt them to
ask for additional information to obtain a clearer understanding, while
minimizing covered entities' burden.
    A notice that stated only that the covered entity would make all
disclosures required by law, as suggested by some of these commenters,
would fail to inform individuals of the uses and disclosures of
information about them that are permitted, but not required, by law. We
clarify that each and every disclosure required by law need not be
listed on the notice. Rather, the covered entity can include a general
statement that disclosures required by law will be made.
    Comment: Some comments argued that the covered entity should not
have to provide notice about uses and disclosures that are permitted
under the rule without authorization. Other comments suggested that the
notice should inform individuals about all of the uses and disclosures
that may be made, with or without the individual's authorization.
    Response: When the individual's permission is not required for uses
and disclosures of information, we believe providing the required
notice is the most effective means of ensuring that individuals are
aware of how information about them may be shared. The notice need not
describe uses and disclosures for which the individual's permission is
required, because the individual will be informed of these at the time
permission to use or disclose the information is requested.
    We additionally require covered entities, even those required to
obtain the individual's consent for use and disclosure of protected
health information for treatment, payment, and health care operations,
to describe those uses and disclosures in their notice. (See
Sec. 164.506 and the corresponding preamble discussion regarding
consent requirements.) We require these uses

[[Page 82722]]

and disclosures to be described in the notice in part in order to
reduce the administrative burden on covered providers that are required
to obtain consent. Rather than obtaining a new consent each time the
covered provider's information policies and procedures are materially
revised, covered providers may revise and redistribute their notice. We
also expect that the description of how information may be used to
carry out treatment, payment, and health care operations in the notice
will be more detailed than in the more general consent document.
    Comment: Some commenters argued that covered entities should not be
required to provide notice of the right to request restrictions,
because doing so would be burdensome to the covered entity and
distracting to the individual; because individuals have the right
whether they are informed of such right or not; and because the
requirement would be unlikely to improve patient care.
    Response: We disagree. We believe that the ability of an individual
to request restrictions is an important privacy right and that
informing people of their rights improves their ability to exercise
those rights. We do not believe that adding a sentence to the notice is
burdensome to covered entities.
    Comment: We received comments supporting inclusion of a contact
point in the notice, so that individuals will not be forced to make
multiple calls to find someone who can assist them with the issues in
the notice.
    Response: We retain the requirement, but clarify that the title of
the contact person is sufficient. A person's name is not required.
    Comment: Some commenters argued that we could facilitate compliance
by requiring the notice to include the proposed requirement that
covered entities use and disclose only the minimum necessary protected
health information.
    Response: We do not agree that adding such a requirement would
strengthen the notice. The purpose of the notice is to inform
individuals of their privacy rights, and of the purposes for which
protected health information about them may be used or disclosed.
Informing individuals that covered entities may use and disclose only
the minimum necessary protected health information for a purpose would
not increase individuals' understanding of their rights or the purposes
for which information may be used or disclosed.
    Comment: A few commenters supported allowing covered entities to
apply changes in their information practices to protected health
information obtained prior to the change. They argued that requiring
different protections for information obtained at different times would
be inefficient and extremely difficult to administer. Some comments
supported requiring covered entities to state in the notice that the
information policies and procedures are subject to change.
    Response: We agree. In the final rule, we provide a mechanism by
which covered entities may revise their privacy practices and apply
those revisions to protected health information they already maintain.
We permit, but do not require, covered entities to reserve the right to
change their practices and apply the revised practices to information
previously created or obtained. If a covered entity wishes to reserve
this right, it must make a statement to that effect in its notice. If
it does not make such a statement, the covered entity may still revise
its privacy practices, but it may apply the revised practices only to
protected health information created or obtained after the effective
date of the notice in which the revised practices are reflected. See
Sec. 164.530(i) and the corresponding preamble discussion of
requirements regarding changes to information policies and procedures.
    Comment: Some commenters requested clarification of the term
``material changes'' so that entities will be comfortable that they act
properly after making changes to their information practices. Some
comments stated that entities should notify individuals whenever a new
category of disclosures to be made without authorization is created.
    Response: The concept of ``material change'' appears in other
notice laws, such as the ERISA requirements for summary plan
descriptions. We therefore retain the ``materiality'' condition for
revision of notices, and encourage covered entities to draw on the
concept as it has developed through those other laws. We agree that the
addition of a new category of use or disclosure of health information
that may be made without authorization would likely qualify as a
material change.
    Comment: We proposed to permit covered entities to implement
revised policies and procedures without first revising the notice if a
compelling reason existed to do so. Some commenters objected to this
proposal because they were concerned that the ``compelling reason''
exception would give covered entities broad discretion to engage in
post hoc violations of their own information practices.
    Response: We agree and eliminate this provision. Covered entities
may not implement revised information policies and procedures before
properly documenting the revisions and updating their notice. See
Sec. 164.530(i). Because in the final rule we require the notice to
include all disclosures that may be made, not only those the covered
entity intends to make, we no longer need this provision to accommodate
emergencies.
    Comment: Some comments suggested that we require covered entities
to maintain a log of all past notices, with changes from the previous
notice highlighted. They further suggested we require covered entities
to post this log on their web sites.
    Response: In accordance with Sec. 164.530(j)(2), a covered entity
must retain for six years a copy of each notice it issues. We do not
require highlighting of changes to the notice or posting of prior
notices, due to the associated administrative burdens and the
complexity such a requirement would build into the notice over time. We
encourage covered entities, however, to make such materials available
upon request.
    Comment: Several commenters requested clarification about when,
relative to the compliance date, covered entities are required to
produce their notice. One commenter suggested that covered entities be
allowed a period not less than 180 days after adoption of the final
rule to develop and distribute the notice. Other comments requested
that the notice compliance date be consistent with other HIPAA
regulations.
    Response: We require covered entities to have a notice available
upon request as of the compliance date of this rule (or the compliance
date of the covered entity if such date is later). See Sec. 164.534 and
the corresponding preamble discussion of the compliance date.
    Comment: Some commenters suggested that covered entities,
particularly covered health care providers, should be required to
discuss the notice with individuals. They argued that posting a notice
or otherwise providing the notice in writing may not achieve the goal
of informing individuals of how their information will be handled,
because some individuals may not be literate or able to function at the
reading level used in the notice. Others argued that entities should
have the flexibility to choose alternative modes of communicating the
information in the notice, including voice disclosure. In contrast,
some commenters were concerned that requirements to provide the notice
in plain language or in languages other than English would be overly
burdensome.

[[Page 82723]]

    Response: We require covered entities to write the notice in plain
language so that the average reader will be able to understand the
notice. We encourage, but do not require, covered entities to consider
alternative means of communicating with certain populations. We note
that any covered entity that is a recipient of federal financial
assistance is generally obligated under Title VI of the Civil Rights
Act of 1964 to provide material ordinarily distributed to the public in
the primary languages of persons with limited English proficiency in
the recipients' service areas. While we believe the notice will prompt
individuals to initiate discussions with their health plans and health
care providers about the use and disclosure of health information, we
believe this should be a matter left to each individual and that
requiring covered entities to initiate discussions with each individual
would be overly burdensome.
    Comment: Some commenters suggested that covered entities,
particularly health plans, should be permitted to distribute their
notice in a newsletter or other communication with individuals.
    Response: We agree, so long as the notice is sufficiently separate
from other important documents. We therefore prohibit covered entities
from combining the notice in a single document with either a consent
(Sec. 164.506) or an authorization (Sec. 164.508), but do not otherwise
prohibit covered entities from including the notice in or with other
documents the covered entity shares with individuals.
    Comment: Some comments suggested that covered entities should not
be required to respond to requests for the notice from the general
public. These comments indicated that the requirement would place an
undue burden on covered entities without benefitting individuals.
    Response: We proposed that the notice be publicly available so that
individuals may use the notice to compare covered entities' privacy
practices and to select a health plan or health care provider
accordingly. We therefore retain the proposed requirement for covered
entities to provide the notice to any person who requests a copy,
including members of the general public.
    Comment: Many commenters argued that the distribution requirements
for health plans should be less burdensome. Some suggested requiring
distribution upon material revision, but not every three years. Some
suggested that health plans should only be required to distribute their
notice annually or upon re-enrollment. Some suggested that health plans
should only have to distribute their notice upon initial enrollment,
not re-enrollment. Other commenters supported the proposed approach.
    Response: We agree that the notice distribution requirements for
health plans can be less burdensome than in the NPRM while still being
effective. In the final rule, we reduce health plans' distribution
burden in several ways. First, we require health plans to remind
individuals every three years of the availability of the notice and of
how to obtain a copy of the notice, rather than requiring the notice to
be distributed every three years as proposed. Second, we clarify that
health plans only have to distribute the notice to new enrollees on
enrollment, not to current members of the health plan upon re-
enrollment. Third, we specifically allow all covered entities to
distribute the notice electronically in accordance with
Sec. 164.520(c)(3).
    We retain the requirement for health plans to distribute the notice
within 60 days of a material revision. We believe the revised
distribution requirements will ensure that individuals are adequately
informed of health plans' information practices and any changes to
those procedures, without unduly burdening health plans.
    Comment: Many commenters argued that health plans should not be
required to distribute their notice to every person covered by the
plan. They argued that distributing the notice to every family member
would be unnecessarily duplicative, costly, and difficult to
administer. They suggested that health plans only be required to
distribute the notice to the primary participant or to each household
with one or more insured individuals.
    Response: We agree, and clarify in the final rule that a health
plan may satisfy the distribution requirement by providing the notice
to the named insured on behalf of the dependents of that named insured.
For example, a group health plan may satisfy its notice requirement by
providing a single notice to each covered employee of the plan sponsor.
We do not require the group health plan to distribute the notice to
each covered employee and to each covered dependent of those employees.
    Comment: Many comments requested clarification about health plans'
ability to distribute the notice via other entities. Some commenters
suggested that group health plans should be able to satisfy the
distribution requirement by providing copies of the notice to plan
sponsors for delivery to employees. Others requested clarification that
covered health care providers are only required to distribute their own
notice and that health plans should be prohibited from using their
affiliated providers to distribute the health plan's notice.
    Response: We require health plans to distribute their notice to
individuals covered by the health plan. Health plans may elect to hire
or otherwise arrange for others, including group health plan sponsors
and health care providers affiliated with the health plan, to carry out
this distribution. We require covered providers to distribute only
their own notices, and neither require nor prohibit health plans and
health care providers from devising whatever arrangements they find
suitable to meet the requirements of this rule. However, if a covered
entity arranges for another person or entity to distribute the covered
entity's notice on its behalf and individuals do not receive such
notice, the covered entity would be in violation of the rule.
    Comment: Some comments stated that covered providers without direct
patient contact, such as clinical laboratories, might not have
sufficient patient contact information to be able to mail the notice.
They suggested we require or allow such providers to form agreements
with referring providers or other entities to distribute notices on
their behalf or to include their practices in the referring entity's
own notice.
    Response: We agree with commenters' concerns about the potential
administrative and financial burdens of requiring covered providers
that have indirect treatment relationships with individuals, such as
clinical laboratories, to distribute the notice. Therefore, we require
these covered providers to provide the notice only upon request. In
addition, these covered providers may elect to reach agreements with
other entities to distribute their notice on their behalf, or to
participate in an organized health care arrangement that produces a
joint notice. See Sec. 164.520(d) and the corresponding preamble
discussion of joint notice requirements.
    Comment: Some commenters requested that covered health care
providers be permitted to distribute their notice prior to an
individual's initial visit so that patients could review the
information in advance of the visit. They suggested that distribution
in advance would reduce the amount of time covered health care
providers' staff would have to spend explaining the notice to patients
in the office. Other comments argued that providers should

[[Page 82724]]

distribute their notice to patients at the time the individual visits
the provider, because providers lack the administrative infrastructure
necessary to develop and distribute mass communications and generally
have difficulty identifying active patients.
    Response: In the final rule, we clarify that covered providers with
direct treatment relationships must provide the notice to patients no
later than the first service delivery to the patient after the
compliance date. For the reasons identified by these commenters, we do
not require covered providers to send their notice to the patient in
advance of the patient's visit. We do not prohibit distribution in
advance, but only require distribution to the patient as of the time of
the visit. We believe this flexibility will allow each covered provider
to develop procedures that best meet its and its patients' needs.
    Comment: Some comments suggested that covered providers should be
required to distribute the notice as of the compliance date. They noted
that if the covered provider waited to distribute the notice until
first service delivery, it would be possible (pursuant to the rule) for
a use or disclosure to be made without the individual's authorization,
but before the individual receives the notice.
    Response: Because health care providers generally lack the
administrative infrastructure necessary to develop and distribute mass
communications and generally have difficulty identifying active
patients, we do not require covered providers to distribute the notice
until the first service delivery after the compliance date. We
acknowledge that this policy allows uses and disclosure of health
information without individuals' consent or authorization before the
individual receives the notice. We require covered entities, including
covered providers, to have the notice available upon request as of the
compliance date of the rule. Individuals may request a copy of the
notice from their provider at any time.
    Comment: Many commenters were concerned with the requirement that
covered providers post their notice. Some commenters suggested that
covered hospital-based providers should be able to satisfy the
distribution requirements by posting their notice in multiple locations
at the hospital, rather than handing the notice to patients--
particularly with respect to distribution after material revisions have
been made. Some additionally suggested that these covered providers
should have copies of the notice available on site. Some commenters
emphasized that the notice must be clear and conspicuous to give
individuals meaningful and effective notice of their rights. Other
commenters noted that posting the notice will not inform former
patients who no longer see the provider.
    Response: We clarify in the final rule that the requirement to post
a notice does not substitute for the requirement to give individuals a
notice or make notices available upon request. Covered providers with
direct treatment relationships, including covered hospitals, must give
a copy of the notice to the individual as of first service delivery
after the compliance date. After giving the individual a copy of the
notice as of that first visit, the covered provider has no other
obligation to actively distribute the notice. We believe it is
unnecessarily burdensome to require covered providers to mail the
notice to all current and former patients each time the notice is
revised, because unlike health plans, providers may have a difficult
time identifying active patients. All individuals, including those who
no longer see the covered provider, have the right to receive a copy of
the notice on request.
    If the covered provider maintains a physical delivery site, it must
also post the notice (including revisions to the notice) in a clear and
prominent location where it is reasonable to expect individuals seeking
service from the covered provider to be able to read the notice. The
covered provider must also have the notice available on site for
individuals to be able to request and take with them.
    Comment: Some comments requested clarification about the
distribution requirements for a covered entity that is a health plan
and a covered health care provider.
    Response: Under Sec. 164.504(g), discussed above, covered entities
that conduct multiple types of covered functions, such as the kind of
entities described in the above comments, are required to comply with
the provisions applicable to a particular type of health care function
when acting in that capacity. Thus, in the example described above, the
covered entity is required by Sec. 164.504(g) to follow the
requirements for health plans with respect to its actions as a health
plan and to follow the requirements for health care providers with
respect to its actions as a health care provider.
    Comment: We received many comments about the ability of covered
entities to distribute their notices electronically. Many commenters
suggested that we permit covered entities to distribute the notice
electronically, either via a web site or e-mail. They argued that
covered entities are increasingly using electronic technology to
communicate with patients and otherwise administer benefits. They also
noted that other regulations permit similar documents, such as ERISA-
required summary plan descriptions, to be delivered electronically.
Some commenters suggested that electronic distribution should be
permitted unless the individual specifically requests a hard copy or
lacks electronic access. Some argued that entities should be able to
choose a least-cost alternative that allows for periodic changes
without excessive mailing costs. A few commenters suggested requiring
covered entities to distribute notices electronically.
    Response: We clarify in the final rule that covered entities may
elect to distribute their notice electronically, provided the
individual agrees to receiving the notice electronically and has not
withdrawn such agreement. We do not require any particular form of
agreement. For example, a covered provider could ask an individual at
the time the individual requests a copy of the notice whether she
prefers to receive it in hard copy or electronic form. A health plan
could ask an individual applying for coverage to provide an e-mail
address where the health plan can send the individual information. If
the individual provides an e-mail address, the health plan can infer
agreement to obtain information electronically.
    An individual who has agreed to receive the notice electronically,
however, retains the right to request a hard copy of the notice. This
right must be described in the notice. In addition, if the covered
entity knows that electronic transmission of the notice has failed, the
covered entity must produce a hard copy of the notice. We believe this
provision allows covered entities flexibility to provide the notice in
the form that best meets their needs without compromising individuals'
right to adequate notice of covered entities' information practices.
    We note that covered entities may also be subject to the Electronic
Signatures in Global and National Commerce Act. This rule is not
intended to alter covered entities' requirements under that Act.
    Comment: Some commenters were concerned that covered providers with
``face-to-face'' patient contact would have a competitive disadvantage
against covered internet-based providers, because the face-to-face
providers would be required to distribute the notice in hard copy while
internet-based providers could satisfy the requirement

[[Page 82725]]

by requiring review of the notice on the web site before processing an
order. They suggested allowing face-to-face covered providers to
satisfy the distribution requirement by asking patients to review the
notice posted on site.
    Response: We clarify in the final rule that covered health care
providers that provide services to individuals over the internet have
direct treatment relationships with those individuals. Covered
internet-based providers, therefore, must distribute the notice at the
first service delivery after the compliance date by automatically and
contemporaneously providing the notice electronically in response to
the individual's first request for service, provided the individual
agrees to receiving the notice electronically.
    Even though we require all covered entity web sites to post the
entity's notice prominently, we note that such posting is not
sufficient to meet the distribution requirements. A covered internet-
based provider must send the notice electronically at the individual's
first request for service, just as other covered providers with direct
treatment relationships must give individuals a copy of the notice as
of the first service delivery after the compliance date.
    We do not intend to create competitive advantages among covered
providers. A web-based and a non-web-based covered provider each have
the same alternatives available for distribution of the notice. Both
types of covered providers may provide either a paper copy or an
electronic copy of the notice.
    Comment: We received several comments suggesting that some covered
entities should be exempted from the notice requirement or permitted to
combine notices with other covered entities. Many comments argued that
the notice requirement would be burdensome for hospital-based
physicians and result in numerous, duplicative notices that would be
meaningless or confusing to patients. Other comments suggested that
multiple health plans offered through the same employer should be
permitted to produce a single notice.
    Response: We retain the requirement for all covered health care
providers and health plans to produce a notice of information
practices. Health care clearinghouses are required to produce a notice
of information practices only to the extent the clearinghouse creates
or receives protected health information other than as a business
associate of a covered entity. See Sec. 164.500(b)(2). Two other types
of covered entities are not required to produce a notice: a
correctional institution that is a covered entity and a group health
plan that provides benefits only through one or more contracts of
insurance with health insurance issuers or HMOs.
    We clarify in Sec. 164.504(d), however, that affiliated covered
entities under common ownership or control may designate themselves as
a single covered entity for purposes of this rule. An affiliated
covered entity is only required to produce a single notice.
    In addition, covered entities that participate in an organized
health care arrangement--which could include hospitals and their
associated physicians--may choose to produce a single, joint notice, if
certain requirements are met. See Sec. 164.501 and the corresponding
preamble discussion of organized health care arrangements.
    We clarify that each covered entity included in a joint notice must
meet the applicable distribution requirements. If any one of the
covered entities, however, provides the notice to a given individual,
the distribution requirement with respect to that individual is met for
all of the covered entities included in the joint notice. For example,
a covered hospital and its attending physicians may elect to produce a
joint notice. When an individual is first seen at the hospital, the
hospital must provide the individual with a copy of the joint notice.
Once the hospital has done so, the notice distribution requirement for
all of the attending physicians that provide treatment to the
individual at the hospital and that are included in the joint notice is
satisfied.
    Comment: We solicited and received comments on whether to require
covered entities to obtain the individual's signature on the notice.
Some commenters suggested that requiring a signature would convey the
importance of the notice, would make it more likely that individuals
read the notice, and could have some of the same benefits of a consent.
They noted that at least one state already requires entities to make a
reasonable effort to obtain a signed notice. Other comments noted that
the signature would be useful for compliance and risk management
purposes because it would document that the individual had received the
notice.
    The majority of commenters on this topic, however, argued that a
signed acknowledgment would be administratively burdensome,
inconsistent with the intent of the Administrative Simplification
requirements of HIPAA, impossible to achieve for incapacitated
individuals, difficult to achieve for covered entities that do not have
direct contact with patients, inconsistent with other notice
requirements under other laws, misleading to individuals who might
interpret their signature as an agreement, inimical to the concept of
permitting uses and disclosures without authorization, and an
insufficient substitute for authorization.
    Response: We agree with the majority of commenters and do not
require covered entities to obtain the individual's signed
acknowledgment of receipt of the notice. We believe that we satisfied
most of the arguments in support of requiring a signature with the new
policy requiring covered health care providers with direct treatment
relationships to obtain a consent for uses and disclosures of protected
health information to carry out treatment, payment, and health care
operations. See Sec. 164.506 and the corresponding preamble discussion
of consent requirements. We note that this rule does not preempt other
applicable laws that require a signed notice and does not prohibit a
covered entity from requesting an individual to sign the notice.
    Comment: Some commenters supported requiring covered entities to
adhere to their privacy practices, as described in their notice. They
argued that the notice is meaningless if a covered entity does not
actually have to follow the practices contained in its notice. Other
commenters were concerned that the rule would prevent a covered entity
from using or disclosing protected health information in otherwise
lawful and legitimate ways because of an intentional or inadvertent
omission from its published notice. Some of these commenters suggested
requiring the notice to include a description of some or all
disclosures that are required or permitted by law. Some commenters
stated that the adherence requirement should be eliminated because it
would generally inhibit covered entities' ability to innovate and would
be burdensome.
    Response: We agree that the value of the notice would be
significantly diminished absent a requirement that covered entities
adhere to the statements they make in their notices. We therefore
retain the requirement for covered entities to adhere to the terms of
the notice. See Sec. 164.502(i).
    Many of these commenters' concerns regarding a covered entity's
inability to use or disclose protected health information due to an
intentional or inadvertent omission from the notice are addressed in
our revisions to the proposed content requirements for the notice.
Rather than require covered entities to describe only those uses and

[[Page 82726]]

disclosures they anticipate making, as proposed, we require covered
entities to describe all uses and disclosures they are required or
permitted to make under the rule without the individual's consent or
authorization. We permit a covered entity to provide a statement that
it will disclose protected health information that is otherwise
required by law, as permitted in Sec. 164.512(a), without requiring
it to list all state laws that may require disclosure. Because the
notice must describe all legally permissible uses and disclosures, the
notice will not generally preclude covered entities from making any
uses or disclosures they could otherwise make without individual
consent or authorization. This change will also ensure that individuals
are aware of all possible uses and disclosures that may occur without
their consent or authorization, regardless of the covered entity's
current practices.
    We encourage covered entities, however, to additionally describe
the more limited uses and disclosures they actually anticipate making
in order to give individuals a more accurate understanding of how
information about them will be shared. We expect that certain covered
entities will want to distinguish themselves on the basis of their
privacy protections. We note that a covered entity that chooses to
exercise this option must clearly state that, at a minimum, the covered
entity may make disclosures that are required by law and that are
necessary to avert a serious and imminent threat to health or safety.

Section 164.522--Rights To Request Privacy Protection for Protected
Health Information

Section 164.522(a)--Right of an Individual To Request Restriction of
Uses and Disclosures

    Comment: Several commenters supported the language in the NPRM
regarding the right to request restrictions. One commenter specifically
stated that this is a balanced approach that addresses the needs of the
few who would have reason to restrict disclosures without negatively
affecting the majority of individuals. At least one commenter explained
that if we required consent or authorization for use and disclosure of
protected health information for treatment, payment, and health care
operations then we must also have a right to request restrictions of
such disclosure in order to make the consent meaningful.
    Many commenters requested that we delete this provision, claiming
it would interfere with patient care, payment, and data integrity. Most
of the commenters that presented this position asserted that the
framework of giving patients control over the use or disclosure of
their information is contrary to good patient care because incomplete
medical records may lead to medical errors, misdiagnoses, or
inappropriate treatment decisions. Other commenters asserted that
covered entities need complete data sets on the populations they serve
to effectively conduct research and quality improvement projects and
that restrictions would hinder research, skew findings, impede quality
improvement, and compromise accreditation and performance measurement.
    Response: We acknowledge that widespread restrictions on the use
and disclosure of protected health information could result in some
difficulties related to payment, research, quality assurance, etc.
However, in our efforts to protect the privacy of health information
about individuals, we have sought a balance in determining the
appropriate level of individual control and the smooth operation of the
health care system. In the final rule, we require certain covered
providers and permit all covered entities to obtain consent from
individuals for use and disclosure of protected health information for
treatment, payment, and health care operations (see Sec. 164.506). In
order to give individuals some control over their health information
for uses and disclosures of protected health information for treatment,
payment, and health care operations, we provide individuals with the
opportunity to request restrictions of such uses and disclosures.
    Because the right to request restrictions encourages discussions
about how protected health information may be used and disclosed and
about an individual's concerns about such uses and disclosures, it may
improve communications between a provider and patient and thereby
improve care. According to a 1999 survey on the Confidentiality of
Medical Records by the California HealthCare Foundation, one out of
every six people engages in behavior to protect themselves from unwanted
disclosures of health information, such as lying to providers or
avoiding seeking care. This indicates that, without the ability to
request restrictions, individuals would have incentives to remain
silent about important health information that could have an effect on
their health and health care, rather than consulting a health care
provider.
    Further, this policy is not a dramatic change from the status quo.
Today, many state laws restrict disclosures for certain types of health
information without the patient's authorization. Even if there is no
mandated requirement to restrict disclosures of health information,
providers may agree to requests for restrictions of disclosures when a
patient expresses particular sensitivity and concern for the disclosure
of health information.
    We agree that there may be instances in which a restriction could
negatively affect patient care. Therefore, we include protections
against this occurrence. First, the right to request restrictions is a
right of individuals to make the request. A covered entity may refuse
to restrict uses and disclosures or may agree only to certain aspects
of the individual's request if there is concern for the quality of
patient care in the future. For example, if a covered provider believes
that it is not in the patient's best medical interest to have such a
restriction, the provider may discuss the request for restriction with
the patient and give the patient the opportunity to explain the concern
for disclosure. Also, a covered provider who is concerned about the
implications on future treatment can agree to use and disclose
sensitive protected health information for treatment purposes only and
agree not to disclose information for payment and operation purposes.
Second, a covered provider need not comply with a restriction that has
been agreed to if the individual who requested the restriction is in
need of emergency treatment and the restricted protected health
information is needed to provide the emergency treatment. This
exception should limit the harm to health that may otherwise result
from restricting the use or disclosure of protected health information.
We encourage covered providers to discuss with individuals that the
information may be used or disclosed in emergencies. We require that
the covered entity that discloses restricted protected health
information in an emergency request that the health care provider that
receives such information not further use or re-disclose the
information.
    Comment: Some health plans stated that an institutionalized right
to restrict can interfere with proper payment and can make it easier
for unscrupulous providers or patients to commit fraud on insurance
plans. They were concerned that individuals could enter into
restrictions with providers to withhold information to insurance
companies so that the insurance company would not know about certain
conditions when underwriting a policy.

[[Page 82727]]

    Response: This rule does not enhance the ability of unscrupulous
patients or health care providers to engage in deceptive or fraudulent
withholding of information. This rule grants a right to request a
restriction, not an absolute right to restrict. Individuals can make
such requests today. Other laws criminalize insurance fraud; this
regulation does not change those laws.
    Comment: One commenter asserted that patients cannot anticipate the
significance that one aspect of their medical information will have on
treatment of other medical conditions, and therefore, allowing them to
restrict use or disclosure of some information is contrary to the
patient's best interest.
    Response: We agree that patients may find it difficult to make such
a calculus, and that it is incumbent on health care providers to help
them do so. Health care providers may deny requests for or limit the
scope of the restriction requested if they believe the restriction is
not in the patient's best interest.
    Comment: One commenter asked whether an individual's restriction to
disclosure of information will be a bar to liability for misdiagnosis
or failure to diagnose by a covered entity who can trace its error back
to the lack of information resulting from such restriction.
    Response: Decisions regarding liability and professional standards
are determined by state and other law. This rule does not establish or
limit liability for covered entities under those laws. We expect that
the individual's request to restrict the disclosure of their protected
health information would be considered in the decision of whether or
not a covered entity is liable.
    Comment: One commenter requested that we allow health plans to deny
coverage or reimbursement when a covered health care provider's
agreement to restrict use or disclosure prevents the plan from getting
the information that is necessary to determine eligibility or coverage.
    Response: In this rule, we do not modify insurers' rules regarding
information necessary for payment. We recognize that restricting the
disclosure of information may result in a denial of payment. We expect
covered providers to explain this possibility to individuals when
considering their requests for restrictions and to make alternative
payment arrangements with individuals if necessary.
    Comment: Some commenters discussed the administrative burden and
cost of the requirement that individuals have the right to request
restrictions and that trying to segregate certain portions of
information for protection may be impossible. Others stated that the
administrative burden would make providers unable to accommodate
restrictions, and would therefore give patients false expectations that
their right to request restrictions may be acted upon. One commenter
expressed concern that large covered providers would have a
particularly difficult time establishing a policy whereby the covered
entity could agree to restrictions and would have an even more
difficult time implementing the restrictions since records may be kept
in multiple locations and accessed by multiple people within the
organization. Still other commenters believed that the right to request
restrictions would invite argument, delay, and litigation.
    Response: We do not believe that this requirement is a significant
change from current practice. Providers already respond to requests by
patients regarding sensitive information, and are subject to state law
requirements not to disclose certain types of information without
authorization. This right to request is permissive so that covered
entities can balance the needs of particular individuals with the
entity's ability to manage specific accommodations.
    Comment: Some commenters were concerned that a covered entity would
agree to a restriction and then realize later that the information must
be disclosed to another caregiver for important medical care purposes.
    Response: Some individuals seek treatment only on the condition
that information about that treatment will not be shared with others.
We believe it is necessary and appropriate, therefore, that when a
covered provider agrees to such a restriction, the individual must be
able to rely on that promise. We strongly encourage covered providers
to consider future treatment implications of agreeing to a restriction.
We encourage covered entities to inform others of the existence of a
restriction when appropriate, provided that such notice does not amount
to a de facto disclosure of the restricted information. If the covered
provider subject to the restriction believes that disclosing the
protected health information that was created or obtained subject to
the restriction is necessary to avert harm (and it is not for emergency
treatment), the provider must ask the individual for permission to
terminate or modify the restriction. If the individual agrees to the
termination of the restriction, the provider must document this
termination by noting this agreement in the medical record or by
obtaining a written agreement of termination from the individual and
may use or disclose the information for treatment. If the individual
does not agree to terminate or modify the restriction, however, the
provider must continue to honor the restriction with respect to
protected health information that was created or received subject to
the restriction. We note that if the restricted protected health
information is needed to provide emergency treatment to the individual
who requested the restriction, the covered entity may use or disclose
such information for such treatment.
    Comment: Commenters asked that we require covered entities to keep
an accounting of the requests for restrictions and to report this
information to the Department in order for the Department to determine
whether covered entities are showing ``good faith'' in dealing with
these requests.
    Response: We require that covered entities that agree to
restrictions with individuals document such restrictions. A covered
entity must retain such documentation for six years from the date of
its creation or the date when it last was in effect, whichever is
later. We do not require covered entities to keep a record of all
requests made, including those not agreed to, nor that they report such
requests to the Department. The decision to agree to restrictions is
that of the covered entity. Because there is no requirement to agree to
a restriction, there is no reason to impose the burden to document
requests that are denied. Any reporting requirement could undermine the
purpose of this provision by causing the sharing, or appearance of
sharing, of information for which individuals are seeking extra
protection.
    Comment: One commenter asserted that providers that currently allow
such restrictions will choose not to do so under the rule based on the
guidance of legal counsel and loss prevention managers, and suggested
that the Secretary promote competition among providers with respect to
privacy by developing a third-party ranking mechanism.
    Response: We believe that providers will do what is best for their
patients, in accordance with their ethics codes, and will continue to
find ways to accommodate requested restrictions when they believe that
it is in the patients' best interests. We anticipate that providers who
find such action to be of commercial benefit will notify consumers of
their willingness to be responsive to such requests. Involving third
parties could undermine the purpose of this provision, by causing the
sharing, or appearance of sharing, of information for which individuals
are seeking extra protection.

[[Page 82728]]

    Comment: One commenter said that any agreement regarding patient-
requested restrictions should be in writing before a covered provider
would be held to standards for compliance.
    Response: We agree that agreed to restrictions must be documented
in writing, and we require that covered entities that agree to
restrictions document those restrictions in accordance with
Sec. 164.530(j). The writing need not be formal; a notation in the
medical record will suffice. We disagree with the request that an
agreed to restriction be reduced to writing in order to be enforced. If
we adopted the requested policy, a covered entity could agree to a
restriction with an individual, but avoid being held to this agreed to
restriction under the rule by failing to document the restriction. This
would give a covered entity the opportunity to agree to a restriction
and then, at its sole discretion, determine if it is enforceable by
deciding whether or not to make a note of the restriction in the record
about the individual. Because the covered entity has the ability to
agree or fail to agree to a restriction, we believe that once the
restriction is agreed to, the covered entity must honor the agreement.
Any other result would be deceptive to the individual and could lead an
individual to disclose health information under the assumption that the
uses and disclosures will be restricted. Under Sec. 164.522, a covered
entity could be found to be in violation of the rule if it fails to put
an agreed-upon restriction in writing and also if it uses or discloses
protected health information inconsistent with the restriction.
    Comment: Some commenters said that the right to request
restrictions should be extended to some of the uses and disclosures
permitted without authorization in Sec. 164.510 of the NPRM, such as
disclosures to next of kin, for judicial and administrative
proceedings, for law enforcement, and for governmental health data
systems. Other commenters said that these uses and disclosures should
be preserved without an opportunity for individuals to opt out.
    Response: We have not extended the right to request restrictions
under this rule to disclosures permitted in Sec. 164.512 of the final
rule. However, we do not preempt other law that would enforce such
agreed-upon restrictions. As discussed in more detail, above, we have
extended the right to request restrictions to disclosures to persons
assisting in the individual's care, such as next of kin, under
Sec. 164.510(b). Any restriction that a covered entity agrees to with
respect to persons assisting in the individual's care in accordance
with the rule will be enforceable under the rule.
    Comment: A few commenters raised the question of the effect of a
restriction agreed to by one covered entity that is part of a larger
covered entity, particularly a hospital. Commenters were also concerned
about who may speak on behalf of the covered entity.
    Response: All covered entities are required to establish policies
and procedures for providing individuals the right to request
restrictions, including policies for who may agree to such restrictions
on the covered entity's behalf. Hospitals and other large entities that
are concerned about employees agreeing to restrictions on behalf of the
organization will have to make sure that their policies are
communicated appropriately to those employees. The circumstances under
which members of a covered entity's workforce can bind the covered
entity are a function of other law, not of this regulation.
    Comment: Commenters expressed confusion about the intended effect
of any agreed-upon restrictions on downstream covered entities. They
asserted that it would be extremely difficult for a requested
restriction to be followed through the health care system and that it
would be unfair to hold covered entities to a restriction when they did
not agree to such restriction. Specifically, commenters asked whether a
covered provider that receives protected health information in
compliance with this rule from a physician or medical group that has
agreed to limit certain uses of the information must comply with the
original restriction. Other commenters expressed concern that not
applying a restriction to downstream covered entities is a loophole and
that all downstream covered providers and health plans should be bound
by the restrictions.
    Response: Under the final rule, a restriction that is agreed to
between an individual and a covered entity is only binding on the
covered entity that agreed to the restriction and not on downstream
entities. It would also be binding on any business associate of the
covered entity, since a business associate cannot use or disclose
protected health information in any manner that a covered entity would
not be permitted to use or disclose such information. We realize that
this may limit the ability of an individual to successfully restrict a
use or disclosure under all circumstances, but we take this approach
for two reasons. First, we allow covered entities to refuse
individuals' requests for restrictions. Requiring downstream covered
entities to abide by a restriction would be tantamount to forcing them
to agree to a request to which they otherwise may not have agreed.
Second, some covered entities have information systems which will allow
them to accommodate such requests, while others do not. If the
downstream provider is in the latter category, the administrative
burden of such a requirement would be unmanageable.
    We encourage covered entities to explain this limitation to
individuals when they agree to restrictions, so individuals will
understand that they need to ask all their health plans and providers
for desired restrictions. We also require a covered entity that
discloses protected health information to a health care provider for
emergency treatment, in accordance with Sec. 164.522 (a)(iii), to
request that the recipient not further use or disclose the information.
    Comment: One commenter requested that agreed-to restrictions of a
covered entity not be applied to business associates.
    Response: As stated in Sec. 164.504(e)(2), business associates are
acting on behalf of, or performing services for, the covered entity and
may not, with two narrow exceptions, use or disclose protected health
information in a manner that would violate this rule if done by the
covered entity. Business associates are agents of the covered entity
with respect to protected health information they obtain through the
business relationship. If the covered entity agrees to a restriction
and, therefore, is bound to such restriction, the business associate
will also be required to comply with the restriction. If the covered
entity has agreed to a restriction, the satisfactory assurances from
the business associate, as required in Sec. 164.504(e), must include
assurances that protected health information will not be used or
disclosed in violation of an agreed to restriction.
    Comment: One commenter requested clarification that the right to
request restrictions cannot be used to restrict the creation of de-
identified information.
    Response: We found no reason to treat the use of protected health
information to create de-identified information differently from other
uses of protected health information. The right to request restriction
applies to any use or disclosure of protected health information to
carry out treatment, payment, or health care operations. If the covered
entity uses protected health information to create de-identified
information, the covered entity need not agree to a restriction of this
use.

[[Page 82729]]

    Comment: Some commenters stated that individuals should be given a
true right to restrict uses and disclosures of protected health
information in certain defined circumstances (such as for sensitive
information) rather than a right to request restrictions.
    Response: We are concerned that a right to restrict could create
conflicts with the professional ethical obligations of providers and
others. We believe it is better policy to allow covered entities to
refuse to honor restrictions that they believe are not appropriate and
leave the individual with the option of seeking service from a
different covered entity. In addition, many covered entities have
information systems that would make it difficult or impossible to
accommodate certain restrictions.
    Comment: Some commenters requested that self-pay patients have
additional rights to restrict protected health information. Others
believed that this policy would result in de facto discrimination
against those patients that could not afford to pay out-of-pocket.
    Response: Under the final rule, the decision whether to tie an
agreement to restrict to the way the individual pays for services is
left to each covered entity. We have not provided self-pay patients
with any special rights under the rule.
    Comment: Some commenters suggested that we require restrictions to
be clearly noted so that insurers and other providers would be aware
that they were not being provided with complete information.
    Response: Under the final rule, we neither require a covered entity
to note the existence of an omission of information nor prohibit it
from doing so. We
encourage covered entities to inform others of the existence of a
restriction, in accordance with professional practice and ethics, when
appropriate to do so. In deciding whether or not to disclose the
existence of a restriction, we encourage the covered entity to
carefully consider whether disclosing the existence is tantamount to
disclosure of the restricted protected health information so as to not
violate the agreed to restriction.
    Comment: A few commenters said that covered entities should have
the right to modify or revoke an agreement to restrict use or
disclosure of protected health information.
    Response: We agree that, as circumstances change, covered entities
should be able to revisit restrictions to which they had previously
agreed. At the same time, individuals should be able to rely on
agreements to restrict the use or disclosure of information that they
believe is particularly sensitive. If a covered entity would like to
revoke or modify an agreed-upon restriction, the covered entity must
renegotiate the agreement with the individual. If the individual agrees
to modify or terminate the restriction, the covered entity must get
written agreement from the individual or must document the oral
agreement. If the individual does not agree to terminate or modify the
restriction, the covered entity must inform the individual that it is
modifying or terminating its agreement to the restriction and any
modification or termination would apply only with respect to protected
health information created or received after the covered entity
informed the individual of the termination. Any protected health
information created or received during the time between when the
restriction was agreed to and when the covered entity informed the
individual of such modification or termination remains subject to the
restriction.
    Comment: Many commenters advocated for stronger rights to request
restrictions, particularly that victims of domestic violence should
have an absolute right to restrict disclosure of information.
    Response: We address restrictions for disclosures in two different
ways, the right to request restrictions (Sec. 164.522(a)) and
confidential communications (Sec. 164.522(b)). We have provided all
individuals with a right to request restrictions on uses or disclosures
of treatment, payment, and health care operations. This is not an
absolute right to restrict. Covered entities are not required to agree
to requested restrictions; however, if they do, the rule would require
them to act in accordance with the restrictions. (See the preamble
regarding Sec. 164.522 for a more comprehensive discussion of the right
to request restrictions.)
    In the final rule, we create a new provision that provides
individuals with a right to confidential communications, in response to
these comments. This provision grants individuals with a right to
restrict disclosures of information related to communications made by a
covered entity to the individual, by allowing the individual to request
that such communications be made to the person at an alternative
location or by an alternative means. For example, a woman who lives
with an abusive man and is concerned that his knowledge of her health
care treatment may lead to additional abuse can request that any mail
from the provider be sent to a friend's home or that telephone calls by
a covered provider be made to her at work. Other reasonable
accommodations may be requested as well, such as requesting that a
covered provider never contact the individual by a phone, but only
contact her by electronic mail. A provider must accommodate an
individual's request for confidential communications, under this
section, without requiring an explanation as to the reason for the
request as a condition of accommodating the request. The individual
does not need to be in an abusive situation to make such requests of a
covered provider. The only conditions that a covered provider may place
on an individual are that the request be reasonable with respect to the
administrative burden on the provider, that the request be in writing,
that the request specify an alternative address or other method of
contact, and that (where relevant) the individual provide information
about how
payment will be handled. What is reasonable may vary by the size or
type of covered entity; however, additional modest cost to the provider
would not be unreasonable.
    An individual also has a right to restrict communications from a
health plan. The right is the same as with covered providers except it
is limited to cases where the disclosure of information could endanger
the individual. A health plan may require an individual to state this
fact as a condition of accommodating the individual's request for
confidential communications. This would provide victims of domestic
violence the right to control such disclosures.
    Comment: Commenters opposed the provision of the NPRM
(Sec. 164.506(c)(1)(ii)(B)) stating that an individual's right to
request restrictions on use or disclosure of protected health
information would not apply in emergency situations as set forth in
proposed Sec. 164.510(k). Commenters asserted that victims who have
been harmed by violence may first turn to emergency services for help
and that, in such situations, the victim should be able to request that
the perpetrator not be told of his or her condition or whereabouts.
    Response: We agree with some of the commenters' concerns. In the
final rule, the right to request restrictions is available to all
individuals regardless of the circumstance or the setting in which the
individual is obtaining care. For example, an individual that seeks
care in an emergency room has the same right to request a restriction
as an individual seeking care in the office of a covered physician.
    However, we continue to permit a covered entity to disclose
protected health information to a health care

[[Page 82730]]

provider in an emergency treatment situation if the restricted
protected health information is needed to provide the emergency
treatment or if the disclosure is necessary to avoid serious and
imminent threats to public health and safety. Although we understand
the concern of the commenters, we believe that these exceptions are
limited and will not cause a covered entity to disclose information to
a perpetrator of a crime. We are concerned that a covered provider
would be required to delay necessary care if a covered entity had to
determine if a restriction exists at the time of such emergency. Even
if a covered entity knew that there was a restriction, we permitted
this limited exception for emergency situations because, as we had
stated in the preamble for Sec. 164.506 of the NPRM, an emergency
situation may not provide sufficient opportunity for a patient and
health care provider to discuss the potential implications of
restricting use and disclosure of protected health information on that
emergency. We also believe that the importance of avoiding serious and
imminent threats to health and safety and the ethical and legal
obligations of covered health care providers to make disclosures for
these purposes is so significant that it is not appropriate to apply
the right to request restrictions on such disclosures.
    We note that we have included other provisions in the final rule
intended to avoid or minimize harm to victims of domestic violence.
Specifically, we include provisions in the final rule that allow
individuals to opt out of certain types of disclosures and require
covered entities to use professional judgment to determine whether
disclosure of protected health information is in a patient's best
interest (see Sec. 164.510(a) on use and disclosure for facility
directories and Sec. 164.510(b) on uses and disclosures for assisting
in an individual's care and notification purposes). Although an agreed
to restriction under Sec. 164.522 would apply to uses and disclosures
for assisting in an individual's care, the opt out provision in
Sec. 164.510(b) can be more helpful to a person who is a victim of
domestic violence because the individual can opt out of such disclosure
without obtaining the agreement of the covered provider. We permit a
covered entity to elect not to treat a person as a personal
representative (see Sec. 164.502(g)) or to deny access to a personal
representative (see Sec. 164.524(a)(3)(iii)) where there are concerns
related to abuse. We also include a new Sec. 164.512(c) which
recognizes the unique circumstances surrounding disclosure of protected
health information about victims of abuse, neglect, and domestic
violence.

Section 164.522(b)--Confidential Communications Requirements

    Comment: Several commenters requested that we add a new section to
prevent disclosure of sensitive health care services to members of the
patient's family through communications to the individual's home, such
as appointment notices, confirmation or scheduling of appointments, or
mailing a bill or explanation of benefits, by requiring covered
entities to agree to correspond with the patient in another way. Some
commenters stated that this is necessary in order to protect
inadvertent disclosure of sensitive information and to protect victims
of domestic violence from disclosure to an abuser. A few commenters
suggested that a covered entity should be required to obtain an
individual's authorization prior to communicating with the individual
at the individual's home with respect to health care relating to
sensitive subjects such as reproductive health, sexually transmissible
diseases, substance abuse or mental health.
    Response: We agree with commenters' concerns regarding covered
entities' communications with individuals. We created a new provision,
Sec. 164.522(b), to address confidential communications by covered
entities. This provision gives individuals the right to request that
they receive communications from covered entities at an alternative
address or by an alternative means, regardless of the nature of the
protected health information involved. Covered providers are required
to accommodate reasonable requests by individuals and may not require
the individual to explain the basis for the request as a condition of
accommodation. Health plans are required to accommodate reasonable
requests by individuals as well; however, they may require the
individual to provide a statement that disclosure of the information
could endanger the individual, and they may condition the accommodation
on the receipt of such statement.
    Under the rule, we have required covered providers to accommodate
requests for communications to alternative addresses or by alternative
means, regardless of the reason, to limit risk of harm. Providers have
more frequent one-on-one communications with patients, making the
safety concerns from an inadvertent disclosure more substantial and the
need for confidential communications more compelling. We have made the
requirement for covered providers absolute and not contingent on the
reason for the request because we wanted to make it relatively easy for
victims of domestic violence, who face real safety concerns by
disclosures of health information, to limit the potential for such
disclosures.
    The standard we created for health plans is different from the
requirement for covered providers, in that we only require health plans
to make requested accommodations for confidential communications when
the individual asserts that disclosure could be dangerous to the
individual. We address health plan requirements in this way because
health plans are often issued to a family member (the employee), rather
than to each individual member of a family, and therefore, health plans
tend to communicate with the named insured rather than with individual
family members. Requiring plans to accommodate a restriction for one
individual could be administratively more difficult than it is for
providers that regularly communicate with individuals. However, in the
case of domestic violence or potential abuse, the level of harm that
can result from a disclosure of protected health information tips the
balance in favor of requiring such restriction to prevent inadvertent
disclosure. We have adopted the policy recommended by the National
Association of Insurance Commissioners in the Health Information Policy
Model Act (1998) as this best reflects the balance of the appropriate
level of regulation of the industry compared with the need to protect
individuals from harm that may result from inadvertent disclosure of
information. This policy is also consistent with recommendations made
in the Family Violence Prevention Fund's publication ``Health Privacy
Principles for Protecting Victims of Domestic Violence'' (October
2000). Of course, health plans may accommodate requests for
confidential communications without requiring a statement that the
individual would be in danger from disclosure of protected health
information.
    Comment: One commenter requested that we create a standard that all
information from a health plan be sent to the patient and not the
policyholder or subscriber.
    Response: We require health plans to accommodate certain requests
that information not be sent to a particular location or by particular
means. A health plan must accommodate reasonable requests by
individuals that protected health information about them be sent
directly to them and not to a policyholder or subscriber, if the

[[Page 82731]]

individual states that he or she may be in danger from disclosure of
such information. We did not generally require health plans to send
information to the patient and not the policyholder or subscriber
because we believed it would be administratively burdensome and because
the named insured may have a valid need for such information to manage
payment and benefits.

Sensitive Subjects

    Comment: Many commenters requested that additional protections be
placed on sensitive information, including information regarding HIV/
AIDS, sexually transmitted diseases, mental health, substance abuse,
reproductive health, and genetics. Many requested that we ensure the
regulation adequately protects victims of domestic violence. They
asserted that the concern for discrimination or stigma resulting from
disclosure of sensitive health information could dissuade a person from
seeking needed treatment. Some commenters noted that many state laws
provide additional protections for various types of information. They
requested that we develop federal standards to have consistent rules
regarding the protection of sensitive information to achieve the goals
of cost savings and patient protection. Others requested that we
require patient consent or special authorization before certain types
of sensitive information was disclosed, even for treatment, payment,
and health care operations, and some thought we should require a
separate request for each disclosure. Some commenters requested that
the right to request restrictions be replaced with a requirement for an
authorization for specific types of sensitive information. There were
recommendations that we require covered entities to develop internal
policies to address sensitive information.
    Other commenters argued that sensitive information should not be
segregated from the record because it may limit a future provider's
access to information necessary for treatment of the individual and it
could further stigmatize a patient by labeling him or her as someone
with sensitive health care issues. These commenters further maintained
that segregation of particular types of information could negatively
affect analysis of community needs, research, and would lead to higher
costs of health care delivery.
    Response: We generally do not differentiate among types of
protected health information, because all health information is
sensitive. The level of sensitivity varies not only with the type of
information, but also with the individual and the particular situation
faced by the individual. This is demonstrated by the different types of
information that commenters singled out as meriting special protection,
and in the great variation among state laws in defining and protecting
sensitive information. Most states have a law providing heightened
protection for some type of health information. However, even though
most states have considered the issue of sensitive information, the
variation among states in the type of information that is specially
protected and the requirements for permissible disclosure of such
information demonstrates that there is no national consensus.
    Where, as in this case, most states have acted and there is no
predominant rule that emerges from the state experience with this
issue, we have decided to let state law predominate. The final rule
only provides a floor of protection for health information and does not
preempt state laws that provide greater protection than the rule. Where
states have decided to treat certain information as more sensitive than
other information, we do not preempt those laws.
    To address the variation in the sensitivity of protected health
information without defining specially sensitive information, we
incorporate opportunities for individuals and covered entities to
address specific sensitivities and concerns about uses and disclosures
of certain protected health information that the patient and provider
believe are particularly sensitive, as follows:
    • Covered entities are required to provide individuals with
notice of their privacy practices and give individuals the opportunity
to request restrictions of the use and disclosure of protected health
information by the covered entity. (See Sec. 164.522(a) regarding right
to request restrictions.)
    • Individuals have the right to request, and in some cases
require, that communications from the covered entity to them be made to
an alternative address or by an alternative means than the covered
entity would otherwise use. (See Sec. 164.522(b) regarding confidential
communications.)
    • Covered entities have the opportunity to decide not to
treat a person as a personal representative when the covered entity has
a reasonable belief that an individual has been subjected to domestic
violence, abuse, or neglect by such person or that treating such person
as a personal representative could endanger the individual. (See
Sec. 164.502(g)(5) regarding personal representatives.)
    • Covered entities may deny access to protected health
information when there are concerns that the access may result in
varying levels of harm. (See Sec. 164.524(a)(3) regarding denial of
access.)
    • Covered health care providers may, in some circumstances
and consistent with any known prior preferences of the individual,
exercise professional judgment in the individual's best interest to not
disclose directory information. (See Sec. 164.510(a) regarding
directory information.)
    • Covered entities may, in some circumstances, exercise
professional judgment in the individual's best interest to limit
disclosure to persons assisting in the individual's care. (See
Sec. 164.510(b) regarding persons assisting in the individual's care.)
    This approach allows for state law and personal variation in this
area.
    The only type of protected health information that we treat with
heightened protection is psychotherapy notes. We provide a different
level of protection because they are unique types of protected health
information that typically are not used or required for treatment,
payment, or health care operations other than by the mental health
professional that created the notes. (See Sec. 164.508(a)(2) regarding
psychotherapy notes.)

Section 164.524--Access of Individuals to Protected Health
Information

    Comment: Some commenters recommended that there be no access to
disease registries.
    Response: Most entities that maintain disease registries are not
covered entities under this regulation; examples of such non-covered
entities are public health agencies and pharmaceutical companies. If,
however, a disease registry is maintained by a covered entity and is
used to make decisions about individuals, this rule requires the
covered entity to provide access to information about a requesting
individual unless one of the rule's conditions for denial of access is
met. We found no persuasive reasons why disease registries should be
given special treatment compared with other information that may be
used to make decisions about an individual.
    Comment: Some commenters stated that covered entities should be
held accountable for access to information held by business partners so
that individuals would not have the burden of tracking down their
protected health information from a business partner. Many commenters,
including insurers

[[Page 82732]]

and academic medical centers, recommended that, to reduce burden and
duplication, only the provider who created the protected health
information should be required to provide individuals access to the
information. Commenters also asked that other entities, including
business associates, the Medicare program, and pharmacy benefit
managers, not be required to provide access, in part because they do
not know what information the covered entity already has and they may
not have all the information requested. A few commenters also argued
that billing companies should not have to provide access because they
have a fiduciary responsibility to their physician clients to maintain
the confidentiality of records.
    Response: A general principle in responding to all of these points
is that a covered entity is required to provide access to protected
health information in accordance with the rule regardless of whether
the covered entity created such information or not. Thus, we agree with
the first point: in order to meet its requirements for providing
access, a covered entity must not only provide access to such protected
health information it holds, but must also provide access to such
information in a designated record set of its business associate,
pursuant to its business associate contract, unless the information is
the same as information maintained directly by the covered entity. We
require this because an individual may not be aware of business
associate relationships. Requiring an individual to track down
protected health information held by a business associate would
significantly limit access. In addition, we do not permit a covered
entity to limit its duty to provide access by giving protected health
information to a business associate.
    We disagree with the second point: if the individual directs an
access request to a covered entity that has the protected health
information requested, the covered entity must provide access (unless
it may deny access in accordance with this rule). In order to assure
that an individual can exercise his or her access rights, we do not
require the individual to make a separate request to each originating
provider. The originating provider may no longer be in business or may
no longer have the information, or the non-originating provider may
have the information in a modified or enhanced form.
    We disagree with the third point: other entities must provide
access only if they are covered entities or business associates of
covered entities, and they must provide access only to protected health
information that they maintain (or that their business associates
maintain). It would not be efficient to require a covered entity to
compare another entity's information with that of the entity to which
the request was addressed. (See the discussion regarding covered
entities for information about whether a pharmacy benefit manager is a
covered entity.)
    We disagree with the fourth point: a billing company will be
required by its business associate contract only to provide the
requested protected health information to its physician client. This
action will not violate any fiduciary responsibility. The physician
client would in turn be required by the rule to provide access to the
individual.
    Comment: Some commenters asked for clarification that the
clearinghouse function of turning non-standardized data into
standardized data does not create non-duplicative data and that
``duplicate'' does not mean ``identical.'' A few commenters suggested
that duplicated information in a covered entity's designated record set
be supplied only once per request.
    Response: We consider as duplicative information the same
information in different formats, media, or presentations, or which
has been standardized. Business associates who have materially altered
protected health information are obligated to provide individuals
access to it. Summary information and reports, including those of lab
results, are not the same as the underlying information on which the
summaries or reports were based. A clean document is not a duplicate of
the same document with notations. If the same information is kept in
more than one location, the covered entity has to produce the
information only once per request for access.
    Comment: A few commenters suggested requiring covered entities to
disclose to third parties without exception at the requests of
individuals. It was argued that this would facilitate disability
determinations when third parties need information to evaluate
individuals' entitlement to benefits. Commenters argued that since
covered entities may deny access to individuals under certain
circumstances, individuals must have another method of providing third
parties with their protected health information.
    Response: We allow covered entities to forward protected health
information about an individual to a third party, pursuant to the
individual's authorization under Sec. 164.508. We do not require
covered entities to disclose information pursuant to such
authorizations because the focus of the rule is privacy of protected
health information. Requiring disclosures in all circumstances would be
counter to this goal. In addition, a requirement of disclosing
protected health information to a third party is not a necessary
substitute for the right of access to individuals, because we allow
denial of access to individuals under rare circumstances. However, if
the third party is a personal representative of the individual in
accordance with Sec. 164.502(g) and there is no concern regarding abuse
or harm to the individual or another person, we require the covered
entity to provide access to that third party on the individual's
behalf, subject to specific limitations. We note that a personal
representative may obtain access on the individual's behalf in some
cases where a covered entity may deny access to the individual. For
example, an inmate may be denied a copy of protected health
information, but a personal representative may be able to obtain a copy
on the individual's behalf. See Sec. 164.502(g) and the corresponding
preamble discussion regarding the ability of a personal representative
to act on an individual's behalf.
    Comment: The majority of commenters supported granting individuals
the right to access protected health information for as long as the
covered entity maintains the protected health information; commenters
argued that to do otherwise would interfere with existing record
retention laws. Some commenters advocated for limiting the right to
information that is less than one or two years old. A few commenters
explained that frequent changes in technology make it more difficult
to access stored data. The commenters noted that the information
obtained prior to the effective date of the rule should not be required
to be accessible.
    Response: We agree with the majority of commenters and retain the
proposal to require covered entities to provide access for as long as
the entity maintains the protected health information. We do not agree
that information created prior to the effective date of the rule should
not be accessible. The reasons for granting individuals access to
information about them do not vary with the date the information was
created.
    Comment: A few commenters argued that there should be no grounds
for denying access, stating that individuals should always have the
right to inspect and copy their protected health information.

[[Page 82733]]

    Response: While we agree that in the vast majority of instances
individuals should have access to information about them, we cannot
agree that a blanket rule would be appropriate. For example, where a
professional familiar with the particular circumstances believes that
providing such access is likely to endanger a person's life or physical
safety, or where granting such access would violate the privacy of
other individuals, the benefits of allowing access may not outweigh the
harm. Similarly, we allow denial of access where disclosure would
reveal the source of confidential information because we do not want to
interfere with a covered entity's ability to maintain implicit or
explicit promises of confidence.
    We create narrow exceptions to the rule of open access, and we
expect covered entities to employ these exceptions rarely, if at all.
Moreover, we require covered entities to provide access to any
protected health information requested after excluding only the
information that is subject to a denial. The categories of permissible
denials are not mandatory, but are a means of preserving the
flexibility and judgment of covered entities under appropriate
circumstances.
    Comment: Many commenters supported our proposal to allow covered
entities to deny an individual access to protected health information
if a professional determines either that such access is likely to
endanger the life or physical safety of a person or, if the information
is about another person, access is reasonably likely to cause
substantial harm to such person.
    Some commenters requested that the rule also permit covered
entities to deny a request if access might be reasonably likely to
cause psychological or mental harm, or emotional distress. Other
commenters, however, were particularly concerned about access to mental
health information, stating that the lack of access creates resentment
and distrust in patients.
    Response: We disagree with the comments suggesting that we expand
the grounds for denial of access to an individual to include a
likelihood of psychological or mental harm of the individual. We did
not find persuasive evidence that this is a problem sufficient to
outweigh the reasons for providing open access. We do allow a denial
for access based on a likelihood of substantial psychological or mental
harm, but only if the protected health information includes information
about another person and the harm may be inflicted on such other person
or if the person requesting the access is a personal representative of
the individual and the harm may be inflicted on the individual or
another person.
    We generally agree with the commenters' concerns that denying access
specifically to mental health records could create distrust. To balance
this concern with other commenters' concerns about the potential for
psychological harm, however, we exclude psychotherapy notes from the
right of access. This is the only distinction we make between mental
health information and other types of protected health information in
the access provisions of this rule. Unlike other types of protected
health information, these notes are not widely disseminated through the
health care system. We believe that the individual's privacy interests
in having access to these notes, therefore, are outweighed by the
potential harm caused by such access. We encourage covered entities
that maintain psychotherapy notes, however, to provide individuals
access to these notes when they believe it is appropriate to do so.
    Comment: Some commenters believed that there is a potential for
abuse of the provision allowing denial of access because of likely harm
to self. They questioned whether there is any experience from the
Privacy Act of 1974 to suggest that patients who requested and received
their records have ever endangered themselves as a result.
    Response: We are unaware of such problems from access to records
that have been provided under the Privacy Act but, since these are
private matters, such problems might not come to our attention. We
believe it is more prudent to preserve the flexibility and judgment of
health care professionals familiar with the individuals and facts
surrounding a request for records than to impose the blanket rule
suggested by these commenters.
    Comment: Commenters asserted that the NPRM did not adequately
protect vulnerable individuals who depend on others to exercise their
rights under the rule. They requested that the rule permit a covered
entity to deny access when the information is requested by someone
other than the subject of the information and, in the opinion of a
licensed health care professional, access to the information could harm
the individual or another person.
    Response: We agree with the commenters that such protection is
warranted and add a provision in Sec. 164.524(a)(3), which permits a
covered health care provider to deny access if a personal
representative of the individual is making the request for access and a
licensed health care professional has determined, in the exercise of
professional judgment, that providing access to such personal
representative could result in substantial harm to the individual or
another person. Access can be denied even if the potential harm may be
inflicted by someone other than the personal representative.
    This provision is designed to strike a balance between the
competing interests of ensuring access to protected health information
and protecting the individual or others from harm. The ``substantial
harm'' standard will ensure that a covered entity cannot deny access in
cases where the harm is de minimis.
    The amount of discretion that a covered entity has to deny access
to a personal representative is generally greater than the amount of
discretion that a covered entity has to deny access to an individual.
Under the final rule, a covered entity may deny access to an individual
if a licensed health care professional determines that the access
requested is reasonably likely to endanger the life or physical safety
of the individual or another person. In this case, concerns about
psychological or emotional harm would not be sufficient to justify
denial of access. We establish a relatively high threshold because we
want to assure that individuals have broad access to health information
about them, and due to the potential harm that comes from denial of
access, we believe denials should be permitted only in limited
circumstances.
    The final rule grants covered entities greater discretion to deny
access to a personal representative than to an individual in order to
provide protection to those vulnerable people who depend on others to
exercise their rights under the rule and who may be subjected to abuse
or neglect. This provision applies to personal representatives of
minors as well as other individuals. The same standard for denial of
access on the basis of potential harm that applies to personal
representatives also applies when an individual is seeking access to
his or her protected health information, and the information makes
reference to another person. Under these circumstances, a covered
entity may deny a request for access if such access is reasonably
likely to cause substantial harm to such other person. The standard for
this provision and for the provision regarding access by personal
representatives is the same because both circumstances involve one
person obtaining information about another person, and in both cases
the covered entity is balancing the right of access of one person
against the right of

[[Page 82734]]

a second person not to be harmed by the disclosure.
    Under any of these grounds for denial of access to protected health
information, the covered entity is not required to deny access to a
personal representative, but has the discretion to do so.
    In addition to denial of access rights, we also address the
concerns raised by abusive or potentially abusive situations in the
section regarding personal representatives by giving covered entities
discretion to not recognize a person as a personal representative of an
individual if the covered entity has a reasonable belief that the
individual has been subjected to domestic violence, abuse, or neglect
by or would be in danger from a person seeking to act as the personal
representative. (See Sec. 164.502(g))
    Comment: A number of commenters were concerned that this provision
would lead to liability for covered entities if the release of
information results in harm to individuals. Commenters requested a
``good faith'' standard in this provision to relieve covered entities
of liability if individuals suffer harm as a result of seeing their
protected health information or if the information is found to be
erroneous. A few commenters suggested requiring providers (when
applicable) to include with any disclosure to a third party a statement
that, in the provider's opinion, the information should not be
disclosed to the patient.
    Response: We do not intend to create a new duty to withhold
information nor to affect other laws on this issue. Some state laws
include policies similar to this rule, and we are not aware of
liability arising as a result.
    Comment: Some commenters suggested that both the individual's
health care professional and a second professional in the relevant
field of medicine should review each request. Many commenters suggested
that individuals have a right to have an independent review of any
denial of access, e.g., review by a health care professional of the
individual's choice.
    Response: We agree with the commenters who suggest that denial on
grounds of harm to self or others should be determined by a health
professional, and retain this requirement in the final rule. We
disagree, however, that all denials should be reviewed by a
professional of the individual's choice. We are concerned that the
burden such a requirement would place on covered entities would be
significantly greater than any benefits to the individual. We believe
that any health professional, not just one of the individual's choice,
will exercise appropriate professional judgment. To address some of
these concerns, however, we add a provision for the review of denials
requiring the exercise of professional judgment. If a covered entity
denies access based on harm to self or others, the individual has the
right to have the denial reviewed by another health care professional
who did not participate in the original decision to deny access.
    Comment: A few commenters objected to the proposal to allow covered
entities to deny a request for access to health information if the
information was obtained from a confidential source that may be
revealed upon the individual's access. They argued that this could be
subject to abuse and the information could be inherently less reliable,
making the patient's access to it even more important.
    Response: While we acknowledge that information provided by
confidential sources could be inaccurate, we are concerned that
allowing unfettered access to such information could undermine the
trust between a health care provider and patients other than the
individual. We retain the proposed policy because we do not want to
interfere with a covered entity's ability to obtain important
information that can assist in the provision of health care or to
maintain implicit or explicit promises of confidence, which may be
necessary to obtain such information. We believe the concerns raised
about abuse are mitigated by the fact that the provision does not apply
to promises of confidentiality made to a health care provider. We note
that a covered entity may provide access to such information.
    Comment: Some commenters were concerned that the NPRM did not allow
access to information unrelated to treatment, and thus did not permit
access to research information.
    Response: In the final rule, we eliminate the proposed special
provision for ``research information unrelated to treatment.'' The only
restriction on access to research information in this rule applies
where the individual agrees in advance to denial of access when
consenting to participate in research that includes treatment. In this
circumstance, the individual's right of access to protected health
information created in the course of the research may be suspended for
as long as the research is in progress, but access rights resume after
such time. In other instances, we make no distinction between research
information and other information in the access provisions in this
rule.
    Comment: A few commenters supported the proposed provision
temporarily denying access to information obtained during a clinical
trial if participants agreed to the denial of access when consenting to
participate in the trial. Some commenters believed there should be no
access to any research information. Other commenters believed denial
should occur only if the trial would be compromised. Several
recommended conditioning the provision. Some recommended that access
expires upon completion of the trial unless there is a health risk. A
few commenters suggested that access should be allowed only if it is
included in the informed consent and that the informed consent should
note that some information may not be released to the individual,
particularly research information that has not yet been validated.
Other commenters believed that there should be access if the research
is not subject to IRB or privacy board review or if the information can
be disclosed to third parties.
    Response: We agree with the commenters that support temporary
denial of access to information from research that includes treatment
if the subject has agreed in advance, and with those who suggested that
the denial of access expire upon completion of the research, and retain
these provisions in the final rule. We disagree with the commenters who
advocate for further denial of this information. These comments did not
explain why an individual's interest in access to health information
used to make decisions about them is less compelling with respect to
research information. Under this rule, all protected health information
for research is subject either to privacy board or IRB review unless a
specific authorization to use protected health information for research
is obtained from the individual. Thus, this is not a criterion we can
use to determine access rights.
    Comment: A few commenters believed that it would be ``extremely
disruptive of and dangerous'' to patients to have access to records
regarding their current care and that state law provides sufficient
protection of patients' rights in this regard.
    Response: We do not agree. Information about current care has
immediate and direct impact on individuals. Where a health care
professional familiar with the circumstances believes that it is
reasonably likely that access to records would endanger the life or
physical safety of the individual or another

[[Page 82735]]

person, the regulation allows the professional to withhold access.
    Comment: Several commenters requested clarification that a patient
not be denied access to protected health information because of failure
to pay a bill. A few commenters requested clarification that entities
may not deny requests simply because producing the information would be
too burdensome.
    Response: We agree with these comments, and confirm that neither
failure to pay a bill nor burden is a lawful reason to deny access
under this rule. Covered entities may deny access only for the reasons
provided in the rule.
    Comment: Some commenters requested that the final rule not include
detailed procedural requirements about how to respond to requests for
access. Others made specific recommendations on the procedures for
providing access, including requiring written requests, requiring
specific requests instead of blanket requests, and limiting the
frequency of requests. Commenters generally argued against requiring
covered entities to acknowledge requests, except under certain
circumstances, because of the potential burden on entities.
    Response: We intend to provide sufficient procedural guidelines to
ensure that individuals have access to their protected health
information, while maintaining the flexibility for covered entities to
implement policies and procedures that are appropriate to their needs
and capabilities. We believe that a limit on the frequency of requests
individuals may make would arbitrarily infringe on the individual's
right of access and have, therefore, not included such a limitation. To
limit covered entities' burden, we do not require covered entities to
acknowledge receipt of the individuals' requests, other than to notify
the individual once a decision on the request has been made. We also
permit a covered entity to require an individual to make a request for
access in writing and to discuss a request with an individual to
clarify which information the individual is actually requesting. If
individuals agree, covered entities may provide access to a subset of
information rather than all protected health information in a
designated record set. We believe these changes provide covered
entities with greater flexibility without compromising individuals'
access rights.
    Comment: Commenters offered varying suggestions for required
response time, ranging from 48 hours because of the convenience of
electronic records to 60 days because of the potential burden. Others
argued against a finite time period, suggesting the response time be
based on mutual convenience of covered entities and individuals,
reasonableness, and exigencies. Commenters also varied on suggested
extension periods, from one 30-day extension to three 30-day extensions
to one 90-day extension, with special provisions for off-site records.
    Response: We are imposing a time limit because individuals are
entitled to know when to expect a response. Timely access to protected
health information is important because such information may be
necessary for the individual to obtain additional health care services,
insurance coverage, or disability benefits, and the covered entity may
be the only source for such information. To provide additional
flexibility, we eliminate the requirement that access be provided as
soon as possible and we lengthen the deadline for access to off-site
records. For on-site records, covered entities must act on a request
within 30 days of receipt of the request. For off-site records,
entities must complete action within 60 days. We also permit covered
entities to extend the deadline by up to 30 days if they are unable to
complete action on the request within the standard deadline. These time
limits are intended to be an outside deadline rather than an
expectation. We expect covered entities to be attentive to the
circumstances surrounding each request and respond in an appropriate
time frame.
    Comment: A few commenters suggested that, upon individuals'
requests, covered entities should be required to provide protected
health information in a format that would be understandable to a
patient, including explanations of codes or abbreviations. The
commenters suggested that covered entities be permitted to provide
summaries of pertinent information instead of full copies of records;
for example, a summary may be more helpful for the patient's purpose
than a series of indecipherable billing codes.
    Response: We agree with these commenters' point that some health
information is difficult to interpret. We clarify, therefore, that the
covered entity may provide summary information in lieu of the
underlying records. A summary may only be provided if the covered
entity and the individual agree, in advance, to the summary and to any
fees imposed by the covered entity for providing such summary. We
similarly permit a covered entity to provide an explanation of the
information. If the covered entity charges a fee for providing an
explanation, it must obtain the individual's agreement to the fee in
advance.
    Comment: Though there were recommendations that fees be limited to
the costs of copying, the majority of commenters on this topic
requested that covered entities be able to charge a reasonable, cost-
based fee. Commenters suggested that calculation of access costs
involve factors such as labor costs for verification of requests, labor
and software costs for logging of requests, labor costs for retrieval,
labor costs for copying, expense costs for copying, capital cost for
copying, expense costs for mailing, postal costs for mailing, billing
and bad-debt expenses, and labor costs for refiling. Several commenters
recommended specific fee structures.
    Response: We agree that covered entities should be able to recoup
their reasonable costs for copying of protected health information, and
include such provision in the regulation. We are not specifying a set
fee because copying costs could vary significantly depending on the
size of the covered entity and the form of such copy (e.g., paper,
electronic, film). Rather, covered entities are permitted to charge a
reasonable, cost-based fee for copying (including the costs of supplies
and labor), postage, and summary or explanation (if requested and
agreed to by the individual) of information supplied. The rule limits
the types of costs that may be imposed for providing access to
protected health information, but does not preempt applicable state
laws regarding specific allowable fees for such costs. The inclusion of
a copying fee is not intended to impede the ability of individuals to
copy their records.
    Comment: Many commenters stated that if a covered entity denies a
request for access because the entity does not hold the protected
health information requested, the covered entity should provide, if
known, the name and address of the entity that holds the information.
Some of these commenters additionally noted that the Uniform Insurance
Information and Patient Protection Act, adopted by 16 states, already
imposes this notification requirement on insurance entities. Some
commenters also suggested requiring providers who leave practice or
move offices to inform individuals of that fact and of how to obtain
their records.
    Response: We agree that, when covered entities deny requests for
access because they do not hold the protected health information
requested, they should inform individuals of the holder of the
information, if known; we include this provision in the final rule. We
do not require health care providers to

[[Page 82736]]

notify all patients when they move or leave practice, because the
volume of such notifications would be unduly burdensome.

Section 164.526--Amendment of Protected Health Information

    Comment: Many commenters strongly encouraged the Secretary to adopt
``appendment'' rather than ``amendment and correction'' procedures.
They argued that the term ``correction'' implies a deletion of
information and that the proposed rule would have allowed covered
entities to remove portions of the record at their discretion.
Commenters indicated that appendment rather than correction procedures
will ensure the integrity of the medical record and allow subsequent
health care providers access to the original information as well as the
appended information. They also indicated appendment procedures will
protect both individuals and covered entities since medical records are
sometimes needed for litigation or other legal proceedings.
    Response: We agree with commenters' concerns about the term
``correction.'' We have revised the rule and deleted ``correction''
from this provision in order to clarify that covered entities are not
required by this rule to delete any information from the designated
record set. We do not intend to alter medical record retention laws or
current practice, except to require covered entities to append
information as requested to ensure that a record is accurate and
complete. If a covered entity prefers to comply with this provision by
deleting the erroneous information, and applicable record retention
laws allow such deletion, the entity may do so. For example, an
individual may inform the entity that someone else's X-rays are in the
individual's medical record. If the entity agrees that the X-ray is
inaccurately filed, the entity may choose to so indicate and note where
in the record the correct X-ray can be found. Alternatively, the entity
may choose to remove the X-ray from the record and replace it with the
correct X-ray, if applicable law allows the entity to do so. We intend
the term ``amendment'' to encompass either action.
    We believe this approach is consistent with well-established
privacy principles, with other law, and with industry standards and
ethical guidelines. The July 1977 Report of the Privacy Protection
Study Commission recommended that health care providers and other
organizations that maintain medical-record information have procedures
for individuals to correct or amend the information.\28\ The Privacy
Act (5 U.S.C. 552a) requires government agencies to permit individuals
to request amendment of any record the individual believes is not
accurate, relevant, timely, or complete. In its report ``Best
Principles for Health Privacy,'' the Health Privacy Working Group
recommended, ``An individual should have the right to supplement his or
her own medical record. Supplementation should not be implied to mean
deletion or alteration of the medical record.'' \29\ The National
Association of Insurance Commissioners' Health Information Privacy
Model Act establishes the right of an individual who is the subject of
protected health information to amend protected health information to
correct any inaccuracies. The National Conference of Commissioners on
Uniform State Laws' Uniform Health Care Information Act states,
``Because accurate health-care information is not only important to the
delivery of health care, but for patient applications for life,
disability and health insurance, employment, and a great many other
issues that might be involved in civil litigation, this Act allows a
patient to request an amendment in his record.''
---------------------------------------------------------------------------

    \28\ Privacy Protection Study Commission, ``Personal Privacy in
an Information Society,'' July 1977, p. 300-303.
    \29\ Health Privacy Working Group, ``Best Principles for Health
Privacy,'' Health Privacy Project, Institute for Health Care
Research and Policy, Georgetown University, July 1999.
---------------------------------------------------------------------------

    Some states also establish a right for individuals to amend health
information about them. For example, Hawaii law (HRS section 323C-12)
states, ``An individual or the individual's authorized representative
may request in writing that a health care provider that generated
certain health care information append additional information to the
record in order to improve the accuracy or completeness of the
information; provided that appending this information does not erase or
obliterate any of the original information.'' Montana law (MCA section
50-16-543) states, ``For purposes of accuracy or completeness, a
patient may request in writing that a health care provider correct or
amend its record of the patient's health care information to which he
has access.'' Connecticut, Georgia, and Maine provide individuals a
right to request correction, amendment, or deletion of recorded
personal information about them maintained by an insurance institution.
Many other states have similar provisions.
    Industry and standard-setting organizations have also developed
policies for amendment of health information. The National Committee
for Quality Assurance and the Joint Commission on Accreditation of
Healthcare Organizations issued recommendations stating, ``The
opportunity for patients to review their records will enable them to
correct any errors and may provide them with a better understanding of
their health status and treatment. Amending records does not erase the
original information. It inserts the correct information with a
notation about the date the correct information was available and any
explanation about the reason for the error.'' \30\ Standards of the
American Society for Testing and Materials state, ``An individual has a
right to amend by adding information to his or her record or database
to correct inaccurate information in his or her patient record and in
secondary records and databases which contain patient identifiable
health information.'' \31\ We build on this well-established principle
in this final rule.
---------------------------------------------------------------------------

    \30\ National Committee on Quality Assurance and the Joint
Commission on Accreditation of Healthcare Organizations,
``Protecting Personal Health Information: A Framework for Meeting
the Challenges in a Managed Care Environment,'' 1998, p. 25.
    \31\ ASTM, ``Standard Guide for Confidentiality, Privacy, Access
and Data Security, Principles for Health Information Including
Computer-Based Patient Records,'' E 1869-97, Sec. 11.1.1.
---------------------------------------------------------------------------

    Comment: Some commenters supported the proposal to allow
individuals to request amendment for as long as the covered provider or
plan maintains the information. A few argued that the provision should
be time-limited, e.g., that covered entities should not have to amend
protected health information that is more than two years old. Other
comments suggested that the provision should only be applied to
protected health information created after the compliance date of the
regulation.
    Response: The purpose of this provision is to create a mechanism
whereby individuals can ensure that information about them is as
accurate as possible as it travels through the health care system and
is used to make decisions, including treatment decisions, about them.
To achieve this result, individuals must have the ability to request
amendment for as long as the information used to make decisions about
them exists. We therefore retain the proposed approach. For these
reasons, we also require covered entities to address requests for
amendment of all protected health information within designated record
sets, including information created or obtained prior to

[[Page 82737]]

the compliance date, for as long as the entity maintains the
information.
    Comment: A few commenters were concerned that the proposal implied
that the individual is in control of and may personally change the
medical record. These commenters opposed such an approach.
    Response: We do not give individuals the right to alter their
medical records. Individuals may request amendment, but they have no
authority to determine the final outcome of the request and may not
make actual changes to the medical record. The covered entity must
review the individual's request and make appropriate decisions. We have
clarified this intent in Sec. 164.526(a)(1) by stating that individuals
have a right to have a covered entity amend protected health
information and in Sec. 164.526(b)(2) by stating that covered entities
must act on an individual's request for amendment.
    Comment: Some comments argued that there is no free-text field in
some current transaction formats that would accommodate the extra text
required to comply with the amendment provisions (e.g., sending
statements of disagreement along with all future disclosures of the
information at issue). Commenters argued that this provision will
burden the efficient transmission of information, contrary to HIPAA
requirements.
    Response: We believe that most amendments can be incorporated into
the standard transactions as corrections of erroneous data. We agree
that some of the standard transactions cannot currently accommodate
additional material such as statements of disagreement and rebuttals to
such statements. To accommodate these rare situations, we modify the
requirements in Sec. 164.526(d)(iii). The provision now states that if
a standard transaction does not permit the inclusion of the additional
material required by this section, the covered entity may separately
transmit the additional material to the recipient of the standard
transaction. Commenters interested in modifying the standard
transactions to allow the incorporation of additional materials may
also bring the issue up for resolution through the process established
by the Transactions Rule and described in its preamble.
    Comment: The NPRM proposed to allow amendment of protected health
information in designated record sets. Some commenters supported the
concept of a designated record set and stated that it appropriately
limits the type of information available for amendment to information
directly related to treatment. Other commenters were concerned about
the burden this provision will create due to the volume of information
that will be available for amendment. They were primarily concerned
with the potential for frivolous, minor, or technical requests. They
argued that for purposes of amendment, this definition should be
limited to information used to make medical or treatment decisions
about the individual. A few commenters requested clarification that
individuals do not have a right to seek amendment unless there is
verifiable information to support their claim or they can otherwise
convince the entity that the information is inaccurate or incomplete.
    Response: We believe that the same information available for
inspection should also be subject to requests for amendment, because
the purpose of these provisions is the same: To give consumers access
to and the chance to correct errors in information that may be used to
make decisions that affect their interests. We thus retain use of the
``designated record set'' in this provision. However, we share
commenters' concerns about the potential for minor or technical
requests. To address this concern, we have clarified that covered
entities may deny a request for amendment if the request is not in
writing and does not articulate a reason to support the request, as
long as the covered entity informs the individual of these requirements
in advance.
    Comment: Many commenters noted the potentially negative impact of
the proposal to allow covered entities to deny a request for amendment
if the covered entity did not create the information at issue. Some
commenters pointed out that the originator of the information may no
longer exist or the individual may not know who created the information
in question. Other commenters supported the proposal that only the
originator of the information is responsible for amendments to it. They
argued that any extension of this provision requiring covered entities
to amend information they have not created is administratively and
financially burdensome.
    Response: In light of the comments, we modify the rule to require
the holder of the information to consider a request for amendment if
the individual requesting amendment provides a reasonable basis to
believe that the originator of the information is no longer available
to act on a request. For example, if a request indicates that the
information at issue was created by a hospital that has closed, and the
request is not denied on other grounds, then the entity must amend the
information. This provision is necessary to preserve an individual's
right to amend protected health information about them in certain
circumstances.
    Comment: Some commenters stated that the written contract between a
covered entity and its business associate should stipulate that the
business associate is required to amend protected health information in
accordance with the amendment provisions. Otherwise, these commenters
argued, there would be a gap in the individual's right to have
erroneous information corrected, because the covered entity could deny
a request for amendment of information created by a business associate.
    Response: We agree that information created by the covered entity
or by the covered entity's business associates should be subject to
amendment. This requirement is consistent with the requirement to make
information created by a business associate available for inspection
and copying. We have revised the rule to require covered entities to
specify in the business associate contract that the business associate
will make protected health information available for amendment and will
incorporate amendments accordingly. (See Sec. 164.504(e).)
    Comment: One commenter argued that covered entities should be
required to presume information must be corrected where an individual
informs the entity that an adjudicative process has made a finding of
medical identity theft.
    Response: Identity theft is one of many reasons why protected
health information may be inaccurate, and is one of many subjects that
may result in an adjudicative process relevant to the accuracy of
protected health information. We believe that this provision
accommodates this situation without a special provision for identity
theft.
    Comment: Some commenters asserted that the proposed rule's
requirement that action must be taken on individuals' requests within
60 days of the receipt of the request was unreasonable and burdensome.
A few commenters proposed up to three 30-day extensions for
``extraordinary'' (as defined by the entity) requests.
    Response: We agree that 60 days will not always be a sufficient
amount of time to adequately respond to these requests. Therefore, we
have revised this provision to allow covered entities the option of a
30-day extension to deal with requests that require additional response
time. However, we expect that 60 days will be adequate for most cases.
    Comment: One commenter questioned whether a covered entity could

[[Page 82738]]

appropriately respond to a request by amending the record, without
indicating whether it believes the information at issue is accurate and
complete.
    Response: An amendment need not include a statement by the covered
entity as to whether the information is or is not accurate and
complete. A covered entity may choose to amend a record even if it
believes the information at issue is accurate and complete. If a
request for amendment is accepted, the covered entity must notify the
individual that the record has been amended. This notification need not
include any explanation as to why the request was accepted. A
notification of a denied request, however, must contain the basis for
the denial.
    Comment: A few commenters suggested that when an amendment is made,
the date should be noted. Some also suggested that the physician should
sign the notation.
    Response: We believe such a requirement would create a burden that
is not necessary to protect individuals' interests, and so have not
accepted this suggestion. We believe that the requirements of
Sec. 164.526(c) regarding actions a covered entity must take when
accepting a request will provide an adequate record of the amendment. A
covered entity may date and sign an amendment at its discretion.
    Comment: The NPRM proposed that covered entities, upon accepting a
request for amendment, make reasonable efforts to notify those persons
the individual identifies, and other persons whom the covered entity
knows have received the erroneous or incomplete information and who may
have relied, or could foreseeably rely, on such information to the
detriment of the individual. Many commenters argued that this
notification requirement was too burdensome and should be narrowed.
They expressed concern that covered entities would have to notify
anyone who might have received the information, even persons identified
by the individual with whom the covered entity had no contact. Other
commenters also contended that this provision would require covered
entities to determine the reliance another entity might place on the
information and suggested that particular part of the notification
requirements be removed. Another commenter suggested that the
notification provision be eliminated entirely, believing that it was
unnecessary.
    Response: Although there is some associated administrative burden
with this provision, we believe it is a necessary requirement to
effectively communicate amendments of erroneous or incomplete
information to other parties. The negative effects of erroneous or
incomplete medical information can be devastating. This requirement
allows individuals to exercise some control in determining recipients
they consider important to be notified, and requires the covered entity
to communicate amendments to other persons that the covered entity
knows have the erroneous or incomplete information and may take some
action in reliance on the erroneous or incomplete information to the
detriment of the individual. We have added language to clarify that the
covered entity must obtain the individual's agreement to have the
amendment shared with the persons the individual and covered entity
identifies. We believe these notification requirements appropriately
balance covered entities' burden and individuals' interest in
protecting the accuracy of medical information used to make decisions
about them. We therefore retain the notification provisions
substantially as proposed.
    Comment: Some commenters argued against the proposed provision
requiring a covered entity that receives a notice of amendment to
notify its business associates, ``as appropriate,'' of necessary
amendments. Some argued that covered entities should only be required
to inform business associates of these changes if the amendment could
affect the individual's further treatment, citing the administrative
and financial burden of notifying all business associates of changes
that may not have a detrimental effect on the patient. Other commenters
suggested that covered entities should only be required to inform
business associates whom they reasonably know to be in possession of
the information.
    Response: We agree with commenters that clarification is warranted.
Our intent is that covered entities must meet the requirements of this
rule with respect to protected health information they maintain,
including protected health information maintained on their behalf by
their business associates. We clarify this intent by revising the
definition of designated record set (see Sec. 164.501) to include
records maintained ``by or for'' a covered entity. Section 164.526(e)
requires a covered entity that is informed of an amendment made by
another covered entity to incorporate that amendment into designated
record sets, whether the designated record set is maintained by the
covered entity or for the covered entity by a business associate. If a
business associate maintains the record at issue on the covered
entity's behalf, the covered entity must fulfill its requirement by
informing the business associate of the amendment to the record. The
contract with the business associate must require the business
associate to incorporate any such amendments. (See Sec. 164.504(e).)
    Comment: Some commenters supported the proposal to require covered
entities to provide notification of the covered entity's statement of
denial and the individual's statement of disagreement in any subsequent
disclosures of the information to which the dispute relates. They
argued that we should extend this provision to prior recipients of
disputed information who have relied on it. These commenters noted an
inconsistency in the proposed approach, since notification of accepted
amendments is provided to certain previous recipients of erroneous
health information and to recipients of future disclosures. They
contended there is not a good justification for the different treatment
and believed that the notification standard should be the same,
regardless of whether the covered entity accepts the request for
amendment.
    These commenters also recommended that the individual be notified
of the covered entity's intention to rebut a statement of disagreement.
They suggested requiring covered entities to send a copy of the
statement of rebuttal to the individual.
    Response: Where a request for amendment is accepted, the covered
entity knows that protected health information about the individual is
inaccurate or incomplete or the amendment is otherwise warranted; in
these circumstances, it is reasonable to ask the covered entity to
notify certain previous recipients of the information that reliance on
such information could be harmful. Where, however, the request for
amendment is denied, the covered entity believes that the relevant
information is accurate and complete or the amendment is otherwise
unacceptable. In this circumstance, the burden of prior notification
outweighs the potential benefits. We therefore do not require
notification of prior recipients.
    We agree, however, that individuals should know how a covered
entity has responded to their requests, and therefore add a requirement
that covered entities also provide a copy of any rebuttal statements to
the individual.

[[Page 82739]]

Section 164.528--Accounting of Disclosures of Protected Health
Information

    Comment: Many commenters expressed support for the concept of the
right to receive an accounting of disclosures. Others opposed even the
concept. One commenter said that it is likely that some individuals
will request an accounting of disclosures from each of their
health care providers and payors merely to challenge the disclosures
that the covered entity made.
    Some commenters also questioned the value to the individual of
providing the right to an accounting. One commenter stated that such a
provision would be meaningless because those who deliberately
perpetrate an abuse are unlikely to note their breach in a log.
    Response: The final rule retains the right of an individual to
receive an accounting of disclosures of protected health information.
The provision serves multiple purposes. It provides a means of
informing the individual as to which information has been sent to which
recipients. This information, in turn, enables individuals to exercise
certain other rights under the rule, such as the rights to inspection
and amendment, with greater precision and ease. The accounting also
allows individuals to monitor how covered entities are complying with
the rule. Though covered entities who deliberately make disclosures in
violation of the rule may be unlikely to note such a breach in the
accounting, other covered entities may document inappropriate
disclosures that they make out of ignorance and not malfeasance. The
accounting will enable the individual to address such concerns with the
covered entity.
    We believe this approach is consistent with well-established
privacy principles, with other law, and with industry standards and
ethical guidelines. The July 1977 Report of the Privacy Protection
Study Commission recommended that a health care provider should not
disclose individually-identifiable information for certain purposes
without the individual's authorization unless ``an accounting of such
disclosures is kept and the individual who is the subject of the
information being disclosed can find out that the disclosure has been
made and to whom.'' \32\ With certain exceptions, the Privacy Act (5
U.S.C. 552a) requires government agencies to ``keep an accurate
accounting of * * * the date, nature, and purpose of each disclosure of
a record to any person or to another agency * * * and * * * the name
and address of the person or agency to whom the disclosure is made.''
The National Association of Insurance Commissioners' Health Information
Privacy Model Act requires carriers to provide to individuals on
request ``information regarding disclosure of that individual's
protected health information that is sufficient to exercise the right
to amend the information.'' We build on these standards in this final
rule.
---------------------------------------------------------------------------

    \32\ Privacy Protection Study Commission, ``Personal Privacy in
an Information Society,'' July 1977, pp. 306-307.
---------------------------------------------------------------------------

    Comment: Many commenters disagreed with the NPRM's exception for
treatment, payment, and health care operations. Some commenters wanted
treatment, payment, and health care operations disclosures to be
included in an accounting because they believed that improper
disclosures of protected health information were likely to be committed
by parties within the entity who have access to protected health
information for treatment, payment, and health care operations related
purposes. They suggested that requiring covered entities to record
treatment, payment, and health care operations disclosures would either
prevent improper disclosures or enable transgressions to be tracked.
    One commenter reasoned that disclosures for treatment, payment, and
health care operations purposes should be tracked since these
disclosures would be made without the individual's consent. Others
argued that if an individual's authorization is not required for a
disclosure, then the disclosure should not have to be tracked for a
future accounting to the individual.
    One commenter requested that the provision be restated so that no
accounting is required for disclosures ``compatible with or directly
related to'' treatment, payment or health care operations. This comment
indicated that the change would make Sec. 164.515(a)(1) of the NPRM
consistent with Sec. 164.508(a)(2)(i)(A) of the NPRM.
    Response: We do not accept the comments suggesting removing the
exception for disclosures for treatment, payment, and health care
operations. While including all disclosures within the accounting would
provide more information to individuals about to whom their information
has been disclosed, we believe that documenting all disclosures made
for treatment, payment, and health care operations purposes would be
unduly burdensome on entities and would result in accountings so
voluminous as to be of questionable value. Individuals who seek
treatment and payment expect that their information will be used and
disclosed for these purposes. In many cases, under this final rule, the
individual will have consented to these uses and disclosures. Thus, the
additional information that would be gained from including these
disclosures would not outweigh the added burdens on covered entities.
We believe that retaining the exclusion of disclosures to carry out
treatment, payment, and health care operations makes for a manageable
accounting both from the point of view of entities and of individuals.
We have conformed the language in this section with language in other
sections of the rule regarding uses and disclosures to carry out
treatment, payment, and health care operations. See Sec. 164.508 and
the corresponding preamble discussion regarding our decision to use
this language.
    Comments: A few commenters called for a record of all disclosures,
including a right of access to a full audit trail where one exists.
Some commenters stated that while audit trails for paper records are too
expensive to require, the privacy rule should not discourage audit
trails, at least for computer-based records. They speculated that an
important reason for maintaining a full audit trail is that most abuses
are the result of activity by insiders. On the other hand, other
commenters pointed out that an enormous volume of records would be
created if the rule requires recording all accesses in the manner of a
full audit trail.
    One commenter supported the NPRM's reference to the proposed HIPAA
Security Rule, agreeing that access control and disclosure requirements
under this rule should be coordinated with the final HIPAA Security
Rule. The commenter recommended that HHS add a reference to the final
HIPAA Security Rule in this section and keep specific audit log and
reporting requirements generic in the privacy rule.
    Response: Audit trails and the accounting of disclosures serve
different functions. In the security field, an audit trail is typically
a record of each time a sensitive record is altered, how it was altered
and by whom, but does not usually record each time a record is used or
viewed. The accounting required by this rule provides individuals with
information about to whom a disclosure is made. An accounting, as
described in this rule, would not capture uses. To the extent that an
audit trail would capture uses, consumers reviewing an audit trail may
not be able to distinguish between

[[Page 82740]]

accesses of the protected health information for use and accesses for
disclosure. Further, it is not clear the degree to which the field is
technologically poised to provide audit trails. Some entities could
provide audit trails to individuals upon their request, but we are
concerned that many could not.
    We agree that it is important to coordinate this provision of the
privacy rule with the Security Rule when it is issued as a final rule.
    Comments: We received many comments from researchers expressing
concerns about the potential impact of requiring an accounting of
disclosures related to research. The majority feared that the
accounting provision would prove so burdensome that many entities would
decline to participate in research. Many commenters believed that
disclosure of protected health information for research presents little
risk to individual privacy and feared that the accounting requirement
could shut down research.
    Some commenters pointed out that often only a few data elements or
a single element is extracted from the patient record and disclosed to
a researcher, and that having to account for so singular a disclosure
from what could potentially be an enormous number of records imposes a
significant burden. Some said that the impact would be particularly
harmful to longitudinal studies, where the disclosures of protected
health information occur over an extended period of time. A number of
commenters suggested that we not require accounting of disclosures for
research, registries, and surveillance systems or other databases
unless the disclosure results in the actual physical release of the
patient's entire medical record, rather than the disclosure of discrete
elements of information contained within the record.
    We also were asked by commenters to provide an exclusion for
research subject to IRB oversight or research that has been granted a
waiver of authorization pursuant to proposed Sec. 164.510, to exempt
``in-house'' research from the accounting provision, and to allow
covered entities to describe the type of disclosures they have made to
research projects, without specifically listing each disclosure.
Commenters suggested that covered entities could include in an
accounting a listing of the various research projects in which they
participated during the time period at issue, without regard to whether
a particular individual's protected health information was disclosed to
the project.
    Response: We disagree with suggestions from commenters that an
accounting of disclosures is not necessary for research. While it is
possible that informing individuals about the disclosures made of their
health information may on occasion discourage worthwhile activities, we
believe that individuals have a right to know who is using their health
information and for what purposes. This information gives individuals
more control over their health information and a better base of
knowledge from which to make informed decisions.
    For the same reasons, we also do not believe that IRB or privacy
board review substitutes for providing individuals the right to know
how their information has been disclosed. We permit IRBs or privacy
boards to determine that a research project would not be feasible if
authorization were required because we understand that it could be
virtually impossible to get authorization for archival research
involving large numbers of individuals or where the location of the
individuals is not easy to ascertain. While providing an accounting of
disclosures for research may entail some burden, it is feasible, and we
do not believe that IRBs or privacy boards would have a basis for
waiving such a requirement. We also note that the majority of comments
that we received from individuals supported including more information
in the accounting, not less.
    We understand that requiring covered entities to include
disclosures for research in the accounting of disclosures entails some
burden, but we believe that the benefits described above outweigh the
burden.
    We do not agree with commenters that we should exempt disclosures
where only a few data elements are released or in the case of data
released without individuals' names. We recognize that information
other than names can identify an individual. We also recognize that
even a few data elements could be clues to an individual's identity.
The actual volume of information released is not an appropriate
indicator of whether an individual could have a concern about privacy.
    We disagree with comments that suggested that it would be
sufficient to provide individuals with a general list of research
projects to which information has been disclosed by the covered entity.
We believe that individuals are entitled to a level of specificity
about disclosures of protected health information about them and should
know to which research projects their protected health information has
been disclosed, rather than to which projects protected health
information may have been disclosed. However, we have added a provision
allowing for a summary accounting of recurrent disclosures. For
multiple disclosures to the same recipient pursuant to a single
authorization or for a single purpose permitted under the rule without
authorization, the covered entity may provide a summary accounting
addressing the series of disclosures rather than a detailed accounting
of each disclosure in the series. This change is designed to ease the
burden on covered entities involved in longitudinal projects.
    With regard to the suggestion that we exempt ``in-house'' research
from the accounting provision, we note that only disclosures of
protected health information must appear in an accounting.
    Comments: Several commenters noted that disclosures for public
health activities may be of interest to individuals, but add to the
burden imposed on entities. Furthermore, some expressed fear that
priority public health activities would be compromised by the
accounting provision. One commenter from a health department said that
covered entities should not be required to provide an accounting to
certain index cases, where such disclosures create other hazards, such
as potential harm to the reporting provider. This commenter also
speculated that knowing protected health information had been disclosed
for these public health purposes might cause people to avoid treatment
in order to avoid being reported to the public health department.
    A provider association expressed concern about the effect that the
accounting provision might have on a non-governmental, centralized
disease registry that it operates. The provider organization feared
that individuals might request that their protected health information
be removed from the databank, which would make the data less useful.
    Response: As in the discussion of research above, we reject the
contention that we should withhold information from individuals about
where their information has been disclosed because informing them could
occasionally discourage some worthwhile activities. We also believe
that, on balance, individuals' interest in having broad access to this
information outweighs concerns about the rare instances in which
providing this information might raise concerns about harm to the
person who made the disclosure. As we stated above, we believe that
individuals have

[[Page 82741]]

a right to know who is using their health information and for what
purposes. This information gives individuals more control over their
health information and a better base of knowledge from which to make
informed decisions.
    Comment: We received many comments about the proposed time-limited
exclusion for law enforcement and health oversight. Several commenters
noted that it is nearly impossible to accurately project the length of
an investigation, especially during its early stages. Some recommended
we permit a deadline based on the end of an event, such as conclusion
of an investigation. One commenter recommended amending the standard
such that covered entities would never be required to give an
accounting of disclosures to health oversight or law enforcement
agencies. The commenter noted that there are public policy reasons for
limiting the extent to which a criminal investigation is made known
publicly, including the possibility that suspects may destroy or
falsify evidence, hide assets, or flee. The commenter also pointed out
that disclosure of an investigation may unfairly stigmatize a person or
entity who is eventually found to be innocent of any wrongdoing.
    On the other hand, many commenters disagreed with the exemption for
recording disclosures related to oversight activities and law
enforcement. Many of these commenters stated that the exclusion would
permit broad exceptions for government purposes while holding
disclosures for private purposes to a more burdensome standard.
    Some commenters felt that the NPRM made it too easy for law
enforcement to obtain an exception. They suggested that law enforcement
should not be excepted from the accounting provision unless there is a
court order. One commenter recommended that a written request for
exclusion be dated, signed by a supervisory official, and contain a
certification that the official is personally familiar with the purpose
of the request and the justification for exclusion from accounting.
    Response: We do not agree with comments suggesting that we
permanently exclude disclosures for oversight or law enforcement from
the accounting. We believe generally that individuals have a right to
know who is obtaining their health information and for what purposes.
    At the same time, we agree with commenters who were concerned that
an accounting could tip off the subjects of investigations. We have
retained a time-limited exclusion period similar to that proposed in the
NPRM. To protect the integrity of investigations, in the final rule we
require covered entities to exclude disclosures to a health oversight
agency or law enforcement official for the time specified by that
agency or official, if the agency or official states that including the
disclosure in an accounting to the individual would be reasonably
likely to impede the agency's or official's activities. We require the
statement from the agency or official to provide a specific time frame
for the exclusion. For example, pursuant to a law enforcement
official's statement, a covered entity could exclude a law enforcement
disclosure from the accounting for a period of three months from the
date of the official's statement or until a date specified in the
statement.
    In the final rule, we permit the covered entity to exclude the
disclosure from an accounting to an individual if the agency or
official makes the statement orally and the covered entity documents
the statement and the identity of the agency or official that made the
statement. We recognize that in urgent situations, agencies and
officials may not be able to provide statements in writing. If the
agency's or official's statement is made orally, however, the disclosure
can be excluded from an accounting to the individual for no longer than
30 days from the date of the oral statement. For exclusions longer than
30 days, a covered entity must receive a written statement.
    We believe these requirements appropriately balance individuals'
right to be informed of disclosures of their protected health
information against the public's interest in maintaining the integrity
of health oversight and law enforcement activities.
    Comment: One commenter stated that under Minnesota law, providers
who are mandated reporters of abuse are limited as to whom they may
reveal the report of abuse (generally law enforcement authorities and
other providers only). This is because certain abusers, such as
parents, by law may have access to a victim's (child's) records. The
commenter requested clarification as to whether these disclosures are
exempt from the accounting requirement or whether preemption would
apply.
    Response: While we do not except mandatory disclosures of abuse
from the accounting for disclosure requirement, we believe the
commenter's concerns are addressed in several ways. First, nothing in
this regulation invalidates or limits the authority or procedures
established under state law providing for the reporting of child abuse.
Thus, with respect to child abuse the Minnesota law's procedures are
not preempted even though they are less stringent with respect to
privacy. Second, with respect to abuse of persons other than children,
we allow covered entities to refuse to treat a person as an
individual's personal representative if the covered entity believes
that the individual has been subjected to domestic violence, abuse, or
neglect from the person. Thus, the abuser would not have access to the
accounting. We also note that a covered entity must exclude a
disclosure, including a disclosure to report abuse, from the accounting
for a specified period of time if the law enforcement official to whom
the report is made requests such exclusion.
    Comment: A few comments noted the lack of exception for disclosures
made to intelligence agencies.
    Response: We agree with the comments and have added an exemption
for disclosures made for national security or intelligence purposes
under Sec. 164.512(k)(2). Individuals do not have a right to an
accounting of disclosures for these purposes.
    Comment: Commenters noted that the burden associated with this
provision would, in part, be determined by other provisions of the
rule, including the definitions of ``individually identifiable,''
``treatment,'' and ``health care operations.'' They expressed concern
that the covered entity would have to be able to organize on a patient
by patient basis thousands of disclosures of information, which they
described as ``routine.'' These commenters pointed to disclosures for
patient directory information, routine banking and payment processes,
uses and disclosures in emergency circumstances, disclosures to next of
kin, and release of admissions statistics to a health oversight agency.
    Response: We disagree with the commenters that ambiguity in other
areas of the rule increases the burden associated with maintaining an
accounting. The definitions of treatment, payment, and health care
operations are necessarily broad, and no accounting is required
for disclosures for these purposes. These terms cover the vast majority
of routine disclosures for health care purposes. (See Sec. 164.501 and
the associated preamble for a discussion of changes made to these
definitions.)
    The disclosures permitted under Sec. 164.512 are for national
priority purposes, and determining whether a disclosure fits within the
section is necessary before the disclosure can be

[[Page 82742]]

made. There is no additional burden, once such a determination is made,
in determining whether it must be included in the accounting.
    We agree with the commenters that there are areas where we can
reduce burden by removing additional disclosures from the accounting
requirement, without compromising individuals' rights to know how their
information is being disclosed. In the final rule, covered entities are
not required to include the following disclosures in the accounting:
disclosures to the individual, disclosures for facility directories
under Sec. 164.510(a), or disclosures to persons assisting in the
individual's care or for other notification purposes under
Sec. 164.510(b). For each of these types of disclosures, the individual
is likely to already know about the disclosure or to have agreed to the
disclosure, making the inclusion of such disclosures in the accounting
less important to the individual and unnecessarily burdensome to the
covered entity.
    Comment: Many commenters objected to requiring business partners to
provide an accounting to covered entities upon their request. They
cited the encumbrance associated with re-contracting with the various
business partners, as well as the burden associated with establishing
this type of record keeping.
    Response: Individuals have a right to know to whom and for what
purpose their protected health information has been disclosed by a
covered entity. The fact that a covered entity uses a business
associate to carry out a function does not diminish an individual's
right to know.
    Comments: One commenter requested clarification as to how far a
covered entity's responsibility would extend, asking whether an entity
had to track only their direct disclosures or subsequent re-
disclosures.
    Response: Covered entities are required to account for their
disclosures, as well as the disclosures of their business associates,
of protected health information. Because business associates act on
behalf of covered entities, it is essential that their disclosures be
included in any accounting that an individual requests from a covered
entity. Covered entities are not responsible, however, for the actions
of persons who are not their business associates. Once a covered entity
has accounted for a disclosure to any person other than a business
associate, it is not responsible for accounting for any further uses or
disclosures of the information by that other person.
    Comments: Some commenters said that the accounting provision
described in the NPRM was ambiguous and created uncertainty as to
whether it addresses disclosures only, as the title would indicate, or
whether it includes accounting of uses. They urged that the standard
address disclosures only, and not uses, which would make implementation
far more practicable and less burdensome.
    Response: The final rule requires disclosures, not uses, to be
included in an accounting. See Sec. 164.501 for definitions of ``use''
and ``disclosure.''
    Comments: We received many comments from providers and other
representatives of various segments of the health care industry,
expressing the view that a centralized system of recording disclosures
was not possible given the complexity of the health care system, in
which disclosures are made by numerous departments within entities. For
example, commenters stated that a hospital medical records department
generally makes notations regarding information it releases, but that
these notations do not include disclosures that the emergency
department may make. Several commenters proposed that the rule provide
for patients to receive only an accounting of disclosures made by
medical records departments or some other central location, which would
relieve the burden of centralizing accounting for those entities that
depend on paper records and tracking systems.
    Response: We disagree with commenters' arguments that covered
entities should not be held accountable for the actions of their
subdivisions or workforce members. Covered entities are responsible for
accounting for the disclosures of protected health information made by
the covered entity, in accordance with this rule. The particular person
or department within the entity that made the disclosure is immaterial
to the covered entity's obligation. In the final rule, we require
covered entities to document each disclosure that is required to be
included in an accounting. We do not, however, require this
documentation to be maintained in a central registry. A covered
hospital, for example, could maintain separate documentation of
disclosures that are made from the medical records department and the
emergency department. At the time an individual requests an accounting,
this documentation could be integrated to provide a single accounting
of disclosures made by the covered hospital. Alternatively, the covered
hospital could centralize its processes for making and documenting
disclosures. We believe this provision provides covered entities with
sufficient flexibility to meet their business needs without
compromising individuals' rights to know how information about them is
disclosed.
    Comments: Commenters stated that the accounting requirements placed
undue burden on covered entities that use paper, rather than
electronic, records.
    Response: We do not agree that the current reliance on paper
records makes the accounting provision unduly burdensome. Covered
entities must use the paper records in order to make a disclosure, and
have the opportunity when they do so to make a notation in the record
or in a separate log. We require an accounting only for disclosures for
purposes other than treatment, payment, and health care operations.
Such disclosures are not so numerous that they cannot be accounted for,
even if paper records are involved.
    Comments: The exception to the accounting provision for disclosures
of protected health information for treatment, payment, and health care
operations purposes was viewed favorably by many respondents. However,
at least one commenter stated that since covered entities must
differentiate between disclosures that require documentation and those
that do not, they will have to document each instance when a patient's
medical record is disclosed to determine the reason for the disclosure.
This commenter also argued that the administrative burden of requiring
customer service representatives to ask in which category the
information falls, and then to keep a record that they asked the
question and record the answer, would be overwhelming for plans. The
commenter concluded that the burden of documentation on a covered
entity would not be relieved by the stipulation that documentation is
not required for treatment, payment, and health care operations.
    Response: We disagree. Covered entities are not required to
document every disclosure in order to differentiate those for
treatment, payment, and health care operations from those for purposes
for which an accounting is required. We require that, when a disclosure
is made for which an accounting is required, the covered entity be able
to produce an accounting of those disclosures upon request. We do not
require a covered entity to be able to account for every disclosure. In
addition, we believe that we have addressed many of the commenters'
concerns by clarifying in the final rule that disclosures to the

[[Page 82743]]

individual, regardless of the purpose for the disclosure, are not
subject to the accounting requirement.
    Comments: An insurer explained that in the context of underwriting,
it may have frequent and multiple disclosures of protected health
information to an agent, third party medical provider, or other entity
or individual. It requested we reduce the burden of accounting for such
disclosures.
    Response: We add a provision allowing for a summary accounting of
recurrent disclosures. For multiple disclosures to the same recipient
pursuant to a single authorization or for a single purpose permitted
under the rule without authorization, the covered entity may provide a
summary accounting addressing the series of disclosures rather than a
detailed accounting of each disclosure in the series.
    Comment: Several commenters said that it was unreasonable to expect
covered entities to track disclosures that are requested by the
individual. They believed that consumers should be responsible for
keeping track of their own requests.
    Other commenters asked that we specify that entities need not
retain and provide copies of the individual's authorization to disclose
protected health information. Some commenters were particularly
concerned that if they maintain all patient information on a computer
system, it would be impossible to link the paper authorization with the
patient's electronic records.
    Another commenter suggested we allow entities to submit copies of
authorizations after the 30-day deadline for responding to the
individual, as long as the accounting itself is furnished within the
30-day window.
    Response: In the final rule we do not require disclosures to the
individual to be included in the accounting. Other disclosures
requested by the individual must be included in the accounting, unless
they are otherwise excepted from the requirement. We do not agree that
individuals should be required to track these disclosures themselves.
In many cases, an authorization may authorize a disclosure by more than
one entity, or by a class of entities, such as all physicians who have
provided medical treatment to the individual. Absent the accounting,
the individual cannot know whether a particular covered entity has
acted on the authorization.
    We agree, however, that it is unnecessarily burdensome to require
covered entities to provide the individual with a copy of the
authorization. We remove the requirement. Instead, we require the
accounting to contain a brief statement describing the purpose for
which the protected health information was disclosed. The statement
must be sufficient to reasonably inform the individual of the basis for
the disclosure. Alternatively, the covered entity may provide a copy of
the authorization or a copy of the written request for disclosure, if
any, under Secs. 164.502(a)(2)(ii) or 164.512.
    Comments: We received many comments regarding the amount of
information required in the accounting. A few commenters requested that
we include additional elements in the accounting, such as the method of
transmittal and identity of the employee who accessed the information.
    Other commenters, however, felt that the proposed requirements went
beyond what is necessary to inform the individual of disclosures.
Another commenter stated that if the individual's right to obtain an
accounting extends to disclosures that do not require a signed
authorization, then the accounting should be limited to a disclosure of
the manner and purpose of disclosures, as opposed to an individual
accounting of each entity to whom the protected health information was
disclosed. An insurer stated that this section of the proposed rule
should be revised to provide more general, rather than detailed,
guidelines for accounting of disclosures. The commenter believed that
its type of business should be allowed to provide general information
regarding the disclosure of protected health information to outside
entities, particularly with regard to entities with which the insurer
maintains an ongoing, standard relationship (such as a reinsurer).
    Response: In general, we have retained the proposed approach, which
we believe strikes an appropriate balance between the individual's
right to know to whom and for what purposes their protected health
information has been disclosed and the burden placed on covered
entities. In the final rule, we clarify that the accounting must
include the address of the recipient only if the address is known to
the covered entity. As noted above, we also add a provision allowing
for a summary accounting of recurrent disclosures. We note that some of
the activities of concern to commenters may fall under the definition
of health care operations (see Sec. 164.501 and the associated
preamble).
    Comment: A commenter asked that we limit the accounting to
information pertaining to the medical record itself, as opposed to
protected health information more generally. Similarly, commenters
suggested that the accounting be limited to release of the medical
record only.
    Response: We disagree. Protected health information exists in many
forms and resides in many sources. An individual's right to know to
whom and for what purposes his or her protected health information has
been disclosed would be severely limited if it pertained only to
disclosure of the medical record, or information taken only from the
record.
    Comment: A commenter asked that we make clear that only disclosures
external to the organization are within the accounting requirement.
    Response: We agree. The requirement only applies to disclosures of
protected health information, as defined in Sec. 164.501.
    Comment: Some commenters requested that we establish a limit on the
number of times an individual could request an accounting. One comment
suggested we permit individuals to request one accounting per year;
another suggested two accountings per year, except in ``emergency
situations.'' Others recommended that we enable entities to recoup some
of the costs associated with implementation by allowing the entity to
charge for an accounting.
    Response: We agree that covered entities should be able to defray
costs of excessive requests. The final rule provides individuals with
the right to receive one accounting without charge in a twelve-month
period. For additional requests by an individual within a twelve-month
period, the covered entity may charge a reasonable, cost-based fee. If
it imposes such a fee, the covered entity must inform the individual of
the fee in advance and provide the individual with an opportunity to
withdraw or modify the request to avoid or reduce the fee.
    Comment: In the NPRM, we solicited comments on the appropriate
duration of the individual's right to an accounting. Some commenters
supported the NPRM's requirement that the right exist for as long as
the covered entity maintains the protected health information. One
commenter, however, noted that most audit control systems do not retain
data on activity for indefinite periods of time.
    Other commenters noted that laws governing the length of retention
of clinical records vary by state and by provider type and suggested
that entities be allowed to adhere to state laws or policies
established by professional organizations or accrediting bodies. Some
commenters suggested that the

[[Page 82744]]

language be clarified to state that whatever minimum requirements are
in place for the record should also guide covered entities in retaining
their capacity to account for disclosures over that same time, but no
longer.
    Several commenters asked us to consider specific time limits. It
was pointed out that proposed Sec. 164.520(f)(6) of the NPRM set a six-
year time limit for retaining certain information including
authorization forms and contracts with business partners. Included in
this list was the accounting of disclosures, but this requirement was
inconsistent with the more open-ended language in Sec. 164.515.
Commenters suggested that deferring to this six-year limit would make
this provision consistent with other record retention provisions of the
standard and might relieve some of the burden associated with
implementation. Other specific time frames suggested were two years,
three years, five years, and seven years.
    Another option suggested by commenters was to keep the accounting
record for as long as entities have the information maintained and
``active'' on their systems. Information permanently taken off the
covered entity's system and sent to ``dead storage'' would not be
covered. One commenter further recommended that we not require entities
to maintain records or account for prior disclosures for members who
have ``disenrolled.''
    Response: We agree with commenters who suggested we establish a
specific period for which an individual may request an accounting. In
the final rule, we provide that individuals have a right to an
accounting of the applicable disclosures that have been made in the
six-year period prior to a request for an accounting. We adopt this
time frame to conform with the other documentation retention
requirements in the rule. We also note that an individual may request,
and a covered entity may then provide, an accounting of disclosures for
a period of time less than six years from the date of the request. For
example, an individual could request an accounting only of disclosures
that occurred during the year prior to the request. In addition, we
note that covered entities do not have to account for disclosures that
occurred prior to the compliance date of this rule.
    Comments: Commenters asked that we provide more time for entities
to respond to requests for accounting. Suggestions ranged from 60 days
to 90 days. Another writer suggested that entities be able to take up
to three 30-day extensions from the original 30-day deadline.
Commenters raised concerns about the proposed requirement that a
covered health care provider or health plan act as soon as possible.
    Response: We agree with the concerns raised by commenters. In the
final rule, covered entities are required to provide a requested
accounting no later than 60 days after receipt of the request. We also
provide for one 30-day extension if the covered entity is unable to
provide the accounting within the standard time frame. We eliminate the
requirement for a covered entity to act as soon as possible.
    We recognize that circumstances may arise in which an individual
will request an accounting on an expedited basis. We encourage covered
entities to implement procedures for handling such requests. The time
limitation is intended to be an outside deadline, rather than an
expectation. We expect covered entities always to be attentive to the
circumstances surrounding each request and to respond in an appropriate
time frame.
    Comment: A commenter asked that we provide an exemption for
disclosures related to computer upgrades, when protected health
information is disclosed to another entity solely for the purpose of
establishing or checking a computer system.
    Response: This activity falls within the definition of health care
operations and is, therefore, excluded from the accounting requirement.
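
    The accounting rules discussed in this section (exempt disclosure
categories, the time-limited exclusion for health oversight and law
enforcement disclosures with its 30-day cap on oral statements, the
six-year look-back, and the summary entry for recurrent disclosures)
can be encoded as a small disclosure-log model. The following Python
example is added here for illustration; it is not part of the rule or
the preamble and is not the Department's code. The purpose category
names, the grouping key used for summary entries (same recipient and
same purpose), the compliance date, the patient identifiers and every
log record are assumptions constructed for the example.

```python
"""Accounting-of-disclosures log: an added illustration, not rule text.

Encodes the accounting logic described in the preamble: exempt
categories, the time-limited exclusion for oversight/law-enforcement
disclosures (oral statements capped at 30 days, written statements until
the date they specify), the six-year look-back, and one summary entry
for recurrent disclosures. Names, dates and records are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Purposes the preamble says need not appear in an accounting (category
# names are assumed for the example).
EXEMPT_PURPOSES = {
    "treatment", "payment", "health_care_operations",  # Sec. 164.501 purposes
    "to_individual",                                    # disclosures to the individual
    "facility_directory",                               # Sec. 164.510(a)
    "involved_in_care",                                 # Sec. 164.510(b)
    "national_security",                                # Sec. 164.512(k)(2)
}
ORAL_STATEMENT_MAX_DAYS = 30
LOOKBACK_YEARS = 6


@dataclass(frozen=True)
class Suspension:
    """Statement from an oversight agency or law enforcement official that
    listing the disclosure in an accounting would impede its activities."""
    stated_on: date
    written: bool
    until: Optional[date] = None   # time frame given in the statement, if any

    def end(self) -> date:
        """Last day on which the disclosure is excluded from an accounting."""
        if self.written:
            if self.until is None:
                raise ValueError("a written statement must specify a time frame")
            return self.until
        # An oral statement excludes the disclosure for at most 30 days,
        # even if the official asked for a longer period.
        cap = self.stated_on + timedelta(days=ORAL_STATEMENT_MAX_DAYS)
        return min(self.until, cap) if self.until else cap


@dataclass(frozen=True)
class Disclosure:
    patient_id: str
    on: date
    recipient: str
    purpose: str
    statement: str                  # brief statement of purpose for the individual
    address: Optional[str] = None   # reported only if known to the entity
    suspension: Optional[Suspension] = None


def lookback_start(request_date: date) -> date:
    """First day of the six-year window ending on the request date."""
    try:
        return request_date.replace(year=request_date.year - LOOKBACK_YEARS)
    except ValueError:              # 29 February with no counterpart six years back
        return request_date.replace(year=request_date.year - LOOKBACK_YEARS, day=28)


def is_accountable(d: Disclosure, request_date: date, compliance_date: date) -> bool:
    if d.purpose in EXEMPT_PURPOSES:
        return False
    if d.on < compliance_date or d.on < lookback_start(request_date) or d.on > request_date:
        return False
    if d.suspension is not None and request_date <= d.suspension.end():
        return False                # still inside the exclusion period
    return True


def accounting(log, patient_id: str, request_date: date, compliance_date: date) -> list:
    """Entries for one individual; recurrent disclosures to the same recipient
    for the same purpose collapse into one summary entry (assumed grouping key)."""
    items = sorted(
        (d for d in log
         if d.patient_id == patient_id and is_accountable(d, request_date, compliance_date)),
        key=lambda d: (d.recipient, d.purpose, d.on),
    )
    groups = {}
    for d in items:
        groups.setdefault((d.recipient, d.purpose), []).append(d)
    entries = []
    for (recipient, purpose), ds in groups.items():
        entry = {"recipient": recipient, "purpose": purpose, "statement": ds[0].statement,
                 "count": len(ds), "first": ds[0].on, "last": ds[-1].on}
        if ds[0].address:
            entry["address"] = ds[0].address
        entries.append(entry)
    return sorted(entries, key=lambda e: e["first"])


COMPLIANCE_DATE = date(2003, 4, 14)   # assumed compliance date for the example
SAMPLE_LOG = [                        # constructed records, not real disclosures
    Disclosure("P-001", date(2003, 5, 1), "Dr. A. Example", "treatment", "referral"),
    Disclosure("P-001", date(2003, 6, 10), "State Health Dept", "public_health",
               "reportable disease report", address="1 Capitol St"),
    Disclosure("P-001", date(2003, 7, 15), "City Police", "law_enforcement",
               "response to administrative request",
               suspension=Suspension(date(2003, 7, 15), written=False, until=date(2003, 12, 31))),
    Disclosure("P-001", date(2003, 7, 20), "State Fraud Unit", "health_oversight",
               "fraud investigation",
               suspension=Suspension(date(2003, 7, 20), written=True, until=date(2004, 1, 31))),
    Disclosure("P-001", date(2003, 5, 5), "Registry Study 7", "research", "IRB-waived study"),
    Disclosure("P-001", date(2003, 6, 5), "Registry Study 7", "research", "IRB-waived study"),
    Disclosure("P-001", date(2003, 7, 5), "Registry Study 7", "research", "IRB-waived study"),
    Disclosure("P-001", date(2003, 3, 1), "State Health Dept", "public_health", "pre-compliance"),
    Disclosure("P-002", date(2003, 6, 1), "State Health Dept", "public_health", "other patient"),
]

if __name__ == "__main__":
    for e in accounting(SAMPLE_LOG, "P-001", date(2003, 9, 1), COMPLIANCE_DATE):
        print(e)
```

Run against the constructed log, a request dated 1 August 2003 lists
only the research study (one summary entry covering three disclosures)
and the public health report: the oral police statement excludes that
disclosure until 14 August regardless of the 31 December date the
official asked for, and the written oversight statement excludes its
disclosure through 31 January 2004. The same request a month later picks
up the police disclosure; a request in February 2004 lists all four.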

Section 164.530--Administrative Requirements

Section 164.530(a)--Designation of a Privacy Official and Contact
Person

    Comment: Many of the commenters on this topic objected to the cost
of establishing a privacy official, including the need to hire
additional staff, which might need to include a lawyer or other highly
paid individual.
    Response: We believe that designation of a privacy official is
essential to ensure a central point of accountability within each
covered entity for privacy-related issues. The privacy official is
charged with developing and implementing the policies and procedures
for the covered entity, as required throughout the regulation, and for
compliance with the regulation generally. While the costs for these
activities are part of the costs of compliance with this rule, not
extra costs associated with the designation of a privacy official, we
do anticipate that there will be some cost associated with this
requirement. The privacy official role may be an additional
responsibility given to an existing employee in the covered entity,
such as an office manager in a small entity or an information officer
or compliance official in a larger institution. Cost estimates for the
privacy official are discussed in detail in the overall cost analysis.
    Comment: A few commenters argued for more flexibility in meeting
the requirement for accountability. One health care provider maintained
that covered entities should be able to establish their own system of
accountability. For example, most physician offices already have the
patient protections incorporated in the proposed administrative
requirements--the commenter urged that the regulation should explicitly
promote the application of flexibility and scalability. A national
physician association noted that, in small offices, in particular,
responsibility for the policies and procedures should be allowed to be
shared among several people. A major manufacturing corporation asserted
that mandating a privacy official is unnecessary and that it would be
preferable to ask for the development of policies that are designed to
ensure that processes are maintained to assure compliance.
    Response: We believe that a single focal point is needed to achieve
the necessary accountability. At the same time, we recognize that
covered entities are organized differently and have different
information systems. We therefore do not prescribe who within a covered
entity must serve as the privacy official, nor do we prohibit combining
this function with other duties. Duties may be delegated and shared, so
long as there is one point of accountability for the covered entity's
policies and procedures and compliance with this regulation.
    Comment: Some commenters echoed the proposal of a professional
information management association that the regulation establish formal
qualifications for the privacy official, suggesting that this should be
a credentialed information management professional with specified
minimum training standards. One commenter emphasized that the privacy
official should be sufficiently high in management to have influence.
    Response: While there may be some advantages to establishing formal
qualifications, we concluded the disadvantages outweigh the advantages.
Since the job of privacy official will differ substantially among
organizations of varying size and function, specifying a single set of
qualifications would sacrifice flexibility and scalability in
implementation.

[[Page 82745]]

    Comment: A few commenters suggested that we provide guidance on the
tasks of the privacy official. One noted that this would reduce the
burden on covered entities to clearly identify those tasks during the
initial HIPAA implementation phase.
    Response: The regulation itself outlines the tasks of the privacy
official, by specifying the policies and procedures required, and
otherwise explaining the duties of covered entities. Given the wide
variation in the function and size of covered entities, providing
further detail here would unnecessarily reduce flexibility for covered
entities. We will, however, provide technical assistance in the form of
guidance on the various provisions of the regulation before the
compliance date.
    Comment: Some comments expressed concern that the regulation would
require a company with subsidiaries to appoint a privacy official
within each subsidiary. Instead they argued that the corporate entity
should have the option of designating a single corporate official
rather than one at each subsidiary.
    Response: In the final regulation, we give covered entities with
multiple subsidiaries that meet the definition of covered entities
under this rule the flexibility to designate whether such subsidiaries
are each a separate covered entity or are together a single covered
entity. (See Sec. 164.504(b) for the rules requiring such designation.)
If only one covered entity is designated for the subsidiaries, only one
privacy officer is needed. Further, we do not prohibit the privacy
official of one covered entity from serving as the privacy official of
another covered entity, so long as all the requirements of this rule
are met for each such covered entity.

Section 164.530(b)--Training

    Comment: A few commenters felt that the proposed provision was too
stringent, and that the content of the training program should be left
to the reasonable discretion of the covered entity.
    Response: We clarify that we do not prescribe the content of the
required training; the nature of the training program is left to the
discretion of the covered entity. The scenarios in the NPRM preamble of
potential approaches to training for different sized covered entities
were intended as examples of the flexibility and scalability of this
requirement.
    Comment: Most commenters on this provision asserted that
recertification/retraining every three years is excessive, restrictive,
and costly. Commenters felt that retraining intervals should be left to
the discretion of the covered entity. Some commenters supported
retraining only in the event of a material change. Some commenters
supported the training requirement as specified in the NPRM.
    Response: For the reasons cited by the commenters, we eliminate the
triennial recertification requirements in the final rule. We also
clarify that retraining is not required every three years. Retraining
is only required in the case of material changes to the privacy
policies and procedures of the covered entity.
    Comment: Several commenters objected to the burden imposed by
required signatures from employees after they are trained. Many
commenters suggested that electronic signatures be accepted for various
reasons. Some felt that it would be less costly than manually
producing, processing, and retaining the hard copies of the forms. Some
suggested sending out the notice to the personal workstation via email
or some other electronic format and having staff reply via email. One
commenter suggested that the covered entity might opt to give web based
training instead of classroom or some other type. The commenter
indicated that with web based training, the covered entity could record
whether or not an employee had received his or her training through the
use of a guest book or registration form on the web site. Thus, a
physical signature should not be required.
    Response: We agree that there are many appropriate mechanisms by
which covered entities can implement their training programs, and
therefore remove this requirement for signature. We establish only a
general requirement that covered entities document compliance with the
training requirement.
    Comment: Some commenters were concerned that there was no proposed
requirement for business associates to receive training and/or to train
their employees. The commenters believed that if the business associate
violated any privacy requirements, the covered entity would be held
accountable. These commenters urged the Secretary to require periodic
training for appropriate management personnel assigned outside of the
component unit of the covered entity, including business associates.
Other commenters felt that it would not be fair to require covered
entities to impose training requirements on business associates.
    Response: We do not have the statutory authority directly to
require business associates to train their employees. We also believe
it would be unnecessarily burdensome to require covered entities to
monitor business associates' establishment of specific training
requirements. Covered entities' responsibility for breaches of privacy
by their business associates is described in Secs. 164.504(e) and
164.530(f). If a covered entity believes that including a training
requirement in one or more of its business associate contracts is an
appropriate means of protecting the health information provided to the
business associate, it is free to do so.
    Comments: Many commenters argued that training, as well as all of
the other administrative requirements, are too costly for covered
entities and that small practices would not be able to bear the added
costs. Commenters also suggested that HHS should provide training
materials at little, or no, cost to the covered entity.
    Response: For the final regulation, we make several changes to the
proposed provisions. We believe that these changes address the issue of
administrative cost and burden to the greatest extent possible,
consistent with protecting the privacy of health information. In
enforcing the privacy rule, we expect to provide general training
materials. We also hope to work with professional associations and
other groups that target classes of providers, plans and patients, in
developing specialized material for these groups.
    We note that, under long-standing legal principles, entities are
generally responsible for the actions of their workforce. The
requirement to train workforce members to implement the covered
entity's privacy policies and procedures, and do such things as pass
evidence of potential problems to those responsible, is in line with
these principles. For example, the comments and our fact finding
indicate that, today, many hospitals require their workforce members to
sign a confidentiality agreement, and include confidentiality matters
in their employee handbooks.

Section 164.530(c)--Safeguards

    Comments: A few comments assert that the rule requires some
institutions that do not have adequate resources to develop costly
physical and technical safeguards without providing a funding mechanism
to do so. Another comment said that the vague definitions of adequate
and appropriate safeguards could be interpreted by HHS to require the
purchase of new computer systems and the reprogramming of many old ones. A few
other comments suggested that the safeguards language was vague and
asked for more specifics.
    Response: We require covered entities to maintain safeguards
adequate for their operations, but do not require that

[[Page 82746]]

specific technologies be used to do so. Safeguards need not be
expensive or high-tech to be effective. Sometimes, it is an adequate
safeguard to put a lock on a door and only give the keys to those who
need access. As described in more detail in the preamble discussion of
Sec. 164.530, we do not require covered entities to guarantee the
safety of protected health information against all assaults. This
requirement is flexible and scalable to allow implementation of
required safeguards at a reasonable cost.
    Comments: A few commenters noted that once protected health
information becomes non-electronic, by being printed for example, it
escapes the protection of the safeguards in the proposed Security Rule.
They asked if this safeguards requirement is intended to install
similar security protections for non-electronic information.
    Response: This provision is not intended to incorporate the
provisions in the proposed Security regulation into this regulation, or
to otherwise require application of those provisions to paper records.
    Comments: Some commenters said that it was unclear what
``appropriate'' safeguards were required by the rule and who
establishes the criteria for them. A few noted that the privacy
safeguards were not exactly the same as the security safeguards, or
that the ``other safeguards'' section was too vague to implement. They
asked for more clarification of safeguards requirements and flexible
solutions.
    Response: In the preamble discussion of Sec. 164.530, we provide
examples of types of safeguards that can be appropriate to satisfy this
requirement. Other sections of this regulation require specific
safeguards for specific circumstances. The discussion of the
requirements for ``minimum necessary'' uses and disclosures of
protected health information includes related guidance for developing
role-based access policies for a covered entity's workforce. The
requirements for ``component entities'' include requirements for
firewalls to prevent access by unauthorized persons. The proposed
Security Rule included further details on what safeguards would be
appropriate for electronic information systems. The flexibility and
scalability of these rules allow covered entities to analyze their own
needs and implement solutions appropriate for their own environment.
    Comments: A few comments asked for a requirement for a firewall
between a health care component and the rest of a larger organization
as another appropriate safeguard.
    Response: We agree, and have incorporated such a requirement in
Sec. 164.504.
    Comments: One commenter agreed with the need for administrative,
physical, and technical safeguards, but took issue with our
specification of the type of documentation or proof that the covered
entity is taking action to safeguard protected health information.
    Response: This privacy rule does not require specific forms of
proof for safeguards.
    Comments: A few commenters asked that, for the requirement for a
signed certification of training and the requirements for verification
of identity, we consider the use of electronic signatures that meet the
requirements in the proposed security regulation to meet the
requirements of this rule.
    Response: In this final rule, we drop the requirements for signed
certifications of training. Signatures are required elsewhere in this
regulation, for example, for a valid authorization. In the relevant
sections we clarify that electronic signatures are sufficient provided
they meet standards to be adopted under HIPAA. In addition, we do not
intend to interfere with the application of the Electronic Signature in
Global and National Commerce Act.
    Comments: A few commenters requested that the privacy requirements
for appropriate administrative, technical, and physical safeguards be
considered to have been met if the requirements of the proposed
Security Rule have been met. Others requested that the safeguards
requirements of the final Privacy Rule mirror or be harmonized with the
final Security Rule so they do not result in redundant or conflicting
requirements.
    Response: Unlike the proposed regulation, the final regulation
covers all protected health information, not just information that had
at some point been electronic. Thus, these commenters' assumption that
the proposed Privacy Rule and the proposed Security Rule covered the
same information is not the case, and taking the approach suggested by
these comments would leave a significant number of health records
unprotected. The safeguards required by this regulation are appropriate
for both paper and electronic information. We will take care to ensure
that the final Security Rule works in tandem with these requirements.
    Comments: One commenter requested that the final privacy rule be
published before the final Security Rule, recognizing that the privacy
policies must be in place before the security technology used to
implement them could be worked out. Another commenter asked that the
final Security Rule be published immediately and not wait for an
expected delay while privacy policies are worked out.
    Response: Now that this final privacy rule has been published in a
timely manner, the final Security Rule can be harmonized with it and
published soon.
    Comments: Several commenters echoed an association recommendation
that, for those organizations that have implemented a computer based
patient record that is compliant with the requirements of the proposed
Security Rule, the minimum necessary rule should be considered to have
been met by the implementation of role-based access controls.
    Response: The privacy regulation applies to paper records to which
the proposed Security Rule does not apply. Thus, taking the approach
suggested by these comments would leave a significant number of health
records unprotected. Further, since the final Security Rule is not yet
published and the number of covered entities that have implemented this
type of computer-based patient record systems is still small, we cannot
make a blanket statement. We note that this regulation requires covered
entities to develop role-based access rules, in order to implement the
requirements for ``minimum necessary'' uses and disclosures of
protected health information. Thus, this regulation provides a
foundation for the type of electronic system to which these comments
refer.

Section 164.530(d)--Complaints to the Covered Entity

    Comment: Several commenters felt that some form of due process is
needed when it comes to internal complaints. Specifically, they wanted
to be assured that the covered entity actually hears the complaints
made by the individual and that the covered entity resolves the
complaint within a reasonable time frame. Without due process the
commenters felt that the internal complaint process is open ended. Some
commenters wanted the final rule to include an appeals process for
individuals if a covered entity's determination with regard to the
complaint is unfavorable to the individual.
    Response: We do not require covered entities to implement any
particular due process or appeals process for complaints, because we
are concerned about the burden this could impose on covered entities.
We provide individuals with an alternative to take their complaints to
the Secretary. We believe that this provides incentives for

[[Page 82747]]

covered entities to implement a complaint process that resolves
complaints to individuals' satisfaction.
    Comment: Some commenters felt that the individual making the
complaint should exhaust all other avenues to resolve their issues
before filing a complaint with the Secretary. A number of commenters
felt that any complaint being filed with the Secretary should include
documentation of the reviews done by the covered entity.
    Response: We reject these suggestions, for two reasons. First, we
want to avoid establishing particular process requirements for covered
entities' complaint programs. Also, this rule does not require the
covered entity to share any information with the complainant, only to
document the receipt of the complaint and the resolution, if any.
Therefore, we cannot expect the complainant to have this information
available to submit to the Secretary. Second, we believe the individual
making the complaint should have the right to share the complaint with
the Secretary at any point in time. This approach is consistent with
existing civil rights enforcement programs for which the Department is
responsible. Based on that experience, we believe that most complaints
will come first to covered entities for disposition.
    Comment: Some commenters wanted the Department to prescribe a
minimum amount of time before the covered entity could dispose of the
complaints. They felt that storing these complaints indefinitely would
be cumbersome and expensive.
    Response: We agree, and in the final rule require covered entities
to keep all items that must be documented, including complaints, for at
least six years from the date of creation.
    Comments: Some commenters objected to the need for covered entities
to have at least one employee, if not more, to deal with complaints.
They felt that this would be costly and is redundant in light of the
designation of a contact person to receive complaints.
    Response: We do not require assignment of dedicated staff to handle
complaints. The covered entity can determine staffing based on its
needs and business practices. We believe that consumers need one clear
point of contact for complaints, in order that this provision
effectively inform consumers how to lodge complaints and so that the
complaint will get to someone who knows how to respond. The contact
person (or office) is for receipt of complaints, but need not handle
the complaints.

Section 164.530(e)--Sanctions

    Comment: Commenters argued that most covered entities already have
strict sanctions in place for violations of a patient's privacy, either
due to current laws, contractual obligations, or good operating
practices. Requiring covered entities to create a formal sanctioning
process would be superfluous.
    Response: We believe it is important for the covered entity to have
these sanction policies and procedures documented so that employees are
aware of what actions are prohibited and punishable. For entities that
already have sanctions policies in place, it should not be problematic
to document those policies. We do not define the particular sanctions
that covered entities must impose.
    Comment: Several commenters agreed that training should be provided
and expectations should be clear so that individuals are not sanctioned
for doing things that they did not know were wrong or inappropriate. A
good faith exception should be included in the final rule to protect
these individuals.
    Response: We agree that employees should be trained to understand
the covered entity's expectations and understand the consequences of
any violation. This is why we are requiring each covered entity to
train its workforce. However, we disagree that a good faith exception
is explicitly needed in the final rule. We leave the details of
sanctions policies to the discretion of the covered entity. We believe
it is more appropriate to leave this judgment to the covered entity
that will be familiar with the circumstances of the violation, rather
than to specify such requirements in the regulation.
    Comment: Some commenters felt that the sanctions need to reach
business partners as well, not just employees of the covered entities.
These commenters felt all violators should be sanctioned, including
government officials and agencies.
    Response: All members of a covered entity's workforce are subject
to sanctions for violations, including government officials who are
part of a covered entity's workforce. Requirements for addressing
privacy violations by business associates are discussed in
Secs. 164.504(e) and 164.530(f).
    Comments: Many commenters appreciated the flexibility left to the
covered entities to determine sanctions. However, some were concerned
that the covered entity would need to predict each type of violation
and the associated sanction. They argue that, if the Department could
not determine this in the NPRM, then the covered entities should be
allowed to come up with sanctions as appropriate at the time of the
violation. Some commenters wanted a better explanation and
understanding of what HHS' expectation is of when it is appropriate to
apply sanctions. Some commenters felt that the sanctioning requirement
is nebulous and requires independent judgment of compliance; as a
result it is hard to enforce. Offending individuals may use the
vagueness of the standard as a defense.
    Response: We agree with the commenters that argue that covered
entities should be allowed to determine the specific sanctions as
appropriate at the time of the violation. We believe it is more
appropriate to leave this judgment to the covered entity, because the
covered entity will be familiar with the circumstances of the violation
and the best way to improve compliance.
    Comment: A commenter felt that the self-imposition of this
requirement is an inadequate protection, as there is an inherent
conflict of interest when an entity must sanction one of its own.
    Response: We believe it is in the covered entity's best interests
to appropriately sanction those individuals who do not follow the
outlined policies and procedures. Allowing violations to go unpunished
may lead to bigger problems later, and result in complaints being
registered with the Department by aggrieved parties and/or an
enforcement action.
    Comment: This provision should cover all violations, not just
repeat violations.
    Response: We do not limit this requirement to repeat offenses.

Section 164.530(f)--Duty To Mitigate

    Comments: A few commenters felt that any duty to mitigate would be
onerous, especially for small entities. One commenter supported an
affirmative duty to mitigate for employees of the covered entity, as
long as there is no prescribed mitigation policy. One commenter stated
that a requirement for mitigation is unnecessary because any prudent
entity would do it.
    Some practitioner organizations, as well as a health plan, expressed
concern about the obligation to mitigate in the context of the business
associate relationship. Arguing that it is unnecessary for the
regulation to explicitly extend the duty to mitigate to business
associates, commenters noted that: Any prudent entity would discipline
a vendor or employee that violates a regulation; that the matter is
best left to the terms of the contract, and that it is difficult and
expensive for a

[[Page 82748]]

business associate to have a separate set of procedures on mitigation
for each client/provider. One commenter suggested that the federal
government should fund the monitoring needed to administer the
requirement.
    Response: Eliminating the requirement to mitigate harm would
undermine the purposes of this rule by reducing covered entities'
accountability to their patients for failure to protect their
confidential data. To minimize burden, we do not prescribe what
mitigation policies and procedures must be implemented. We require only
that the covered entity mitigate harm. We also assume that violations
will be rare, and so the duty to mitigate harm will rarely be
triggered. To the extent a covered entity already has methods for
mitigating harm, this rule will not pose significant burden, since we
don't require the covered entity to follow any prescribed method or set
of rules.
    We also modify the NPRM to impose the duty to mitigate only where
the covered entity has actual knowledge of harm. Further reducing
burden, the rule requires mitigation ``to the extent practicable.'' It
does not require the covered entity to eliminate the harm unless that
is practicable. For example, if protected health information is
inadvertently provided to a third party without authorization in a
domestic abuse situation, the covered entity would be expected to
promptly contact the patient as well as appropriate authorities and
apprise them of the potential danger.
    The harm to the individual is the same, whether the privacy breach
was caused by a member of the covered entity's workforce, or by a
contractor. We believe the cost of this requirement to be minimal for
covered entities that engage in prudent business practices for
exchanging protected health information with their business associates.
    Comment: A few commenters noted that it is difficult to determine
whether a violation has resulted in a deleterious effect, especially as
the entity cannot know all places to which information has gone and
uses that have been made of it. Consequently, there should be a duty to
mitigate even if a deleterious effect cannot be shown, because the
individual has no other redress.
    Response: As noted above, this provision only applies if the
covered entity has actual knowledge of the harm, and requires
mitigation ``to the extent practicable.'' The covered entity is
expected to take reasonable steps based on knowledge of where the
information has been disclosed, how it might be used to cause harm to
the patient or another individual, and what steps can actually have a
mitigating effect in that specific situation.
    Comments: Commenters stated that the language of the regulation was
in some places vague and imprecise thus providing covered entities with
insufficient guidance and allowing variation in interpretation.
Commenters also noted that this could result in inconsistency in
implementation as well as permitting such inconsistency to be used as a
defense by an offending entity. Particular language for which at least
one commenter requested clarification included ``reasonable steps'' and
what is entailed in the duty to mitigate.
    Response: We considered ways in which we might increase
specificity, including defining ``to the extent practicable'' and
``reasonable steps'' and relating the mitigating action to the
deleterious impact. While this approach could remove from the covered
entity the burden of decision-making about actions that need to be
taken, we believe that other factors outweighed this potential benefit.
Not only would there be a loss of desirable flexibility in
implementation, but it would not be possible to define ``to the extent
practicable'' in a way that makes sense for all types of covered
entities. We believe that allowing flexibility and judgment by those
familiar with the circumstances to dictate the approach is the best
approach to mitigating harm.

Section 164.530(g)--Refraining From Intimidating or Retaliatory Acts

    Comment: Several commenters stated that the regulation should
prohibit covered entities from engaging in intimidating or retaliatory
acts against any person, not just against the ``individual,'' as
proposed. They suggested adding ``or other person or entity'' after
``any individual.''
    Response: We agree, and allow any person to file a complaint with
the Secretary. ``Person'' is not limited to natural persons, but
includes any type of organization, association or group such as other
covered entities, health oversight agencies and advocacy groups.
    Comment: A few commenters suggested deleting this provision in its
entirety. One commenter indicated that the whistleblower and
retaliation provisions could be inappropriately used against a hospital
and that the whistleblower's ability to report numerous violations will
result in a dangerous expansion of liability. Another commenter stated
that covered entities could not take action against an employee who had
violated the employer's privacy provisions if this employee files a
complaint with the Secretary.
    Several commenters suggested deleting ``in any manner'' and ``or
opposing any act or practice made unlawful by this subpart'' in
Sec. 164.522(d)(4). The commenters indicated that, as proposed, the
rule would make it difficult to enforce compliance within the
workforce. One commenter stated that the proposed 164.522(d)(4) ``is
extremely broad and may allow an employee to reveal protected health
information to fellow employees, the media and others (e.g., an
employee may show a medical record to a friend or relative before
filing a complaint with the Department).'' This commenter further stated
that covered entities will ``absolutely be prevented from prohibiting
such conduct.'' One commenter suggested adding that a covered entity
may take disciplinary action against any member of its work force or
any business partner who uses or discloses individually identifiable
health information in violation of this subpart in any manner other
than through the processes set forth in the regulation.
    Response: To respond to these comments, we make several changes to
the proposed provision.
    First, where the activity does not involve the filing of a
complaint under Sec. 160.306 of this part or participation in an
investigation or proceeding initiated by the government under the rule,
we delete the phrase ``in any manner'' and add a requirement that the
individual's opposition to ``any act or practice'' made unlawful by
this subpart be in good faith, and that the expression of that
opposition must be reasonable. Second, we add a requirement that the
individual's opposition to ``any act or practice'' made unlawful by
this subpart must not involve a disclosure of protected health
information that is in violation of this subpart. Thus, the employee
who discloses protected health information to the media or friends is
not protected. In providing interpretations of the retaliation
provision, we will consider existing interpretations of similar
provisions such as the guidance issued by EEOC in this regard.

Section 164.530(h)--Waiver of Rights

    There are no comments directly about this section because it was
not included in the proposed rule.

Section 164.530(i)--Policies and Procedures and Sec. 164.530(j)--
Documentation Requirements

    Comments: Many of the comments to this provision addressed the
costs and

[[Page 82749]]

complexity of the regulation as a whole, not the additional costs of
documenting policies and procedures per se. Some did, either implicitly
or explicitly, object to the need to develop and document policies and
procedures as creating excessive administrative burden. Many of these
commenters also asserted that there is a contradiction between the
administrative burden of this provision and one of the statutory
purposes of this section of the HIPAA to reduce costs through
administrative simplification. Suggested alternatives were generally
reliance on existing regulations and ethical standards, or on current
business practices.
    Response: A specific discussion of cost and burden is found in the
Regulatory Impact Analysis of this final rule.
    We do not believe there is a contradiction between the
administrative costs of this provision and the goal of
administrative simplification. In the Administrative Simplification
provisions of the HIPAA, Congress combined a mandate to facilitate the
efficiencies and cost savings for the health care industry that the
increasing use of electronic technology affords, with a mandate to
improve privacy and confidentiality protections. Congress recognized,
and we agree, that the benefits of electronic commerce can also cause
increased vulnerability to inappropriate access and use of medical
information, and so must be balanced with increased privacy
protections. By including the mandate for privacy standards in section
264 of the HIPAA, Congress determined that existing regulations and
ethical standards, and current business practices were insufficient to
provide the necessary protections.
    Congress mandated that the total benefits associated with
administrative simplification must outweigh its costs, including the
costs of implementing the privacy regulation. We are well within this
mandate.
    Comments: Several commenters suggested that the documentation
requirements not be established as a standard under the regulation,
because standards are subject to penalties. They recommend we delete
the documentation standards and instead provide specific guidance and
technical assistance. Several commenters objected to the suggestion in
the NPRM that professional associations assist their members by
developing appropriate policies for their membership. Several
commenters representing professional associations believed this to be
an onerous and costly burden for the associations, and suggested
instead that we develop specific models which might require only minor
modification. Some of these same associations were also concerned about
liability issues in developing such guidelines. One commenter argued
that sample forms, procedures, and policies should be provided as part
of the Final Rule, so that practitioners would not be overburdened in
meeting the demands of the regulations. This commenter also urged us
to apply this provision only to larger entities.
    Response: The purpose of requiring covered entities to develop
policies and procedures for implementing this regulation is to ensure
that important decisions affecting individuals' rights and privacy
interests are made thoughtfully, not on an ad hoc basis. The purpose of
requiring covered entities to maintain written documentation of these
policies is to facilitate workforce training, and to facilitate
creation of the required notice of information practices. We further
believe that requiring written documentation of key decisions about
privacy will enhance accountability, both within the covered entity and
to the Department, for compliance with this regulation.
    We do not include more specific guidance on the content of the
required policies and procedures because of the vast difference in the
size of covered entities and types of covered entities' businesses. We
believe that covered entities should have the flexibility to design the
policies and procedures best suited to their business and information
practices. We do not exempt smaller entities, because the privacy of
their patients is no less important than the privacy of individuals who
seek care from large providers. Rather, to address this concern we
ensure that the requirements of the rule are flexible so that smaller
covered entities need not follow detailed rules that might be
appropriate for larger entities with complex information systems.
    We understand that smaller covered entities may require some
assistance, and intend to provide such technical assistance after
publication of this rule. We hope to work with professional
associations and other groups that target classes of providers, plans
and patients, in developing specialized material for these groups. Our
discussions with several such organizations indicate their intent to
work on various aspects of model documentation, including forms.
Because the associations' comments regarding concerns about liability
did not provide sufficient details, we cannot address them here.
    Comment: Many commenters discussed the need for a recognition of
scalability of the policies and procedures of an entity based on size,
capabilities, and needs of the participants. It was noted that the
actual language of the draft regulations under Sec. 164.520 did not
address scalability, and suggested that some scalability standard be
formally incorporated into the regulatory language and not rely solely
on the NPRM introductory commentary.
    Response: In Sec. 164.530(i)(1) of the final rule, we specify that
we require covered entities to implement policies and procedures that
take into account the size of the covered entity and the types of
activities that relate to protected health information undertaken by
the covered entity.
    Comment: One commenter objected to our proposal to allow covered
entities to make uses or disclosures not permitted by their current
notice if a compelling reason exists to make the use or disclosure and
the entity documents the reasons and changes its policies within 30
days of the use or disclosure. The commenter argued that the subjective
language of the regulation might give entities the ability to engage in
post hoc justifications for violations of their own information
practices and policies. The commenter suggested that there should be an
objective standard for reviewing the covered entity's reasons before
allowing the covered entity to amend its policies.
    Response: We eliminate this provision from the final rule. The
final rule requires each covered entity to include in its notice of
information practices a statement of all permitted uses under this
rule, not just those in which the covered entity actually engages at
the time of that notice.
    Comment: Some commenters expressed concern that the required
retention period in the NPRM applied to the retention of medical
records.
    Response: The retention requirement of this regulation only applies
to the documentation required by the rule, for example, keeping a
record of accounting for disclosures or copies of policies and
procedures. It does not apply to medical records.
    Comments: Comments on the six year retention period were mixed.
Some commenters endorsed the six-year retention period for maintaining
documentation. One of the comments stated this retention period would
assist physicians legally. Other commenters believed that the retention
period would be an undue burden. One commenter noted that most State
Board of Pharmacy regulations require

[[Page 82750]]

pharmacies to keep records for two years, so the six year retention
period would triple document retention costs.
    Response: We established the retention period at six years because
this is the statute of limitations for the civil monetary penalties.
This rule does not apply to all pharmacy records, but only to the
documentation required by this rule.

Section 164.530(k)--Group Health Plans

    There were no comments directly about this section because it was
not included in the proposed rule.

Section 164.532--Transition Provisions

    Comment: Commenters urged the Department to clarify whether the
``reach of the transition requirement'' is limited to a particular time
frame, to the provider's activities in a particular job, or work for a
particular employer. For example, one commenter questioned how long a
nurse is a covered entity after she moves from a job reviewing files
with protected health information to an administrative job that does
not handle protected health information; or whether an occupational
health nurse who used to transmit first reports of injury to her
company's workers' compensation carrier last year but no longer does so
this year because of a carrier change still is a covered entity.
    Response: Because this comment addresses a question of enforcement,
we will address it in the enforcement regulation.
    Comment: Several commenters sought clarification as to the
application of the privacy rule to research already begun prior to the
effective date or compliance date of the final rule. These commenters
argued that applying the privacy rule to research already begun prior
to the rule's effective date would substantially overburden IRBs and that
the resulting research interruptions could harm participants and
threaten the reliability and validity of conclusions based upon
clinical trial data. The commenters recommended that the rule
grandfather in any ongoing research that has been approved by and is
under the supervision of an IRB.
    Response: We generally agree with the concerns raised by
commenters. In the final rule, we have provided that covered entities
may rely upon consents, authorizations, or other express legal
permissions obtained from an individual for a specific research project
that includes the treatment of individuals to use or disclose protected
health information the covered entity obtained before or after the
applicable compliance date of this rule as long as certain requirements
are met. These consents, authorizations, or other express legal
permissions may specifically permit a use or disclosure of individually
identifiable health information for purposes of the project or be a
general consent of the individual to participate in the project. A
covered entity may use or disclose protected health information it
created or received before or after the applicable compliance date of
this rule for purposes of the project provided that the covered entity
complies with all limitations expressed in the consent, authorization,
or permission.
    In regard to research projects that include the treatment of
individuals, such as clinical trials, covered entities engaged in these
projects will have obtained at least an informed consent from the
individual to participate in the project. In some cases, the researcher
may also have obtained a consent, authorization, or other express legal
permission to use or disclose individually identifiable health
information in a specific manner. To avoid disrupting ongoing research
and because the participants have already agreed to participate in the
project (which expressly permits or implies the use or disclosure of
their protected health information), we have grandfathered in these
consents, authorizations, and other express legal permissions.
    It is unlikely that a research project that includes the treatment
of individuals could proceed under the Common Rule with a waiver of
informed consent. However, to the extent such a waiver has been
granted, we believe individuals participating in the project should be
able to determine how their protected health information is used or
disclosed. Therefore, we require researchers engaged in research
projects that include the treatment of individuals who obtained an IRB
waiver of informed consent under the Common Rule to obtain an
authorization or a waiver of such authorization from an IRB or a
privacy board under Sec. 164.512(i) of this rule.
    If a covered entity obtained a consent, authorization, or other
express legal permission from the individual who is the subject of the
research, it would be able to rely upon that consent, authorization, or
permission, consistent with any limitations it expressed, to use or
disclose the protected health information it created or received prior
to or after the compliance date of this regulation. If a covered entity
wishes to use or disclose protected health information but no such
consent, authorization, or permission exists, it must obtain an
authorization pursuant to Sec. 164.508 or obtain a waiver of
authorization under Sec. 164.512(i). To the extent such a project is
ongoing and the researchers are unable to locate the individuals whose
protected health information they are using or disclosing, we believe
the IRB or privacy board under the criteria set forth in
Sec. 164.512(i) will be able to take that circumstance into account
when conducting its review. In most instances, we believe this type of
research will be able to obtain a waiver of authorization and be able
to continue uninterrupted.
    Comment: Several comments raised questions about the application of
the rule to individually identifiable information created prior to (1)
the effective date of the rule, and (2) the compliance dates of the
rule. One commenter suggested that the rule should apply only to
information gathered after the effective date of the final rule. A drug
manufacturer asked what would be the effect of the rule on research on
records compiled before the effective date of the rule.
    Response: We disagree with the commenter's suggestion. The
requirements of this regulation apply to all protected health
information held by a covered entity, regardless of when or how the
covered entity obtained the information. Congress required us to
adopt privacy standards that apply to individually identifiable
health information. While it limited the compliance date for health
plans, covered health care providers, and health care clearinghouses, it
did not provide similar limiting language with regard to individually
identifiable health information. Therefore, uses and disclosures of
protected health information made by a covered entity after the
compliance date of this regulation must meet the requirements of these
rules. Uses or disclosures of individually identifiable health
information made prior to the compliance date are not affected; covered
entities will not be sanctioned under this rule based on past uses or
disclosures that are inconsistent with this regulation.
    Consistent with the definition of individually identifiable health
information in HIPAA, of which protected health information is a
subset, we do not distinguish between protected health information in
research records and protected health information in other records.
Thus, a covered entity's research records are subject to this
regulation to the extent they contain protected health information.

[[Page 82751]]

Section 164.534--Effective Date and Compliance Date

    Section 1175(b)(1)(A) of the Act requires all covered entities
other than small health plans to comply with a standard or
implementation specification ``not later than 24 months after the date
on which an initial standard or implementation specification is adopted
or established''; section 1175(b)(1)(B) provides that small health
plans must comply not later than 36 months after that date. The
proposed rule provided, at proposed Sec. 164.524 (which was titled
``Effective date''), that a covered entity was required to be in
compliance with the proposed subpart E not later than 24 months
following the effective date of the rule, except that small health
plans were required to be in compliance not later than 36 months
following the effective date of the rule.
    The final rules retain these dates in the text of Subpart E, but
denominate them as ``compliance dates,'' to distinguish the statutory
dates from the date on which the rules become effective. The effective
date of the final rules is 60 days following publication in the Federal
Register.

Meaning of Effective Date

    Comment: A number of commenters expressed confusion about the
difference between the effective date of the rule and the effective
date on which compliance was required (the statutory compliance dates
set out at section 1175(b)(1), summarized above).
    Response: The Department agrees that the title of proposed
Sec. 164.524 was confusing. Similar comments were received on the
Transactions Rule. Those comments were addressed by treating the
``effective date'' of the rule as the date on which adoption takes
effect (the ``Effective Date'' heading at the beginning of the
preamble), while the dates provided for by section 1175(b)(1) of the
statute were denominated as ``compliance dates.'' These changes are
reflected in the definition of ``compliance date'' in Sec. 160.103
below (initially published as part of the Transactions Rule) and are
also reflected at Sec. 164.524 below. Section 164.524 below has also
been reorganized to follow the organization of the analogous provisions
of the Transactions Rule. The underlying policy, however, remains as
proposed.

Extend the Compliance Date

    Comment: Some commenters recommended that the compliance date be
extended. A number of comments objected that the time frame for
compliance with the proposed standards is unrealistically short. It was
pointed out that providers and others would have to do the following,
among other things, prior to the applicable compliance date: assess
their current systems and departments, determine which state laws were
preempted and which were not, update and reprogram computer systems,
train workers, create and implement the required privacy policies and
procedures, and create or update contracts with business partners. One
comment also noted that the task of coming into compliance during the
same time period with the other regulations being issued under HIPAA
would further complicate the task. These comments generally supported
an extension of the compliance dates by one or more years. Other
comments supported extending the compliance dates on the ground that
the complexity of the tasks involved in implementing the regulation
would be a heavy financial burden for providers and others, and that
they should be given more time to comply, in order to spread the
associated capital and workforce costs over a longer period. It was
also suggested that there be provision for granting extensions of the
compliance date, based on some criteria, such as a good faith effort to
comply or that the compliance dates be extended to two years following
completion of a ``state-by-state preemption analysis'' by the
Department.
    Response: The Secretary acknowledges that covered entities will
have to make changes to their policies and procedures during the period
between the effective date of the rules below and the applicable
compliance dates. The delayed compliance dates which the statute
provides for constitute a recognition of the fact that changes will be
required and are intended to permit covered entities to manage and
implement these changes in an orderly fashion. However, because the
time frames for compliance with the initial standards are established
by statute, the Secretary has no discretion to extend them: Compliance
is statutorily required ``not later than'' the applicable compliance
date. Nor do we believe that it would be advisable to accomplish this
result by delaying the effective date of the final rules beyond 60
days. Since the Transactions Rule is now in effect, it is imperative to
bring the privacy protections afforded by the rules below into effect
as soon as possible. Retaining the delayed effective date of 60 days,
as originally contemplated, will minimize the period during which
transactions covered by those rules are not also afforded protection
under the rules below.

Phase-in Requirements

    Comment: Several comments suggested that the privacy standards be
phased in gradually, to ease the manpower and cost burdens of
compliance. A couple of equipment manufacturing groups suggested that
updating of various types of equipment would be necessary for
compliance purposes, and suggested a phased approach to this--for
example, an initial phase consisting of preparation of policies, plans,
and risk assessments, a second phase consisting of bringing new
equipment into compliance, and a final phase consisting of bringing
existing equipment into compliance.
    Response: As noted in the preceding response, section 1175(b)(1)
does not allow the Secretary discretion to change the time frame within
which compliance must be achieved. Congress appears to have intended
the phasing in of compliance to occur during the two-year compliance
period, not thereafter.

Compliance Gap Vis-a-Vis State Laws and Small Health Plans

    Comment: Several comments stated that, as drafted, the preemption
provisions would be effective as of the rule's effective date (i.e., 60
days following publication), even though covered entities would not be
required to comply with the rules for at least another two years.
According to these comments, the ``preempted'' state laws would not be
in effect in the interim, so that the actual privacy protection would
decrease during that period. A couple of comments also expressed
concern about how the preemption provisions would work, given the one-
year difference in applicable compliance dates for small health plans
and other covered entities. A state medical society pointed out that
this gap would also be very troublesome for providers who deal with
both ``small health plans'' and other health plans. One comment asked
what entities that decided to come into compliance early would have to
do with respect to conflicting state laws and suggested that, since all
parties ``need to know with confidence which laws govern at the moment,
* * * [t]here should be uniform effective dates.''
    Response: We agree that clarification is needed with respect to the
applicability of state laws in the interim between the effective date
and the compliance dates. What the comments summarized above appeared
to assume is that the preemption provisions of section 1178 operate to
broadly and generally invalidate any state law that comes within their
ambit. We do not agree that this is the effect of section

[[Page 82752]]

1178. Rather, what section 1178 does--where it acts to preempt--is to
preempt the state law in question with respect to the actions of
covered entities to which the state law applies. Thus, if a provision
of state law is preempted by section 1178, covered entities within that
state to which the state law applies do not have to comply with it, and
must instead comply with the contrary federal standard, requirement, or
implementation specification. However, as compliance with the contrary
federal standard, requirement, or implementation specification is not
required until the applicable compliance date, we do not view the state
law in question as meeting the test of being ``contrary.'' That is,
since compliance with the federal standard, requirement, or
implementation specification is not required prior to the applicable
compliance date, it is possible for covered entities to comply with the
state law in question. See Sec. 160.202 (definition of ``contrary'').
Thus, since the state law is not ``contrary'' to an applicable federal
standard, requirement, or implementation specification in the period
before which compliance is required, it is not preempted.
    Several implications of this analysis should be spelled out. First,
one conclusion that flows from this analysis is that preemption is
specific to covered entities and does not represent a general
invalidation of state law, as suggested by many commenters. Second,
because preemption is covered entity-specific, preemption will occur at
different times for small health plans than it will occur for all other
covered entities. That is, the preemption of a given state law for a
covered entity, such as a provider, that is covered by the 24-month
compliance date of section 1175(b)(1)(A) will occur 12 months earlier
than the preemption of the same state law for a small health plan that
is covered by the 36-month compliance date of section 1175(b)(1)(B).
Third, the preemption occurs only for covered entities; a state law
that is preempted under section 1178(a)(1) would not be preempted for
persons and entities to which it applies who are not covered entities.
Thus, to the extent covered entities or non-covered entities follow the
federal standards on a voluntary basis (i.e., the covered entity prior
to the applicable compliance date, the non-covered entity at any time),
the state law in question will not be preempted for them.

Small Health Plans

    Comment: Several comments, pointing to the ``Small Business''
discussion in the preamble to the proposed rules, applauded the
decision to extend the compliance date to three years for small
businesses. It was requested that the final rules clarify that the
three year compliance date applies to small doctors offices and other
small entities, as well as to small health plans.
    Response: We recognize that our discussion in the preamble to the
proposed rules may have suggested that more covered entities came
within the 36-month compliance date than is in fact the case. Again,
this is an area in which we are limited by statute. Under section
1175(b) of the Act, only small health plans have three years to come
into compliance with the standards below. Thus, other ``small
businesses'' that are covered entities must comply by the two-year
compliance date.

Coordination With the Security Standard

    Comment: Several comments suggested that the security standard be
issued either with or after the privacy standards. It was argued that
both sets of standards deal with protecting health information and will
require extensive personnel training and revisions to business
practices, so that coordinating them would make sense. An equipment
manufacturers group also pointed out that it would be logical for
covered entities and their business partners to know what privacy
policies are required in purchasing security systems, and that ``the
policies on privacy are implemented through the security standards
rather than having already finalized security standards drive policy.''
    Response: We agree with these comments, and are making every effort
to coordinate the final security standards with the privacy standards
below. The privacy standards below are being published ahead of the
security standards, which is also responsive to the stated concerns.

Prospective Application

    Comment: Several comments raised questions about the application of
the rule to individually identifiable information created prior to (1)
the effective date of the rule, and (2) the compliance dates of the
rule. One provider group suggested that the rule should apply only to
information gathered after the effective date of the final rule. A drug
manufacturer asked what would be the effect of the rule on research on
records compiled before the effective date of the rule.
    Response: These comments are addressed in connection with the
discussion of Sec. 164.532 above.

Impact Analyses

Cost/Benefit Analysis

    Comment: Many commenters made general statements to the effect that
the cost estimates for implementing the provisions of the proposed
regulation were incomplete or greatly understated.
    Response: The proposal, including the cost analysis, is, in effect,
a first draft. The purpose of the proposal was to solicit public
comment and to use those comments to refine the final regulation. As a
result of the public comment, the Department has significantly refined
our initial cost estimates for implementing this regulation. The cost
analysis below reflects a much more complete analysis of the major
components of the regulation than was presented in the proposal.
    Comment: Numerous commenters noted that significant areas of
potential cost had not been estimated and that if they were estimated,
they would greatly increase the total cost of the regulation. Potential
cost areas identified by various respondents as omitted from the
analyses include the minimum disclosure requirements; the requisite
monitoring by covered entities of business partners with whom they
share private health information; creation of de-identified
information; internal complaint processes; sanctions and enforcement;
the designation of a privacy official and creation of a privacy board;
new requirements for research/optional disclosures; and future
litigation costs.
    Response: We noted in the proposed rule that we did not have data
from which to estimate the costs of many provisions, and solicited
comments providing such data. The final analysis below reflects the
best estimate possible for these areas, based on the information
available. The data and the underlying assumptions are explained in the
cost analysis section below.
    Comment: A number of comments suggested that the final regulation
be delayed until more thorough analyses could be undertaken and
completed. One commenter stated that the Department should refrain from
implementing the regulation until a more realistic assessment of costs
could be made and include local governments in the process. Similarly,
a commenter requested that the Department assemble an outside panel of
health industry experts, including systems analysts, legal counsel, and
management consultants to develop stronger estimates.
    Response: The Department has engaged in extensive research, data
collection and fact-finding to improve

[[Page 82753]]

the quality of its economic analysis. This has included comments from
and discussions with the kinds of experts one commenter suggested. The
estimates represent a reasonable assessment of the policies proposed.
    Comment: Several commenters indicated that the proposed regulation
would impose significant new costs on providers' practices.
Furthermore, they believe that it runs counter to the explicit
statutory intent of HIPAA's Administrative Simplification provisions
which require that ``any standard adopted * * * shall be consistent
with the objective of reducing the administrative costs of providing
and paying for health care.''
    Response: As the Department explained in the Transactions Rule,
this provision applies to the administrative simplification regulations
of HIPAA in the aggregate. The Transactions Rule is estimated to save
the health care system $29.9 billion in nominal dollars over ten years.
Other regulations published pursuant to the administrative
simplification authority in HIPAA, including the privacy regulation,
will result in costs, but these costs are within the statutory
directive so long as they do not exceed the $29.9 billion in estimated
savings. Furthermore, as explained in the Transactions Rule, and the
preamble to this rule, assuring privacy is essential to sustaining many
of the advances that computers will provide. If people do not have
confidence that their medical privacy will be protected, they will be
much less likely to allow their records to be used for any purpose or
might even avoid obtaining necessary medical care.
    Comment: Several commenters criticized the omission of aggregate,
quantifiable benefit estimates in the proposed rule. Some respondents
argued that the analysis in the proposed rule used ``de minimis'' cost
estimates to argue only that benefits would certainly exceed such a low
barrier. These commenters further characterized the benefits analysis
in the Notice of Proposed Rulemaking as ``hand waving'' used to divert
attention from the fact that no real cost-benefit comparison is
presented. Another commenter stated that the benefit estimates rely
heavily on anecdotal and unsubstantiated inferences. This respondent
believes that the benefit estimates are based on postulated, but
largely unsubstantiated causal linkages between increased privacy and
earlier diagnosis and medical treatment.
    Response: The benefits of privacy are diffused and intangible but
real. Medical privacy is not a good people buy or sell in a market;
therefore, it is very difficult to quantify. The benefits discussion in
the proposal reflects this difficulty. The examples presented in the
proposal were meant to be illustrative of the benefits based on a few
areas of medicine where some relevant data was available.
Unfortunately, no commenters provided either a better methodological
approach or better data for assessing the overall benefits of privacy.
Therefore, we believe the analysis in the proposal represents a valid
illustration of the benefits of privacy, and we do not believe it is
feasible to provide an overall dollar estimate of the benefits of
privacy in the aggregate.
    Comment: One commenter criticized the benefit analysis as being
incomplete because it did not consider the potential cost of new
treatments that might be engendered by increased confidence in medical
privacy resulting from the regulation.
    Response: There is no data or model to reliably assess such long-
term behavioral and scientific changes, nor to determine what portion
of the increasingly rapid evolution of new improved treatments might
stem from improved privacy protections. Moreover, to be complete, such
analysis would have to include the savings that might be realized from
earlier detection and treatment. It is not possible at this time to
project the magnitude or even the direction of the net effects of the
response to privacy that the commenter suggests.

Scope of the Regulation

    Comment: Numerous commenters noted the potential cost and burden of
keeping track in medical records of information which had been
transmitted electronically, which would be subject to the rule, as
opposed to information that had only been maintained in paper form.
    Response: This argument was found to have considerable merit and
was one of the reasons that the Department concluded that the final
regulation should apply to all medical records maintained by covered
entities, including information that had never been transmitted
electronically. The costs analysis below reflects the change in scope.

Notice Requirements

    Comment: Several commenters expressed their belief that the
administrative and cost burdens associated with the notice requirements
were understated in the proposed rule. While some respondents took
issue with the policy development cost estimates associated with the
notice, more were focused on its projected implementation and
production costs. For example, one respondent stated that determining
``first service'' would be an onerous task for many small practices,
and that provider staff will now have to manually review each patient's
chart or access a computer system to determine whether the patient has
been seen since implementation of the rule.
    Response: The policy in the final rule has been changed to make the
privacy policy notice to patients less burdensome. Providers will be
able to distribute the notice when a patient is seen and will not have
to distribute it to a patient more than once, unless substantive
changes are made in the notice. This change will significantly reduce
the cost of distributing the privacy notices.
    Comment: Some commenters also took issue with the methodology used
to calculate the cost estimates for notices. These respondents believe
that the survey data used in the proposed rule to estimate the costs
(i.e., ``encounters,'' ``patients,'' and ``episodes'' per year) are
very different concepts that, when used together, render the purported
total meaningless. Commenters further stated that they cannot verify the
estimate of 543 million patients cited as being seen at least once
every five years.
    Response: In the course of receiving treatment, a patient may go to
a number of medical organizations. For example, a person might see a
doctor in a physician's office, be admitted to a hospital, and later go
to a pharmacy for medication. Each time a person ``encounters'' a
facility, a medical record may be started or additions made to an
existing record. The concept in the proposal was to identify the number
of record sets that a person might have for purposes of estimating
notice and copying costs. For example, whether a person made one or ten
visits in the course of a year to a specific doctor would, for our
purposes, be one record set because in each visit the doctor would most
likely be adding information to an existing medical record. The
comments demonstrated that we had not explained the concept well. As
explained below we modified the concept to more effectively measure the
number of record sets that exist and explain it more clearly.
    Comment: Several commenters criticized the lack of supporting
evidence for the cost estimates of notice development and
dissemination. Another opinion voiced in the comments is that the
estimated cost for plans of $0.75 per insured person is so low that it
may cover postage, but it

[[Page 82754]]

cannot include labor and capital usage costs.
    Response: Based on comments and additional fact finding, the
Department was able to gain a better understanding of how covered
entities would develop policies and disseminate information. The cost
analysis below explains more fully how we derived the final cost
estimates for these areas.
    Comment: A commenter noted that privacy policy costs assume that
national associations will develop privacy policies for members but HHS
analysis does not account for the cost to the national associations. A
provider cost range of $300-$3,000 is without justification and seems
low.
    Response: The cost to the national associations was included in the
proposal estimates, and it is included in the final analysis (see
below).
    Comment: A commenter states that the notice costs discussion mixes
the terms ``patients'', ``encounters'' and ``episodes'' and that the 397
million encounter estimate is unclear.
    Response: A clearer explanation of the concepts employed in this
analysis is provided below.

Systems Compliance Costs

    Comment: Numerous commenters questioned the methodology used to
estimate the systems compliance cost and stated that the ensuing cost
estimates were grossly understated. Some stated that the regulation
will impose significant information technology costs to comply with
the requirement to account for disclosures, additional costs for hiring
new personnel to develop privacy policies, and higher costs for
training personnel.
    Response: Significant comments were received regarding the cost of
systems compliance. In response, the Department retained the assistance
of consultants with extensive expertise in health care information
technology. We have relied on their work to revise our estimates, as
described below. The analysis does not include ``systems compliance''
as a cost item, per se. Rather, in the final analysis we organized
estimates around the major policy provisions so the public could more
clearly see the costs associated with them. To the extent that the
policy might require systems changes (and a number of them do), we have
incorporated those costs in the provision's estimate.
    Comment: Items explicitly identified by commenters as significantly
adding to systems compliance costs include tracking disclosures of
protected health information and patient authorizations; restricting
access to the data; accommodating minimum disclosure provisions;
installing notices and disclaimers; creating de-identified data;
tracking uses of protected health information by business partners;
tracking amendments and corrections; increased systems capacity; and
annual systems maintenance. The commenters noted that some of the
aforementioned items are acknowledged in the proposed rule as future
costs to covered entities, but several others are singularly ignored.
    Response: The Department recognizes the validity of much of this
criticism. Unfortunately, other than general criticism, commenters
provided no specific data or methodological information which might be
used to improve the estimates. Therefore, the Department retained
consultants with extensive expertise in these areas to assess the
proposed regulation, which helped the Department refine its policies
and cost estimates.
    In addition, it is important to note that the other HIPAA
administrative simplification regulations will require systems changes.
As explained generally in the cost analysis for the electronic
Transactions rule, it is assumed that providers and vendors will
undertake systems changes for these regulations collectively, thereby
minimizing the cost of changes.

Inspection and Copying

    Comment: Numerous commenters disagreed with the cost estimates in
the NPRM for inspection and copying of patient records, believing that
they were too low.
    Response: The Department has investigated the potential costs
through a careful reading of the comments and subsequent factfinding
discussions with a variety of providers. We believe the estimates,
explained more fully below, represent a reasonable estimate in the
aggregate. It is important to note, however, that this analysis is not
measuring the cost of all inspection and copying because a considerable
amount of this already occurs. The Department is only measuring the
incremental increase likely to occur as a result of this regulation.
    Comment: One commenter speculates that, even at a minimum charge of
$.50/page, (and not including search and retrieval charges), costs
could run as high as $450 million annually.
    Response: The $0.50 per page in the proposal represents an average
of several data sources. Subsequently, an industry commenter, which
provided extensive medical records copying, stated that this was a
reasonable average cost. Hence, we retained the number for the final
estimate.
    Comment: One respondent states that, since the proposed rules give
patients the right to inspect and copy their medical records regardless
of storage medium, HHS must make a distinction in its cost estimates
between records stored electronically and those which must be accessed
by manual means, since these costs will differ.
    Response: The cost estimates made for regulations are not intended
to provide such refined gradations; rather, they are intended to show
the overall costs for the regulation as a whole and its major
components. For inspections and copying (and virtually all other areas
for which estimates are made) estimates are based on averages;
particular providers may experience greater or lesser costs than the
average cost used in this analysis.
    Comment: Several commenters noted that the Department did not
appear to include the cost of establishing storage systems, retrieval
fees and the cost of searching for records, and that these costs, if
included, would significantly increase the Department's estimate.
    Response: Currently, providers keep and maintain medical records
and often provide copies to other providers and patients. Therefore,
much of the cost of maintaining records already exists. Indeed, based
on public comments, the Department has concluded that there will be
relatively few additional copies requested as the result of this
regulation (see below). We have measured and attributed to this
regulation the incremental cost, which is the standard for conducting
this kind of analysis.
    Comment: A federal agency expressed concern over the proposal to
allow covered entities to charge a fee for copying personal health
information based on reasonable costs. The agency requests personal
health information from many covered entities and pays a fee that it
establishes. Allowing covered entities to establish the fee, the agency
fears, may cost them significantly more than the current amounts they
pay and as a result, could adversely affect their program.
    Response: The proposal and the final rule establish the right to
access and copy records only for individuals, not other entities; the
``reasonable fee'' is only applicable to the individual's request. The
Department's expectation is that other existing practices regarding
fees, if any, for the exchange of records not requested by an
individual will not be affected by this rule.

[[Page 82755]]

Appending Records (Amendment and Correction)

    Comment: The proposed rule estimated the cost of amending and
correcting patients' records at $75 per instance and $260 million per
year for small entities. At least one commenter stated that such
requests will rise significantly upon implementation of the regulations
and increase in direct proportion to the number of patients served.
Another commenter described the more subtle costs associated with
record amendment and correction, which would include a case-by-case
clinical determination by providers on whether to grant such requests,
forwarding the ensuing record changes to business partners, and issuing
written statements to patients on the reasons for denials, including a
recourse for complaints.
    Response: The comments were considered in revising the proposal,
and the decision was made to clarify in the final regulation that
providers must only append the record (the policy is explained further
in the preamble and the regulation text). The provider is now only
required to note in the medical record any comments from the patient;
they may, but are not required to, correct any errors. This change in
policy significantly reduces the cost from the initial proposal
estimate.
    Comment: Several commenters criticized the proposed rule's lack of
justification for assumptions regarding the percentage of patients who
request inspection and copying, who also request amendment and
correction. Another commenter pointed out that the cost estimate for
amendment and correction is dependent on a base assumption that only
1.5 percent of patients will request inspection of their records. As
such, if this estimate were too low by just one percentage point, then
the estimates for inspection and copying plus the costs for amendment
and correction could rise by 67 percent.
    Response: Based on information and data received in the public
comments, the estimate for the number of people requesting inspection
and copying has been revised. No commenter provided specific
information on the number of amended record requests that might result,
but the Department subsequently engaged in fact-finding and made
appropriate adjustments in its estimates. The revisions are explained
further below.

Consent and Authorizations

    Comment: One respondent indicated that the development, collection,
and data entry of all the authorizations will create a new transaction
type for employers, health plans, and providers, and result in
duplicated efforts among them. This commenter estimates that the costs
of mailing, re-mailing, answering inquiries, making outbound calls and
performing data entry in newly created authorization computer systems
could result in expenses of close to $2.0 billion nationally. Another
commenter indicated that authorization costs will be at least double
the notice dissemination costs due to the cost of both outbound and
return postage.
    Response: Public commenters and subsequent factfinding clearly
indicate that most providers with patient contact already obtain
authorizations for release of records, so for them there is virtually
no new cost. Further, this comment does not reflect the actual
regulatory requirement. For example, there is no need to engage in
mailing and re-mailing of forms, and we do not foresee any reason why
there should be any significant calls involved.
    Comment: A commenter criticized the percentage (1%) that we used to
calculate the number of health care encounters expected to result in
requests to withhold the release of protected information. This
respondent postulates that even if one in six patients who encounter
the U.S. health care system opt to restrict access to their records,
the total expected national cost per year could rise to $900 million.
    Response: The final regulation requirements regarding the release
of protected health information have been substantially changed, thereby
greatly reducing the potential cost burden. A fuller explanation of the
cost is provided below in the regulatory impact analysis.
    Comment: An additional issue raised by commenters was the added
cost of seeking authorizations for health promotion and disease
management activities, health care operations that traditionally did
not require such action.
    Response: In the final regulation, a covered entity can use medical
information collected for treatment or operations for its own health
promotion and disease management efforts without obtaining additional
authorization. Therefore, there is no additional cost incurred.

Business Associates

    Comment: A number of commenters were concerned about the cost of
monitoring business partners. Specifically, one commenter stated that
the provisions of the proposed regulation pertaining to business
partners would likely force the discontinuation of outsourcing for some
functions, thereby driving up the administrative cost of health care.
    Response: The final regulation clarifies the obligations of the
business associates in assuring privacy. As explained in the preamble,
business associates must take reasonable steps to assure
confidentiality of health records they may have, and the covered entity
must take appropriate action if it becomes aware of a violation of the
agreement it has with the business associate. This does not
represent an unreasonable burden; indeed, the provider is required to
take the same kind of precautions and provide the same kind of
oversight that it would in many other kinds of contractual
relationships to assure it obtains the quality and level of
performance that it would expect from a business associate.
    Comment: HHS failed to consider enforcement costs associated with
monitoring partners and litigation costs arising from covered entities
seeking restitution from business partners whose behavior puts the
covered entity at risk for noncompliance.
    Response: The Department acknowledged in the proposal that it was
not estimating the cost of compliance with the business associates
provision because of inadequate information. It requested information
on this issue, but no specific information was provided in the
comments. However, based on revisions in the final policy and
subsequent factfinding, the Department has provided an estimate for
this requirement, as explained below.

Training

    Comment: Many of the commenters believe that the Department used
unrealistic assumptions in the development of the estimated cost of the
training provisions and they provided their own estimates.
    Response: The commenters' estimates varied widely, and could not be
used by the Department in revising its analysis because there was
inadequate explanation of how the estimates were made.
    Comment: Several commenters argued that if even an hour of time of
each of the entity's employees is spent on training instead of ``work''
and they are paid the minimum wage, an entity would incur $100 of cost
for training no more than 20 employees. The commenters noted that the
provision of health care services is a labor-intensive enterprise, and
many covered entities have thousands of employees, most of whom make
well in excess of minimum

[[Page 82756]]

wage. They questioned whether the estimates include time taken from the
employee's actual duties (opportunity cost) and the cost of a trainer
and materials.
    Response: As explained in more detail below, the Department made
extensive revisions in its training estimate, including the number of
workers in the health care sector, the cost of workers in training
based on average industry wages, and training costs (instructors and
materials). The revised estimate is a more complete and accurate
estimate of the costs likely to be borne as a result of the final
regulation.
    Comment: One commenter estimated that simply training an employee
could have a burdensome impact on his company. He argued, for example,
a 10-hour annual requirement takes 0.5% of an employee's time if they
work a 2000-hour year, but factoring in sick and vacation leave, the
effects of industry turnover could significantly increase the effect.
    Response: In the analysis below, the Department has factored in
turnover rates, employment growth and greater utilization based on data
obtained from broad-based surveys and a public comment.
    Comment: Some commenters felt that the regulatory training
provisions are overly burdensome. Specific concerns centered around the
requirement to train all individuals who may come in contact with
protected health information and the requirement to have such
individuals sign a new certifying statement at least every three years.
Some commenters felt that the content of the training program should be
left to the discretion of the covered entity.
    Response: Changes and clarifications in the training requirements
are made in the final regulation, explained below. For example, the
certification requirement has been eliminated. As in the NPRM, the
content of the training program is left to the discretion of the
covered entity. These changes are expected to lessen the training
burden and are reflected in the final cost estimates.

Compliance and Enforcement

    Comment: A Member of Congress and a number of privacy and consumer
groups expressed their concern with whether the Office for Civil Rights
(OCR) in HHS has adequate funding to carry out the major responsibility
of enforcing the complaint process established by this rule. The Member
stated that ``[d]ue to the limited enforcement ability allowed for in
this rule by HIPAA, it is essential that OCR have the capacity to
enforce the regulations. Now is the time for The Secretary to begin
building the necessary infrastructure to enforce the regulation
effectively.''
    Response: The Secretary agrees with the commenters and is committed
to an effective enforcement program. We will work with Congress to
ensure that the Department has the necessary funds to secure voluntary
compliance through education and technical assistance, to investigate
complaints and conduct compliance reviews, to provide states with
exception determinations and to use civil and criminal penalties when
necessary.

Economic Effect on Small Entities

    Comment: Many commenters stated that the cost estimates on the
effect of the proposed regulation on small businesses were understated
or incomplete.
    Response: The Department conducted a thorough review of potential
data sources that would improve the quality of the analysis of the
effects on small business. The final regulatory flexibility analysis
below is based on the best data available (much of it from the Small
Business Administration) and represents a reliable estimate for the
effects on small entities in various segments of the health care
industry. It is important to note that the estimates are for small
business segments in the aggregate; the cost to individual firms will
vary, perhaps considerably, based on their particular circumstances.
    Comment: The cost of implementing privacy regulations, when added
to the cost of other required HIPAA regulations, could increase
overhead significantly. As shown in the 1993 Workgroup on Electronic
Data Interchange (WEDI) Report, providers will bear the larger share of
implementation costs and will save less than payors.
    Response: The regulatory flexibility analysis below shows generally
the marginal effect of the privacy regulation on small entities.
Collectively, the HIPAA administrative standards will save money in the
health care system. As important, given the rapid expansion of
electronic commerce, it is probable that small entities would need to
comply with standards for electronic commerce in order to compete
effectively, even if the standards were voluntary. The establishment of
uniform standards through regulation helps small entities because they
will not have to invest in multiple systems, which is what they would
confront if the system remained voluntary.
    Comment: One respondent believed that the initial and ongoing costs
for small provider offices could be as much as 11 times higher than the
estimates provided in the proposed rule. Other commenters stated that
the estimates for small entities are ``absurdly low''.
    Response: Although there were a number of commenters highly
critical of the small business analysis, none provided alternative
estimates or even provided a rationale for their statements. Many
appeared to assume that all costs associated with medical record
confidentiality should be estimated. This represents a misunderstanding
of the purpose of the analysis: to estimate the incremental effects of
this regulation, i.e., the new costs (and savings) that will result
from changes required by the regulation. The Department has made
substantial changes in the final small entities analysis (below),
reflecting policy changes in the final rule and additional information
and data collected by the Department since the issuance of the proposal
last fall. We believe that these estimates reasonably reflect the costs
that various types of small entities will experience in general, though
the actual costs of particular providers might vary considerably based
on their current practices and technology.
    Comment: A respondent expressed the belief that small providers
would bear a disproportionate share of the regulation's administrative
burden because of the likelihood of larger companies incurring fewer
marginal costs due to greater in-house resources to aid in the legal
and technical analysis of the proposed rule.
    Response: As explained below, the Department does not agree with
the assertion that small entities will be disproportionately affected.
Based on discussions with a number of groups, the Department expects
many professional and trade associations to provide their members with
analysis of the regulation, including model policies, statements and
basic training materials. This will minimize the cost for most small
entities. Providers that use protected health information for voluntary
practices, such as marketing or research, are more likely to need
specific legal and technical assistance, but these are likely to be
larger providers.
    Comment: Several commenters took issue with the ``top-down''
approach that we used to estimate costs for small businesses, believing
that this methodology provided only a single point estimate, gave no
indication of the variation around the estimate, and was subject to
numerous methodological errors since the entities to which the
numerator pertained may not have been

[[Page 82757]]

the same as the denominator. These respondents further recommended that
we prepare a ``bottom-up'' analysis using case studies and/or a survey
of providers to refine the estimates.
    Response: The purpose of the regulatory flexibility analysis is to
provide a better insight into the relative burden of small businesses
compared to larger firms in complying with a regulation. There may be
considerable variance around average costs within particular industry
sectors, even among small businesses within them. The estimates are
based on the best data available, including information from the Small
Business Administration, the Census Bureau, and public comments.
    Comment: A commenter stated that the proposal's cost estimate does
not account for additional administrative costs imposed on physicians,
such as requirements to rewrite contracts with business partners.
    Response: Such costs are included in the analysis below.
    Comment: Numerous public comments were directed specifically at the
systems compliance cost estimates for small businesses. One respondent
maintained that the initial upgrade cost alone would range from $50
thousand to more than $1 million per covered entity.
    Response: The cost estimates for systems compliance varied
enormously; unfortunately, none of the commenters provided
documentation of how they made their estimates, preventing us from
comparing their data and assumptions to the Department's. Because of
concern about the costs in this area, however, the Department retained
an outside consultant to provide greater expertise and analysis. The
product of this effort has been incorporated in the analysis below.
    Comment: One commenter stated that just the development and
documentation of new health information policies and procedures (which
would require an analysis of the federal regulations and state law
privacy provisions), would cost far more than the $396 cited in the
Notice of Proposed Rulemaking as the average start-up cost for small
businesses.
    Response: As explained below in the cost analysis, the Department
anticipates that most of the policies and procedures that will be
required under the final rule will be largely standardized,
particularly for small businesses. Thus, much of the work and cost can
be done by trade associations and professional groups, thereby
minimizing the costs and allowing it to be spread over a large
membership base.
    Comment: A number of comments criticized the initial estimates for
notices, inspection and copying, amendments and correction, and
training as they relate to small businesses.
    Response: The Department has made substantial revisions in its
estimates for all of these areas, which are explained below in the
regulatory flexibility analysis.
    Comment: One commenter noted that there appeared to be a
discrepancy in the number of small entities cited. There is no
explanation for the difference and no explanation for the difference
between ``establishments'' and ``entities.''
    Response: There are discrepancies among the data bases on the
number of ``establishments'' and ``entities'' or ``firms''. The problem
arises because most surveys count (or survey) establishments, which are
physical sites. A single firm or entity may have many establishments.
Moreover, although an establishment may have only a few employees, the
firm may have a large number of workers (the total of all its various
establishments) and therefore not be a small entity.
    As discussed below, there is some discrepancy between the aggregate
numbers we use for the regulatory impact analysis (RIA) and the
regulatory flexibility analysis (RFA). We concluded that for purposes
of the RFA, which is intended to measure the effects on small entities,
we would use Small Business Administration data, which defines entities
based on revenues rather than physical establishments, to count the
number of small entities in various SIC codes. This provides a more accurate
estimate of small entities affected. For the RIA, which is measuring
total effects, we believe the establishment based surveys provide a
more reliable count.
    Comment: Because small businesses must notify patients of their
privacy policies on patients' first visit after the effective date of
the regulation, several commenters argued that staff would have to
search records either manually or by computer on a daily basis to
determine if patients had been seen since the regulation was
implemented.
    Response: Under the final regulation, all covered entities will
have to provide patients copies of their privacy policy at the first
visit after the effective date of the regulation. The Department does
not view this as burdensome. We expect that providers will simply place
a note or marker at the beginning of a file (electronic or paper) when
a patient is given the notice. This is neither time-consuming nor
expensive, and it will not require constant searches of records.
    Comment: A commenter stated that the definitions of small business,
small entity, and a small health plan are inconsistent because the NPRM
includes firms with annual receipts of $5 million or less and non-
profits.
    Response: The Small Business Administration, whose definitions we
use for this analysis, includes firms with $5 million or less in
receipts and all non-profits as ``small businesses.'' We recognize that
some health plans, though very large in terms of receipts (and insured
lives), nonetheless would be considered ``small businesses'' under this
definition because they are non-profits. In the final regulatory
flexibility analysis, we generally have maintained the Small Business
Administration definitions because it is the accepted standard for
these analyses. However, we have added several categories, such as IRBs
and employer sponsored group health plans, which are not small
entities, per se, but will be affected by the final rule and for which we
were able to identify costs imposed by the regulation.
    Comment: The same commenter wanted clarification that all non-
profit organizations are small entities and that the extended effective
date for compliance applies to them.
    Response: For purposes of the regulatory flexibility analysis, the
Department is utilizing the Small Business Administration guidelines.
However, under HIPAA the Secretary may extend the effective compliance
date from 24 months to 36 months for ``small health plans''. The
Secretary is given the explicit discretion of defining the term for
purposes of compliance with the regulation. For compliance purposes,
the Secretary has decided to define ``small health plans'' as those
with receipts of $5 million or less, regardless of their tax status. As
noted above, some non-profit plans are large in terms of revenues
(i.e., their revenues exceed $5 million annually). The Department
determined that such plans do not need extra time for compliance.
    Comment: Several commenters requested that ``small providers''
[undefined] be permitted to take 36 months to come into compliance with
the final regulation, just as small health plans will be permitted to
do so.
    Response: Congress specified small health plans, but not small
providers, as needing extra time to comply. The majority of providers
affected by the regulation are ``small'' under the SBA definitions;
in other words, granting the delay would be tantamount to making the
effective date three years rather than two. In making policy decisions
for the final regulation, extensive consideration was given to
minimizing the cost and administrative burden associated with
implementing

[[Page 82758]]

the rule. The Department believes that the requirements of the final
rule will not be difficult to fulfill, and therefore, it has maintained
the two year effective date.

External Studies

    Comment: One commenter submitted a detailed analysis of privacy
legislation that was pending and concluded that they might cost over
$40 billion.
    Response: The study did not analyze the policies in the proposal,
and therefore, the estimates do not reflect the costs that would have
been imposed by the proposed regulation. In fact, the analysis was
prepared before the Administration's proposed privacy regulation was
even published. As a result, the analysis is of limited relevance to
the regulation actually proposed.
    The following are examples of assumptions and costs in the analysis
that do not match privacy policies or requirements stated in the
proposed rule.
    1. Authorizations: The study assumed rules requiring new
authorizations from current subscribers to use their data for
treatment, payment of claims, or other health plan operations. The
proposed rule would have prohibited providers or plans from obtaining
patient authorization to use data for treatment, payment or health care
operations, and the final rule makes obtaining consent for these
purposes voluntary for all health plans and for providers that do not
have direct treatment relationships with individuals.
    2. Disclosure History: The study assumes that providers, health
plans, and clearinghouses would have to track all disclosures of health
information. Under the NPRM and the final rule, plans, providers and
clearinghouses are only required to account for disclosures that are
not for treatment, payment, and health care operations, a small
minority of all disclosures.
    3. Inspection, Copying, and Amendment: The study assumed
requirements to allow patients and subscribers to inspect, copy,
and amend all information that includes their name, social security
number, or other identifying feature (e.g., customer service calls,
internal memoranda, claim runs). The rule, however, requires access
only to information in records used to make decisions about
individuals, not to all records containing identifiable information,
so the study assumed broader access than the rule provides.
    4. Infrastructure development: The study attributed significant
costs to infrastructure implementation (computer systems, training,
and other compliance costs). As explained below, the compliance
requirements are much less extensive than assumed in this study. For
example, many providers and plans will not be required to modify their
privacy systems but will only be required to document their practices
and notify patients of these practices, and others will be able to
purchase low-cost, off-the-shelf software that will facilitate the new
requirements. The final regulation will not require massive capital
expenditures; we assumed, based on our consultants' work, that
providers will rely on low-cost incremental adjustments initially, and
as their technology becomes outdated, they will replace it with new
systems that incorporate the HIPAA standard requirements.
    Although many of the policy assumptions in the study are
fundamentally different than those in the proposed or final regulation,
the study did provide some assistance to the Department in preparing
its final analysis. The Department compared data, methodologies and
model assumptions, which helped us think more critically about our own
analysis and enhanced the quality of our final work.
    Comment: One commenter submitted a detailed analysis of the NPRM
Regulatory Impact Analysis and concluded that the rule might cost over
$64 billion over 5 years. This analysis provided a useful framework
for analyzing the provisions of the rule. More precisely, the analysis
generally attempted to identify the number of entities that would be
required to comply with each significant provision of the proposed
rule, then estimated the number of hours required to comply per
entity, and finally estimated an hourly wage.
    Response: HHS adopted this general structure for the final RIA
because it provided a better framework for analysis than what the
Department had done in the NPRM. However, HHS did not agree with many
of the specific assumptions used in this analysis, for several
reasons. First, in some instances the assumptions were no longer
relevant because the requirements of the NPRM were altered in the final
rule. For other assumptions, HHS found more appropriate data sources
for the number of covered entities, wage rates, trend rates, or
other factors affecting costs. In addition, HHS believes that in a few
instances this analysis over-estimated what is required of covered
entities to comply. Based on public comments and its own fact-finding,
the Department believes that the assumptions used in its final
analysis more accurately reflect what is likely to be the real cost of
the regulation.

IV. Final Regulatory Impact Analysis

    5 U.S.C. 804(2) (as added by section 251 of Pub. L. 104-121),
specifies that a ``major rule'' is any rule that the Office of
Management and Budget finds is likely to result in:
    (1) An annual effect on the economy of $100 million or more;
    (2) A major increase in costs or prices for consumers,
individual industries, federal, state, or local government agencies, or
geographic regions; or
    (3) Significant adverse effects on competition, employment,
investment, productivity, innovation, or on the ability of United
States based enterprises to compete with foreign-based enterprises in
domestic and export markets.
    The impact of this final rule will be over $1 billion in the first
year of implementation. Therefore, this rule is a major rule as defined
in 5 U.S.C. 804(2).
    Executive Order 12866 directs agencies to assess all costs and
benefits of available regulatory alternatives and, when regulation is
necessary, to select regulatory approaches that maximize net benefits
(including potential economic, environmental, public health and safety
effects; distributive impacts; and equity). According to Executive
Order 12866, a regulatory action is ``significant'' if it meets any one
of a number of specified conditions, including having an annual effect
on the economy of $100 million or more, adversely affecting in a
material way a sector of the economy, competition, or jobs, or
raising novel legal or policy issues. The purpose of the regulatory
impact analysis is to assist decision-makers in understanding the
potential ramifications of a regulation as it is being developed. The
analysis is also intended to assist the public in understanding the
general economic ramifications of a regulation, both in the aggregate
as well as the major policy areas of a regulation and how they are
likely to affect the major industries or sectors of the economy covered
by it.
    In accordance with the Small Business Regulatory Enforcement and
Fairness Act (Pub. L. 104-121), the Administrator of the Office of
Information and Regulatory Affairs of the Office of Management and
Budget (OMB) has determined that this rule is a major rule for the
purpose of congressional review.
    The proposal for the privacy regulation included a preliminary
regulatory impact analysis (RIA) which estimated the cost of the rule
at $3.8 billion over five years. The preliminary

[[Page 82759]]

analysis also noted that a number of significant areas were not
included in the estimate due to inadequate information. The proposal
solicited public comment on these and all other aspects of the
analysis. In this preamble, the Department has summarized the public
comments pertinent to the cost analysis and its response to them.
However, because of the extensive policy changes incorporated in the
final regulation, additional data collected from the public comments
and the Department's fact-finding, and changes in the methodology
underlying the estimates, the Department is setting forth in this
section a more complete explanation of its revised estimates and how
they were obtained. This will facilitate a better understanding by the
public of how the estimates were developed and provide more insight
into how the Department believes the regulation will ultimately affect
the health care sector.
    The impact analysis measures the effect of the regulation on
current practices. In the case of privacy, as discussed in the
preamble, there already exists considerable, though quite varied,
efforts to protect the confidentiality of medical information. The RIA
is measuring the change in these current practices and the cost of new
and additional responsibilities that are required to conform to the new
regulation.
    To achieve a reasonable level of privacy protection, the Department
defined three objectives for the final rule: (1) To establish national
baseline standards, implementation specifications, and requirements for
health information privacy protection, (2) to protect the privacy of
individually identifiable health information maintained or transmitted
by covered entities, and (3) to protect the privacy of all individually
identifiable health information within covered entities, regardless of
its form.
    Establishing minimum standards, implementation specifications, and
requirements for health information privacy protection creates a level
baseline of privacy protection for patients across states. The Health
Privacy Project's report, The State of Health Privacy: An Uneven
Terrain \33\ makes it clear that under the current system of state
laws, privacy protection is extremely variable. The Department's
statutory authority under HIPAA allows the privacy regulation to
preempt any state law that is contrary to and not more stringent
than the privacy protection provided by this regulation. This sets a
floor, but permits a state to create laws that are more protective of
privacy. We discuss preemption in greater detail in other parts of the
preamble.
---------------------------------------------------------------------------

    \33\ Janlori Goldman, Institute for Health Care Research and
Policy, Georgetown University: http://www.healthprivacy.org/
resources.
---------------------------------------------------------------------------

    The second objective is to establish a uniform base of privacy
protection for individually identifiable health information maintained
or transmitted by covered entities. HIPAA restricts the type of
entities covered by the rule to three broad categories: health care
providers that transmit health information in HIPAA standard
transactions, health plans, and health care clearinghouses. However,
there are similar public and private entities that are not within the
Department's authority to regulate under HIPAA. For example, life
insurance companies are not covered by this rule but may have access to
a large amount of individually identifiable health information.
    The third objective is to protect the privacy of all individually
identifiable health information held by covered entities, including
their business associates. Health information is currently stored and
transmitted in multiple forms, including electronic, paper, and oral
forms. To provide consistent protection to information, and to avoid
requiring covered entities to distinguish between health information
that has been transmitted or maintained electronically and that which
has not, this rule covers all individually identifiable health
information in any form maintained or transmitted by a covered entity.
    For purposes of this cost analysis, the Department has assumed all
health care providers will be affected by the rule. This results in an
overestimation of costs because there are providers that do not engage
in any HIPAA standard transactions, and therefore, are not affected.
The Department could not obtain any reliable data on the number of such
providers, but the available data suggest that there are very few such
entities, and given the expected increase in all forms of electronic
health care in the coming decade, the number of paper-only providers is
likely to decrease.

A. Relationship of This Analysis to Analyses in Other HIPAA Regulations

    Congress has recognized that privacy standards, implementation
specifications and requirements must accompany the electronic data
interchange standards, implementation specifications and requirements
because the increased ease of transmitting and sharing individually
identifiable health information will result in an increase in concern
regarding privacy and confidentiality of such information. The bulk of
the first Administrative Simplification section that was debated on the
floor of the Senate in 1994 (as part of the Health Security Act) was
made up of privacy provisions. The requirement for the issuance of
concomitant privacy measures remained a part of the HIPAA bill passed
by the House of Representatives in 1996, but the requirement for
privacy measures was removed in conference. Instead, Congress added
section 264 to Title II of HIPAA, which directs the Secretary to
develop and submit to Congress recommendations addressing at least the
following:
    (1) The rights that an individual who is a subject of individually
identifiable health information should have.
    (2) The procedures that should be established for the exercise of
such rights.
    (3) The uses and disclosures of such information that should be
authorized or required.
    The Secretary's Recommendations were submitted to Congress on
September 11, 1997, and are summarized below. Section 264(c)(1) of
HIPAA provides that: If legislation governing standards with respect
to the privacy of individually identifiable health information
transmitted in connection with the transactions described in section
1173(a) of the Social Security Act (as added by section 262) is not
enacted by (August 21, 1999), the Secretary of Health and Human
Services shall promulgate final regulations containing such standards
not later than (February 21, 2000). Such regulations shall address at
least the subjects described in subsection (regarding recommendations).
    Because the Congress did not enact legislation governing standards
with respect to the privacy of individually identifiable health
information prior to August 21, 1999, the Department has, in accordance
with this statutory mandate, developed final rules setting forth
standards to protect the privacy of such information.
    Title II of the Health Insurance Portability and Accountability Act
(HIPAA) also provides a statutory framework for the promulgation of
other administrative simplification regulations. On August 17, 2000,
the Transactions Rule was published. Proposals for health care provider
identifier (May 1998), employer identifier (June 1998), and security
and electronic signature standards (August 1998) have also been
published. These

[[Page 82760]]

regulations are expected to be made final in the foreseeable future.
    HIPAA states that, ``any standard adopted under this part shall be
consistent with the objective of reducing the administrative costs of
providing and paying for health care.'' (Section 1172 (b)). This
provision refers to the administrative simplification regulations in
their totality, including this rule regarding privacy standards. The
savings and costs generated by the various standards should result in a
net savings to the health care system. The Transactions Rule shows a
net savings of $29.9 billion over ten years (2002-2011), or a net
present value savings of $19 billion. This estimate does not include
the growth in ``e-health'' and ``e-commerce'' that may be spurred by
the adoption of uniform codes and standards.
    This final Privacy Rule is estimated to produce net costs of $18.0
billion, with net present value costs of $11.8 billion (2003 dollars)
over ten years (2003-2012). This estimate assumes that some costs will
already have been incurred under the requirements of the Transactions
Rule, whose own analysis estimated a net savings to the health care
system of $29.9 billion over ten years (2002 dollars), or $19.1 billion
in net present value. The Department expects that the savings and
costs generated by all administrative simplification standards
together should result in a net savings to the health care system.

B. Summary of Costs and Benefits

    Measuring both the economic costs and benefits of health
information privacy is difficult. Traditionally, privacy has been
addressed by state laws, contracts, and professional practices and
guidelines. Moreover, these practices have been evolving as computers
have dramatically increased the potential use of medical data; the
scope and form of health information is likely to be very different ten
years from now than it is today. This final regulation is both altering
current health information privacy practice and shaping its evolution
as electronic uses expand.
    To estimate costs, the Department used information from published
studies, trade groups and associations, public comments to the proposed
regulation, and fact-finding by staff. The analysis focused on the
major policy areas in the regulation that would result in significant
costs. Given the vast array of institutions affected by this regulation
and the considerable variation in practices, the Department sought to
identify the ``typical'' current practice for each of the major policy
areas and estimate the cost of change resulting from the regulation.
Because of the paucity of data and incomplete information on current
practices, the Department has consistently made conservative
assumptions (that is, given uncertainty, we have made assumptions that,
if incorrect, are more likely to overstate rather than understate the
true cost).
    Benefits are difficult to measure because people conceive of
privacy primarily as a right, not as a commodity. Furthermore, a wide
gap appears to exist between what people perceive to be the level of
privacy afforded health information about them and what actually occurs
with the use of such information today. Arguably, the ``cost'' of the
privacy regulation is the amount necessary to bring health information
privacy to these perceived levels.
    The benefits of enhanced privacy protections for individually
identifiable health information are significant, even though they are
hard to quantify. The Department solicited comments on this issue, but
no commenters offered a better alternative. Therefore, the Department
is essentially reiterating the analysis it offered in the proposed
Privacy Rule. The illustrative examples set forth below, using existing
data on mental health, cancer screening, and HIV/AIDS patients, suggest
the level of economic and health benefits that might accrue to
individuals and society. Moreover, the benefits of improved privacy
protection are likely to increase in the future as patients gain trust
in health care practitioners' ability to maintain the confidentiality
of their health information.
    The estimated cost of compliance with the final rule is $17.6
billion over the ten year period, 2003-2012.\34\ This includes the cost
of all the major requirements of the rule, including costs to federal,
state and local governments. The net present value of the final rule,
applying an 11.2 percent discount rate \35\, is $11.8 billion.\36\
---------------------------------------------------------------------------

    \34\ The proposed privacy rule provided an estimate for a five-
year period. However, the Transactions Rule provided a cost estimate
for a ten year period. The decision was made to provide the final
privacy estimates in a ten year period so that it would be possible
to compare the costs and benefits of the two regulations.
    \35\ This is based on a seven percent real discount rate, explained
in OMB Circular A-94, and a projected 4.2 percent inflation rate
over the ten-year period covered by this analysis.
    \36\ The regulatory impact analysis in the Transactions Rule
showed a net savings of $29.9 billion (net present value of $19.1
billion in 2002 dollars). The cost estimates included all electronic
systems changes that would be necessitated by the HIPAA
administrative standards (e.g., security, safeguards, and electronic
signatures; eligibility for a health plan; and remittance advice and
payment claim status), except privacy. At the time the Transactions
Rule was developed, the industry provided estimates for the systems
changes in the aggregate. The industry argued that affected parties
would seek to make all electronic changes in one effort because that
approach would be the most cost-efficient. The Department agreed,
and therefore, it ``bundled'' all the system change cost in the
Transactions Rule estimate. Privacy was not included because at the
time the Department had not made a decision to develop a privacy
rule. As the Department develops other HIPAA administrative
simplification standards, there may be additional costs and savings
due to the non-electronic components of those regulations, and they
will be identified in regulatory impact analyses that accompany
those regulations. The Department anticipates that such costs and
savings will be relatively small compared to the privacy and
Transactions rules. The Department anticipates that the net economic
impact of the rules will be a net savings to the health care system.
---------------------------------------------------------------------------

    The first year estimate is $3.2 billion (this includes expenditures
that may be incurred before the effective date in 2003). This
represents about 0.23 percent of projected national health expenditures
for 2003.\37\ By 2008, seven years after the rule's effective date, the
rule is estimated to cost 0.07 percent of projected national health
expenditures.
---------------------------------------------------------------------------

    \37\ Health spending projections from National Health
Expenditure Projections 1998-2008 (January 2000), Health Care
Financing Administration, Office of the Actuary, http://
hcfa.hhs.gov/stats/nhe-proj/.
---------------------------------------------------------------------------

    The largest cost items are the requirement to have a privacy
official, $5.9 billion over ten years, and the requirement that
disclosures of protected health information only involve the minimum
amount necessary, $5.8 billion over ten years (see Table 1). These
costs reflect the change that affected organizations will have to
undertake to implement and maintain compliance with the requirements of
the rule and achieve enhanced privacy of protected health information.

[[Continued on page 82761]]
