
HIPAA Mandate

I. Background

A. Statutory Background

    Congress recognized the importance of protecting the privacy of
health information given the rapid evolution of health information
systems in the Health Insurance Portability and Accountability Act of
1996 (HIPAA), Public Law 104-191, which became law on August 21, 1996.
HIPAA's Administrative Simplification provisions, sections 261 through
264 of the statute, were designed to improve the efficiency and
effectiveness of the health care system by facilitating the electronic
exchange of information with respect to certain financial and
administrative transactions carried out by health plans, health care
clearinghouses, and health care providers who transmit information
electronically in connection with such transactions. To implement these
provisions, the statute directed HHS to adopt a suite of uniform,
national standards for transactions, unique health identifiers, code
sets for the data elements of the transactions, security of health
information, and electronic signature.
    At the same time, Congress recognized the challenges to the
confidentiality of health information presented by the increasing
complexity of the health care industry, and by advances in the health
information systems technology and communications. Thus, the
Administrative Simplification provisions of HIPAA authorized the
Secretary to promulgate standards for the privacy of individually
identifiable health information if Congress did not enact health care
privacy legislation by August 21, 1999. HIPAA also required the
Secretary of HHS to provide Congress with recommendations for
legislating to protect the confidentiality of health care information.
The Secretary submitted such recommendations to Congress on September
11, 1997, but Congress did not pass such legislation within its self-
imposed deadline.

With respect to these regulations, HIPAA provided that the
standards, implementation specifications, and requirements established
by the Secretary not supersede any contrary State law that imposes more
stringent privacy protections. Additionally, Congress required that HHS
consult with the National Committee on Vital and Health Statistics, a
Federal advisory committee established pursuant to section 306(k) of
the Public Health Service Act (42 U.S.C. 242k(k)), and the Attorney
General in the development of HIPAA privacy standards.
    After a set of HIPAA Administrative Simplification standards is
adopted by the Department, HIPAA provides HHS with authority to modify
the standards as deemed appropriate, but not more frequently than once
every 12 months. However, modifications are permitted during the first
year after adoption of the standards if the changes are necessary to
permit compliance with the standards. HIPAA also provides that
compliance with modifications to standards or implementation
specifications must be accomplished by a date designated by the
Secretary, which may not be earlier than 180 days after the adoption of
the modification.

B. Regulatory and Other Actions to Date

    HHS published a proposed Rule setting forth privacy standards for
individually identifiable health information on November 3, 1999 (64 FR
59918). The Department received more than 52,000 public comments in
response to the proposal. After reviewing and considering the public
comments, HHS issued a final Rule (65 FR 82462) on December 28, 2000,
establishing ``Standards for Privacy of Individually Identifiable
Health Information'' (``Privacy Rule'').
    In an era where consumers are increasingly concerned about the
privacy of their personal information, the Privacy Rule creates, for
the first time, a floor of national protections for the privacy of
their most sensitive information--health information. Congress has
passed other laws to protect consumers' personal information contained
in bank, credit card, other financial records, and even video rentals.
These health privacy protections are intended to provide consumers with
similar assurances that their health information, including genetic
information, will be properly protected. Under the Privacy Rule, health
plans, health care clearinghouses, and certain health care providers
must guard against misuse of individuals' identifiable health
information and limit the sharing of such information, and consumers
are afforded significant new rights to enable them to understand and
control how their health information is used and disclosed.
    After publication of the Privacy Rule, HHS received many inquiries
and unsolicited comments through
telephone calls, e-mails, letters, and other contacts about the impact
and operation of the Privacy Rule on numerous sectors of the health
care industry. Many of these commenters exhibited substantial confusion
and misunderstanding about how the Privacy Rule will operate; others
expressed great concern over the complexity of the Privacy Rule. In
response to these communications and to ensure that the provisions of
the Privacy Rule would protect patients' privacy without creating
unanticipated consequences that might harm patients' access to health
care or quality of health care, the Secretary of HHS opened the Privacy
Rule for additional public comment in March 2001 (66 FR 12738).
    After an expedited review of the comments by the Department, the
Secretary decided that it was appropriate for the Privacy Rule to
become effective on April 14, 2001, as scheduled (65 FR 12433). At the
same time, the Secretary directed the Department immediately to begin
the process of developing guidelines on how the Privacy Rule should be
implemented and to clarify the impact of the Privacy Rule on health
care activities. In addition, the Secretary charged the Department with
proposing appropriate changes to the Privacy Rule during the next year
to clarify the requirements and correct potential problems that could
threaten access to, or quality of, health care. The comments received
during the comment period, as well as other communications from the
public and all sectors of the health care industry, including letters,
testimony at public hearings, and meetings requested by these parties,
have helped to inform the Department's efforts to develop proposed
modifications and guidance on the Privacy Rule.
    On July 6, 2001, the Department issued its first guidance to answer
common questions and clarify certain of the Privacy Rule's provisions.
In the guidance, the Department also committed to proposing
modifications to the Privacy Rule to address problems arising from
unintended effects of the Privacy Rule on health care delivery and
access. The guidance will soon be updated to reflect the modifications
adopted in this final Rule. The revised guidance will be available on
the HHS Office for Civil Rights (OCR) Privacy Web site at http://
www.hhs.gov/ocr/hipaa/.
    In addition, the National Committee for Vital and Health Statistics
(NCVHS), Subcommittee on Privacy and Confidentiality, held public
hearings on the implementation of the Privacy Rule on August 21-23,
2001, and January 24-25, 2002, and provided recommendations to the
Department based on these hearings. The NCVHS serves as the statutory
advisory body to the Secretary of HHS with respect to the development
and implementation of the Rules required by the Administrative
Simplification provisions of HIPAA, including the privacy standards.
Through the hearings, the NCVHS specifically solicited public input on
issues related to certain key standards in the Privacy Rule: consent,
minimum necessary, marketing, fundraising, and research. The resultant
public testimony and subsequent recommendations submitted to the
Department by the NCVHS also served to inform the development of these
proposed modifications.

II. Overview of the March 2002 Notice of Proposed Rulemaking (NPRM)

    As described above, through public comments, testimony at public
hearings, meetings at the request of industry and other stakeholders,
as well as other communications, the Department learned of a number of
concerns about the potential unintended effects certain provisions
would have on health care quality and access. On March 27, 2002, in
response to these concerns, and pursuant to HIPAA's provisions for
modifications to the standards, the Department proposed modifications
to the Privacy Rule (67 FR 14776).
    The Department proposed to modify the following areas or provisions
of the Privacy Rule: consent; uses and disclosures for treatment,
payment, and health care operations; notice of privacy practices;
minimum necessary uses and disclosures, and oral communications;
business associates; uses and disclosures for marketing; parents as the
personal representatives of unemancipated minors; uses and disclosures
for research purposes; uses and disclosures for which authorizations
are required; and de-identification. In addition to these key areas,
the proposal included changes to other provisions where necessary to
clarify the Privacy Rule. The Department also included in the proposed
Rule a list of technical corrections intended as editorial or
typographical corrections to the Privacy Rule.
    The proposed modifications collectively were designed to ensure
that protections for patient privacy are implemented in a manner that
maximizes the effectiveness of such protections while not compromising
either the availability or the quality of medical care. They reflected
a continuing commitment on the part of the Department to strong privacy
protections for medical records and the belief that privacy is most
effectively protected by requirements that are not exceptionally
difficult to implement. The Department welcomed comments and
suggestions for alternative ways effectively to protect patient privacy
without adversely affecting access to, or the quality of, health care.
    Given that the compliance date of the Privacy Rule for most covered
entities is April 14, 2003, and the Department's interest in having the
compliance date for these revisions also be no later than April 14,
2003, the Department solicited public comment on the proposed
modifications for only 30 days. As stated above, the proposed
modifications addressed public concerns already communicated to the
Department through a wide variety of sources since publication of the
Privacy Rule in December 2000. For these reasons, the Department
believed that 30 days should be sufficient for the public to state its
views fully to the Department on the proposed modifications to the
Privacy Rule. During the 30-day comment period, the Department received
in excess of 11,400 comments.

III. Section-by-Section Description of Final Modifications and
Response to Comments

A. Section 164.501--Definitions

1. Marketing

December 2000 Privacy Rule

    The Privacy Rule defined ``marketing'' at Sec. 164.501 as a
communication about a product or service, a purpose of which is to
encourage recipients of the communication to purchase or use the
product or service, subject to certain limited exceptions. To avoid
interfering with, or unnecessarily burdening communications about,
treatment or about the benefits and services of health plans and health
care providers, the Privacy Rule explicitly excluded two types of
communications from the definition of ``marketing:'' (1) communications
made by a covered entity for the purpose of describing the
participating providers and health plans in a network, or describing
the services offered by a provider or the benefits covered by a health
plan; and (2) communications made by a health care provider as part of
the treatment of a patient and for the purpose of furthering that
treatment, or made by a provider or health plan in the course of
managing an individual's treatment or recommending an alternative
treatment. Thus, a health plan could send its
enrollees a listing of network providers, and a health care provider
could refer a patient to a specialist without either an authorization
under Sec. 164.508 or having to meet the other special requirements in
Sec. 164.514(e) that attach to marketing communications. However, these
communications qualified for the exception to the definition of
``marketing'' only if they were made orally or, if in writing, were
made without remuneration from a third party. For example, it would not
have been marketing for a pharmacy to call a patient about the need to
refill a prescription, even if that refill reminder was subsidized by a
third party; but it would have been marketing for that same, subsidized
refill reminder to be sent to the patient in the mail.
    Generally, if a communication was marketing, the Privacy Rule
required the covered entity to obtain the individual's authorization to
use or disclose protected health information to make the communication.
However, the Privacy Rule, at Sec. 164.514(e), permitted the covered
entity to make health-related marketing communications without such
authorization, provided it complied with certain conditions on the
manner in which the communications were made. Specifically, the Privacy
Rule permitted a covered entity to use or disclose protected health
information to communicate to individuals about the health-related
products or services of the covered entity or of a third party, without
first obtaining an authorization for that use or disclosure of
protected health information, if the communication: (1) Identified the
covered entity as the party making the communication; (2) identified,
if applicable, that the covered entity received direct or indirect
remuneration from a third party for making the communication; (3) with
the exception of general circulation materials, contained instructions
describing how the individual could opt-out of receiving future
marketing communications; and (4) where protected health information
was used to target the communication about a product or service to
individuals based on their health status or health condition, explained
why the individual had been targeted and how the product or service
related to the health of the individual.
    For certain permissible marketing communications, however, the
Department did not believe these conditions to be practicable.
Therefore, Sec. 164.514(e) also permitted a covered entity to make a
marketing communication that occurred in a face-to-face encounter with
the individual, or that involved products or services of only nominal
value, without meeting the above conditions or requiring an
authorization. These provisions, for example, permitted a covered
entity to provide sample products during a face-to-face communication,
or to distribute calendars, pens, and the like, that displayed the name
of a product or provider.

March 2002 NPRM

    The Department received many complaints concerning the complexity
and unworkability of the Privacy Rule's marketing requirements. Many
entities expressed confusion over the Privacy Rule's distinction
between health care communications that are excepted from the
definition of ``marketing'' versus those that are marketing but
permitted subject to the special conditions in Sec. 164.514(e). For
example, questions were raised as to whether disease management
communications or refill reminders were ``marketing'' communications
subject to the special disclosure and opt-out conditions in
Sec. 164.514(e). Others stated that it was unclear whether various
health care operations activities, such as general health-related
educational and wellness promotional activities, were to be treated as
marketing under the Privacy Rule.
    The Department also learned that consumers were generally
dissatisfied with the conditions required by Sec. 164.514(e). Many
questioned the general effectiveness of the conditions and whether the
conditions would properly protect consumers from unwanted disclosure of
protected health information to commercial entities, and from the
intrusion of unwanted solicitations. They expressed specific
dissatisfaction with the provision at Sec. 164.514(e)(3)(iii) for
individuals to opt-out of future marketing communications. Many argued
for the opportunity to opt-out of marketing communications before any
marketing occurred. Others requested that the Department limit
marketing communications to only those consumers who affirmatively
chose to receive such communications.
    In response to these concerns, the Department proposed to modify
the Privacy Rule to make the marketing provisions clearer and simpler.
First, the Department proposed to simplify the Privacy Rule by
eliminating the special provisions for marketing health-related
products and services at Sec. 164.514(e). Instead, any use or
disclosure of protected health information for a communication defined
as ``marketing'' in Sec. 164.501 would require an authorization by the
individual. Thus, covered entities would no longer be able to make any
type of marketing communications that involved the use or disclosure of
protected health information without authorization simply by meeting
the disclosure and opt-out conditions in the Privacy Rule. The
Department intended to effectuate greater consumer privacy protection
by requiring authorization for all uses or disclosures of protected
health information for marketing communications, as compared to the
disclosure and opt-out conditions of Sec. 164.514(e).
    Second, the Department proposed minor clarifications to the Privacy
Rule's definition of ``marketing'' at Sec. 164.501. Specifically, the
Department proposed to define ``marketing'' as ``to make a
communication about a product or service to encourage recipients of the
communication to purchase or use the product or service.'' The proposed
modification retained the substance of the ``marketing'' definition,
but changed the language slightly to avoid the implication that in
order for a communication to be marketing, the purpose or intent of the
covered entity in making such a communication would have to be
determined. The simplified language permits the Department to make the
determination based on the communication itself.
    Third, with respect to the exclusions from the definition of
``marketing'' in Sec. 164.501, the Department proposed to simplify the
language to avoid confusion and better conform to other sections of the
regulation, particularly in the area of treatment communications. The
proposal retained the exclusions for communications about a covered
entity's own products and services and about the treatment of the
individual. With respect to the exclusion for a communication made ``in
the course of managing the treatment of that individual,'' the
Department proposed to modify the language to use the terms ``case
management'' and ``care coordination'' for that individual. These terms
are more consistent with the terms used in the definition of ``health
care operations,'' and were intended to clarify the Department's
intent.
    One substantive change to the definition proposed by the Department
was to eliminate the condition on the above exclusions from the
definition of ``marketing'' that the covered entity could not receive
remuneration from a third party for any written communication. This
limitation was not well understood and treated similar communications
differently. For
example, a prescription refill reminder was marketing if it was in
writing and paid for by a third party, while a refill reminder that was
not subsidized, or was made orally, was not marketing. With the
proposed elimination of the health-related marketing requirements in
Sec. 164.514(e) and the proposed requirement that any marketing
communication require an individual's prior written authorization,
retention of this condition would have adversely affected a health care
provider's ability to make many common health-related communications.
Therefore, the Department proposed to eliminate the remuneration
prohibition to the exceptions to the definition so as not to interfere
with necessary and important treatment and health-related
communications between a health care provider and patient.
    To reinforce the policy requiring an authorization for most
marketing communications, the Department proposed to add a new
marketing provision at Sec. 164.508(a)(3) explicitly requiring an
authorization for a use or disclosure of protected health information
for marketing purposes. Additionally, if the marketing was expected to
result in direct or indirect remuneration to the covered entity from a
third party, the Department proposed that the authorization state this
fact. As noted above, because a use or disclosure of protected health
information for marketing communications required an authorization, the
disclosure and opt-out provisions in Sec. 164.514(e) no longer would be
necessary and the Department proposed to eliminate them. As in the
December 2000 Privacy Rule at Sec. 164.514(e)(2), the proposed
modifications at Sec. 164.508(a)(3) excluded from the marketing
authorization requirements face-to-face communications made by a
covered entity to an individual. The Department proposed to retain this
exception so that the marketing provisions would not interfere with the
relationship and dialogue between health care providers and
individuals. Similarly, the Department proposed to retain the exception
to the authorization requirement for a marketing communication that
involved products or services of nominal value, but proposed to replace
the language with the common business term ``promotional gift of
nominal value.''
    As noted above, because some of the proposed simplifications were a
substitute for Sec. 164.514(e), the Department proposed to eliminate
that section, and to make conforming changes to remove references to
Sec. 164.514(e) at Sec. 164.502(a)(1)(vi) and in paragraph (6)(v) of
the definition of ``health care operations'' in Sec. 164.501.

Overview of Public Comments

    The following discussion provides an overview of the public comment
received on this proposal. Additional comments received on this issue
are discussed below in the section entitled, ``Response to Other Public
Comments.''
    The Department received generally favorable comment on its proposal
to simplify the marketing provisions by requiring authorizations for
uses or disclosures of protected health information for marketing
communications, instead of the special provisions for health-related
products and services at Sec. 164.514(e). Many also supported the
requirement that authorizations notify the individual of marketing that
results in direct or indirect remuneration to the covered entity from a
third party. They argued that for patients to make informed decisions,
they must be notified of potential financial conflicts of interest.
However, some commenters opposed the authorization requirement for
marketing, arguing instead for the disclosure and opt-out requirements
at Sec. 164.514(e) or for a one-time, blanket authorization from an
individual for their marketing activities.
    Commenters were sharply divided on whether the Department had
properly defined what is and what is not marketing. Most of those
opposed to the Department's proposed definitions objected to the
elimination of health-related communications for which the covered
entity received remuneration from the definition of ``marketing.'' They
argued that these communications would have been subject to the
consumer protections in Sec. 164.514(e) but, under the proposal, could
be made without any protections at all. The mere presence of
remuneration raised conflict of interest concerns for these commenters,
who feared patients would be misled into thinking the covered entity
was acting solely in the patients' best interest when recommending an
alternative medication or treatment. Of particular concern to these
commenters was the possibility of a third party, such as a
pharmaceutical company, obtaining a health care provider's patient list
to market its own products or services directly to the patients under
the guise of recommending an ``alternative treatment'' on behalf of the
provider. Commenters argued that, even if the parties attempted to
cloak the transaction in the trappings of a business associate
relationship, when the remuneration flowed from the third party to the
covered entity, the transaction was tantamount to selling the patient
lists and ought to be considered marketing.
    On the other hand, many commenters urged the Department to broaden
the categories of communications that are not marketing. Several
expressed concern that, under the proposal, they would be unable to
send newsletters and other general circulation materials with
information about health-promoting activities (e.g., screenings for
certain diseases) to their patients or members without an
authorization. Health plans were concerned that they would be unable to
send information regarding enhancements to health insurance coverage to
their members and beneficiaries. They argued, among other things, that
they should be excluded from the definition of ``marketing'' because
these communications would be based on limited, non-clinical protected
health information, and because policyholders benefit and use such
information to fully evaluate the mix of coverage most appropriate to
their needs. They stated that providing such information is especially
important given that individual and market-wide needs, as well as
benefit offerings, change over time and by statute. For example,
commenters informed the Department that some States now require long-
term care insurers to offer new products to existing policyholders as
they are brought to market and to allow policyholders to purchase the
new benefits through a formal upgrade process. These health plans were
concerned that an authorization requirement for routine communications
about options and enhancements would take significant time and expense.
Some insurers also urged that they be allowed to market other lines of
insurance to their health plan enrollees.
    A number of commenters urged the Department to exclude any activity
that met the definitions of ``treatment,'' ``payment,'' or ``health
care operations'' from the definition of ``marketing'' so that they
could freely inform customers about prescription discount card and
price subsidy programs. Still others wanted the Department to broaden
the treatment exception to include all health-related communications
between providers and patients.
    Final Modifications. The Department adopts the modifications to
marketing substantially as proposed in the NPRM, but makes changes to
the proposed definition of ``marketing'' and further clarifies one of
the exclusions from the definition of ``marketing'' in response to
comments on the proposal. The
definition of ``marketing'' is modified to close what commenters
characterized as a loophole, that is, the possibility that covered
entities, for remuneration, could disclose protected health information
to a third party that would then be able to market its own products and
services directly to individuals. Also, in response to comments, the
Department clarifies the language in the marketing exclusion for
communications about a covered entity's own products and services.
    As it proposed to do, the Department eliminates the special
provisions for marketing health-related products and services at
Sec. 164.514(e). Except as provided for at Sec. 164.508(a)(3), a
covered entity must have the individual's prior written authorization
to use or disclose protected health information for marketing
communications and will no longer be able to do so simply by meeting
the disclosure and opt-out provisions, previously set forth in
Sec. 164.514(e). The Department agrees with commenters that the
authorization provides individuals with more control over whether they
receive marketing communications and better privacy protections for
such uses and disclosures of their health information. In response to
commenters who opposed this proposal, the Department does not believe
that an opt-out requirement for marketing communications would provide
a sufficient level of control for patients regarding their health
information. Nor does the Department believe that a blanket
authorization provides sufficient privacy protections for individuals.
Section 164.508(c) sets forth the core elements of an authorization
necessary to give individuals control of their protected health
information. Those requirements give individuals sufficient information
and notice regarding the type of use or disclosure of their protected
health information that they are authorizing. Without such specificity,
an authorization would not have meaning. Indeed, blanket marketing
authorizations would be considered defective under Sec. 164.508(b)(2).
    The Department adopts the general definition of ``marketing'' with
one clarification. Thus, ``marketing'' means ``to make a communication
about a product or service that encourages the recipients of the
communication to purchase or use the product or service.'' In removing
the language referencing the purpose of the communication and
substituting the term ``that encourages'' for the term ``to
encourage'', the Department intends to simplify the determination of
whether a communication is marketing. If, on its face, the
communication encourages recipients of the communication to purchase or
use the product or service, the communication is marketing. A few
commenters argued for retaining the purpose of the communication as
part of the definition of ``marketing'' based on their belief that the
intent of the communication was a clearer and more definitive standard
than the effect of the communication. The Department disagrees with
these commenters. Tying the definition of ``marketing'' to the purpose
of the communication creates a subjective standard that would be
difficult to enforce because the intent of the communicator rarely
would be documented in advance. The definition adopted by the Secretary
allows the communication to speak for itself.
    The Department further adopts the three categories of
communications that were proposed as exclusions from the definition of
``marketing.'' Thus, the covered entity is not engaged in marketing
when it communicates to individuals about: (1) The participating
providers and health plans in a network, the services offered by a
provider, or the benefits covered by a health plan; (2) the
individual's treatment; or (3) case management or care coordination for
that individual, or directions or recommendations for alternative
treatments, therapies, health care providers, or settings of care to
that individual. For example, a doctor that writes a prescription or
refers an individual to a specialist for follow-up tests is engaging in
a treatment communication and is not marketing a product or service.
The Department continues to exempt from the ``marketing'' definition
the same types of communications that were not marketing under the
Privacy Rule as published in December 2000, but has modified some of
the language to better track the terminology used in the definition of
``health care operations.'' The commenters generally supported this
clarification of the language.
    The Department, however, does not agree with commenters that sought
to expand the exceptions from marketing for all communications that
fall within the definitions of ``treatment,'' ``payment,'' or ``health
care operations.'' The purpose of the exclusions from the definition of
marketing is to facilitate those communications that enhance the
individual's access to quality health care. Beyond these important
communications, the public strongly objected to any commercial use of
protected health information to attempt to sell products or services,
even when the product or service is arguably health related. In light
of these strong public objections, ease of administration is an
insufficient justification to categorically exempt all communications
about payment and health care operations from the definition of
``marketing.''
    However, in response to comments, the Department is clarifying the
language that excludes from the definition of ``marketing'' those
communications that describe network participants and the services or
benefits of the covered entity. Several commenters, particularly
insurers, were concerned that the reference to a ``plan of benefits''
was too limiting and would prevent them from sending information to
their enrollees regarding enhancements or upgrades to their health
insurance coverage. They inquired whether the following types of
communications would be permissible: enhancements to existing products;
changes in deductibles/copays and types of coverage (e.g., prescription
drug); continuation products for students reaching the age of majority
on parental policies; special programs such as guaranteed issue
products and other conversion policies; and prescription drug card
programs. Some health plans also inquired if they could communicate
with beneficiaries about ``one-stop shopping'' with their companies to
obtain long-term care, property, casualty, and life insurance products.
    The Department understands the need for covered health care
providers and health plans to be able to communicate freely to their
patients or enrollees about their own products, services, or benefits.
The Department also understands that some of these communications are
required by State or other law. To ensure that such communications may
continue, the Department is broadening its policy, both of the December
2000 Privacy Rule as well as proposed in the March 2002 NPRM, to allow
covered entities to use protected health information to convey
information to beneficiaries and members about health insurance
products offered by the covered entity that could enhance or substitute
for existing health plan coverage. Specifically, the Department
modifies the relevant exemption from the definition of ``marketing'' to
include communications that describe ``a health-related product or
service (or payment for such product or service) that is provided by,
or included in a plan of benefits of, the covered entity making the
communication, including communications about: the entities
participating in a health care provider network or health plan network;
replacement of, or enhancements to, a
health plan; and health-related products or services available only to
a health plan enrollee that add value to, but are not part of, a plan
of benefits.'' Thus, under this exemption, a health plan is not
engaging in marketing when it advises its enrollees about other
available health plan coverages that could enhance or substitute for
existing health plan coverage. For example, if a child is about to age
out of coverage under a family's policy, this provision will allow the
plan to send the family information about continuation coverage for the
child. This exception, however, does not extend to excepted benefits
(described in section 2791(c)(1) of the Public Health Service Act, 42
U.S.C. 300gg-91(c)(1), such as accident-only policies), nor to other
lines of insurance (e.g., it is marketing for a multi-line insurer to
promote its life insurance policies using protected health
information).
    Moreover, the expanded language makes clear that it is not
marketing when a health plan communicates about health-related products
and services available only to plan enrollees or members that add value
to, but are not part of, a plan of benefits. The provision of value-
added items or services (VAIS) is a common practice, particularly for
managed care organizations. Communications about VAIS may qualify as a
communication that is about a health plan's own products or services,
even if VAIS are not considered plan benefits for the Adjusted
Community Rate purposes. To qualify for this exclusion, however, the
VAIS must meet two conditions. First, they must be health-related.
Therefore, discounts offered by Medicare+Choice or other managed care
organizations for eyeglasses may be considered part of the plan's
benefits, whereas discounts to attend movie theaters will not. Second,
such items and services must demonstrably ``add value'' to the plan's
membership and not merely be a pass-through of a discount or item
available to the public at large. Therefore, a Medicare+Choice or other
managed care organization could, for example, offer its members a
special discount opportunity for a health/fitness club without
obtaining authorizations, but could not pass along to its members
discounts to a health fitness club that the members would be able to
obtain directly from the health/fitness clubs.
    In further response to comments, the Department has added new
language to the definition of ``marketing'' to close what commenters
perceived as a loophole that a covered entity could sell protected
health information to another company for the marketing of that
company's products or services. For example, many were concerned that a
pharmaceutical company could pay a provider for a list of patients with
a particular condition or taking a particular medication and then use
that list to market its own drug products directly to those patients.
The commenters believed the proposal would permit this to happen under
the guise of the pharmaceutical company acting as a business associate
of the covered entity for the purpose of recommending an alternative
treatment or therapy to the individual. The Department agrees with
commenters that the potential for manipulating the business associate
relationship in this fashion should be expressly prohibited. Therefore,
the Department is adding language that would make clear that business
associate transactions of this nature are marketing. Marketing is
defined expressly to include ``an arrangement between a covered entity
and any other entity whereby the covered entity discloses protected
health information to the other entity, in exchange for direct or
indirect remuneration, for the other entity or its affiliate to make a
communication about its own product or service that encourages
recipients of the communication to purchase or use that product or
service.'' These communications are marketing and can only occur if the
covered entity obtains the individual's authorization pursuant to
Sec. 164.508. The Department believes that this provision will make
express the fundamental prohibition against covered entities selling
lists of patients or enrollees to third parties, or from disclosing
protected health information to a third party for the marketing
activities of the third party, without the written authorization of the
individual. The Department further notes that manufacturers that
receive identifiable health information and misuse it may be subject to
action taken under other consumer protection statutes by other Federal
agencies, such as the Federal Trade Commission.
    The Department does not, however, agree with commenters who argued
for retention of the provisions that would condition the exclusions
from the ``marketing'' definition on the absence of remuneration.
Except for the arrangements that are now expressly defined as
``marketing,'' the Department eliminates the conditions that
communications are excluded from the definition of ``marketing'' only
if they are made orally, or, if in writing, are made without any direct
or indirect remuneration. The Department does not agree that the simple
receipt of remuneration should transform a treatment communication into
a commercial promotion of a product or service. For example, health
care providers should be able to, and can, send patients prescription
refill reminders regardless of whether a third party pays or subsidizes
the communication. The covered entity also is able to engage a
legitimate business associate to assist it in making these permissible
communications. It is only in situations where, in the guise of a
business associate, an entity other than the covered entity is
promoting its own products using protected health information it has
received from, and for which it has paid, the covered entity, that the
remuneration will place the activity within the definition of
``marketing.''
    In addition, the Department adopts the proposed marketing
authorization provision at Sec. 164.508(a)(3), with minor language
changes to conform to the revised ``marketing'' definition. The Rule
expressly requires an authorization for uses or disclosures of
protected health information for marketing communications, except in
two circumstances: (1) When the communication occurs in a face-to-face
encounter between the covered entity and the individual; or (2) the
communication involves a promotional gift of nominal value. A marketing
authorization must include a statement about remuneration, if any. For
ease of administration, the Department has changed the regulatory
provision to require a statement on the authorization whenever the
marketing ``involves'' direct or indirect remuneration to the covered
entity from a third party, rather than requiring the covered entity to
identify those situations where ``the marketing is expected to result
in'' remuneration.
    Finally, the Department clarifies that nothing in the marketing
provisions of the Privacy Rule is to be construed as amending,
modifying, or changing any rule or requirement related to any other
Federal or State statutes or regulations, including specifically anti-
kickback, fraud and abuse, or self-referral statutes or regulations, or
to authorize or permit any activity or transaction currently proscribed
by such statutes and regulations. Examples of such laws include the
anti-kickback statute (section 1128B(b) of the Social Security Act),
safe harbor regulations (42 CFR part 1001), Stark law (section 1877 of
the Social Security Act) and regulations (42 CFR parts 411 and 424),
and HIPAA statute on self-referral (section 1128C of the Social
Security Act). The definition
of ``marketing'' is solely applicable to the Privacy Rule and the
permissions granted by the Rule are only for a covered entity's use or
disclosure of protected health information. In particular, although
this regulation defines the term ``marketing'' to exclude
communications to an individual to recommend, purchase, or use a
product or service as part of the treatment of the individual or for
case management or care coordination of that individual, such
communication by a ``white coat'' health care professional may violate
the anti-kickback statute. Similar examples for pharmacist
communications with patients relating to the marketing of products on
behalf of pharmaceutical companies were identified by the OIG as
problematic in a 1994 Special Fraud Alert (December 19, 1994, 59 FR
65372). Other violations have involved home health nurses and physical
therapists acting as marketers for durable medical equipment companies.
Although a particular communication under the Privacy Rule may not
require patient authorization because it is not marketing, or may
require patient authorization because it is ``marketing'' as the Rule
defines it, the arrangement may nevertheless violate other statutes and
regulations administered by HHS, the Department of Justice, or other
Federal or State agencies.

Response to Other Public Comments

    Comment: Some commenters recommended that the definition of
``marketing'' be broadened to read as follows: ``any communication
about a product or service to encourage recipients of the communication
to purchase or use the product or service or that will make the
recipient aware of the product or service available for purchase or use
by the recipient.'' According to these commenters, the additional
language would capture marketing campaign activities to establish
``brand recognition.''
    Response: The Department believes that marketing campaigns to
establish brand name recognition of products are already encompassed
within the general definition of ``marketing'' and that it is not
necessary to add language to accomplish this purpose.
    Comment: Some commenters opposed the proposed deletion of
references to the covered entity as the source of the communications,
in the definition of those communications that were excluded from the
``marketing'' definition. They objected to these non-marketing
communications being made by unrelated third parties based on protected
health information disclosed to these third parties by the covered
entity, without the individual's knowledge or authorization.
    Response: These commenters appear to have misinterpreted the
proposal as allowing third parties to obtain protected health
information from covered entities for marketing or other purposes for
which the Rule requires an individual's authorization. The deletion of
the specific reference to the covered entity does not permit
disclosures to a third party beyond the disclosures already permitted
by the Rule. The change is intended to be purely editorial: since the
Rule applies only to covered entities, the only entities whose
communications can be governed by the Rule are covered entities, and
thus the reference to covered entities there was redundant. Covered
entities may not disclose protected health information to third parties
for marketing purposes without authorization from the individual, even
if the third party is acting as the business associate of the
disclosing covered entity. Covered entities may, however, use protected
health information to communicate with individuals about the covered
entity's own health-related products or services, the individual's
treatment, or case management or care coordination for the individual.
The covered entity does not need an authorization for these types of
communications and may make the communication itself or use a business
associate to do so.
    Comment: Some commenters advocated for reversion to the provision
in Sec. 164.514(e) that the marketing communication identify the
covered entity responsible for the communication, and argued that the
covered entity should be required to identify itself as the source of
the protected health information.
    Response: As modified, the Privacy Rule requires the individual's
written authorization for the covered entity to use or disclose
protected health information for marketing purposes, with limited
exceptions. The Department believes that the authorization process
itself will put the individual sufficiently on notice that the covered
entity is the source of the protected health information. To the extent
that the commenter suggests that these disclosures are necessary for
communications that are not ``marketing'' as defined by the Rule, the
Department disagrees because such a requirement would place an undue
burden on necessary health-related communications.
    Comment: Many commenters opposed the proposed elimination of the
provision that would have transformed a communication exempted from
marketing into a marketing communication if it was in writing and paid
for by a third party. They argued that marketing should include any
activity in which a covered entity receives compensation, directly or
indirectly, through such things as discounts from another provider,
manufacturer, or service provider in exchange for providing information
about the manufacturer or service provider's products to consumers, and
that consumers should be advised whenever such remuneration is involved
and allowed to opt-out of future communications.
    Response: The Department considered whether remuneration should
determine whether a given activity is marketing, but ultimately
concluded that remuneration should not define whether a given activity
is marketing or falls under an exception to marketing. In fact, the
Department believes that the provision in the December 2000 Rule that
transformed a treatment communication into a marketing communication if
it was in writing and paid for by a third party blurred the line
between treatment and marketing in ways that would have made the
Privacy Rule difficult to implement. The Department believes that
certain health care communications, such as refill reminders or
informing patients about existing or new health care products or
services, are appropriate, whether or not the covered entity receives
remuneration from third parties to pay for them. The fact that
remuneration is received for a marketing communication does not mean
the communication is biased or inaccurate. For the same reasons, the
Department does not believe that the communications that are exempt
from the definition of ``marketing'' require any special conditions,
based solely on direct or indirect remuneration received by the covered
entity. Requiring disclosure and opt-out conditions on these
communications, as Sec. 164.514(e) had formerly imposed on health-
related marketing communications, would add a layer of complexity to
the Privacy Rule that the Department intended to eliminate.
Individuals, of course, are free to negotiate with covered entities for
limitations on such uses and disclosures, to which the entity may, but
is not required to, agree.
    The Department does agree with commenters that, in limited
circumstances, abuses can occur. The Privacy Rule, both as published in
December 2000 and as proposed to be modified in March 2002, has always
prohibited covered entities from selling protected health information
to a third
party for the marketing activities of the third party, without
authorization. Nonetheless, in response to continued public concern,
the Department has added a new provision to the definition of
``marketing'' to prevent situations in which a covered entity could
take advantage of the business associate relationship to sell protected
health information to another entity for that entity's commercial
marketing purposes. The Department intends this prohibition to address
the potential financial conflict of interest that would lead a covered
entity to disclose protected health information to another entity under
the guise of a treatment exemption.
    Comment: Commenters argued that written authorizations (opt-ins)
should be required for the use of clinical information in marketing.
They stated that many consumers do not want covered entities to use
information about specific clinical conditions that an individual has,
such as AIDS or diabetes, to target them for marketing of services for
such conditions.
    Response: The Department does not intend to interfere with the
ability of health care providers or health plans to deliver quality
health care to individuals. The ``marketing'' definition excludes
communications for the individual's treatment and for case management,
care coordination or the recommendation of alternative therapies.
Clinical information is critical for these communications and, hence,
cannot be used to distinguish between communications that are or are
not marketing. The covered entity needs the individual's authorization
to use or disclose protected health information for marketing
communications, regardless of whether clinical information is to be
used.
    Comment: The proposed modification eliminated the Sec. 164.514
requirements that permitted the use of protected health information to
market health-related products and services without an authorization.
In response to that proposed modification, many commenters asked
whether covered entities would be allowed to make communications about
``health education'' or ``health promoting'' materials or services
without an authorization under the modified Rule. Examples included
communications about health improvement or disease prevention, new
developments in the diagnosis or treatment of disease, health fairs,
health/wellness-oriented classes or support groups.
    Response: The Department clarifies that a communication that merely
promotes health in a general manner and does not promote a specific
product or service from a particular provider does not meet the general
definition of ``marketing.'' Such communications may include
population-based activities to improve health or reduce health care
costs as set forth in the definition of ``health care operations'' at
Sec. 164.501. Therefore, communications, such as mailings reminding
women to get an annual mammogram, and mailings providing information
about how to lower cholesterol, about new developments in health care
(e.g., new diagnostic tools), about health or ``wellness'' classes,
about support groups, and about health fairs are permitted, and are not
considered marketing.
    Comment: Some commenters asked whether they could communicate with
beneficiaries about government programs or government-sponsored
programs such as information about SCHIP; eligibility for Medicare/
Medigap (e.g., eligibility for limited, six-month open enrollment
period for Medicare supplemental benefits).
    Response: The Department clarifies that communications about
government and government-sponsored programs do not fall within the
definition of ``marketing.'' There is no commercial component to
communications about benefits available through public programs.
Therefore, a covered entity is permitted to use and disclose protected
health information to communicate about eligibility for Medicare
supplemental benefits, or SCHIP. As in our response above, these
communications may reflect population-based activities to improve
health or reduce health care costs as set forth in the definition of
``health care operations'' at Sec. 164.501.
    Comment: The proposed modification eliminated the Sec. 164.514
requirements that allowed protected health information to be used and
disclosed without authorization or the opportunity to opt-out, for
communications contained in newsletters or similar general
communication devices widely distributed to patients, enrollees, or
other broad groups of individuals. Many commenters requested
clarification as to whether various types of general circulation
materials would be permitted under the proposed modification.
Commenters argued that newsletters or similar general communication
devices widely distributed to patients, enrollees, or other broad
groups of individuals should be permitted without authorizations
because they are ``common'' and ``serve appropriate information
distribution purposes'' and, based on their general circulation, are
less intrusive than other forms of communication.
    Response: Covered entities may make communications in newsletter
format without authorization so long as the content of such
communications is not ``marketing,'' as defined by the Rule. The
Department is not creating any special exemption for newsletters.
    Comment: One commenter suggested that, even when authorizations are
granted to disclose protected health information for a particular
marketing purpose to a non-covered entity, there should also be an
agreement by the third party not to re-disclose the protected health
information. This same commenter also recommended that the Privacy Rule
place restrictions on non-secure modes of making communications
pursuant to an authorization. This commenter argued that protected
health information should not be disclosed on the outside of mailings
or through voice mail, unattended FAX, or other modes of communication
that are not secure.
    Response: Under the final Rule, a covered entity must obtain an
individual's authorization to use or disclose protected health
information for a marketing communication, with some exceptions. If an
individual wanted an authorization to limit the use of the information
by the covered entity, the individual could negotiate with the covered
entity to make that clear in the authorization. Similarly, individuals
can request confidential forms of communication, even with respect to
authorized disclosures. See Sec. 164.522(b).
    Comment: Commenters requested that HHS provide clear guidance on
what types of activities constitute a use or disclosure for marketing,
and, therefore, require an authorization.
    Response: The Department has modified the ``marketing'' definition
to clarify the types of uses or disclosures of protected health
information that are marketing, and, therefore, require prior
authorization and those that are not marketing. The Department intends
to update its guidance on this topic and address specific examples
raised by commenters at that time.
    Comment: A number of commenters wanted the Department to amend the
face-to-face authorization exception. Some urged that it be broadened
to include telephone, mail and other common carriers, fax machines, or
the Internet so that the exception would cover communications between
providers and patients that are not in person. For example, it was
pointed out that some providers, such as home
delivery pharmacies, may have a direct treatment relationship, but
communicate with patients through other channels. Some raised specific
concerns about communicating with ``shut-ins'' and ``persons living in
rural areas.'' Other commenters asked the Department to make the
exception more narrow to cover only those marketing communications made
by a health care provider, as opposed to by a business associate, or to
cover only those marketing communications of a provider that arise from
a treatment or other essential health care communication.
    Response: The Department believes that expanding the face-to-face
authorization exception to include telephone, mail, and other common
carriers, fax machines or the Internet would create an exception
essentially for all types of marketing communications. All providers
potentially use a variety of means to communicate with their patients.
The authorization exclusion, however, is narrowly crafted to permit
only face-to-face encounters between the covered entity and the
individual.
    The Department believes that further narrowing the exception to
place conditions on such communications, other than that it be face-to-
face, would neither be practical nor better serve the privacy interests
of the individual. The Department does not intend to police
communications between doctors and patients that take place in the
doctor's office. Further limiting the exception would add a layer of
complexity to the Rule, encumbering physicians and potentially causing
them to second-guess themselves when making treatment or other
essential health care communications. In this context, the individual
can readily stop any unwanted communications, including any
communications that may otherwise meet the definition of ``marketing.''

2. Health Care Operations: Changes of Legal Ownership

    December 2000 Privacy Rule. The Rule's definition of ``health care
operations'' included the disclosure of protected health information
for the purposes of due diligence with respect to the contemplated sale
or transfer of all or part of a covered entity's assets to a potential
successor in interest who is a covered entity, or would become a
covered entity as a result of the transaction.
    The Department indicated in the December 2000 preamble of the
Privacy Rule its intent to include in the definition of health care
operations the actual transfer of protected health information to a
successor in interest upon a sale or transfer of its assets. (65 FR
82609.) However, the regulation itself did not expressly provide for
the transfer of protected health information upon the sale or transfer
of assets to a successor in interest. Instead, the definition of
``health care operations'' included uses or disclosures of protected
health information only for due diligence purposes when a sale or
transfer to a successor in interest is contemplated.
    March 2002 NPRM. A number of entities expressed concern about the
discrepancy between the intent as expressed in the preamble to the
December 2000 Privacy Rule and the actual regulatory language. To
address these concerns, the Department proposed to add language to
paragraph (6) of the definition of ``health care operations'' to
clarify its intent to permit the transfer of records to a covered
entity upon a sale, transfer, merger, or consolidation. This proposed
change would prevent the Privacy Rule from interfering with necessary
treatment or payment activities upon the sale of a covered entity or
its assets.
    The Department also proposed to use the terms ``sale, transfer,
consolidation or merger'' and to eliminate the term ``successor in
interest'' from this paragraph. The Department intended this provision
to apply to any sale, transfer, merger or consolidation and believed
the current language may not accomplish this goal.
    The Department proposed to retain the limitation that such
disclosures are health care operations only to the extent the entity
receiving the protected health information is a covered entity or would
become a covered entity as a result of the transaction. The Department
clarified that the proposed modification would not affect a covered
entity's other legal or ethical obligation to notify individuals of a
sale, transfer, merger, or consolidation.
    Overview of Public Comments. The following discussion provides an
overview of the public comment received on this proposal. Additional
comments received on this issue are discussed below in the section
entitled, ``Response to Other Public Comments.''
    Numerous commenters supported the proposed modifications.
Generally, these commenters claimed the modifications would prevent
inconvenience to consumers, and facilitate timely access to health
care. Specifically, these commenters indicated that health care would
be delayed and consumers would be inconvenienced if covered entities
were required to obtain individual consent or authorization before they
could access health records that are newly acquired assets resulting
from the sale, transfer, merger, or consolidation of all or part of a
covered entity. Commenters further claimed that the administrative
burden of acquiring individual permission and culling records of
consumers who do not give consent would be too great, and would cause
some entities to simply store or destroy the records instead.
Consequently, health information would be inaccessible, causing
consumers to be inconvenienced and health care to be delayed. Some
commenters noted that the proposed modifications recognize the
realities of business without compromising the availability or quality
of health care or diminishing privacy protections one would expect in
the handling of protected health information during the course of such
business transactions.
    Opposition to the proposed modifications was limited, with
commenters generally asserting that the transfer of records in such
circumstances would not be in the best interests of individuals.
    Final Modifications. The Department agrees with the commenters that
supported the proposed modifications and, therefore, adopts the
modifications to the definition of health care operations. Thus,
``health care operations'' includes the sale, transfer, merger, or
consolidation of all or part of the covered entity to or with another
covered entity, or an entity that will become a covered entity as a
result of the transaction, as well as the due diligence activities in
connection with such transaction. In response to a comment, the final
Rule modifies the phrase ``all or part of a covered entity'' to read
``all or part of the covered entity'' to clarify that any disclosure
for such activity must be by the covered entity that is a party to the
transaction.
    Under the final definition of ``health care operations,'' a covered
entity may use or disclose protected health information in connection
with a sale or transfer of assets to, or a consolidation or merger
with, an entity that is or will be a covered entity upon completion of
the transaction; and to conduct due diligence in connection with such
transaction. The modification makes clear it is also a health care
operation to transfer records containing protected health information
as part of the transaction. For example, if a pharmacy which is a
covered entity buys another pharmacy which is also a covered entity,
protected health information can be exchanged between the two entities
for purposes of conducting due diligence, and the selling entity may
transfer any records containing protected health information to the new
owner upon completion of the transaction. The new owner may then
immediately use and disclose those records to provide health care
services to the individuals, as well as for payment and health care
operations purposes. Since the information would continue to be
protected by the Privacy Rule, any other use or disclosure of the
information would require an authorization unless otherwise permitted
without authorization by the Rule, and the new owner would be obligated
to observe the individual's rights of access, amendment, and
accounting. The Privacy Rule would not interfere with other legal or
ethical obligations of an entity that may arise out of the nature of
its business or relationship with its customers or patients to provide
such persons with notice of the transaction or an opportunity to agree
to the transfer of records containing personal information to the new
owner.

Response to Other Public Comments

    Comment: One commenter was concerned about what obligations the
parties to a transaction have regarding protected health information
that was exchanged as part of a transaction if the transaction does not
go through.
    Response: The Department believes that other laws and standard
business practices are adequate to address these situations and
accordingly does not impose additional requirements of this type. It is
standard practice for parties contemplating such transactions to enter
into confidentiality agreements. In addition to exchanging protected
health information, the parties to such transactions commonly exchange
confidential proprietary information. It is a standard practice for the
parties to these transactions to agree that the handling of all
confidential information, such as proprietary information, will include
ensuring that, in the event that the proposed transaction is not
consummated, the information is either returned to its original owner
or destroyed as appropriate. They may include protected health
information in any such agreement, as they determine appropriate to the
circumstances and applicable law.
3. Protected Health Information: Exclusion for Employment Records
    December 2000 Privacy Rule. The Privacy Rule broadly defines
``protected health information'' as individually identifiable health
information maintained or transmitted by a covered entity in any form
or medium. The December 2000 Privacy Rule expressly excluded from the
definition of ``protected health information'' only educational and
other records that are covered by the Family Education Rights and
Privacy Act of 1974, as amended, 20 U.S.C. 1232g. In addition,
throughout the December 2000 preamble to the Privacy Rule, the
Department repeatedly stated that the Privacy Rule does not apply to
employers, nor does it apply to the employment functions of covered
entities, that is, when they are acting in their role as employers. For
example, the Department stated:

    Covered entities must comply with this regulation in their
health care capacity, not in their capacity as employers. For
example, information in hospital personnel files about a nurses'
(sic) sick leave is not protected health information under this
rule.

65 FR 82612. However, the definition of protected health information
did not expressly exclude personnel or employment records of covered
entities.
    March 2002 NPRM. The Department understands that covered entities
are also employers, and that this creates two potential sources of
confusion about the status of health information. First, some employers
are required or elect to obtain health information about their
employees, as part of their routine employment activities [e.g.,
hiring, compliance with the Occupational Safety and Health
Administration (OSHA) requirements]. Second, employees of covered
health care providers or health plans sometimes seek treatment or
reimbursement from that provider or health plan, unrelated to the
employment relationship.
    To avoid any confusion on the part of covered entities as to
application of the Privacy Rule to the records they maintain as
employers, the Department proposed to modify the definition of
``protected health information'' in Sec. 164.501 to expressly exclude
employment records held by a covered entity in its role as employer.
The proposed modification also would alleviate the situation where a
covered entity would feel compelled to elect to designate itself as a
hybrid entity solely to carve out its employment functions.
Individually identifiable health information maintained or transmitted
by a covered entity in its health care capacity would, under the
proposed modification, continue to be treated as protected health
information.
    The Department specifically solicited comments on whether the term
``employment records'' is clear and what types of records would be
covered by the term.
    In addition, as discussed in section III.C.1. below, the Department
proposed to modify the definition of a hybrid entity to permit any
covered entity that engaged in both covered and non-covered functions
to elect to operate as a hybrid entity. Under the proposed
modification, a covered entity that primarily engaged in covered
functions, such as a hospital, would be allowed to elect hybrid entity
status even if its only non-covered functions were those related to its
capacity as an employer. Indeed, because of the absence of an express
exclusion for employment records in the definition of protected health
information, some covered entities may have elected hybrid entity
status under the misconception that this was the only way to prevent
their personnel information from being treated as protected health
information under the Rule.
    Overview of Public Comments. The following discussion provides an
overview of the public comment received on this proposal. Additional
comments received on this issue are discussed below in the section
entitled, ``Response to Other Public Comments.''
    The Department received comments both supporting and opposing the
proposal to add an exemption for employment records to the definition
of protected health information. Support for the proposal was based
primarily on the need for clarity and certainty in this important area.
Moreover, commenters supported the proposed exemption for employment
records because it reinforced and clarified that the Privacy Rule does
not conflict with an employer's obligation under numerous other laws,
including OSHA, the Family and Medical Leave Act (FMLA), workers'
compensation, and alcohol- and drug-free workplace laws.
    Those opposed to the modification were concerned that a covered
entity may abuse its access to the individually identifiable health
information in its employment records by using that information for
discriminatory purposes. Many commenters expressed concern that an
employee's health information created, maintained, or transmitted by
the covered entity in its health care capacity would be considered an
employment record and, therefore, would not be considered protected
health information. Some of these commenters argued for the inclusion
of special provisions, similar to the ``adequate separation''
requirements for disclosure of protected health information from group
health plan to plan sponsor functions (Sec. 164.504(f)), to heighten
the protection for an employee's individually identifiable health
information when moving between a covered entity's
health care functions and its employer functions.
    A number of commenters also suggested types of records that the
Department should consider to be ``employment records'' and, therefore,
excluded from the definition of ``protected health information.'' The
suggested records included records maintained under the FMLA or the
Americans with Disabilities Act (ADA), as well as records relating to
occupational injury, disability insurance eligibility, sick leave
requests and justifications, drug screening results, workplace medical
surveillance, and fitness-for-duty test results. One commenter
suggested that health information related to professional athletes
should qualify as an employment record.
    Final Modifications. The Department adopts as final the proposed
language excluding employment records maintained by a covered entity in
its capacity as an employer from the definition of ``protected health
information.'' The Department agrees with commenters that the
regulation should be explicit that it does not apply to a covered
entity's employer functions and that the most effective means of
accomplishing this is through the definition of ``protected health
information.''
    The Department is sensitive to the concerns of commenters that a
covered entity not abuse its access to an employee's individually
identifiable health information which it has created or maintains in
its health care, not its employer, capacity. In responding to these
concerns, the Department must remain within the boundaries set by the
statute, which does not include employers per se as covered entities.
Thus, we cannot regulate employers, even when the employer is a covered
entity acting in its capacity as an employer.
    To address these concerns, the Department clarifies that a covered
entity must remain cognizant of its dual roles as an employer and as a
health care provider, health plan, or health care clearinghouse.
Individually identifiable health information created, received, or
maintained by a covered entity in its health care capacity is protected
health information. It does not matter if the individual is a member of
the covered entity's workforce or not. Thus, the medical record of a
hospital employee who is receiving treatment at the hospital is
protected health information and is covered by the Rule, just as the
medical record of any other patient of that hospital is protected
health information and covered by the Rule. The hospital may use that
information only as permitted by the Privacy Rule, and in most cases
will need the employee's authorization to access or use the medical
information for employment purposes. When the individual gives his or
her medical information to the covered entity as the employer, such as
when submitting a doctor's statement to document sick leave, or when
the covered entity as employer obtains the employee's written
authorization for disclosure of protected health information, such as
an authorization to disclose the results of a fitness for duty
examination, that medical information becomes part of the employment
record, and, as such, is no longer protected health information. The
covered entity as employer, however, may be subject to other laws and
regulations applicable to the use or disclosure of information in an
employee's employment record.
    The Department has decided not to add a definition of the term
``employment records'' to the Rule. The comments indicate that the same
individually identifiable health information about an individual may be
maintained by the covered entity in both its employment records and the
medical records it maintains as a health care provider or enrollment or
claims records it maintains as a health plan. The Department therefore
is concerned that a definition of ``employment record'' may lead to the
misconception that certain types of information are never protected
health information, and will put the focus incorrectly on the nature of
the information rather than the reasons for which the covered entity
obtained the information. For example, drug screening test results will
be protected health information when the provider administers the test
to the employee, but will not be protected health information when,
pursuant to the employee's authorization, the test results are provided
to the provider acting as employer and placed in the employee's
employment record. Similarly, the results of a fitness for duty exam
will be protected health information when the provider administers the
test to one of its employees, but will not be protected health
information when the results of the fitness for duty exam are turned
over to the provider as employer pursuant to the employee's
authorization.
    Furthermore, while the examples provided by commenters represent
typical files or records that may be maintained by employers, the
Department does not believe that it has sufficient information to
provide a complete definition of employment record. Therefore, the
Department does not adopt as part of this rulemaking a definition of
employment record, but does clarify that medical information needed for
an employer to carry out its obligations under FMLA, ADA, and similar
laws, as well as files or records related to occupational injury,
disability insurance eligibility, sick leave requests and
justifications, drug screening results, workplace medical surveillance,
and fitness-for-duty tests of employees, may be part of the employment
records maintained by the covered entity in its role as an employer.

Response to Other Public Comments

    Comment: One commenter requested clarification as to whether the
term ``employment record'' included the following information that is
either maintained or transmitted by a fully insured group health plan
to an insurer or HMO for enrollment and/or disenrollment purposes: (a)
the identity of an individual including name, address, birth date,
marital status, dependent information and SSN; (b) the individual's
choice of plan; (c) the amount of premiums/contributions for coverage
of the individual; (d) whether the individual is an active employee or
retired; (e) whether the individual is enrolled in Medicare.
    Response: All of this information is protected health information
when held by a fully insured group health plan and transmitted to an
issuer or HMO, and the Privacy Rule applies when the group health plan
discloses such information to any entity, including the plan sponsor.
There are special rules in Sec. 164.504(f) which describe the
conditions for disclosure of protected health information to the plan
sponsor. If the group health plan received the information from the
plan sponsor, it becomes protected health information when received by
the group health plan. The plan sponsor is not the covered entity, so
this information will not be protected when held by a plan sponsor,
whether or not it is part of the plan sponsor's ``employment record.''
    Comment: One commenter asked for clarification as to how the
Department would characterize the following items that a covered entity
may have: (1) medical file kept separate from the rest of an employment
record containing (a) doctor's notes; (b) leave requests; (c) physician
certifications; and (d) positive hepatitis test results; (2) FMLA
documentation including: (a) physician certification form; and (b)
leave requests; (3) occupational injury files containing (a) drug
screening; (b) exposure test results; (c) doctor's notes; and (d)
medical director's notes.
    Response: As explained above, the nature of the information does
not determine whether it is an employment record. Rather, it depends on
whether the covered entity obtains or creates the information in its
capacity as employer or in its capacity as covered entity. An
employment record may well contain some or all of the items mentioned
by the commenter; but so too might a treatment record. The Department
also recognizes that the employer may be required by law or sound
business practice to treat such medical information as confidential and
maintain it separate from other employment records. It is the function
being performed by the covered entity and the purpose for which the
covered entity has the medical information, not its record keeping
practices, that determines whether the health information is part of an
employment record or whether it is protected health information.
    Comment: One commenter suggested that the health records of
professional athletes should qualify as ``employment records.'' As
such, the records would not be subject to the protections of the
Privacy Rule.
    Response: Professional sports teams are unlikely to be covered
entities. Even if a sports team were to be a covered entity, employment
records of a covered entity are not covered by this Rule. If this
comment is suggesting that the records of professional athletes should
be deemed ``employment records'' even when created or maintained by
health care providers and health plans, the Department disagrees. No
class of individuals should be singled out for reduced privacy
protections. As noted in the preamble to the December 2000 Rule,
nothing in this Rule prevents an employer, such as a professional
sports team, from making an employee's agreement to disclose health
records a condition of employment. A covered entity, therefore, could
disclose this information to an employer pursuant to an authorization.

B. Section 164.502--Uses and Disclosures of Protected Health
Information: General Rules

1. Incidental Uses and Disclosures
    December 2000 Privacy Rule. The December 2000 Rule did not
explicitly address incidental uses and disclosures of protected health
information. Rather, the Privacy Rule generally requires covered
entities to make reasonable efforts to limit the use or disclosure of,
and requests for, protected health information to the minimum necessary
to accomplish the intended purpose. See Sec. 164.502(b). Additionally,
Sec. 164.530(c) of the Privacy Rule requires covered entities to
implement appropriate administrative, technical, and physical
safeguards to reasonably safeguard protected health information from
any intentional or unintentional use or disclosure that violates the
Rule.
    Protected health information includes individually identifiable
health information (with limited exceptions) in any form, including
information transmitted orally, or in written or electronic form. See
the definition of ``protected health information'' at Sec. 164.501.
    March 2002 NPRM. After publication of the Privacy Rule, the
Department received a number of concerns and questions as to whether
the Privacy Rule's restrictions on uses and disclosures will prohibit
covered entities from engaging in certain common and essential health
care communications and practices in use today. In particular, concern
was expressed that the Privacy Rule establishes absolute, strict
standards that would not allow for the incidental or unintentional
disclosures that could occur as a by-product of engaging in these
health care communications and practices. It was argued that the
Privacy Rule would, in effect, prohibit such practices and, therefore,
impede many activities and communications essential to effective and
timely treatment of patients.
    For example, some expressed concern that health care providers
could no longer engage in confidential conversations with other
providers or with patients, if there is a possibility that they could
be overheard. Similarly, others questioned whether they would be
prohibited from using sign-in sheets in waiting rooms or maintaining
patient charts at bedside, or whether they would need to isolate X-ray
lightboards or destroy empty prescription vials. These concerns seemed
to stem from a perception that covered entities are required to prevent
any incidental disclosure such as those that may occur when a visiting
family member or other person not authorized to access protected health
information happens to walk by medical equipment or other material
containing individually identifiable health information, or when
individuals in a waiting room sign their name on a log sheet and
glimpse the names of other patients.
    The Department, in its July 6 guidance, clarified that the Privacy
Rule is not intended to impede customary and necessary health care
communications or practices, nor to require that all risk of incidental
use or disclosure be eliminated to satisfy its standards. The guidance
promised that the Department would propose modifications to the Privacy
Rule to clarify that such communications and practices may continue, if
reasonable safeguards are taken to minimize the chance of incidental
disclosure to others.
    Accordingly, the Department proposed to modify the Privacy Rule to
add a new provision at Sec. 164.502(a)(1)(iii) which would explicitly
permit certain incidental uses and disclosures that occur as a result
of a use or disclosure otherwise permitted by the Privacy Rule. The
proposal described an incidental use or disclosure as a secondary use
or disclosure that cannot reasonably be prevented, is limited in
nature, and that occurs as a by-product of an otherwise permitted use
or disclosure. The Department proposed that an incidental use or
disclosure be permissible only to the extent that the covered entity
had applied reasonable safeguards as required by Sec. 164.530(c), and
implemented the minimum necessary standard, where applicable, as
required by Secs. 164.502(b) and 164.514(d).
    Overview of Public Comments. The following discussion provides an
overview of the public comment received on this proposal. Additional
comments received on this issue are discussed below in the section
entitled, ``Response to Other Public Comments.''
    The Department received many comments on its proposal to permit
certain incidental uses and disclosures, the majority of which
expressed strong support for the proposal. Many of these commenters
indicated that such a policy would help to ensure that essential health
care communications and practices are not chilled by the Privacy Rule.
A few commenters opposed the Department's proposal to permit certain
incidental uses and disclosures, one of whom asserted that the burden
on medical staff to take precautions not to be overheard is minimal
compared to the potential harm to patients if incidental disclosures
were to be considered permissible.
    Final Modifications. In response to the overwhelming support of
commenters on this proposal, the Department adopts the proposed
provision at Sec. 164.502(a)(1)(iii), explicitly permitting certain
incidental uses and disclosures that occur as a by-product of a use or
disclosure otherwise permitted under the Privacy Rule. As in the
proposal, an incidental use or disclosure is permissible only to the
extent that the covered entity has applied reasonable safeguards as
required by Sec. 164.530(c), and implemented the minimum necessary
standard, where applicable, as required by Secs. 164.502(b) and
164.514(d). The Department continues to believe, as was stated in the
proposed Rule, that so long as reasonable safeguards are employed, the
burden of impeding such communications is not outweighed by any
benefits that may accrue to individuals' privacy interests.
    However, an incidental use or disclosure that occurs as a result of
a failure to apply reasonable safeguards or the minimum necessary
standard, where required, is not a permissible use or disclosure and,
therefore, is a violation of the Privacy Rule. For example, a hospital
that permits an employee to have unimpeded access to patients' medical
records, where such access is not necessary for the employee to do her
job, is not applying the minimum necessary standard and, therefore, any
incidental use or disclosure that results from this practice would be
an unlawful use or disclosure under the Privacy Rule.
    In response to the few comments that opposed the proposal to permit
certain incidental uses and disclosures, the Department reiterates that
the Privacy Rule must not impede essential health care communications
and practices. Prohibiting all incidental uses and disclosures would
have a chilling effect on normal and important communications among
providers, and between providers and their patients, and, therefore,
would negatively affect individuals' access to quality health care. The
Department does not intend with this provision to obviate the need for
medical staff to take precautions to avoid being overheard, but rather,
will only allow incidental uses and disclosures where appropriate
precautions have been taken.
    The Department clarifies, in response to a comment, that this
provision applies, subject to reasonable safeguards and the minimum
necessary standard, to an incidental use or disclosure that occurs as a
result of any permissible use or disclosure under the Privacy Rule made
to any person, and not just to incidental uses and disclosures
resulting from treatment communications or only to communications among
health care providers or other medical staff. For example, a provider
may instruct an administrative staff member to bill a patient for a
particular procedure, and may be overheard by one or more persons in
the waiting room. Assuming that the provider made reasonable efforts to
avoid being overheard and reasonably limited the information shared, an
incidental disclosure resulting from such conversation is permissible
under the Rule.
    In the proposal, the Department did not address whether or not
incidental disclosures would need to be included in the accounting of
disclosures required by Sec. 164.528. However, one commenter urged the
Department to exclude incidental disclosures from the accounting. The
Department agrees with this commenter and clarifies that covered
entities are not required to include incidental disclosures in an
accounting of disclosures provided to the individual pursuant to
Sec. 164.528. The Department does not believe such a requirement would
be practicable; in many instances, the covered entity may not know that
an incidental disclosure occurred. To make this policy clear, the
Department includes an explicit exception for such disclosures to the
accounting standard at Sec. 164.528(a)(1).

Response to Other Public Comments

    Comment: One commenter expressed concern that the requirement
reasonably to safeguard protected health information would be
problematic because any unintended use or disclosure could arguably
demonstrate a failure to ``reasonably safeguard.'' This commenter
requested that the Department either delete the language in
Sec. 164.530(c)(2)(ii) or modify the language to make clear that the
fact that an incidental use or disclosure occurs does not imply that
safeguards were not reasonable.
    Response: The Department clarifies that the fact that an incidental
use or disclosure occurs does not by itself imply that safeguards were
not reasonable. However, the Department does not believe that a
modification to the proposed language is necessary to express this
intent. The language proposed and now adopted at Sec. 164.530(c)(2)(ii)
requires only that the covered entity reasonably safeguard protected
health information to limit incidental uses or disclosures, not that
the covered entity prevent all incidental uses and disclosures. Thus,
the Department expects that incidental uses and disclosures will occur
and permits such uses and disclosures to the extent the covered entity
has in place reasonable safeguards and has applied the minimum
necessary standard, where applicable.
    Comment: Another commenter requested that the Department clarify
its proposal to assure that unintended disclosures will not result in
civil penalties.
    Response: The Department's authority to impose civil monetary
penalties on violations of the Privacy Rule is defined in HIPAA.
Specifically, HIPAA added section 1176 to the Social Security Act,
which prescribes the Secretary's authority to impose civil monetary
penalties. Therefore, in the case of a violation of a disclosure
provision in the Privacy Rule, a penalty may not be imposed, among
other things, if the person liable for the penalty did not know and, by
exercising reasonable diligence would not have known, that such person
violated the provision. HIPAA also provides for criminal penalties
under certain circumstances, but the Department of Justice, not this
Department, has authority for criminal penalties.
    Comment: One commenter requested that the Department clarify how
covered entities should implement technical and physical safeguards
when they do not yet know what safeguards the final Security Rule will
require.
    Response: Each covered entity should assess the nature of the
protected health information it holds, and the nature and scope of its
business, and implement safeguards that are reasonable for its
particular circumstances. There should be no potential for conflict
between the safeguards required by the Privacy Rule and the final
Security Rule standards, for several reasons. First, while the Privacy
Rule applies to protected health information in all forms, the Security
Rule will apply only to electronic health information systems that
maintain or transmit individually identifiable health information.
Thus, all safeguards for protected health information in oral, written,
or other non-electronic forms will be unaffected by the Security Rule.
Second, in preparing the final Security Rule, the Department is working
to ensure the Security Rule requirements for electronic information
systems work ``hand in glove'' with any relevant requirements in the
Privacy Rule, including Sec. 164.530.
    Comment: One commenter argued that while this new provision is
helpful, it does not alleviate covered entities' concerns that routine
practices, often beneficial for treatment, will be prohibited by the
Privacy Rule. This commenter stated that, for example, specialists
provide certain types of therapy to patients in a group setting, and,
in some cases, where family members are also present.
    Response: The Department reiterates that the Privacy Rule is not
intended to impede common health care communications and practices that
are essential in providing health care to the individual. Further, the
Privacy Rule's new provision permitting certain incidental uses and
disclosures is
intended to increase covered entities' confidence that such practices
can continue even where an incidental use or disclosure may occur,
provided that the covered entity has taken reasonable precautions to
safeguard and limit the protected health information disclosed. For
example, this provision should alleviate concerns that common
practices, such as the use of sign-in sheets and calling out names in
waiting rooms, violate the Rule, so long as the information
disclosed is appropriately limited. With regard to the commenter's
specific example, disclosure of protected health information in a group
therapy setting would be a treatment disclosure, and thus permissible
without individual authorization. Further, Sec. 164.510(b) generally
permits a covered entity to disclose protected health information to a
family member or other person involved in the individual's care. In
fact, this section specifically provides that, where the individual is
present during a disclosure, the covered entity may disclose protected
health information if it is reasonable to infer from the circumstances
that the individual does not object to the disclosure. Absent
countervailing circumstances, the individual's agreement to participate
in group therapy or family discussions is a good basis for such a
reasonable inference. As such disclosures are permissible disclosures
in and of themselves, they would not be incidental disclosures.
    Comment: Some commenters, while in support of permitting incidental
uses and disclosures, requested that the Department provide additional
guidance in this area by providing additional examples of permitted
incidental uses and disclosures and/or clarifying what would constitute
``reasonable safeguards.''
    Response: The reasonable safeguards and minimum necessary standards
are flexible and adaptable to the specific business needs and
circumstances of the covered entity. Given the discretion covered
entities have in implementing these standards, it is difficult for the
Department to provide specific guidance in this area that is generally
applicable to many covered entities. However, the Department intends to
provide future guidance through frequently asked questions or other
materials in response to specific scenarios that are raised by
industry.
2. Minimum Necessary Standard
    December 2000 Privacy Rule. The Privacy Rule generally requires
covered entities to make reasonable efforts to limit the use or
disclosure of, and requests for, protected health information to the
minimum necessary to accomplish the intended purpose. See
Sec. 164.502(b). Protected health information includes individually
identifiable health information (with limited exceptions) in any form,
including information transmitted orally, or in written or electronic
form. See the definition of ``protected health information'' at
Sec. 164.501. The minimum necessary standard is intended to make
covered entities evaluate their practices and enhance protections as
needed to limit unnecessary or inappropriate access to, and disclosures
of, protected health information.
    The Privacy Rule contains some exceptions to the minimum necessary
standard. The minimum necessary requirements do not apply to uses or
disclosures that are required by law, disclosures made to the
individual or pursuant to an authorization initiated by the individual,
disclosures to or requests by a health care provider for treatment
purposes, uses or disclosures that are required for compliance with the
regulations implementing the other administrative simplification
provisions of HIPAA, or disclosures to the Secretary of HHS for
purposes of enforcing this Rule. See Sec. 164.502(b)(2).
    The Privacy Rule sets forth requirements for implementing the
minimum necessary standard with regard to a covered entity's uses,
disclosures, and requests at Sec. 164.514(d). A covered entity is
required to develop and implement policies and procedures appropriate
to the entity's business practices and workforce that reasonably
minimize the amount of protected health information used, disclosed,
and requested. For uses of protected health information, the policies
and procedures must identify the persons or classes of persons within
the covered entity who need access to the information to carry out
their job duties, the categories or types of protected health
information needed, and the conditions appropriate to such access. For
routine or recurring requests and disclosures, the policies and
procedures may be standard protocols. Non-routine requests for, and
disclosures of, protected health information must be reviewed
individually.
    With regard to disclosures, the Privacy Rule permits a covered
entity to rely on the judgment of certain parties requesting the
disclosure as to the minimum amount of information that is needed. For
example, a covered entity is permitted reasonably to rely on
representations from a public official, such as a State workers'
compensation official, that the information requested is the minimum
necessary for the intended purpose. Similarly, a covered entity is
permitted reasonably to rely on the judgment of another covered entity
that the information requested is the minimum amount of information
reasonably necessary to fulfill the purpose for which the request has
been made. See Sec. 164.514(d)(3)(iii).
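    The preceding paragraphs describe a decision procedure: first decide whether the minimum necessary standard applies at all (the exceptions in Sec. 164.502(b)(2)), then, for internal uses, limit access by role, category of information and condition (Sec. 164.514(d)(2)), and for disclosures and requests distinguish routine ones handled by a standard protocol from non-routine ones reviewed individually, with reasonable reliance on certain requesters (Sec. 164.514(d)(3)(iii)). The following is an added illustration of how a covered entity might encode that procedure as an access-policy check; it is not code from the Department or from any regulated entity. The role names, PHI category labels, the routine-disclosure protocol table and the sample requests are all constructed for the example.

```python
"""Added illustration: the minimum necessary standard as an access-policy check.

Roles, PHI category labels and the protocol table below are constructed
assumptions, not values from the Privacy Rule.
"""
from dataclasses import dataclass
from enum import Enum, auto
from typing import Callable, Dict, FrozenSet, Optional, Tuple


class Purpose(Enum):
    TREATMENT = auto()
    PAYMENT = auto()
    OPERATIONS = auto()          # health care operations
    REQUIRED_BY_LAW = auto()
    TO_INDIVIDUAL = auto()
    AUTHORIZATION = auto()       # authorization meeting Sec. 164.508
    HIPAA_TRANSACTION = auto()   # data elements required for a standard transaction
    HHS_ENFORCEMENT = auto()     # disclosure to the Secretary to enforce the Rule


@dataclass(frozen=True)
class Request:
    requester_kind: str          # "workforce", "provider", "covered_entity", "public_official", "other"
    purpose: Purpose
    categories: FrozenSet[str]   # PHI categories sought (constructed labels)
    routine: bool                # routine/recurring request or disclosure
    role: Optional[str] = None   # workforce role; only used for internal uses


@dataclass(frozen=True)
class Decision:
    permitted: FrozenSet[str]    # categories that may be used or disclosed
    reason: str
    individual_review: bool      # must a person review this before release?


# Exceptions listed in Sec. 164.502(b)(2) (as summarized in the text above).
EXEMPT_PURPOSES = {Purpose.REQUIRED_BY_LAW, Purpose.TO_INDIVIDUAL, Purpose.AUTHORIZATION,
                   Purpose.HIPAA_TRANSACTION, Purpose.HHS_ENFORCEMENT}


def minimum_necessary_applies(req: Request) -> bool:
    """False where the Rule exempts the use, disclosure or request."""
    if req.purpose in EXEMPT_PURPOSES:
        return False
    # Disclosures to, or requests by, a health care provider for treatment are exempt.
    if req.purpose is Purpose.TREATMENT and req.requester_kind == "provider":
        return False
    return True


# Internal use policy (Sec. 164.514(d)(2)): role -> (categories needed, condition of access).
# Roles and categories are constructed for the example.
USE_POLICY: Dict[str, Tuple[FrozenSet[str], Callable[[Request], bool]]] = {
    "billing_clerk": (frozenset({"demographics", "insurance", "procedure_codes"}),
                      lambda r: r.purpose is Purpose.PAYMENT),
    "treating_clinician": (frozenset({"demographics", "diagnosis", "medications", "notes"}),
                           lambda r: r.purpose is Purpose.TREATMENT),
    "quality_analyst": (frozenset({"diagnosis", "procedure_codes"}),
                        lambda r: r.purpose is Purpose.OPERATIONS),
}

# Standard protocols for routine, recurring disclosures (constructed table).
ROUTINE_DISCLOSURE_PROTOCOL: Dict[Purpose, FrozenSet[str]] = {
    Purpose.PAYMENT: frozenset({"demographics", "insurance", "procedure_codes"}),
}

# Requesters whose minimum necessary determination the entity may reasonably rely on.
RELIANCE_KINDS = {"covered_entity", "public_official"}


def evaluate(req: Request) -> Decision:
    """Apply the minimum necessary decision procedure to one request."""
    if not minimum_necessary_applies(req):
        return Decision(req.categories, "exempt from minimum necessary", False)

    if req.requester_kind == "workforce":
        policy = USE_POLICY.get(req.role or "")
        if policy is None:
            return Decision(frozenset(), "no access defined for role", True)
        allowed, condition = policy
        if not condition(req):
            return Decision(frozenset(), "purpose not appropriate for role", True)
        # Access is limited to the categories the role needs; excess categories are dropped.
        return Decision(req.categories & allowed, "limited to role's needed categories", False)

    if req.requester_kind in RELIANCE_KINDS:
        # Reasonable reliance on the requester's judgment; non-routine disclosures
        # are still reviewed individually.
        return Decision(req.categories, "reasonable reliance on requester", not req.routine)

    # Any other requester: the entity makes its own determination. A routine request
    # follows the standard protocol; a non-routine one is reviewed individually.
    protocol = ROUTINE_DISCLOSURE_PROTOCOL.get(req.purpose)
    if req.routine and protocol is not None:
        return Decision(req.categories & protocol, "standard protocol for routine request", False)
    return Decision(frozenset(), "individual minimum necessary review required", True)
```

The check separates the three questions the text raises (does the standard apply, what does this role need, may the entity rely on the requester) so each can be audited independently, and it never returns more than was requested. A real deployment would log every `Decision` with its `reason` so that individual reviews and reliance determinations are documented.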
    March 2002 NPRM. The Department proposed a number of minor
modifications to the minimum necessary standard to clarify the
Department's intent or otherwise conform these provisions to other
proposed modifications. First, the Department proposed to separate
Sec. 164.502(b)(2)(ii) into two subparagraphs (Sec. 164.502(b)(2)(ii)
and (iii)) to eliminate confusion regarding the exception to the
minimum necessary standard for uses or disclosures made pursuant to an
authorization under Sec. 164.508, and the separate exception for
disclosures made to the individual. Second, to conform to the proposal
to eliminate the special authorizations required by the Privacy Rule at
Sec. 164.508(d), (e), and (f), the Department proposed to exempt from
the minimum necessary standard any uses or disclosures for which the
covered entity had received an authorization that meets the
requirements of Sec. 164.508, rather than just those authorizations
initiated by the individual.
    Third, the Department proposed to modify Sec. 164.514(d)(1) to
delete the term ``reasonably ensure'' in response to concerns that the
term connotes an absolute, strict standard and, therefore, is
inconsistent with the Department's intent that the minimum necessary
requirements be reasonable and flexible to the unique circumstances of
the covered entity. In addition, the Department proposed to generally
revise the language in Sec. 164.514(d)(1) to be more consistent with
the description of standards elsewhere in the Privacy Rule.
    Fourth, so that the minimum necessary standard would be applied
consistently to requests for, and disclosures of, protected health
information, the Department proposed to add a provision to
Sec. 164.514(d)(4) to make the implementation specifications for
applying the minimum necessary standard to requests for protected
health information by a covered entity more consistent with the
corresponding implementation specifications for disclosures.
Specifically, for requests not made on a routine and recurring basis,
the Department proposed to add the requirement that a covered entity
must implement the minimum

[[Page 53196]]

necessary standard by developing and implementing criteria designed to
limit its request for protected health information to the minimum
necessary to accomplish the intended purpose.
    Overview of Public Comments. The following discussion provides an
overview of the public comment received on this proposal. Additional
comments received on this issue are discussed below in the section
entitled, ``Response to Other Public Comments.''
    The Department received a number of comments on its proposal to
exempt from the minimum necessary standard any use or disclosure of
protected health information for which the covered entity has received
an authorization that meets the requirements of Sec. 164.508. Many
commenters supported this proposal. A few commenters generally urged
that the minimum necessary standard be applied to uses and disclosures
pursuant to an authorization. A few other commenters appeared to
misinterpret the policy in the December 2000 Rule and urged that the
Department retain the minimum necessary standard for disclosures
``pursuant to an authorization other than disclosures to an
individual.'' Some commenters raised specific concerns about
authorizations for psychotherapy notes and the particular need for
minimum necessary to be applied in these cases.
    A number of commenters expressed support for the Department's
statements in the preamble to the proposed Rule reinforcing that the
minimum necessary standard is intended to be flexible to account for
the characteristics of the entity's business and workforce, and not
intended to override the professional judgment of the covered entity.
Similarly, some commenters expressed support for the Department's
proposal to remove the term ``reasonably ensure'' from
Sec. 164.514(d)(1). However, a few commenters expressed concerns that
the proposed alternative language actually would implement a stricter
standard than that included in the December 2000 Privacy Rule.
    Final Modifications. In this final Rule, the Department adopts the
proposed policy to exempt from the minimum necessary standard any uses
or disclosures for which the covered entity has received an
authorization that meets the requirements of Sec. 164.508. The final
modification adopts the proposal to eliminate the special
authorizations that were required by the December 2000 Privacy Rule at
Sec. 164.508(d), (e), and (f). (See section III.E.1. of the preamble
for a detailed discussion of the modifications to the authorization
requirements of the Privacy Rule.) Since the only authorizations to
which the minimum necessary standard applied are being eliminated in
favor of a single consolidated authorization, the final Rule
correspondingly eliminates the minimum necessary provisions that
applied to the now-eliminated special authorizations. All uses and
disclosures made pursuant to any authorization are exempt from the
minimum necessary standard.
    In response to commenters who opposed this proposal as a potential
weakening of privacy protections or who wanted the minimum necessary
requirements to apply to authorizations other than disclosures to the
individual, the Department notes that nothing in the final Rule
eliminates an individual's control over his or her protected health
information with respect to an authorization. All authorizations must
include a description of the information to be used and disclosed that
identifies the information in a specific and meaningful fashion as
required by Sec. 164.508(c)(1)(i). If the individual does not wish to
release the information requested, the individual has the right to not
sign the authorization or to negotiate a narrower authorization with
the requestor.
    Additionally, in response to those commenters who raised specific
concerns with respect to authorizations which request release of
psychotherapy notes, the Department clarifies that the final Rule does
not require a covered entity to use and disclose protected health
information pursuant to an authorization. Rather, as with most other
uses and disclosures under the Privacy Rule, this is only a permissible
use or disclosure. If a covered health care provider is concerned that
a request for an individual's psychotherapy notes is not warranted or
is excessive, the provider may consult with the individual to determine
whether or not the authorization is consistent with the individual's
wishes.
    Further, the Privacy Rule does not permit a health plan to
condition enrollment, eligibility for benefits, or payment of a claim
on obtaining the individual's authorization to use or disclose
psychotherapy notes. Nor may a health care provider condition treatment
on an authorization for the use or disclosure of psychotherapy notes.
Thus, the Department believes that these additional protections
appropriately and effectively protect an individual's privacy with
respect to psychotherapy notes.
    The final Rule also retains for clarity the proposal to separate
Sec. 164.502(b)(2)(ii) into two subparagraphs (Sec. 164.502(b)(2)(ii)
and (iii)); commenters did not explicitly address or raise issues with
this proposed clarification.
    In response to concerns that the proposed language at
Sec. 164.514(d)(1) would implement a stricter standard, the Department
disagrees and, therefore, adopts the proposed language. The language in
Sec. 164.514(d)(1) describes the standard: covered entities are
required to meet the requirements in the implementation specifications
of Sec. 164.514(d)(2) through (d)(5). The implementation specifications
describe what covered entities must do reasonably to limit uses,
disclosures, and requests to the minimum necessary. Thus, the
Department believes that the language in the implementation
specifications is adequate to reflect the Department's intent that the
minimum necessary standard is reasonable and flexible to accommodate
the unique circumstances of the covered entity.
    Commenters also generally did not address the Department's proposed
clarification to make the implementation specifications for requests of
protected health information consistent with those for disclosures of
protected health information. Consequently, as commenters did not raise
concerns with the proposal, this final Rule adopts the proposed
provision at Sec. 164.514(d)(4). For requests of protected health
information not made on a routine and recurring basis, a covered entity
must implement the minimum necessary standard by developing and
implementing criteria designed to limit its request for protected
health information to the minimum necessary to accomplish the intended
purpose.

Response to Other Public Comments

    Comment: Many commenters recommended changes to the minimum
necessary standard unrelated to the proposed modifications. For
example, some commenters urged that the Department exempt from the
minimum necessary standard all uses of protected health information, or
at least uses of protected health information for treatment purposes.
Alternatively, one commenter urged that the minimum necessary standard
be applied to disclosures for treatment purposes. Others requested that
the Department exempt uses and disclosures for payment and health care
operations from the standard, or exempt disclosures to another covered
entity for such purposes. A few commenters argued that the minimum
necessary standard should not apply to disclosures to another covered
entity. Some urged that the minimum

[[Page 53197]]

necessary standard be eliminated entirely.
    Response: The Department did not propose modifications relevant to
these comments, nor did it seek comment on these issues. The proposed
modifications generally were intended to address those problems or
issues that presented workability problems for covered entities or
otherwise had the potential to impede an individual's timely access to
quality health care. Moreover, the proposed modifications to the
minimum necessary standard were either minor clarifications of the
Department's intent with respect to the standard or would conform the
standard to other proposed modifications. The Department has, in
previous guidance as well as in the preamble to the December 2000
Privacy Rule, explained its position with respect to the above
concerns. The minimum necessary standard is derived from
confidentiality codes and practices in common use today. We continue to
believe that it is sound practice not to use or disclose private
medical information that is not necessary to satisfy a request or
effectively carry out a function. The privacy benefits of retaining the
minimum necessary standard outweigh the burden involved with
implementing the standard. The Department reiterates that position
here.
    Further, the Department designed the minimum necessary standard to
be sufficiently flexible to accommodate the various circumstances of
any covered entity. Covered entities will develop their own policies
and procedures to meet this standard. A covered entity's policies and
procedures may and should allow the appropriate individuals within an
entity to have access to protected health information as necessary to
perform their jobs with respect to the entity's covered functions. The
Department is not aware of any workability issues with this standard.
    With respect to disclosures to another covered entity, the Privacy
Rule permits a covered entity reasonably to rely on another covered
entity's request for protected health information as the minimum
necessary for the intended disclosure. See Sec. 164.514(d)(3)(iii). The
Department does not believe, therefore, that a blanket exception for
such disclosures is justified. The covered entity who holds the
information always retains discretion to make its own minimum necessary
determination.
    Lastly, the Department continues to believe that the exception for
disclosures to or requests by health care providers for treatment
purposes is appropriate to ensure that access to timely and quality
treatment is not impeded.
    As the Privacy Rule is implemented, the Department will monitor the
workability of the minimum necessary standard and consider proposing
revisions, where appropriate, to ensure that the Privacy Rule does not
hinder timely access to quality health care.
    Comment: One commenter requested that the Department state in the
preamble that the minimum necessary standard may not be used to
interfere with or obstruct essential health plan payment and health
care operations activities, including quality assurance, disease
management, and other activities. Another commenter asked that the
final Rule's preamble acknowledge that, in some cases, the minimum
protected health information necessary for payment or health care
operations will be the entire record. One commenter urged that the Rule
be modified to presume that disclosure of a patient's entire record is
justified, and that such disclosure does not require individual review,
when requested for disease management purposes.
    Response: The minimum necessary standard is not intended to impede
essential treatment, payment, or health care operations activities of
covered entities. Nor is the Rule intended to change the way covered
entities handle their differences with respect to disclosures of
protected health information. The Department recognizes that, in some
cases, an individual's entire medical record may be necessary for
payment or health care operations purposes, including disease
management purposes. However, the Department does not believe that
disclosure of a patient's entire medical record is always justified for
such purposes. The Privacy Rule does not prohibit the request for, or
release of, entire medical records in such circumstances, provided that
the covered entity has documented the specific justification for the
request or disclosure of the entire record.
    Comment: A few commenters requested that the Department add to the
regulatory text some of the statements included in the preamble to the
proposed modifications. For example, commenters asked that the final
Rule state that the minimum necessary standard is ``intended to be
consistent with, and not override, professional judgment and
standards.'' Similarly, others requested that the regulation specify
that ``covered entities must implement policies and procedures based on
their own assessment of what protected health information is reasonably
necessary for a particular purpose, given the characteristics of their
business and their workforce, and using their own professional
judgment.''
    Response: It is the Department's policy that the minimum necessary
standard is intended to be consistent with, and not override,
professional judgment and standards, and that covered entities must
implement policies and procedures based on their own assessment of what
protected health information is reasonably necessary for a particular
purpose, given the characteristics of their business and their
workforce. However, the Department does not believe a regulatory
modification is necessary because the Department has made its policy
clear not only in the preamble to the proposed modifications but also
in previous guidance and in this preamble.
    Comment: A commenter argued that the Department should exempt
disclosures for any of the standard transactions as required by the
Transactions Rule, when information is requested by a health plan or
its business associate.
    Response: The Department disagrees. The Privacy Rule already
exempts from the minimum necessary standard data elements that are
required or situationally required in any of the standard transactions
(Sec. 164.502(b)(2)(v)). If, however, a standard transaction permits
the use of optional data elements, the minimum necessary standard
applies. For example, the standard transactions adopted for the
outpatient pharmacy sector use optional data elements. The payer
currently specifies which of the optional data elements are needed for
payment of its particular pharmacy claims. The minimum necessary
standard applies to the payer's request for such information. A
pharmacist is permitted to rely on the payer's request for information,
if reasonable to do so, as the minimum necessary for the intended
disclosure.
    Comment: A few commenters expressed concerns with respect to a
covered entity's disclosures for research purposes. Specifically, one
commenter was concerned that a covered entity will not accept
documentation of an external IRB's waiver of authorization for purposes
of reasonably relying on the request as the minimum necessary. It was
suggested that the Department deem that a disclosure to a researcher
based on appropriate documentation from an IRB or Privacy Board meets
the minimum necessary standard.
    Response: The Department understands commenters' concerns that
covered entities may decline to

[[Page 53198]]

participate in research studies, but believes that the Rule already
addresses this concern. The Privacy Rule explicitly permits a covered
entity reasonably to rely on a researcher's documentation or the
representations of an IRB or Privacy Board pursuant to Sec. 164.512(i)
that the information requested is the minimum necessary for the
research purpose. This is true regardless of whether the documentation
is obtained from an external IRB or Privacy Board or one that is
associated with the covered entity. The preamble to the March 2002 NPRM
further reinforced this policy by stating that reasonable reliance on
an IRB's documentation of approval of the waiver criteria and a
description of the data needed for the research as required by
Sec. 164.512(i) would satisfy a covered entity's obligations with
respect to limiting the disclosure to the minimum necessary. The
Department reiterates this policy here and believes that this should
give covered entities sufficient confidence in accepting IRB waivers of
authorization.
    Comment: A number of commenters requested that the Department limit
the amount of information that pharmacy benefits managers (PBM) may
demand from pharmacies as part of their claims payment activities.
    Response: The health plan, as a covered entity, is obligated to
instruct the PBM, as its business associate acting through the business
associate contract, to request only the minimum amount of information
necessary to pay a claim. The pharmacist may rely on this determination
if reasonable to do so, and then does not need to engage in a separate
minimum necessary assessment. If a pharmacist does not agree that the
amount of information requested is reasonably necessary for the PBM to
fulfill its obligations, it is up to the pharmacist and PBM to
negotiate a resolution of the dispute as to the amount of information
needed by the PBM to carry out its obligations and that the pharmacist
is willing to provide, recognizing that the PBM is not required to pay
claims if it has not received the information it believes is necessary
to process the claim in accordance with its procedures, including fraud
prevention procedures.
    The standard for electronic pharmacy claims, adopted by the
Secretary in the Transactions Rule, includes optional data elements and
relies on each payer to specify the data elements required for payment
of its claims. Understandably, the majority of health plans require
some patient identification elements in order to adjudicate claims. As
the National Council for Prescription Drug Programs (NCPDP) moves from
optional to required and situational data elements, the question of
whether the specific element of ``patient name'' should be required or
situational will be debated by the NCPDP, by the Designated Standards
Maintenance Organizations, by the National Committee on Vital and
Health Statistics, and ultimately will be decided in rulemaking by the
Secretary.
    Comment: One commenter requested that the minimum necessary
standard be made an administrative requirement rather than a standard
for uses and disclosures, to ease liability concerns with implementing
the standard. The commenter stated that this change would mean that
covered entities would be required to implement reasonable minimum
necessary policies and procedures and would be liable if: (1) They fail
to implement minimum necessary policies and procedures; (2) their
policies and procedures are not reasonable; or (3) they fail to enforce
their policies and procedures. The commenter further explained that
health plans would be liable if their policies and procedures for
requesting health information were unreasonable, but the burden of
liability for the request shifts largely to the entity best suited to
determine whether the amount of information requested is the minimum
necessary.
    Response: The Privacy Rule already requires covered entities to
implement reasonable minimum necessary policies and procedures and to
limit any use, disclosure, or request for protected health information
in a manner consistent with its policies and procedures. The minimum
necessary standard is an appropriate standard for uses and disclosures,
and is not merely an administrative requirement. The Privacy Rule
provides adequate flexibility to adopt minimum necessary policies and
procedures that are workable for the covered entity, thereby minimizing
a covered entity's liability concerns.
    Comment: A number of commenters expressed concerns about
application of the minimum necessary standard to disclosures for
workers' compensation purposes. Commenters argued that the standard
will prevent workers' compensation insurers and State administrators,
as well as employers, from obtaining the information needed to pay
injured workers the benefits guaranteed under the State workers'
compensation system. They also argued that the minimum necessary
standard could lead to fraudulent claims and unnecessary legal action
in order to obtain information needed for workers' compensation
purposes.
    Response: The Privacy Rule is not intended to disrupt existing
workers' compensation systems as established by State law. In
particular, the Rule is not intended to impede the flow of health
information that is needed by employers, workers' compensation
carriers, or State officials in order to process or adjudicate claims
and/or coordinate care under the workers' compensation system. To this
end, the Privacy Rule at Sec. 164.512(l) explicitly permits a covered
entity to disclose protected health information as authorized by, and
to the extent necessary to comply with, workers' compensation or other
similar programs established by law that provide benefits for work-
related injuries or illnesses without regard to fault. The minimum
necessary standard permits covered entities to disclose any protected
health information under Sec. 164.512(l) that is reasonably necessary
for workers' compensation purposes and is intended to operate so as to
permit information to be shared for such purposes to the full extent
permitted by State or other law.
    Additionally, where a State or other law requires a disclosure of
protected health information for workers' compensation purposes, such
disclosure is permitted under Sec. 164.512(a). A covered entity also is
permitted to disclose protected health information to a workers'
compensation insurer where the insurer has obtained the individual's
authorization pursuant to Sec. 164.508 for the release of such
information. The minimum necessary provisions do not apply to
disclosures required by law or made pursuant to authorizations. See
Sec. 164.502(b), as modified herein.
    Further, the Department notes that a covered entity is permitted to
disclose information to any person or entity as necessary to obtain
payment for health care services. The minimum necessary provisions
apply to such disclosures but permit the covered entity to disclose the
amount and types of information that are necessary to obtain payment.
    The Department also notes that because the disclosures described
above are permitted by the Privacy Rule, there is no potential for
conflict with State workers' compensation laws, and, thus, no
possibility of preemption of such laws by the Privacy Rule.
    The Department's review of certain States' workers' compensation
laws demonstrates that many of these laws address the issue of the
scope of information that is available to carriers and employers. The
Privacy Rule's minimum necessary standard will not create an obstacle
to the type and

[[Page 53199]]

amount of information that currently is provided to employers, workers'
compensation carriers, and State administrative agencies under these
State laws. In many cases, the minimum necessary standard will not
apply to disclosures made pursuant to such laws. In other cases, the
minimum necessary standard applies, but permits disclosures to the full
extent authorized by the workers' compensation laws. For example, Texas
workers' compensation law requires a health care provider, upon the
request of the injured employee or insurance carrier, to furnish
records relating to the treatment or hospitalization for which
compensation is being sought. Since such disclosure is required by law,
it also is permissible under the Privacy Rule at Sec. 164.512(a) and
exempt from the minimum necessary standard. The Texas law further
provides that a health care provider is permitted to disclose to the
insurance carrier records relating to the diagnosis or treatment of the
injured employee without the authorization of the injured employee to
determine the amount of payment or the entitlement to payment. Since
the disclosure only is permitted and not required by Texas law, the
provisions at Sec. 164.512(l) would govern to permit such disclosure.
In this case, the minimum necessary standard would apply to the
disclosure but would allow for information to be disclosed as
authorized by the statute, that is, as necessary to ``determine the
amount of payment or the entitlement to payment.''
    As another example, under Louisiana workers' compensation law, a
health care provider who has treated an employee related to a workers'
compensation claim is required to release any requested medical
information and records relative to the employee's injury to the
employer or the workers' compensation insurer. Again, since such
disclosure is required by law, it is permissible under the Privacy Rule
at Sec. 164.512(a) and exempt from the minimum necessary standard. The
Louisiana law further provides that any information relative to any
other treatment or condition shall be available to the employer or
workers' compensation insurer through a written release by the
claimant. Such disclosure also would be permissible and exempt from the
minimum necessary standard under the Privacy Rule if the individual's
written authorization is obtained consistent with the requirements of
Sec. 164.508.
    The Department understands concerns about the potential chilling
effect of the Privacy Rule on the workers' compensation system.
Therefore, as the Privacy Rule is implemented, the Department will
actively monitor the effects of the Rule on this industry to assure
that the Privacy Rule does not have any unintended negative effects
that disturb the existing workers' compensation systems. If the
Department finds that, despite the above clarification of intent, the
Privacy Rule is being misused and misapplied to interfere with the
smooth operation of the workers' compensation systems, it will consider
proposing modifications to the Rule to clarify the application of the
minimum necessary standard to disclosures for workers' compensation
purposes.
    Comment: Another commenter urged the Department to clarify that a
covered entity can reasonably rely on a determination made by a
financial institution or credit card payment system regarding the
minimum necessary information needed by that financial institution or
payment system to complete a contemplated payment transaction.
    Response: Except to the extent information is required or
situationally required for a standard payment transaction (see 45 CFR
162.1601, 162.1602), the minimum necessary standard applies to a
covered entity's disclosure of protected health information to a
financial institution in order to process a payment transaction. With
limited exceptions, the Privacy Rule does not allow a covered entity to
substitute the judgment of a private, third party for its own
assessment of the minimum necessary information for a disclosure. Under
the exceptions in Sec. 164.514(d)(3)(iii), a covered entity is
permitted reasonably to rely on the request of another covered entity
because, in this case, the requesting covered entity is itself subject
to the minimum necessary standard and, therefore, required to limit its
request to only that information that is reasonably necessary for the
purpose. Thus, the Department does not agree that a covered entity
should generally be permitted reasonably to rely on the request of a
financial institution as the minimum necessary. However, the Department
notes that where, for example, a financial institution is acting as a
business associate of a covered entity, the disclosing covered entity
may reasonably rely on a request from such financial institution,
because in this situation, both the requesting and disclosing entity
are subject to the minimum necessary standard.
    Comment: A number of commenters continued to request additional
guidance with respect to implementing this discretionary standard. Many
expressed support for the statement in the NPRM that HHS intends to
issue further guidance to clarify issues causing confusion and concern
in industry, as well as provide additional technical assistance
materials to help covered entities implement the provisions.
    Response: The Department is aware of the need for additional
guidance in this area and intends to provide technical assistance and
further clarifications as necessary to address these concerns and
questions.
3. Parents as Personal Representatives of Unemancipated Minors \1\
---------------------------------------------------------------------------

    \1\ Throughout this section of the preamble, ``minor'' refers to
an unemancipated minor and ``parent'' refers to a parent, guardian,
or other person acting in loco parentis.
---------------------------------------------------------------------------

    December 2000 Privacy Rule. The Privacy Rule is intended to assure
that parents have appropriate access to health information about their
children. By creating new Federal protections and individual rights
with respect to individually identifiable health information, parents
will generally have new rights with respect to the health information
about their minor children. In addition, the Department intended that
the disclosure of health information about a minor child to a parent
should be governed by State or other applicable law.
    Under the Privacy Rule, parents are granted new rights as the
personal representatives of their minor children. (See
Sec. 164.502(g).) Generally, parents will be able to access and control
the health information about their minor children. (See
Sec. 164.502(g)(3).)
    The Privacy Rule recognizes a limited number of exceptions to this
general rule. These exceptions generally track the ability under State
or other applicable laws of certain minors to obtain specified health
care without parental consent. For example, every State has a law that
permits adolescents to be tested for HIV without the consent of a
parent. These laws are created to assure that adolescents will seek
health care that is essential to their own health, as well as the
public health. In these exceptional cases, where a minor can obtain a
particular health care service without the consent of a parent under
State or other applicable law, it is the minor, and not the parent, who
may exercise the privacy rights afforded to individuals under the
December 2000 Privacy Rule. (See Sec. 164.502(g)(3)(i) and (ii),
redesignated as Sec. 164.502(g)(3)(i)(A) and (B)).
    The December 2000 Privacy Rule also allows the minor to exercise
control of

[[Page 53200]]

protected health information when the parent has agreed to the minor
obtaining confidential treatment (see Sec. 164.502(g)(3)(iii),
redesignated as Sec. 164.502(g)(3)(i)(C) in this final Rule), and
allows a covered health care provider to choose not to treat a parent
as a personal representative of the minor when the provider is
concerned about abuse or harm to the child. (See Sec. 164.502(g)(5).)
    Of course, a covered provider may disclose health information about
a minor to a parent in the most critical situations, even if one of the
limited exceptions discussed above applies. Disclosure of such
information is always permitted as necessary to avert a serious and
imminent threat to the health or safety of the minor. (See
Sec. 164.512(j).) The Privacy Rule adopted in December 2000 also states
that disclosure of health information about a minor to a parent is
permitted if State law authorizes disclosure to a parent, thereby
allowing such disclosure where State law determines it is appropriate.
(See Sec. 160.202, definition of ``more stringent.'') Finally, health
information about the minor may be disclosed to the parent if the minor
involves the parent in his or her health care and does not object to
such disclosure. (See Sec. 164.502(g)(3)(i), redesignated as
Sec. 164.502(g)(3)(i)(A), and Sec. 164.510(b)). The parent will retain
all rights concerning any other health information about his or her
minor child that does not meet one of the few exceptions listed above.
    March 2002 NPRM. After reassessing the parents and minors
provisions in the Privacy Rule, the Department identified two areas in
which there were unintended consequences of the Rule. First, the
language regarding deference to State law, which authorizes or
prohibits disclosure of health information about a minor to a parent,
fails to assure that State or other law governs when the law grants a
provider discretion in certain circumstances to disclose protected
health information to a parent. Second, the Privacy Rule may have
prohibited parental access in certain situations in which State or
other law may have permitted such access.
    The Department proposed changes to these standards where they did
not operate as intended and did not adequately defer to State or other
applicable law with respect to parents and minors. First, in order to
assure that State and other applicable laws that address disclosure of
health information about a minor to his or her parent govern in all
cases, the Department proposed to move the relevant language about the
disclosure of health information from the definition of ``more
stringent'' (see Sec. 160.202) to the standards regarding parents and
minors (see Sec. 164.502(g)(3)). This change would make it clear that
State and other applicable law governs not only when a State explicitly
addresses disclosure of protected health information to a parent but
also when such law provides discretion to a provider. The language
itself is also changed in the proposal to adapt it to the new section.
    Second, the Department proposed to add a new paragraph (iii) to
Sec. 164.502(g)(3) to establish a neutral policy regarding the right of
access of a parent to health information about his or her minor child
under Sec. 164.524, in the rare circumstance in which the parent is
technically not the personal representative of his or her minor child
under the Privacy Rule. This policy would apply particularly where
State or other law is silent or unclear.
    Overview of Public Comments. The following discussion provides an
overview of the public comment received on this proposal. Additional
comments received on this issue are discussed below in the section
entitled, ``Response to Other Public Comments.''
    The Department received a number of comments on the proposed
changes to the parents and minors provisions of the Privacy Rule. Many
commenters, particularly health care providers involved in the provision of
health care to minors, requested that the Department return to the
approach under the Privacy Rule published in December 2000, because
they believed that the proposed approach would discourage minors from
seeking necessary health care. At a minimum, these commenters suggested
that the Department clarify that discretion to grant a parent access
under the proposal is limited to the covered health care provider that
is providing treatment to the minor.
    Supporters of the proposal asserted that the Department was moving
in the right direction, but many also advocated for more parental
rights. They asserted that parents have protected rights to act for
their children and that the Privacy Rule interferes with these rights.
    There were also some commenters who were confused by the new
proposal and others who requested a Federal standard that would
preempt all State laws.
    Final Modifications. The Department will continue to defer to State
or other applicable law and to remain neutral to the extent possible.
However, the Department is adopting changes to the standards in the
December 2000 Privacy Rule, where they do not operate as intended and
are inconsistent with the Department's underlying goals. These
modifications are similar in approach to the NPRM and the rationale for
these changes remains the same as was stated in the NPRM. However, the
Department makes some changes from the language that was proposed, in
order to simplify the provisions and clarify the Department's intent.
    There are three goals with respect to the parents and minors
provisions in the Privacy Rule. First, the Department wants to assure
that parents have appropriate access to the health information about
their minor children to make important health care decisions about
them, while also making sure that the Privacy Rule does not interfere
with a minor's ability to consent to and obtain health care under State
or other applicable law. Second, the Department does not want to
interfere with State or other applicable laws related to competency or
parental rights, in general, or the role of parents in making health
care decisions about their minor children, in particular. Third, the
Department does not want to interfere with the professional
requirements of State medical boards or other ethical codes of health
care providers with respect to confidentiality of health information or
with the health care practices of such providers with respect to
adolescent health care.
    In order to honor these differing goals, the Department has and
continues to take the approach of deferring to State or other
applicable law and professional practice with respect to parents and
minors. Where State and other applicable law is silent or unclear, the
Department has attempted to create standards, implementation
specifications, and requirements that are consistent with such laws and
that permit States the discretion to continue to define the rights of
parents and minors with respect to health information without
interference from the Federal Privacy Rule.
    The Department adopts two changes to the provisions regarding
parents and minors in order to address unintended consequences from the
December 2000 Privacy Rule and to defer to State and other law. The
first change is about disclosure of protected health information to a
parent and the second is about access to the health information by the
parent. Disclosure is about a covered entity providing individually
identifiable information to persons outside the entity, either the
individual or a third party. Access is a particular type of disclosure
that is the right of an individual (directly or through a personal
representative) to review or

[[Page 53201]]

obtain a copy of his or her health information under Sec. 164.524. This
modification treats both activities similarly by deferring to State or
other applicable law.
    The first change, regarding disclosure of protected health
information to a parent, is the same as the change proposed in the
NPRM. In order to assure that State and other applicable laws that
address disclosure of health information about a minor to his or her
parent govern in all cases, the language in the definition of ``more
stringent'' (see Sec. 160.202) that addresses the disclosure of
protected health information about a minor to a parent has been moved
to the standards regarding parents and minors (see Sec. 164.502(g)(3)).
The addition of paragraphs (g)(3)(ii)(A) and (B) of Sec. 164.502
clarifies that State and other applicable law governs when such law
explicitly requires, permits, or prohibits disclosure of protected
health information to a parent.
    In connection with moving the language, the language is changed
from the December 2000 Privacy Rule in order to adapt it to the new
section. Section 164.502(g)(3)(ii)(A) states that a covered entity may
disclose protected health information about a minor to a parent if an
applicable provision of State or other law permits or requires such
disclosure. By adopting this provision, the Department makes clear that
nothing in the regulation prohibits disclosure of health information to
a parent if, and to the extent that, State or other law permits or
requires such disclosure. The Privacy Rule defers to such State or
other law and permits covered entities to act in accordance with such
law. Section 164.502(g)(3)(ii)(B) states that a covered entity may not
disclose protected health information about a minor to a parent if an
applicable provision of State or other law prohibits such disclosure.
Again, regardless of how the Privacy Rule would operate in the absence
of explicit State or other law, if such law prohibits the disclosure of
protected health information about a minor to a parent, so does the
Privacy Rule. The revision also clarifies that deference to State or
other applicable law includes deference to established case law as well
as explicit provisions in statutes or regulations that permit, require,
or prohibit particular disclosures.
    The second change, regarding access to protected health
information, also reflects the same policy as proposed in the NPRM.
There are two provisions that refer to access, in order to clarify the
Department's intent in this area. The first is where there is an
explicit State or other law regarding parental access, and the second
is where State or other law is silent or unclear, which is often the
case with access.
    Like the provisions regarding disclosure of protected health
information to a parent, the final Rule defers to State or other
applicable law regarding a parent's access to health information about
a minor. The change assures that State or other applicable law governs
when the law explicitly requires, permits, or prohibits access to
protected health information about a minor to a parent. This includes
deference to established case law as well as an explicit provision in a
statute or regulation. This issue is addressed in paragraphs
(g)(3)(ii)(A) and (B) of Sec. 164.502 with the disclosure provisions
discussed above.
    In addition to the provision regarding explicit State access laws,
the Department recognizes that the Privacy Rule creates a right of
access that previously did not exist in most States. Most States do not
have explicit laws in this area. In order to address the limited number
of cases in which the parent is not the personal representative of the
minor because one of the exceptions in the parents and minors
provisions is met (see Sec. 164.502(g)(3)(i)(A), (B), or (C)), the
Department adds a provision, Sec. 164.502(g)(3)(ii)(C), similar to a
provision proposed in the NPRM, that addresses those situations in
which State and other law about parental access is not explicit. Under
this provision, a covered entity may provide or deny access to a parent
provided that such discretion is permitted by State or other law. This
new paragraph would assure that the Privacy Rule would not prevent a
covered entity from providing access to a parent if the covered entity
would have been able to provide this access under State or other
applicable law. The new paragraph would also prohibit access by a
parent if providing such access would violate State or other applicable
law.
    It is important to note that this provision regarding access to
health information about a minor in cases in which State and other laws
are silent or unclear will not apply in the majority of cases because,
typically, the parent will be the personal representative of his or her
minor child and will have a right of access to the medical records of
his or her minor children under the Privacy Rule. This provision only
applies in cases in which the parent is not the personal representative
under the Privacy Rule.
    In response to comments by health care providers, the final
modifications also clarify that the discretion to provide or deny
access to a parent under Sec. 164.502(g)(3)(ii)(C) may only be
exercised by a licensed health care professional, in the exercise of
professional judgment. This is consistent with the policy described in
the preamble to the NPRM, is similar to the approach in the access
provisions in Sec. 164.524(a)(3), and furthers the Department's
interest in balancing the goals of providing appropriate information to
parents and of assuring that minors obtain appropriate access to health
care. This decision should be made by a health care professional, who
is accustomed to exercising professional judgment. A health plan may
also exercise such discretion if the decision is made by a licensed
health care provider.
    The Department takes no position on the ability of a minor to
consent to treatment and no position on how State or other law affects
privacy between the minor and parent. Where State or other law is
unclear, covered entities should continue to conduct the same analysis
of such law as they do now to determine if access is permissible or
not. Because the Privacy Rule defers to State and other law in the area
of parents and minors, the Department assumes that the current
practices of health care providers with respect to access by parents
and confidentiality of minors' records are consistent with State and
other applicable law, and, therefore, can continue under the Privacy
Rule.
    Parental access under this section would continue to be subject to
any limitations on activities of a personal representative in
Sec. 164.502(g)(5) and Sec. 164.524(a)(2) and (3). In cases in which
the parent is not the personal representative of the minor and State or
other law does not require parental access, this provision does not
provide a parent a right to demand access and does not require a
covered entity to provide access to a parent. Furthermore, nothing in
these modifications shall affect whether or not a minor would have a
right to access his or her records. That is, a covered entity's
exercise of discretion to not grant a parent access does not affect the
right of access the minor may have under the Privacy Rule. A covered
entity may deny a parent access in accordance with State or other law
and may be required to provide access to the minor under the Privacy
Rule.
    These changes also do not affect the general provisions, explained
in the section ``December 2000 Privacy Rule'' above, regarding parents
as personal representatives of their minor children or the exceptions
to this general rule, where parents would not be the

[[Page 53202]]

personal representatives of their minor children.
    These changes adopted in this Rule provide States with the option
of clarifying the interaction between their laws regarding consent to
health care and the ability of parents to have access to the health
information about the care received by their minor children in
accordance with such laws. As such, this change should more accurately
reflect current State and other laws and modifications to such laws.

Response to Other Public Comments

    Comment: Some commenters urged the Department to retain the
approach to parents and minors that was adopted in December 2000. They
claimed that the NPRM approach would seriously undermine minors'
willingness to seek necessary medical care. Other commenters advocated
full parental access to health information about their minor children,
claiming that the Privacy Rule interferes with parents' rights.
    Response: We believe the approach adopted in the final Rule strikes
the right balance between these concerns. It defers to State law or
other applicable law and preserves the status quo to the greatest
extent possible.
    Comment: Health care providers generally opposed the changes to the
parents and minors provisions claiming that they would eliminate
protection of a minor's privacy, and therefore, would decrease the
willingness of adolescents to obtain necessary health care for
sensitive types of health care services. They also argued that the NPRM
approach is inconsistent with State laws that give minors the right to
consent to certain health care because the purpose of these laws is to
provide minors with confidential health care.
    Response: Issues related to parents' and minors' rights with
respect to health care are best left for the States to decide. The
standards regarding parents and minors are designed to defer to State
law in this area. While we believe that there is a correlation between
State laws that grant minors the authority to consent to treatment and
confidentiality of the information related to such treatment, our
research has not established that these laws bar parental access to
such health information under all circumstances. Therefore, to act in a
manner consistent with State law, the approach adopted in this Final
Rule is more flexible than the standards adopted in December 2000, in
order to assure that the Privacy Rule does not preclude a provider from
granting access to a parent if this is permissible under State law.
However, this new standard would not permit activity that would be
impermissible under State law.
    Some State or other laws may state clearly that a covered entity
must provide a parent access to the medical records of his or her minor
child, even when the minor consents to the treatment without the
parent. In this case, the covered entity must provide a parent access,
subject to the access limitations in the Privacy Rule at
Sec. 164.524(a)(2) and (3). Other laws may state clearly that a covered
entity must not provide a parent access to their minor child's medical
records when the minor consents to the treatment without the parent. In
this case, the covered entity would be precluded from granting access
to the parent. If the State or other law clearly provides a covered
entity with discretion to grant a parent access, then the covered
entity may exercise such discretion, to the extent permitted under such
other law.
    If State law is silent or unclear on its face, then a covered
entity would have to go through the same analysis as it would today to
determine if such law permitted, required, or prohibited providing a
parent with access to a minor's records. That analysis may involve
review of case law, attorney general opinions, legislative history,
etc. If such analysis showed that the State would permit an entity to
provide a parent access to health information about a minor child, and
under the Privacy Rule, the parent would not be the personal
representative of the minor because of one of the limited exceptions in
Sec. 164.502(g)(3)(i), then the covered entity may exercise such
discretion, based on the professional judgment of a licensed health
care provider, to choose whether or not to provide the parent access to
the medical records of his or her minor child. If, as the commenters
suggest, a State consent law were interpreted to prohibit such access,
then such access is prohibited under the Privacy Rule as well.
    Comment: One commenter asserted that the Privacy Rule
inappropriately erects barriers between parents and children.
Specifically, the commenter stated that Sec. 164.502(g)(5) delegates to
private entities government power to decide whether a child may be
subjected to abuse or could be endangered. The commenter also stated
that the access provisions in Sec. 164.502(g)(3) would erect barriers
where State law is silent or unclear.
    Response: The Department does not agree that the Privacy Rule
erects barriers between a parent and a minor child because the relevant
standards are intended to defer to State law. Health care providers
have responsibilities under other laws and professional standards to
report child abuse to the appropriate authorities and to use
professional discretion to protect the child's welfare in abuse
situations. Similarly, the Privacy Rule permits (but does not require)
the provider to use professional discretion to act to protect a child
she believes is being abused. If the Privacy Rule were to mandate that
a provider grant a parent access to a medical record in abuse
situations, as the commenter suggests, this would be a change from
current law. In addition, the Privacy Rule does not allow a denial of
parental access to medical records if State or other law would require
such access.
    Comment: Commenters continue to raise preemption issues. A few
commenters called for preemption of all State law in this area. Others
stated that there should be one standard, not 50 standards, controlling
disclosure of protected health information about a minor to a parent
and that the NPRM approach would burden regional and national health
care providers. Others urged preemption of State laws that are less
protective of a minor's privacy, consistent with the general preemption
provisions.
    Response: The Department does not want to interfere with a State's
role in determining the appropriate rights of parents and their minor
children. The claim that the Privacy Rule introduces 50 standards is
inaccurate. These State standards exist today and are not created by
the Privacy Rule. Our approach has been, and continues to be, to defer
to State and other applicable law in this area.
    Comment: One commenter requested the Privacy Rule state that good
faith compliance with the Privacy Rule is an affirmative defense to
enforcement of contrary laws ultimately determined to be more stringent
than the Rule, or that it provide specific guidance on which State laws
conflict with or are more stringent than the Privacy Rule.
    Response: The Privacy Rule cannot dictate how States enforce their
own privacy laws. Furthermore, guidance on whether or not a State law
is preempted would not be binding on a State interpreting its own law.
    Comment: Some commenters remain concerned that a parent will not
get information about a child who receives care in an emergency without
the consent of the parent and that the provisions in Sec. 164.510(b)
are not sufficient.
    Response: As we have stated in previous guidance, a provider
generally can discuss all the health information

[[Page 53203]]

about a minor child with his parent, because the parent usually will be
the personal representative of the child. This is true, under the
Privacy Rule, even if the parent did not provide consent to the
treatment because of the emergency nature of the health care. A parent
may be unable to obtain such information in limited circumstances, such
as when the minor provided consent for the treatment in accordance with
State law or the treating physician suspects abuse or neglect or
reasonably believes that releasing the information to the parent will
endanger the child.
    Comment: A couple of commenters were concerned that the provisions
regarding confidential communications conflict with the Fair Debt
Collection Practices Act (FDCPA), which allows collection agencies to
contact the party responsible for payment of the debt, be it the spouse
or parent (of a minor) of the individual that incurred the debt, and
share information that supports the incurrence and amount of the debt.
They feared that the Privacy Rule would no longer allow collection
agencies to continue this practice.
    Response: Our analysis of the relevant provisions of the Privacy
Rule and the FDCPA does not indicate any conflicts between the two
laws. An entity that is subject to the FDCPA and the Privacy Rule (or
that must act consistent with the Privacy Rule as a business associate
of the covered entity) should be able to comply with both laws, because
the FDCPA permits an entity to exercise discretion to disclose
information about one individual to another.
    The FDCPA allows debt collectors to communicate with the debtor's
spouse, or with the debtor's parent if the debtor is a minor. The
provisions of the FDCPA are permissive rather than mandatory.
    Generally, the Privacy Rule permits covered entities to use the
services of debt collectors as the use of such services to obtain
payment for the provision of health care comes within the definition of
``payment.'' The Privacy Rule generally does not identify to whom
information can be disclosed when a covered entity is engaged in its
own payment activities. Therefore, if a covered entity or a debt
collector, as a business associate of a covered entity, needs to
disclose protected health information to a spouse or a parent, the
Privacy Rule generally would not prevent such disclosure. In these
cases where the Privacy Rule would permit disclosure to a parent or
spouse, there should be no concern with the interaction with the FDCPA.
    However, there are some circumstances in which the Privacy Rule may
prohibit a disclosure to a parent or a spouse for payment purposes. For
example, under Sec. 164.522(a), an individual has the right to request
restrictions to the disclosure of health information for payment. A
provider or health plan may choose whether or not to agree to the
request. If the covered entity agreed to a restriction, the covered
entity would be bound by that restriction and would not be permitted to
disclose the individual's health information in violation of that
agreement. Also, Sec. 164.522(b) generally requires covered entities to
accommodate reasonable requests by individuals to receive
communications of protected health information by alternative means or
at alternative locations. However, the covered entity may condition the
accommodation on the individual providing information on how payment
will be handled. In both of these cases, the covered entity has means
for permitting disclosures as permitted by the FDCPA. Therefore, these
provisions of the Privacy Rule need not limit options available under
the FDCPA. However, if the agreed-to restrictions or accommodation for
confidential communications prohibit disclosure to a parent or spouse
of an individual, the covered entity, and the debt collector as a
business associate of the covered entity, would be prohibited from
disclosing such information under the Privacy Rule. In such case,
because the FDCPA would provide discretion to make a disclosure, but
the Privacy Rule would prohibit the disclosure, a covered entity or the
debt collector as a business associate of a covered entity would have
to exercise discretion granted under the FDCPA in a way that complies
with the Privacy Rule. This means not making the disclosure.

C. Section 164.504--Uses and Disclosures: Organizational Requirements

1. Hybrid Entities
    December 2000 Privacy Rule. The Privacy Rule, as published in
December 2000, defined covered entities that primarily engage in
activities that are not ``covered functions,'' that is, functions that
relate to the entity's operation as a health plan, health care
provider, or health care clearinghouse, as hybrid entities. See 45 CFR
164.504(a). Examples of hybrid entities were: (1) corporations that are
not in the health care industry, but that operate on-site health
clinics that conduct the HIPAA standard transactions electronically;
and (2) insurance carriers that have multiple lines of business that
include both health insurance and other insurance lines, such as
general liability or property and casualty insurance.
    Under the December 2000 Privacy Rule, a hybrid entity was required
to define and designate those parts of the entity that engage in
covered functions as one or more health care component(s). A hybrid
entity also was required to include in the health care component(s) any
other components of the entity that support the covered functions in
the same way such support may be provided by a business associate
(e.g., an auditing component). The health care component was to include
such ``business associate'' functions for two reasons: (1) It is
impracticable for the entity to contract with itself; and (2) having to
obtain an authorization for disclosures to such support components
would limit the ability of the hybrid entity to engage in necessary
health care operations functions. In order to limit the burden on
hybrid entities, most of the requirements of the Privacy Rule only
applied to the health care component(s) of the entity and not to the
parts of the entity that do not engage in covered functions.
    The hybrid entity was required to create adequate separation, in
the form of firewalls, between the health care component(s) and other
components of the entity. Transfer of protected health information held
by the health care component to other components of the hybrid entity
was a disclosure under the Privacy Rule and was allowed only to the
same extent such a disclosure was permitted to a separate entity.
    In the preamble to the December 2000 Privacy Rule, the Department
explained that the use of the term ``primary'' in the definition of a
``hybrid entity'' was not intended to operate with mathematical
precision. The Department further explained that it intended a common
sense evaluation of whether the covered entity mostly operates as a
health plan, health care provider, or health care clearinghouse. If an
entity's primary activity was a covered function, then the whole entity
would have been a covered entity and the hybrid entity provisions would
not have applied. However, if the covered entity primarily conducted
non-health activities, it would have qualified as a hybrid entity and
would have been required to comply with the Privacy Rule with respect
to its health care component(s). See 65 FR 82502.
    March 2002 NPRM. Since the publication of the final Rule, concerns
were raised that the policy guidance in the preamble was insufficient
so long as the Privacy Rule itself limited the hybrid entity provisions
to entities that primarily conducted non-health related activities. In
particular, concerns were raised about whether entities, which have the health plan line of
business as the primary business and an excepted benefits line, such as
workers' compensation insurance, as a small portion of the business,
qualified as hybrid entities. There were also concerns about how
``primary'' was to be defined, if it was not a mathematical
calculation, and how an entity would know whether or not it was a
hybrid entity based on the guidance in the preamble.
    As a result of these comments, the Department proposed to delete
the term ``primary'' from the definition of ``hybrid entity'' in
Sec. 164.504(a) and permit any covered entity that is a single legal
entity and that performs both covered and non-covered functions to
choose whether or not to be a hybrid entity for purposes of the Privacy
Rule. Under the proposal, any covered entity could be a hybrid entity
regardless of whether the non-covered functions represent the entity's
primary functions, a substantial function, or even a small portion of
the entity's activities. In order to be a hybrid entity under the
proposal, a covered entity would have to designate its health care
component(s). If the covered entity did not designate any health care
component(s), the entire entity would be a covered entity and,
therefore, subject to the Privacy Rule. Since the entire entity would
be the covered entity, Sec. 164.504(c)(2) requiring firewalls between
covered and non-covered portions of hybrid entities would not apply.
    The Department explained in the preamble to the proposal that there
are advantages and disadvantages to being a hybrid entity. Whether or
not the advantages outweigh the disadvantages would be a decision for
each covered entity that qualified as a hybrid entity, taking into
account factors such as how the entity was organized and the proportion
of the entity that must be included in the health care component.
    The Department also proposed to simplify the definition of ``health
care component'' in Sec. 164.504(a) to make clear that a health care
component is whatever the covered entity designates as the health care
component, consistent with the provisions regarding designation in
proposed Sec. 164.504(c)(3)(iii). The Department proposed to move the
specific language regarding which components make up a health care
component to the implementation specification that addresses
designation of health care components at Sec. 164.504(c)(3)(iii). At
Sec. 164.504(c)(3)(iii), the Department proposed that a health care
component could include: (1) Components of the covered entity that
engage in covered functions, and (2) any component that engages in
activities that would make such component a business associate of a
component that performs covered functions, if the two components were
separate legal entities. In addition, the Department proposed to make
clear at Sec. 164.504(c)(3)(iii) that a hybrid entity must designate as
a health care component(s) any component that would meet the definition
of ``covered entity'' if it were a separate legal entity.
    There was some ambiguity in the December 2000 Privacy Rule as to
whether a health care provider that does not conduct electronic
transactions for which the Secretary has adopted standards (i.e., a
non-covered health care provider) and which is part of a larger covered
entity was required to be included in the health care component. To
clarify this issue, the proposal also would allow a hybrid entity the
discretion to include in its health care component a non-covered health
care provider component. Including a non-covered health care provider
in the health care component would subject the non-covered provider to
the Privacy Rule. Accordingly, the Department proposed a conforming
change in Sec. 164.504(c)(1)(ii) to make clear that a reference to a
``covered health care provider'' in the Privacy Rule could include the
functions of a health care provider who does not engage in electronic
transactions, if the covered entity chooses to include such functions
in the health care component.
    The proposal also would permit a hybrid entity to designate
otherwise non-covered portions of its operations that provide services
to the covered functions, such as parts of the legal or accounting
divisions of the entity, as part of the health care component, so that
protected health information could be shared with such functions of the
entity without business associate agreements or individual
authorizations. The proposal would not require that the covered entity
designate entire divisions as in or out of the covered component.
Rather, it would permit the covered entity to designate functions
within such divisions, such as the functions of the accounting division
that support health insurance activities, without including those
functions that support life insurance activities. The Department
proposed to delete as unnecessary and redundant the related language in
paragraph (2)(ii) of the definition of ``health care component'' in the
Privacy Rule that requires the ``business associate'' functions include
the use of protected health information.
    Overview of Public Comments. The following discussion provides an
overview of the public comment received on this proposal. Additional
comments received on this issue are discussed below in the section
entitled, ``Response to Other Public Comments.''
    The Department received relatively few comments on its proposal
regarding hybrid entities. A number of comments supported the proposal,
appreciative of the added flexibility it would afford covered entities
in their compliance efforts. For example, some drug stores stated that
the proposal would provide them with the flexibility to designate
health care components, whereas under the December 2000 Rule, these
entities would have been required to subject their entire business,
including the ``front end'' of the store which is not associated with
dispensing prescription drugs, to the Privacy Rule's requirements.
    Some health plans and other insurers also expressed strong support
for the proposal. These comments, however, seemed to be based on a
misinterpretation of the uses and disclosures the proposal actually
would permit. These commenters appear to assume that the proposal would
allow information to flow freely between non-covered and covered
functions in the same entity, if that entity chose not to be a hybrid
entity. For example, commenters explained that they interpreted the
proposal to mean that a multi-line insurer which does not elect hybrid
entity status would be permitted to share protected health information
between its covered lines and its otherwise non-covered lines. It was
stated that such latitude would greatly enhance multi-line insurers'
ability to detect and prevent fraudulent activities and eliminate
barriers to sharing claims information between covered and non-covered
lines of insurance where necessary to process a claim.
    Some commenters opposed the Department's hybrid entity proposal,
stating that the proposal would reduce the protections afforded under
the Privacy Rule and would be subject to abuse. Commenters expressed
concerns that the proposal would allow a covered entity with only a
small health care component to avoid the extra protections of creating
firewalls between the health care component and the rest of the
organization. Moreover, one of the commenters stated that the proposal
could allow a covered entity that is primarily performing health care
functions to circumvent the requirements of the Rule for a large part
of its operations by designating itself a hybrid and excluding from the
health care component a non-covered health care provider function, such as a
free nurse advice line that does not bill electronically. In addition,
it was stated that the ambiguous language in the proposal could
potentially be construed as allowing a hybrid entity to designate only
the business associate-like functions as the health care component, and
exclude covered functions. The commenter urged the Department to
clarify that a hybrid entity must, at a minimum, designate a component
that performs covered functions as a health care component, and that a
health care provider cannot avoid having its treatment component
considered a health care component by relying on a billing department
to conduct its standard electronic transactions. These commenters urged
the Department to retain the existing policy by requiring those
organizations whose primary functions are not health care to be hybrid
entities and to institute firewall protections between their health
care and other components.
    Final Modifications. After consideration of the comments, the
Department adopts in the final Rule the proposed approach to provide
covered entities that otherwise qualify the discretion to decide
whether to be a hybrid entity. To do so, the Department eliminates the
term ``primary'' from the definition of ``hybrid entity'' at
Sec. 164.504(a). Any covered entity that otherwise qualifies (i.e., is
a single legal entity that performs both covered and non-covered
functions) and that designates health care component(s) in accordance
with Sec. 164.504(c)(3)(iii) is a hybrid entity. A hybrid entity is
required to create adequate separation, in the form of firewalls,
between the health care component(s) and other components of the
entity. Transfer of protected health information held by the health
care component to other components of the hybrid entity continues to be
a disclosure under the Privacy Rule, and, thus, allowed only to the
same extent such a disclosure is permitted to a separate entity.
    Most of the requirements of the Privacy Rule continue to apply only
to the health care component(s) of a hybrid entity. Covered entities
that choose not to designate health care component(s) are subject to
the Privacy Rule in their entirety.
    The final Rule regarding hybrid entities is intended to provide a
covered entity with the flexibility to apply the Privacy Rule as best
suited to the structure of its organization, while maintaining privacy
protections for protected health information within the organization.
In addition, the policy in the final Rule simplifies the Privacy Rule
and makes moot any questions about what ``primary'' means for purposes
of determining whether an entity is a hybrid entity.
    The final Rule adopts the proposal's simplified definition of
``health care component,'' which makes clear that a health care
component is what the covered entity designates as the health care
component. The Department makes a conforming change in
Sec. 164.504(c)(2)(ii) to reflect the changes to the definition of
``health care component.'' The final Rule at Sec. 164.504(c)(3)(iii)
requires a health care component to include a component that would meet
the definition of a ``covered entity'' if it were a separate legal
entity. The Department also modifies the language of the final Rule at
Sec. 164.504(c)(3)(iii) to clarify that only a component that performs
covered functions, and a component to the extent that it performs
covered functions or activities that would make such component a
business associate of a component that performs covered functions if
the two components were separate legal entities, may be included in the
health care component. ``Covered functions'' are defined at
Sec. 164.501 as ``those functions of a covered entity the performance
of which makes the entity a health plan, health care provider, or
health care clearinghouse.''
    As in the proposal, the Department provides a hybrid entity with
some discretion as to what functions may be included in the health care
component in two ways. First, the final Rule clarifies that a hybrid
entity may include in its health care component a non-covered health
care provider component. Accordingly, the Department adopts the
proposed conforming change to Sec. 164.504(c)(1)(ii) to make clear that
a reference to a ``covered health care provider'' in the Privacy Rule
may include the functions of a health care provider who does not engage
in electronic transactions for which the Secretary has adopted
standards, if the covered entity chooses to include such functions in
the health care component. A hybrid entity that chooses to include a
non-covered health care provider in its health care component is
required to ensure that the non-covered health care provider, as well
as the rest of the health care component, is in compliance with the
Privacy Rule.
    Second, the final Rule retains the proposed policy to provide
hybrid entities with discretion as to whether or not to include
business associate-like divisions within the health care component. It
is not a violation of the Privacy Rule to exclude such divisions from
the health care component. However, a disclosure of protected health
information from the health care component to such other division that
is not part of the health care component is the same as a disclosure
outside the covered entity. Because an entity cannot have a business
associate contract with itself, such a disclosure likely will require
individual authorization.
    The Department clarifies, in response to comments, that a health
care provider cannot avoid being a covered entity and, therefore, part
of a health care component of a hybrid entity just by relying on a
billing department to conduct standard transactions on its behalf. A
health care provider is a covered entity if standard transactions are
conducted on his behalf, regardless of whether the provider or a
business associate (or billing department within a hybrid entity)
actually conducts the transactions. In such a situation, however,
designating relevant parts of the business associate division as part
of the health care component would facilitate the conduct of health
care operations and payment.
    Also in response to comments, the Department clarifies that even if
a covered entity does not choose to be a hybrid entity, and therefore
is not required to erect firewalls around its health care functions,
the entity still only is allowed to use protected health information as
permitted by the Privacy Rule, for example, for treatment, payment, and
health care operations. Additionally, the covered entity is still
subject to minimum necessary restrictions under Secs. 164.502 and
164.514(d), and, thus, must have policies and procedures that describe
who within the entity may have access to the protected health
information. Under these provisions, workforce members may be permitted
access to protected health information only as necessary to carry out
their duties with respect to the entity's covered functions. For
example, the health insurance line of a multi-line insurer is not
permitted to share protected health information with the life insurance
line for purposes of determining eligibility for life insurance
benefits or any other life insurance purposes absent an individual's
written authorization. However, the health insurance line of a multi-
line insurer may share protected health information with another line
of business pursuant to Sec. 164.512(a), if, for example, State law
requires an insurer that receives a claim under one policy to share
that information with other lines of insurance to determine if the
event also may be payable under another insurance policy. Furthermore, the health plan may share
information with another line of business if necessary for the health
plan's coordination of benefits activities, which would be a payment
activity of the health plan.
    Given the above restrictions on information flows within the
covered entity, the Department disagrees with those commenters who
raised concerns that the proposed policy would weaken the Rule by
eliminating the formal requirement for ``firewalls.'' Even if a covered
entity does not designate health care component(s) and, therefore, does
not have to establish firewalls to separate its health care function(s)
from the non-covered functions, the Privacy Rule continues to restrict
how protected health information may be used and shared within the
entity and who gets access to the information.
    Further, the Department does not believe that allowing a covered
entity to exclude a non-covered health care provider component from its
health care component will be subject to abuse. Excluding health care
functions from the health care component has significant implications
under the Rule. Specifically, the Privacy Rule treats the sharing of
protected health information from a health care component to a non-
covered component as a disclosure, subject to the same restrictions as
a disclosure between two legally separate entities. For example, if a
covered entity decides to exclude from its health care component a non-
covered provider, the health care component is then restricted from
disclosing protected health information to that provider for any of the
non-covered provider's health care operations, absent an individual's
authorization. See Sec. 164.506(c). If, however, the non-covered health
care provider function is not excluded, it would be part of the health
care component and that information could be used for its operations
without the individual's authorization.

Response to Other Public Comments

    Comment: A number of academic medical centers expressed concern
that the Privacy Rule prevents them from organizing for compliance in a
manner that reflects the integration of operations between the medical
school and affiliated faculty practice plans and teaching hospitals.
These commenters stated that neither the proposal nor the existing Rule
would permit many academic medical centers to designate themselves as
either a hybrid or affiliated entity, since the components of each must
belong to a single legal entity or share common ownership or control.
These commenters also explained that a typical medical school would not
appear to qualify as an organized health care arrangement (OHCA)
because it does not engage in any of the requisite joint activities,
for example, quality assessment and improvement activities, on behalf
of the covered entity. It was stated that it is essential that there
not be impediments to the flow of information within an academic
medical center. These commenters, therefore, urged that the Department
add a definition of ``academic medical center'' to the Privacy Rule and
modify the definition of ``common control'' to explicitly apply to the
components of an academic medical center, so as to ensure that academic
medical centers qualify as affiliated entities for purposes of the
Rule.
    Response: The Department does not believe that a modification to
include a special rule for academic medical centers is warranted. The
Privacy Rule's organizational requirements at Sec. 164.504 for hybrid
entities and affiliated entities, as well as the definition of
``organized health care arrangement'' in Sec. 164.501, provide covered
entities with much flexibility to apply the Rule's requirements as best
suited to the structure of their businesses. However, in order to
maintain privacy protections, the Privacy Rule places appropriate
conditions on who may qualify for such organizational options, as well
as how information may flow within such constructs. Additionally, if
the commenter is suggesting that information should flow freely between
the covered and non-covered functions within an academic medical
center, the Department clarifies that the Privacy Rule restricts the
sharing of protected health information between covered and non-covered
functions, regardless of whether the information is shared within a
single covered entity or a hybrid entity, or among affiliated covered
entities or covered entities participating in an OHCA. Such uses and
disclosures may only be made as permitted by the Rule.
    Comment: A few commenters expressed concern with respect to
governmental hybrid entities having to include business associate-like
divisions within the health care component or else being required to
obtain an individual's authorization for disclosures to such division.
It was stated that this concept does not take into account the
organizational structures of local governments and effectively forces
such governmental hybrid entities to bring those components that
perform business associate type functions into their covered component.
Additionally, a commenter stated that this places an undue burden on
local government by essentially requiring that functions, such as
auditor/controller or county counsel, be treated as fully covered by
the Privacy Rule in order to minimize otherwise considerable risk.
Commenters, therefore, urged that the Department allow a health care
component to enter into a memorandum of understanding (MOU) or other
agreement with the business associate division within the hybrid
entity. Alternatively, it was suggested that a governmental hybrid
entity be permitted to include in its notice of privacy practices the
possibility that information may be shared with other divisions within
the same government entity for specific purposes.
    Response: The Department clarifies that a covered entity which
chooses to include its business associate division within the health
care component may only do so to the extent such division performs
activities on behalf of, or provides services to, the health care
component. That same division's activities with respect to non-covered
activities may not be included. To clarify this point, the Department
modified the proposed language in Sec. 164.504(c)(3)(iii) to provide
that a health care component may only include a component to the extent
that it performs covered functions or activities that would make such
component a business associate of a component that performs covered
functions if the two components were separate legal entities. For
example, employees within an accounting division may be included within
the health care component to the extent that they provide services to
such component. However, where these same employees also provide
services to non-covered components of the entity, their activities with
respect to the health care component must be adequately separated from
their other non-covered functions.
    While the Department does not believe that a MOU between
governmental divisions within a hybrid entity may be necessary given
the above clarification, the Department notes that a governmental
hybrid entity may elect to have its health care component enter into a
MOU with its business associate division, provided that such agreement
is legally binding and meets the relevant requirements of
Sec. 164.504(e)(3) and (e)(4). Such agreement would eliminate the need
for the health care component to include the business associate
division or for obtaining the individual's authorization to disclose to such division.
    Additionally, the Department encourages covered entities to develop
a notice of privacy practices that is as specific as possible, which
may include, for a government hybrid entity, a statement that
information may be shared with other divisions within the government
entity as permitted by the Rule. However, the notice of privacy
practices is not an adequate substitute for, as appropriate, a
memorandum of understanding; designation of business associate
functions as part of a health care component; or alternatively,
conditioning disclosures to such business associate functions on
individuals' authorizations.
    Comment: One commenter requested a clarification that a pharmacy-
convenience store, where the pharmacy itself is a separate enclosure
under supervision of a licensed pharmacist, is not a hybrid entity.
    Response: The Department clarifies that a pharmacy-convenience
store, if a single legal entity, is permitted, but not required, to be
a hybrid entity and designate the pharmacy as the health care
component. Alternatively, such an entity may choose to be a covered
entity in its entirety. However, if the pharmacy and the convenience
store are separate legal entities, the convenience store is not a
covered entity simply by virtue of sharing retail space with the
covered pharmacy.
    Comment: Another commenter stated that the Rule implies that
individual providers, once covered, are covered for all circumstances
even if they are employed by more than one entity--one sending
transactions electronically but not the other--or if the individual
provider changes functions or employment and no longer electronically
transmits standard transactions. This commenter asked that either the
Rule permit an individual provider to be a hybrid entity (recognizing
that there are times when an individual provider may be engaging in
standard transactions, and other times when he is not), or that the
definition of a ``covered entity'' should be modified so that
individual providers are themselves classified as covered entities only
when they are working as individuals.
    Response: A health care provider is not a covered entity based on
his being a workforce member of a health care provider that conducts
the standard transactions. Thus, a health care provider may maintain a
separate uncovered practice (if he does not engage in standard
transactions electronically in connection with that practice), even
though the provider may also practice at a hospital which may be a
covered entity. However, the Rule does not permit an individual
provider to use hybrid entity status to eliminate protections on
information when he is not conducting standard transactions. If a
health care provider conducts standard transactions electronically on
his own behalf, then the protected health information maintained or
transmitted by that provider is covered, regardless of whether the
information is actually used in such transactions.
    Comment: One commenter requested a clarification that employers are
not hybrid entities simply because they may be the plan sponsor of a
group health plan.
    Response: The Department clarifies that an employer is not a hybrid
entity simply because it is the plan sponsor of a group health plan.
The employer/plan sponsor and group health plan are separate legal
entities and, therefore, do not qualify as a hybrid entity. Further,
disclosures from the group health plan to the plan sponsor are governed
specifically by the requirements of Sec. 164.504(f).
    Comment: A few commenters asked the Department to permit a covered
entity with multiple types of health care components to tailor notices
to address the specific privacy practices within a component, rather
than have just one generic notice for the entire covered entity.
    Response: Covered entities are allowed to provide a separate notice
for each separate health care component, and are encouraged to provide
individuals with the most specific notice possible.

2. Group Health Plan Disclosures of Enrollment and Disenrollment
Information to Plan Sponsors
    December 2000 Privacy Rule. The Department recognized the
legitimate need of plan sponsors and employers to access health
information held by group health plans in order to carry out essential
functions related to the group health plan. Therefore, the Privacy Rule
at Sec. 164.504(f) permits a group health plan, and health insurance
issuers or HMOs with respect to the group health plan, to disclose
protected health information to a plan sponsor provided that, among
other requirements, the plan documents are amended appropriately to
reflect and restrict the plan sponsor's uses and disclosures of such
information. The Department further determined that there were two
situations in which protected health information could be shared
between the group health plan and the plan sponsor without individual
authorization or an amendment to the plan documents. First,
Sec. 164.504(f) permits the group health plan to share summary health
information (as defined in Sec. 164.504(a)) with the plan sponsor.
Second, a group health plan is allowed to share enrollment or
disenrollment information with the plan sponsor without amending the
plan documents as required by Sec. 164.504(f). As explained in the
preamble to the December 2000 Privacy Rule, a plan sponsor is permitted
to perform enrollment functions on behalf of its employees without
meeting the requirements of Sec. 164.504(f), as such functions are
considered outside of the plan administration functions. However, the
second exception was not stated in the regulation text.
    March 2002 NPRM. The ability of group health plans to disclose
enrollment or disenrollment information without amending the plan
documents was addressed only in the preamble to the Privacy Rule. The
absence of a specific provision in the regulation text caused many
entities to conclude that plan documents would need to be amended for
enrollment and disenrollment information to be exchanged between plans
and plan sponsors. To remedy this misunderstanding and make its policy
clear, the Department proposed to add an explicit exception at
Sec. 164.504(f)(1)(iii) to clarify that group health plans (or health
insurance issuers or HMOs with respect to group health plans, as
appropriate) are permitted to disclose enrollment or disenrollment
information to a plan sponsor without meeting the plan document
amendment and other related requirements.
    Overview of Public Comments. The following discussion provides an
overview of the public comment received on this proposal. Additional
comments received on this issue are discussed below in the section
entitled, ``Response to Other Public Comments.''
    Commenters in general supported the proposed modification. Some
supported the proposal because it was limited to information about
whether an individual is participating or enrolled in a group health
plan and would not permit the disclosure of any other protected health
information. Others asserted that the modification is a reasonable
approach because enrollment and disenrollment information is needed by
plan sponsors for payroll and other employment reasons.
    Final Modifications. The Department adopts the modification to
Sec. 164.504(f)(1)(iii) essentially as proposed. Thus, a group health
plan, or

[[Page 53208]]

a health insurance issuer or HMO acting for a group health plan, may
disclose to a plan sponsor information on whether the individual is
participating in the group health plan, or is enrolled in or has
disenrolled from a health insurance issuer or HMO offered by the plan.
This disclosure can be made without amending the plan documents. In
adopting the modification as a final Rule, the Department deletes the
phrase ``to the plan sponsor'' that appeared at the end of the proposed
new provision, as mere surplusage.
    As a result of the modification, summary health information and
enrollment and disenrollment information are treated consistently.
Under Sec. 164.504(f), as modified, group health plans can share
summary health information and enrollment or disenrollment information
with plan sponsors without having to amend the plan documents. Section
164.520(a) provides that a fully insured group health plan does not
need to comply with the Privacy Rule's notice requirements if the only
protected health information it creates or receives is summary health
information and/or information about individuals' enrollment in, or
disenrollment from, a health insurer or HMO offered by the group health
plan. Similarly, in Sec. 164.530(k), the Department exempts fully
insured group health plans from many of the administrative requirements
in that section if the only protected health information held by the
group health plan is summary health information and/or information
about individuals' enrollment in, or disenrollment from, a health
insurer or HMO offered by the group health plan. Such consistency will
simplify compliance with the Privacy Rule.

Response to Other Public Comments

    Comment: One commenter stated that there needs to be protection for
health information given to group health plans on enrollment forms. In
particular, this commenter suggested that the Department include a
definition of ``enrollment'' or ``disenrollment'' information that
specifies that medical information, such as past or present medical
conditions and doctor or hospital visits, is not enrollment
information, but rather is individually identifiable health
information, and therefore, subject to the Privacy Rule's protections.
    Response: Individually identifiable health information received or
created by the group health plan for enrollment purposes is protected
health information under the Privacy Rule. The modification to
Sec. 164.504(f) being adopted in this rulemaking does not affect this
policy. The Privacy Rule does not define the information that may be
transmitted for enrollment and disenrollment purposes. Rather, the
Department in the Transactions Rule has adopted a standard transaction
for enrollment and disenrollment in a health plan. That standard (ASC
X12N 834, Benefit Enrollment and Maintenance, Version 4010, May 2000,
Washington Publishing Company) specifies the required and situationally
required data elements to be transmitted as part of such a transaction.
While the standard enrollment and disenrollment transaction does not
include any substantial clinical information, the information provided
as part of the transaction may indicate whether or not tobacco use,
substance abuse, or short, long-term, permanent, or total disability is
relevant, when such information is available. However, the Department
clarifies that, in disclosing or maintaining information about an
individual's enrollment in, or disenrollment from, a health insurer or
HMO offered by the group health plan, the group health plan may not
include medical information about the individual above and beyond that
which is required or situationally required by the standard transaction
and still qualify for the exceptions for enrollment and disenrollment
information allowed under the Rule.

    Comment: Several commenters recommended that enrollment and
disenrollment information specifically be excluded from the definition
of ``protected health information.'' They argued that this change would
be warranted because enrollment and disenrollment information do not
include health information. They further argued that such a change
would help alleviate confusion surrounding the application of the
Privacy Rule to employers.
    Response: We disagree that enrollment and disenrollment information
should be excluded from the definition of ``protected health
information.'' Enrollment and disenrollment information fall under the
statutory definition of ``individually identifiable health
information,'' since it is received or created by a health plan,
identifies an individual, and relates to the past, present, or future
payment for the provision of health care to an individual. As such, the
Department believes there is no statutory basis to exclude such
information from the definition of ``protected health information.''
The Department believes that the exception to the requirement for group
health plans to amend plan documents that has been added to the Privacy
Rule for enrollment and disenrollment information balances the
legitimate need that plan sponsors have for enrollment and
disenrollment information against the individual's right to have such
information kept private and confidential.
    Comment: Given that, under Sec. 164.504(f)(2), plan sponsors agree
not to use or further disclose protected health information other than
as permitted or required by plan documents or ``required by law,'' one
commenter requested that the definition of ``required by law'' set
forth at Sec. 164.501 should be revised to reflect that it applies not
only to covered entities, but also to plan sponsors who are required to
report under OSHA or similar laws.
    Response: The Department agrees and has made a technical correction
to the definition of ``required by law'' in Sec. 164.501 to reflect
that the definition applies to a requirement under law that compels any
entity, not just a covered entity, to make a use or disclosure of
protected health information.

D. Section 164.506--Uses and Disclosures for Treatment, Payment, and
Health Care Operations

1. Consent
    December 2000 Privacy Rule. Treatment and payment for health care
are core functions of the health care industry, and uses and
disclosures of individually identifiable health information for such
purposes are critical to the effective operation of the health care
system. Health care providers and health plans must also use
individually identifiable health information for certain health care
operations, such as administrative, financial, and legal activities, to
run their businesses and to support the essential health care functions
of treatment and payment. Equally important are health care operations
designed to maintain and improve the quality of health care. In
developing the Privacy Rule, the Department balanced the privacy
implications of uses and disclosures for treatment, payment, and health
care operations and the need for these core activities to continue. The
Department considered the fact that many individuals expect that their
health information will be used and disclosed as necessary to treat
them, bill for treatment, and, to some extent, operate the covered
entity's health care business. Given public expectations with respect
to the use or disclosure of information for such activities and so as
not to interfere with an individual's

[[Page 53209]]

access to quality health care or the efficient payment for such health
care, the Department's goal is, and has always been, to permit these
activities to occur with little or no restriction.
    Consistent with this goal, the Privacy Rule published in December
2000 generally provided covered entities with permission to use and
disclose protected health information as necessary for treatment,
payment, and health care operations. For certain health care providers
that have direct treatment relationships with individuals, such as many
physicians, hospitals, and pharmacies, the December 2000 Privacy Rule
required such providers to obtain an individual's written consent prior
to using or disclosing protected health information for these purposes.
The Department designed consent as a one-time, general permission from
the individual, which the individual would have had the right to
revoke. A health care provider could have conditioned treatment on the
receipt of consent. Other covered entities also could have chosen to
obtain consent but would have been required to follow the consent
standards if they opted to do so.
    The consent requirement for health care providers with direct
treatment relationships was a significant change from the Department's
initial proposal published in November 1999. At that time, the
Department proposed to permit all covered entities to use and disclose
protected health information to carry out treatment, payment, and
health care operations without any requirement that the covered
entities obtain an individual's consent for such uses and disclosures,
subject to a few limited exceptions. Further, the Department proposed
to prohibit covered entities from obtaining an individual's consent for
uses and disclosures of protected health information for these
purposes, unless required by other applicable law.
    The transition provisions of the Privacy Rule permit covered health
care providers that were required to obtain consent to use and disclose
protected health information they created or received prior to the
compliance date of the Privacy Rule for treatment, payment, or health
care operations if they had obtained consent, authorization, or other
express legal permission to use or disclose such information for any of
these purposes, even if such permission did not meet the consent
requirements of the Privacy Rule.
    March 2002 NPRM. The Department heard concerns about significant
practical problems that resulted from the consent requirements in the
Privacy Rule. Covered entities and others provided numerous examples of
obstacles that the consent provisions would pose to timely access to
health care. These examples extended to various types of providers and
various settings. The most troubling, pervasive problem was that health
care providers would not have been able to use or disclose protected
health information for treatment, payment, or health care operations
purposes prior to their initial face-to-face contact with the patient,
something which is routinely done today to provide patients with timely
access to quality health care. A list of some of the more significant
examples and concerns is as follows:
    • Pharmacists would not have been able to fill a
prescription, search for potential drug interactions, determine
eligibility, or verify coverage before the individual arrived at the
pharmacy to pick up the prescription if the individual had not already
provided consent under the Privacy Rule.
    • Hospitals would not have been able to use information from
a referring physician to schedule and prepare for procedures before the
individual presented at the hospital for such procedure, or the patient
would have had to make a special trip to the hospital to sign the
consent form.
    • Providers who do not provide treatment in person may have
been unable to provide care because they would have had difficulty
obtaining prior written consent to use protected health information at
the first service delivery.
    • Emergency medical providers were concerned that, if a
situation was urgent, they would have had to try to obtain consent to
comply with the Privacy Rule, even if that would be inconsistent with
appropriate practice of emergency medicine.
    • Emergency medical providers were also concerned that the
requirement that they attempt to obtain consent as soon as reasonably
practicable after an emergency would have required significant efforts
and administrative burden which might have been viewed as harassing by
individuals, because these providers typically do not have ongoing
relationships with individuals.
    • Providers who did not meet one of the consent exceptions
were concerned that they could have been put in the untenable position
of having to decide whether to withhold treatment when an individual
did not provide consent or proceed to use information to treat the
individual in violation of the consent requirements.
    • The right to revoke a consent would have required tracking
consents, which could have hampered treatment and resulted in large
institutional providers deciding that it would be necessary to obtain
consent at each patient encounter instead.
    • The transition provisions would have resulted in
significant operational problems, and the inability to access health
records would have had an adverse effect on quality activities, because
many providers currently are not required to obtain consent for
treatment, payment, or health care operations.
    • Providers that are required by law to treat were concerned
about the mixed messages to patients and interference with the
physician-patient relationship that would have resulted because they
would have had to ask for consent to use or disclose protected health
information for treatment, payment, or health care operations, but
could have used or disclosed the information for such purposes even if
the patient said ``no.''
    As a result of the large number of treatment-related obstacles
raised by various types of health care providers that would have been
required to obtain consent, the Department became concerned that
individual fixes would be too complex and could possibly overlook
important problems. Instead, the Department proposed an approach
designed to protect privacy interests by affording patients the
opportunity to engage in important discussions regarding the use and
disclosure of their health information through the strengthened notice
requirement, while allowing activities that are essential to quality
health care to occur unimpeded (see section III.H. of the preamble for
a discussion of the strengthened notice requirements).
    Specifically, the Department proposed to make the obtaining of
consent to use and disclose protected health information for treatment,
payment, or health care operations more flexible for all covered
entities, including providers with direct treatment relationships.
Under this proposal, health care providers with direct treatment
relationships with individuals would no longer be required to obtain an
individual's consent prior to using and disclosing information about
him or her for treatment, payment, and health care operations. They,
like other covered entities, would have regulatory permission for such
uses and disclosures.
    The NPRM included provisions to permit covered entities to obtain
consent for uses and disclosures of protected health information for
treatment, payment, or health care

[[Page 53210]]

operations, if they wished to do so. These provisions would grant
providers complete discretion in designing this process. These proposed
changes were partnered, however, by the proposal to strengthen the
notice provisions to require direct treatment providers to make good
faith efforts to obtain a written acknowledgment of receipt of the
notice. The intent was to preserve the opportunity to raise questions
about the entity's privacy policies that the consent requirements
previously provided.
    Overview of Public Comments. The following discussion provides an
overview of the public comment received on this proposal. Additional
comments received on this issue are discussed below in the section
entitled, ``Response to Other Public Comments.''
    The vast majority of commenters addressed the consent proposal.
Most comments fell into three basic categories: (1) Many comments
supported the NPRM approach to eliminate the consent requirement; (2)
many comments urged the Department to require consent, but make
targeted fixes to address workability issues; and (3) some comments
urged the Department to strengthen the consent requirement.
    The proposed approach of eliminating required consent and making
obtaining of consent permissible, at the entity's discretion, was
supported by many covered entities that asserted that it would provide
the appropriate balance among access to quality health care,
administrative burden, and patient privacy. Many argued that the
appropriate privacy protections were preserved by strengthening the
notice requirement. This approach was also supported by the NCVHS.
    The comments received in response to the NPRM continued to raise
the issues and obstacles described above, and others. For example, in
addition to providing health care services to patients, hospices often
provide psychological and emotional support to family members. These
consultations often take place long distance and would likely be
considered treatment. The consent requirement would make it difficult,
or impossible in some circumstances, for hospices to provide these
important services to grieving family members on a timely basis.
Comments explained that the consent provisions in the Rule pose
significant obstacles to oncologists as well. Cancer treatment is
referral-based. Oncologists often obtain information from other
doctors, hospitals, labs, etc., speak with patients by telephone,
identify treatment options, and develop preliminary treatment plans,
all before the initial patient visit. The prior consent requirement
would prevent all of these important preliminary activities before the
first patient visit, which would delay treatment in cases in which such
delay cannot be tolerated.
    Other commenters continued to strongly support a consent
requirement, consistent with their views expressed during the comment
period in March 2001. Some argued that the NPRM approach would
eliminate an important consumer protection and that such a ``radical''
approach to fixing the workability issues was not required. They
recommended a targeted approach to fixing each problem, and suggested
ways to fix each unintended consequence of the consent requirement, in
lieu of removing the requirement to obtain consent.
    A few commenters argued for reinstating a consent requirement, but
making it similar to the proposal for acknowledgment of notice by
permitting flexibility and including a ``good faith'' standard. They
also urged the Department to narrow the definition of health care
operations and require that de-identified information be used where
possible for health care operations.
    Finally, a few commenters continued to assert that consent should
be strengthened by applying it to more covered entities, requiring it
to be obtained more frequently, or prohibiting the conditioning of
treatment on the obtaining of consent.
    Final Modifications. The Department continues to be concerned by
the multitude of comments and examples demonstrating that the consent
requirements would result in unintended consequences that would impede
the provision of health care in many critical circumstances. We are
also concerned that other such unintended consequences may exist which
have yet to be brought to our attention. The Department would not have
been able to address consent issues arising after publication of this
Rule until at least a year had passed from this Rule's publication date
due to statutory limitations on the timing of modifications. The
Department believes in strong privacy protections for individually
identifiable health information, but does not want to compromise timely
access to quality health care. The Department also understands that the
opportunity to discuss privacy practices and concerns is an important
component of privacy, and that the confidential relationship between a
patient and a health care provider includes the patient's ability to be
involved in discussions and decisions related to the use and disclosure
of protected health information about him or her.
    A review of the comments showed that almost all of the commenters
that discussed consent acknowledged that there are unintended
consequences of the consent requirement that would interfere with
treatment. These comments point toward two potential approaches to
fixing these problems. The Department could address these problems by
adopting a single solution that would address most or all of the
concerns, or could address these problems by adopting changes targeted
to each specific problem that was brought to the attention of the
Department. One of the goals in making changes to the Privacy Rule is
to simplify, rather than add complexity to, the Rule. Another goal is
to assure that the Privacy Rule does not hamper necessary treatment.
For both of these reasons, the Department is concerned about adopting
different changes for different issues related to consent and
regulating to address specific examples that have been brought to its
attention. Therefore, the options that the Department most seriously
considered were those that would provide a global fix to the consent
problems. Some commenters provided global options other than the
proposed approach. However, none of these would have resolved the
operational problems created by a mandatory consent.
    The Department also reviewed State laws to understand how they
approached uses and disclosures of health information for treatment,
payment, or health care operations purposes. Of note was the California
Confidentiality of Medical Information Act. Cal. Civ. Code Sec. 56.
This law permits health care providers and health plans to disclose
health information for treatment, payment, and certain types of health
care operations purposes without obtaining consent of the individual.
The California HealthCare Foundation conducted a medical privacy and
confidentiality survey in January 1999 that addressed consumer views on
confidentiality of medical records. The results showed that, despite
the California law that permitted disclosures of health information
without an individual's consent, consumers in California did not have
greater concerns about confidentiality than other health care
consumers. This is true with respect to trust of providers and health
plans to keep health information private and confidential and the level
of access to health information that providers and health plans have.

[[Page 53211]]

    The Department adopts the approach that was proposed in the NPRM,
because it is the only one that resolves the operational problems that
have been identified in a simple and uniform manner. First, this Rule
strengthens the notice requirements to preserve the opportunity for
individuals to discuss privacy practices and concerns with providers.
(See section III.H. of the preamble for the related discussion of
modifications to strengthen the notice requirements.) Second, the final
Rule makes the obtaining of consent to use and disclose protected
health information for treatment, payment, or health care operations
optional on the part of all covered entities, including providers with
direct treatment relationships. A health care provider that has a
direct treatment relationship with an individual is not required by the
Privacy Rule to obtain an individual's consent prior to using and
disclosing information about him or her for treatment, payment, and
health care operations. They, like other covered entities, have
regulatory permission for such uses and disclosures. The fact that
there is a State law that has been using a similar model for years
provides us confidence that this is a workable approach.
    Other rights provided by the Rule are not affected by this
modification. Although covered entities will not be required to obtain
an individual's consent, any uses or disclosures of protected health
information for treatment, payment, or health care operations must
still be consistent with the covered entity's notice of privacy
practices. Also, the removal of the consent requirement applies only to
consent for treatment, payment, and health care operations; it does not
alter the requirement to obtain an authorization under Sec. 164.508 for
uses and disclosures of protected health information not otherwise
permitted by the Privacy Rule or any other requirements for the use or
disclosure of protected health information. The Department intends to
enforce strictly the requirement for obtaining an individual's
authorization, in accordance with Sec. 164.508, for uses and disclosure
of protected health information for purposes not otherwise permitted or
required by the Privacy Rule. Furthermore, individuals retain the right
to request restrictions, in accordance with Sec. 164.522(a). This
allows individuals and covered entities to enter into agreements to
restrict uses and disclosures of protected health information for
treatment, payment, and health care operations that are enforceable
under the Privacy Rule.
    Although consent for use and disclosure of protected health
information for treatment, payment, and health care operations is no
longer mandated, this Final Rule allows covered entities to have a
consent process if they wish to do so. The Department heard from many
commenters that obtaining consent was an integral part of the ethical
and other practice standards for many health care professionals. It,
therefore, does not prohibit covered entities from obtaining consent.
    This final Rule allows covered entities that choose to have a
consent process complete discretion in designing that process. Prior
comments have informed the Department that one consent process and one
set of principles will likely be unworkable. Covered entities that
choose to obtain consent may rely on industry practices to design a
voluntary consent process that works best for their practice area and
consumers, but they are not required to do so.
    This final Rule effectuates these changes in the same manner as
proposed by the NPRM. The consent provisions in Sec. 164.506 are
replaced with a new provision at Sec. 164.506(a) that provides
regulatory permission for covered entities to use or disclose protected
health information for treatment, payment, and health care operations.
A new provision is added at Sec. 164.506(b) that permits covered
entities to obtain consent if they choose to, and makes clear any such
consent process does not override or alter the authorization
requirements in Sec. 164.508. Section 164.506(b) includes a small
change from the proposed version to make it clearer that authorizations
are still required by referring directly to authorizations under
Sec. 164.508.
    Additionally, this final Rule includes a number of conforming
modifications, identical to those proposed in the NPRM, to accommodate
the new approach. The most substantive corresponding changes are at
Secs. 164.502 and 164.532. Section 164.502(a)(1) provides a list of the
permissible uses and disclosures of protected health information, and
refers to the corresponding section of the Privacy Rule for the
detailed requirements. The provisions at Secs. 164.502(a)(1)(ii) and
(iii) that address uses and disclosures of protected health information
for treatment, payment, and health care operations are collapsed into a
single provision, and the language is modified to eliminate the consent
requirement.
    The references in Sec. 164.532 to Sec. 164.506 and to consent,
authorization, or other express legal permission obtained for uses and
disclosures of protected health information for treatment, payment, and
health care operations prior to the compliance date of the Privacy Rule
are deleted. The proposal to permit a covered entity to use or disclose
protected health information for these purposes without consent or
authorization would apply to any protected health information held by a
covered entity whether created or received before or after the
compliance date. Therefore, transition provisions are not necessary.
    This final Rule also includes conforming changes to the definition
of ``more stringent'' in Sec. 160.202; the text of
Sec. 164.500(b)(1)(v), Secs. 164.508(a)(2)(i) and (b)(3)(i), and
Sec. 164.520(b)(1)(ii)(B); the introductory text of Secs. 164.510 and
164.512, and the title of Sec. 164.512 to eliminate references to
required consent.

Response to Other Public Comments

    Comment: There were three categories of commenters with respect to
the Rule's general approach to consent--those that supported the changes
proposed in the NPRM provisions, those that requested targeted changes
to the consent requirement, and those that requested that the consent
requirement be strengthened.
    Many commenters supported the NPRM approach to consent, making
consent to use or disclose protected health information for treatment,
payment, and health care operations voluntary for all covered entities.
These commenters said that this approach provided flexibility for
covered entities to address consent in a way that is consistent with
their practices. These commenters also stated that the NPRM approach
assured that the Privacy Rule would not interfere with or delay
necessary treatment.
    Those that advocated retaining a consent requirement stated that
the NPRM approach would undermine trust in the health care system and
that requiring consent before using or disclosing protected health
information shows respect for the patient's autonomy, underscores the
need to inform the patient of the risks and benefits of sharing
protected health information, and makes it possible for the patient to
make an informed decision. Many of these commenters suggested that the
consent requirement be retained and that the problems raised by consent
be addressed through targeted changes or guidance for each issue.
    Some suggestions targeted to specific problems were: (1) Fix the
problems

[[Page 53212]]

related to filling prescriptions by treating pharmacists as providers
with indirect treatment relationships or by deeming a prescription to
serve as an implied consent; and (2) allow certain uses and disclosures
prior to first patient encounter. Some of these commenters argued that
certain issues could be addressed through guidance on other provisions
in the Rule, rather than a change in the regulation. For example, they
suggested that guidance could explain that physicians who take phone
calls for one another are part of an organized health care arrangement,
or could provide technical assistance about revocations on consent by
identifying when a covered entity has taken action in reliance on a
consent.
    Other suggestions were more general. They included suggestions that
the Department: (1) Substitute a good faith effort requirement for the
current provisions; (2) provide regulatory permission for certain uses
and disclosures of protected health information prior to first service
delivery; (3) permit oral consent with documentation; (4) retain a
consent requirement for disclosures, but not uses; (5) retain a consent
requirement for payment and operations, but not treatment uses and
disclosures; (6) allow individuals to opt out of the consent
requirement; (7) allow the consent to apply to activities of referred-
to providers, and (8) retain the consent requirement but add
flexibility, not exceptions.
    The third group of commenters requested that the consent
requirement be strengthened. Some requested that the Privacy Rule not
permit conditioning of treatment or enrollment on consent for multiple
uses and disclosures. Others requested that the consent requirement be
extended to covered entities other than providers with direct treatment
relationships, such as health plans. Some commenters also asked that
the consent be time-limited or be required more frequently, such as at
each service delivery.
    Response: The Department recognizes that there are some benefits to
the consent requirement and has considered all options to preserve the
consent requirement while fixing the problems it raises. After
examining each of these options, we do not believe that any would
address all of the issues that were brought to the Department's
attention during the comment process or would be the best approach for
regulating this area. For example, the suggestion to treat pharmacists
as indirect treatment providers would not be consistent with the
current regulatory definition of that term and would not have addressed
other referral situations. This approach was also rejected by some
pharmacists who view themselves as providing treatment directly to
individuals. The suggestion to allow certain uses and disclosures prior
to first patient encounter would not address concerns of tracking
consents, use of historical data for quality purposes, or the concerns
of emergency treatment providers.
    The Department desired a global approach to resolving the problems
raised by the prior consent requirement, so as not to add additional
complexity to the Privacy Rule or apply different standards to
different types of direct treatment providers. This approach is
consistent with the basic goal of the Rule to provide flexibility as
necessary for the standards to work for all sectors of the health care
industry.
    More global approaches suggested were carefully considered, but
each had some flaw or failed to address all of the treatment-related
concerns brought to our attention. For example, those who suggested
that the Rule be modified to require a good faith effort to obtain
consent at first service delivery failed to explain how that approach
would provide more protection than the approach we proposed. The
Department also decided against eliminating the consent requirement
only for uses and disclosures for treatment, or only for uses of
protected health information but not for disclosures, because these
options fall short of addressing all of the problems raised. Scheduling
appointments and surgeries, and conducting many pre-admission
activities, are health care operations activities, not treatment.
Retaining the consent requirement for payment would be problematic
because, in cases where a provider, such as a pharmacist or hospital,
engages in a payment activity prior to face-to-face contact with the
individual, it would prohibit the provider from contacting insurance
companies to obtain pre-certification or to verify coverage.
    Similarly, the suggestion to limit the prior consent requirement to
disclosures and not to uses would not have addressed all of the
problems raised by the consent requirements. Many of the basic
activities that occur before the initial face-to-face meeting between a
provider and an individual involve disclosures as well as uses. Like
the previous approach, this approach also would prohibit pharmacists
and hospitals from contacting insurance companies to obtain pre-
certification or verify coverage if they did not have the individual's
prior consent to disclose the protected health information for payment.
It also would prohibit a provider from contacting another provider to
ask questions about the medical record and discuss the patient's
condition, because this would be a disclosure and would require
consent.
    There was a substantial amount of support from commenters for the
approach taken in the NPRM. The Department continues to believe that
this approach makes the most sense and meets the goals of not
interfering with access to quality health care and of providing a
single standard that works for the entire health care industry.
Therefore, the Department has adopted the approach proposed in the
NPRM.
    Comment: Some commenters asserted that eliminating the consent
requirement would be a departure from current medical ethical standards
that protect patient confidentiality and common law and State law
remedies for breach of confidentiality that generally require or
support patient consent prior to disclosing patient information for any
reason. Another commenter was concerned that the removal of the consent
requirement from the Privacy Rule will become the de facto industry
standard and supplant professional ethical duties to obtain consent for
the use of protected health information.
    Response: The Privacy Rule provides a floor of privacy protection.
State laws that are more stringent remain in force. In order not to
interfere with such laws and ethical standards, this Rule permits
covered entities to obtain consent. The Privacy Rule is also not intended
to serve as a ``best practices'' standard. Thus, professional standards
that are more protective of privacy retain their vitality.
    Comment: Some commenters requested that, if the Department adopts
the NPRM approach to eliminate the consent requirement for uses and
disclosures of protected health information for treatment, payment, or
health care operations, the definition of ``health care operations''
should also be narrowed to protect individual expectations of privacy.
    Response: We disagree. As stated in the preamble to the December
2000 Privacy Rule, the Department believes that narrowing the
definition of ``health care operations'' will place serious burdens on
covered entities and impair their ability to conduct legitimate
business and management functions.
    Comment: Some commenters requested that the regulation text state
more specifically that a voluntary consent cannot substitute for an
authorization when an authorization is otherwise required under the
Privacy Rule.

[[Page 53213]]

    Response: The Department agrees and modifies the regulation text,
at Sec. 164.506(b)(2), to make this clear. As stated in the preamble to
the NPRM, the Department intends to enforce strictly the requirement
for obtaining an individual's authorization, in accordance with
Sec. 164.508, for uses and disclosures of protected health information
for purposes not otherwise permitted or required by the Privacy Rule. A
consent obtained voluntarily would not be sufficient to permit a use or
disclosure which, under the Privacy Rule, requires an authorization or
is otherwise expressly conditioned under the Rule. For example, a
consent under Sec. 164.506 could not be obtained in lieu of an
authorization required by Sec. 164.508 or a waiver of authorization by
an IRB or Privacy Board under Sec. 164.512(i) to disclose protected
health information for research purposes.
    Comment: Some commenters requested that, if the Department decides
to allow consent on a voluntary basis, the Privacy Rule include
requirements for those covered entities that voluntarily choose to
obtain consents.
    Response: The goal of the NPRM approach was to enhance flexibility
for covered entities by allowing them to design a consent process that
best matches their needs. The Department learned over the past year
that no single consent process works for all covered entities. In
addition, the Department wants to encourage covered entities to adopt a
consent process, and is concerned that by prescribing particular rules,
it would discourage some covered entities from doing so.
    Comment: Some commenters asserted that the consent requirement
provides individuals with control because providers may not opt to
withhold treatment if a patient refuses consent only for the use or
disclosure of protected health information for health care operations.
    Response: These commenters may not fully understand the consent
requirement in the December 2000 Rule. That requirement did not allow
separate consents for use of protected health information for
treatment, payment, and health care operations. The only way to allow
use of protected health information for treatment but not for health
care operations purposes would have been to invoke the right to request
restrictions (Sec. 164.522(a)); the provider could agree or not agree
to restrict use and disclosure of protected health information for
health care operations. That is also how the Rule will work with these
modifications. The Department is not modifying the right to request
restrictions.
    Comment: Some commenters were confused about the relationship
between the proposed changes to the consent provisions and State law.
Some were concerned that the Privacy Rule would override State consent
laws which provide stronger protections for medical and
psychotherapeutic privacy.
    Response: The Privacy Rule does not weaken the operation of State
laws that require consent to use or disclose health information. The
Privacy Rule permits a covered entity to obtain consent to use or
disclose health information, and, therefore, presents no barrier to the
entity's ability to comply with State law requirements.
    Comment: One commenter suggested that the consent requirement be
retained to protect victims of domestic violence.
    Response: The Department understands the concerns that the Privacy
Rule not endanger victims of domestic violence, but we do not believe
that eliminating the consent requirement will do so. The Department
believes that the provisions that provide real protections to victims
of domestic violence in how information is used or disclosed for
treatment, payment, and health care operations, are provisions that
allow an individual to object to disclosure of directory information
and of protected health information to family members or friends
involved in the individual's care (see Sec. 164.510), that provide an
individual the right to request restrictions (see Sec. 164.522(a)), and
that grant an individual the right to request confidential
communications (see Sec. 164.522(b)). These provisions are not affected
by the changes in this final Rule.
    Comment: One commenter asserted that written consent represents a
signed agreement between the provider and patient regarding the manner
in which covered entities will use and disclose health information in
the future, and that the removal of this requirement would shift
``ownership'' of records from patients to doctors and corporate
entities.
    Response: The Department disagrees with this position. Our research
indicates that a signed consent form is most typically treated as a
waiver of rights by a patient and not as a binding agreement between a
provider and a patient. Further, many States have laws assigning the
ownership of records, apart from any consent requirements. The Privacy
Rule does not address, and is not intended to affect, existing laws
governing the ownership of health records.
    Comment: A few commenters claimed that the signed notice of a
provider's privacy policy is meaningless if the individual has no right
to withhold consent and the NPRM approach would reinforce the fact that
individuals have no say in how their health information is used or
disclosed.
    Response: The Department disagrees. The individual's options under
the consent requirement established by the Privacy Rule published in
December 2000 and the voluntary consent and strengthened notice
provisions adopted by this Rule are the same. Under the previous Rule,
a patient who disagreed with the covered entity's information practices
as stated in the notice could withhold consent and not receive
treatment, or could sign the consent form and obtain treatment despite
concerns about the information practices. The patient could request
that the provider restrict the use and/or disclosure of the
information. Under the Rule as modified, a patient who disagrees with
the covered entity's information practices as stated in the notice can
choose not to receive treatment from that provider, or can obtain
treatment despite concerns about the information practices. The patient
can request that the provider restrict the use and/or disclosure of the
information. The result, for the patient, is the same.
    Comment: One commenter requested clarification with respect to the
effect of a revocation of voluntary consent and whether agreed-to
restrictions must be honored.
    Response: The final Rule is silent as to how a covered entity
handles the revocation of a voluntary consent under Sec. 164.506(b)(1).
The Rule provides the covered entity that chooses to adopt a consent
process discretion to design the process that works for that entity.
    The change to the consent provision in the Privacy Rule does not
affect the right of an individual under Sec. 164.522(a) to request
restrictions to a use or disclosure of protected health information.
While a covered entity is not required to agree to such restrictions,
it must act in accordance with any restriction it does agree to.
Failure of a covered entity to act in accordance with an agreed-to
restriction is a violation of the Rule.
    Comment: Commenters asked the Department to rename consent to
``consent for information use'' to reduce confusion with consent for
treatment.
    Response: In order to clear up confusion between informed consent
for treatment, which is addressed by State law, and consent to use or
disclose protected health information under the

[[Page 53214]]

Privacy Rule, we changed the title of Sec. 164.506(b) from ``Consent
permitted'' to ``Consent for uses and disclosures of information
permitted.'' The Privacy Rule does not affect informed consent for
treatment.
    Comment: A few commenters requested that the Department modify the
regulation to state that de-identified information should be used for
health care operations where possible.
    Response: The Department continues to encourage covered entities to
use de-identified information wherever possible. As the Department has
made this position clear in the preambles to both the December 2000
Privacy Rule and the March 2002 NPRM, as well as in this preamble, we
do not believe that it is necessary to modify the regulation to include
such language. Further, the minimum necessary requirements, under
Secs. 164.502(b)(2) and 164.514(d), already require a covered entity to
make reasonable efforts to limit protected health information used for
health care operations and other purposes to the minimum necessary to
accomplish the intended purpose, which may, in some cases, be de-
identified information.
    Comment: One commenter requested that the Privacy Rule state that
consent is not required for provider-to-provider communications.
    Response: Prior to these final modifications, the consent
requirements of the Privacy Rule would have required a provider to
obtain written consent to disclose protected health information to
another provider for treatment purposes--which could have interfered
with an individual's ability to obtain timely access to quality care.
This is one reason the Department has eliminated the consent
requirement for treatment, payment, and health care operations.
Providers will not need a patient's consent to consult with other
providers about the treatment of a patient. However, if a provider is
disclosing protected health information to another provider for
purposes other than treatment, payment, or health care operations, an
authorization may be required under Sec. 164.508 (e.g., generally,
disclosures for clinical trials would require an authorization).
    Comment: One commenter asserted that, without a consent
requirement, nothing will stop a health plan from demanding a patient's
mental health records as a condition of payment for physical therapy.
    Response: The Department does not agree that the former consent
requirement is the relevant standard with respect to the activities of
the health plan that concern the commenter. Rather, the Transactions
Rule and the minimum necessary standard of the Privacy Rule prescribe
and limit the health information that may be disclosed as part of
payment transactions between health plans and health care providers.
Although a health plan may request additional information to process a
specific claim, in addition to the required and situational elements
under the Transactions Rule, the request must comply with the Privacy
Rule's minimum necessary requirements. In this example, the health plan
can only request mental health records if they are reasonably necessary
for the plan to process the physical therapy claim.
2. Disclosures for Treatment, Payment, or Health Care Operations of
Another Entity
    December 2000 Privacy Rule. The Privacy Rule permits a covered
entity to use and disclose protected health information for treatment,
payment, or health care operations. For treatment purposes, the Rule
generally allows protected health information to be shared without
restriction. The definition of ``treatment'' incorporates the necessary
interaction of more than one entity. In particular, the definition of
``treatment'' includes the coordination and management of health care
among health care providers or by a health care provider with a third
party, consultations between health care providers, and referrals of a
patient for health care from one health care provider to another. As a
result, covered entities are permitted to disclose protected health
information for treatment purposes regardless of to whom the disclosure
is made, as well as to disclose protected health information for the
treatment activities of another health care provider.
    However, for payment and health care operations, the Privacy Rule,
as published in December 2000, generally limited a covered entity's
uses and disclosures of protected health information to those that were
necessary for its own payment and health care operations activities.
This limitation was explicitly stated in the December 2000 preamble
discussions of the definitions of ``payment'' and ``health care
operations.'' 65 FR 82490, 82495. The Privacy Rule also provided that a
covered entity must obtain authorization to disclose protected health
information for the payment or health care operations of another
entity. The Department intended these requirements to be consistent
with individuals' privacy expectations. See 45 CFR 164.506(a)(5) and
164.508(e).
    March 2002 NPRM. Since the publication of the December 2000 Rule, a
number of commenters raised specific concerns with the restriction that
a covered entity may not disclose protected health information for
another entity's payment and health care operations activities, absent
an authorization. These commenters presented a number of examples where
such a restriction would impede the ability of certain entities to
obtain reimbursement for health care, to conduct certain quality
assurance or improvement activities, such as accreditation, or to
monitor fraud and abuse.
    With regard to payment, for example, the Department heard concerns
of ambulance service providers who explained that they normally receive
the information they need to obtain payment for their treatment
services from the hospital emergency departments to which they
transport their patients. They explained that it is usually not
possible for the ambulance service provider to obtain such information
directly from the individual, nor is it always practicable or feasible
for the hospital to obtain the individual's authorization to provide
payment information to the ambulance service provider. This disclosure
of protected health information from the hospital to the ambulance
service provider was not permitted under the December 2000 Privacy Rule
without an authorization from the patient, because it was a disclosure
by the hospital for the payment activities of the ambulance service
provider.
    Commenters also were concerned about situations in which covered
entities outsource their billing, claims, and reimbursement functions
to accounts receivable management companies. These collectors often
attempt to recover payments from a patient on behalf of multiple health
care providers. Commenters were concerned that the Privacy Rule would
prevent these collectors, as business associates of multiple providers,
from using a patient's demographic information received from one
provider to facilitate collection for another provider's payment.
    With regard to health care operations, the Department also received
comments about the difficulty that the Privacy Rule would place on
health plans trying to obtain information needed for quality assessment
activities. Health plans informed the Department that they need to
obtain individually identifiable health information from health care
providers for the plans' quality-related activities, accreditation, and
performance measures, such as Health Plan Employer Data and Information
Set

[[Page 53215]]

(HEDIS). Commenters explained that the information provided to plans
for payment purposes (e.g., claims or encounter information) may not be
sufficient for quality assessment or accreditation purposes.
    The NCVHS, in response to public testimony on this issue at its
August 2001 hearing, also recommended that the Department amend the
Privacy Rule to allow for uses and disclosures for quality-related
activities among covered entities, without the individual's written
authorization.
    Based on these concerns, the Department proposed to modify
Sec. 164.506 to permit a covered entity to disclose protected health
information for the payment activities of another covered entity or any
health care provider, and also for certain types of health care
operations of another covered entity. The proposal would broaden the
uses and disclosures that are permitted without authorization as part
of treatment, payment, and health care operations so as not to
interfere inappropriately with access to quality and effective health
care, while limiting this expansion in order to continue to protect the
privacy expectations of the individual.
    Specifically, the Department proposed the following. First, the
Department proposed to add to Sec. 164.506(c)(1) language stating that
a covered entity may use or disclose protected health information for
its own treatment, payment, or health care operations without prior
permission.
    Second, the Department proposed to include language in
Sec. 164.506(c)(2) to clarify its intent that a covered entity may
share protected health information for the treatment activities of
another health care provider. For example, a primary care provider who
is a covered entity under the Privacy Rule may send a copy of an
individual's medical record to a specialist who needs the information
to treat the same individual, whether or not that specialist is also a
covered entity. No authorization would be required.
    Third, the Department proposed to include language in
Sec. 164.506(c)(3) to permit a covered entity to disclose protected
health information to another covered entity or any health care
provider for the payment activities of that entity. The Department
recognized that not all health care providers who need protected health
information to obtain payment are covered entities, and, therefore,
proposed to allow disclosures of protected health information to both
covered and non-covered health care providers. In addition, the
Department proposed a conforming change to delete the word ``covered''
in paragraph (1)(ii) of the definition of ``payment,'' to permit
disclosures to non-covered providers for their payment activities.
    The Department also proposed to limit disclosures under this
provision to those health plans that are covered by the Privacy Rule.
However, the Department solicited comment on whether plans that are not
covered by the Privacy Rule would be able to obtain the protected
health information that they need for payment purposes.
    Fourth, in Sec. 164.506(c)(4), the Department proposed to permit a
covered entity to disclose protected health information about an
individual to another covered entity for specified health care
operations purposes of the covered entity that receives the
information, provided that both entities have a relationship with the
individual. This proposed expansion was limited in a number of ways.
The proposal would permit such disclosures only for the activities
described in paragraphs (1) and (2) of the definition of ``health care
operations,'' as well as for health care fraud and abuse detection and
compliance programs (as provided for in paragraph (4) of the definition
of ``health care operations''). The activities that fall into
paragraphs (1) and (2) of the definition of ``health care operations''
include quality assessment and improvement activities, population-based
activities relating to improving health or reducing health care costs,
case management, conducting training programs, and accreditation,
certification, licensing, or credentialing activities. The Department
proposed this limitation because it recognized that ``health care
operations'' is a broad term and that individuals are less aware of the
business-related activities that are part of health care operations
than they are of treatment- or payment-related activities. In addition,
many commenters and the NCVHS focused their comments on covered
entities' needs to share protected health information for quality-
related health care operations activities. The proposed provision was
intended to allow information to flow from one covered entity to
another for activities important to providing quality and effective
health care.
    The proposal would have applied only to disclosures of protected
health information to other covered entities. By limiting such
disclosures to those entities that are required to comply with the
Privacy Rule, the Department intended to ensure that the protected
health information remained protected. The Department believed that
this would create the appropriate balance between meeting an
individual's privacy expectations and meeting a covered entity's need
for information for quality-related health care operations.
    Further, such disclosures would be permitted only to the extent
that each entity has, or had, a relationship with the individual who is
the subject of the information being disclosed. Where the relationship
between the individual and the covered entity has ended, a disclosure
of protected health information about the individual would be allowed
only if related to the past relationship. The Department believed that
this limitation would be necessary in order to further protect the
privacy expectations of the individual.
    The proposal made clear that these provisions would not eliminate a
covered entity's responsibility to apply the Privacy Rule's minimum
necessary provisions to both the disclosure of and request for
protected health information for payment and health care operations
purposes. In addition, the proposal strongly encouraged the use of de-
identified information, wherever feasible.
    While the Department stated that it believed it had struck the
right balance with respect to the proposed modification for disclosures
for health care operations, the Department was aware that the proposal
could pose barriers to disclosures for quality-related health care
operations to health plans and health care providers that are not
covered entities, or to entities that do not have a relationship with
the individual. Therefore, the preamble referred commenters to the
Department's request for comment on an approach that would permit for
any health care operations purposes the disclosure of protected health
information that does not contain direct identifiers, subject to a data
use or similar agreement.
    In addition, related to the above modifications and in response to
comments evidencing confusion on this matter, the Department also
proposed to clarify that covered entities participating in an organized
health care arrangement (OHCA) may share protected health information
for the health care operations of the OHCA (Sec. 164.506(c)(5)). The
Department also proposed to remove the language regarding OHCAs from
the definition of ``health care operations'' as unnecessary because
such language now would appear in Sec. 164.506(c)(5).
    Overview of Public Comments. The following discussion provides an
overview of the public comment received on this proposal. Additional

[[Page 53216]]

comments received on this issue are discussed below in the section
entitled, ``Response to Other Public Comments.''
    The Department received a number of comments on its proposal to
permit a covered entity to disclose protected health information for
the payment and health care operations activities of other entities.
    Most of the commenters who addressed the Department's proposed
clarification regarding treatment expressed support for the
clarification. Also, the majority of commenters supported, either
wholly or in part, the Department's proposal to expand the payment and
health care operations disclosures that would be permitted.
    Most commenters generally were supportive of the Department's
proposed approach regarding disclosures for payment. A number of
commenters stated that the proposed expansion is important to
facilitate coordination of benefits for many patients who have multiple
sources of payment for prescription drugs. One commenter, however,
requested that the Department narrow its proposed language to address
only those problems specifically described in the preamble, that is,
payment issues faced by ambulance providers and collection agencies
that are business associates of multiple health care providers. This
commenter stated that, at the very least, covered entities should be
required to obtain assurances from non-covered providers, prior to
disclosure of protected health information, that the recipient will not
use protected health information for any other purpose or disclose it
to others. Another commenter remarked that the proposal to limit
disclosures only to another covered entity or any health care provider
may impede disclosures to reinsurers that are not covered entities.
    While most commenters supported expanding disclosures for health
care operations, many requested that the Department modify the proposal
in a number of ways. For example, a number of health plans and others
requested that the Department eliminate the condition that both covered
entities have a relationship with the individual. Some of these
commenters explained that such a restriction would impede some fraud
and abuse activities, credentialing investigations, and quality
assurance research and outcome studies. Some commenters asked that the
Department clarify that the condition that both covered entities have a
relationship with the individual would not be limited to a current
relationship, but also would include a past relationship with the
individual.
    In addition, many commenters requested that the Department expand
the proposed provision to allow for disclosures for any type of health
care operation of another covered entity, or at least additional
activities beyond those specified in the proposal. Some health plans
commented that they may need information from a health care provider in
order for the health plan to resolve member or internal grievances,
provide customer service, arrange for legal services, or conduct
medical review or auditing activities. A number of commenters requested
that the proposal be expanded to allow for disclosures for another
covered entity's underwriting or premium rating.
    Some commenters also requested that the Department expand the
provision to allow for disclosures to non-covered entities. In
particular, a number of these commenters urged that the Department
allow disclosures to non-covered insurers for fraud and abuse purposes.
Some of these commenters specifically requested that the Department
allow for disclosures to affiliated entities or non-health care
components of the covered entity for purposes of investigating fraud
and abuse. A few commenters requested that the Rule allow for
disclosures to a non-covered health care provider for that provider's
operations. For example, it was explained that an independent emergency
services provider, who is not a covered entity and who often asks for
outcome information on patients it has treated and transported to a
facility because it wants to improve care, would be unable to obtain
such information absent the individual's authorization.
    Some commenters were generally opposed to the proposed expansion of
the disclosures permitted under the Rule for health care operations
purposes, viewing the proposal as a weakening of the Privacy Rule. One
of these commenters urged the Department to implement a targeted
solution allowing disclosures for only those activities specifically
identified as problematic in the preamble, instead of allowing
disclosures for all activities that fall within certain paragraphs
within the definition of ``health care operations.''
    Final Modifications. In this final Rule, the Department adopts its
proposal to allow covered entities to disclose protected health
information for the treatment, payment, and certain health care
operations purposes of another entity. Specifically, the final Rule at
Sec. 164.506(c):
    (1) States that a covered entity may use or disclose protected
health information for its own treatment, payment, or health care
operations.
    (2) Clarifies that a covered entity may use or disclose protected
health information for the treatment activities of any health care
provider.
    (3) Permits a covered entity to disclose protected health
information to another covered entity or any health care provider for
the payment activities of the entity that receives the information.
    (4) Permits a covered entity to disclose protected health
information to another covered entity for the health care operations
activities of the entity that receives the information, if each entity
either has or had a relationship with the individual who is the subject
of the information, the protected health information pertains to such
relationship, and the disclosure is:
    (i) For a purpose listed in paragraphs (1) or (2) of the definition
of ``health care operations,'' which includes quality assessment and
improvement activities, population-based activities relating to
improving health or reducing health care costs, case management and
care coordination, conducting training programs, and accreditation,
licensing, or credentialing activities; or
    (ii) For the purpose of health care fraud and abuse detection or
compliance.
    (5) Clarifies that a covered entity that participates in an
organized health care arrangement may disclose protected health
information about an individual to another covered entity that
participates in the organized health care arrangement for any health
care operations activities of the organized health care arrangement.
    Based on the comments received, the Department believes that the
above provisions strike the appropriate balance between meeting an
individual's privacy expectations and meeting a covered entity's need
for information for reimbursement and quality purposes. The Department
also clarifies that disclosures pursuant to the above provisions may be
made to or by a business associate of a covered entity.
    In Sec. 164.506(c)(2), in response to a comment, the Department
deletes the word ``another'' before ``health care provider'' to
eliminate any implication that the disclosing entity must also be a
health care provider.
    With respect to payment, the majority of commenters were supportive
of the Department's proposal. In response to those commenters who
expressed support for the proposal because it would facilitate
coordination of benefits, the Department clarifies that the definition
of ``payment'' in the
Privacy Rule allows for uses and disclosures necessary for coordination
of benefits. The new language may, however, reinforce that uses and
disclosures for such purposes are permitted under the Rule.
    The Department does not believe, as suggested by one commenter,
that a targeted approach, one that would address only the problems
raised by the ambulance providers and collection agencies, is a
practical solution to these problems. The Department believes that
these problems may apply in other situations. For example, an indirect
treatment provider, such as a pathologist, may need to obtain health
coverage information about an individual for billing purposes from the
hospital to which the pathologist provided services. If the Department
addressed only these discrete scenarios in this final modification,
each additional similar problem that arises would require another
rulemaking, which would, in and of itself, create a problem because the
Department can change a standard only once per year. In addition, by
creating special rules to address multiple, distinct circumstances, the
Department would have created a substantially more complicated policy
for covered entities to follow and implement.
    The suggestion that the Department require a covered entity to
obtain assurances from non-covered providers, prior to disclosure of
protected health information for payment purposes, that the recipient
will not use protected health information for any other purpose or
disclose it to others, similarly would add a layer of complexity to
payment disclosures. Such a requirement would encumber these
communications and may interfere with the ability of non-covered health
care providers to be paid for treatment they have provided. Moreover,
the Privacy Rule requires a covered entity to apply the minimum
necessary standard to disclosures for a non-covered provider's payment
purposes. Thus, a non-covered provider will receive only the minimum
information reasonably necessary for such purposes. Accordingly, the
Department believes the final Rule appropriately and practically
addresses the issue.
    In response to the comment that the proposal may impede disclosures
to reinsurers who are not covered entities, the Department clarifies
that disclosures to obtain payment under a contract for reinsurance
explicitly are permitted as part of the definition of ``payment,''
regardless of whether the reinsurer is a covered entity. Similarly,
disclosures for the purposes of ceding, securing, or placing a contract
for reinsurance of risk relating to claims for health care are
explicitly permitted as part of the definition of ``health care
operations,'' also without regard to whether the reinsurer is a covered
entity. See the definitions of ``payment'' and ``health care
operations'' in Sec. 164.501.
    With respect to disclosures for the health care operations of
another covered entity, the Department continues to believe that the
condition that both entities have a relationship with the individual is
appropriate to balance an individual's privacy expectations with a
covered entity's need for the information. The Department clarifies
that a covered entity, prior to making a disclosure allowed under this
requirement, is permitted to communicate with another covered entity as
necessary to determine if this condition has been met. Additionally, in
response to comments, the Department adds language to
Sec. 164.506(c)(4) to make clear that the condition that both covered
entities have a relationship with the individual is not limited to a
current relationship. Where the relationship between the covered entity
and the individual has ended, a disclosure of protected health
information about the individual is permitted to the extent the
disclosure is related to the past relationship. For example, the final
Rule would permit a health care provider to disclose protected health
information to a health plan for HEDIS purposes, even if the individual
no longer was covered by the health plan, provided that the period for
which information is needed overlaps with the period for which the
individual was enrolled in the health plan.
    In response to commenters who were concerned that this condition
would impede certain health care operations activities where the
covered entity may not have a relationship with the individual, the
Department notes that the new limited data set provisions in
Sec. 164.514(e) are intended to provide a mechanism for disclosures of
protected health information for quality and other health care
operations where the covered entity requesting the information does not
have a relationship with the individual. Under those provisions, the
final modifications permit a covered entity to disclose protected
health information, with direct identifiers removed, for any health
care operations activities of the entity requesting the information,
subject to a data use agreement. Additionally, as clarified by
Sec. 164.506(c)(5), covered entities that participate in an OHCA may
share protected health information for the health care operations of
the OHCA, without the condition that each covered entity have a
relationship with the individual who is the subject of the information.
The Department believes that such provisions provide adequate avenues
for covered entities to obtain the information they need for health
care operations activities, without eliminating appropriate privacy
protections and conditions on such disclosures.
    The Department also was not persuaded by the comments that the
proposal should be broadened to allow disclosures for other types of
health care operations activities, such as resolution of internal
grievances, customer service, or medical review or auditing activities.
The Department believes that the provisions at Sec. 164.506(c)(5),
which permit covered entities that participate in an OHCA to share
information for any health care operations activities of the OHCA,
adequately provide for such disclosures. For example, a health plan
and the health care providers in its network that participate as part
of the same OHCA are permitted to share information for any of the
activities listed in the definition of ``health care operations.'' The
Department understands the need for entities participating in these
joint arrangements to have shared access to information for health care
operations purposes and intended the OHCA provisions to provide for
such access. Where such a joint arrangement does not exist and fully
identifiable health information is needed, one covered entity may
disclose protected health information for another covered entity's
health care operations pursuant to an individual's authorization as
required by Sec. 164.508. In addition, as described above, a covered
entity also may disclose protected health information as part of a
limited data set, with direct identifiers removed, for such purposes,
as permitted by Sec. 164.514(e).
    With respect to underwriting and premium rating, a few commenters
raised similar concerns that the Department's proposal to expand the
disclosures permitted under health care operations would not allow for
the disclosures between a health insurance issuer and a group health
plan, or the agent or broker as a business associate of the plan,
needed to perform functions related to supplementing or replacing
insurance coverage, such as to solicit bids from prospective issuers.
The Department clarifies that, if more than summary health information
is needed for this purpose, paragraphs (3), (4), and (5) of the
definition of ``organized health
care arrangement'' may permit the disclosure. These provisions define
the arrangements between group health plans and their health insurance
issuers or HMOs as OHCAs, which are permitted to share information for
each other's health care operations. Such disclosures also may be made
to a broker or agent that is a business associate of the health plan.
The Department clarifies that the OHCA provisions also permit the
sharing of protected health information between such entities even when
they no longer have a current relationship, that is, when a group
health plan needs protected health information from a former issuer.
The Department, therefore, does not believe that a broadening of the
provisions under Sec. 164.506(c)(4), to allow disclosures of protected
health information for other types of health care operations
activities, is warranted.
    The final Rule also adopts the condition proposed in the NPRM that
disclosures for these health care operations may be made only to
another covered entity. The Department continues to consider such a
condition necessary to appropriately balance an individual's privacy
interests with entities' needs for the information. The Department was
not convinced by the commenters who urged that this condition needed to
be eliminated to allow for disclosures to non-covered health care
providers or third parties. The Department believes that permitting
disclosures of protected health information to a non-covered provider
for that provider's treatment and payment purposes is warranted and
appropriate so as not to impede such core activities. However, given
that an individual's health information will no longer be protected
when it is disclosed to a non-covered provider, the Department does not
consider disclosures for a non-covered provider's health care
operations to warrant similar consideration under the Rule. Moreover,
this final Rule at Sec. 164.514(e) permits a covered entity to disclose
a limited data set, with direct identifiers removed, to a non-covered
provider for any of the provider's health care operations purposes,
without individual authorization.
    Also, the Department believes that expanding the provision to allow
disclosures to a third party for any of the third party's business
operations would severely weaken the Privacy Rule and essentially
negate the need for individual authorization. With respect to those
commenters who urged the Department to permit disclosures to non-health
care components of a hybrid entity or to an affiliated entity for the
purposes of investigating fraud and abuse, the Department's position is
that disclosures to a non-health care component within a hybrid entity
or to a non-covered affiliated entity present the same privacy risks as
do disclosures to a non-covered entity. The Privacy Rule, therefore,
permits such disclosures only to the same extent the disclosures are
permitted to a separate entity. This policy is further explained in
section III.C.1. regarding hybrid entities.
    Lastly, the Department believes that the final Rule does in fact
implement a targeted solution to the problems previously identified by
commenters, by allowing disclosures for only quality-related and fraud
and abuse activities. The Department does not believe further limiting
such disclosures to only certain activities within paragraphs (1) and
(2) of the definition of ``health care operations'' is practical or
appropriate. The Department is aware of the important role that these
quality-related activities play in ensuring that individuals have
access to quality health care. Covered entities have a legitimate need
for protected health information in order to conduct these quality
activities, regardless of whether such information is used for HEDIS
purposes or for training. Moreover, as described above, the final Rule
retains a number of conditions on such disclosures that serve to
protect an individual's privacy interests and expectations. In
addition, the Privacy Rule requires that the minimum necessary standard
be applied to both covered entities' requests for and disclosures of
protected health information for such purposes.

Response to Other Public Comments

    Comment: One commenter urged that the Department permit disclosures
among participants in an OHCA only when their privacy notices (or any
joint notice they issue) inform individuals of this possibility.
    Response: The Privacy Rule requires the joint notice of an OHCA to
reflect the fact that the notice covers more than one covered entity
and that, if applicable, the covered entities participating in the OHCA
will share protected health information with each other, as necessary
to carry out treatment, payment, or health care operations relating to
the OHCA. See Sec. 164.520(d). Where the participants of an OHCA choose
to have separate notices, such notices must reflect and describe in
sufficient detail the particular uses and disclosures that each covered
entity may make to place the individual on notice. This detail should
include disclosures to other members of an OHCA, where appropriate.
    Comment: Another commenter requested clarification as to whether a
covered entity (such as an HMO) is permitted to disclose protected
health information for payment and health care operations both to the
group health plan and to the plan's third party administrator or plan
sponsor. The commenter stated that it was not clear from the proposal
whether a covered entity could share protected health information
directly with another covered entity's business associate.
    Response: The Department clarifies that, if the Rule permits a
covered entity to share protected health information with another
covered entity, the covered entity is permitted to disclose protected
health information directly to a business associate acting on behalf of
that other covered entity. This is true with respect to all of the
Rule's provisions. Also, an HMO may disclose protected health
information to a group health plan, or a third party administrator that
is a business associate of the plan, because the relationship between
the HMO and the group health plan is defined as an OHCA for purposes of
the Rule. See Sec. 164.501, definition of ``organized health care
arrangement.'' The group health plan (or the HMO with respect to the
group health plan) may disclose protected health information to a plan
sponsor in accordance with Sec. 164.504(f).
    Comment: Several commenters requested that the Department expand
the definition of ``payment'' to include disclosures to a responsible
party. Additionally, these commenters urged that the Department permit
covered entities (and their business associates) to use and disclose
protected health information as permitted by other law, rather than
only as required by law. These commenters were concerned that the
Privacy Rule would impede the ability of first-party billing companies,
collection agencies, and accounts receivable management companies to
continue to bill and communicate, on behalf of a health care provider,
with the responsible party on an account when that person is different
from the individual to whom health care services were provided; report
outstanding receivables owed by the responsible party on an account to
a credit reporting agency; and perform collection litigation services.
    Response: The Department does not believe a modification to the
definition of ``payment'' is necessary. The Privacy Rule permits a
covered entity, or a business associate acting on behalf of a covered
entity (e.g., a collection agency),
to disclose protected health information as necessary to obtain payment
for health care, and does not limit to whom such a disclosure may be
made. See the definition of ``payment'' in Sec. 164.501. Therefore, a
collection agency, as a business associate of a covered entity, is
permitted to contact persons other than the individual to whom health
care is provided as necessary to obtain payment for such services.
    Regarding the commenters' concerns about collection or payment
activities otherwise permitted by law, the Department clarifies that
the Privacy Rule permits covered entities to use and disclose protected
health information as required by other law, or as permitted by other
law provided that such use or disclosure does not conflict with the
Privacy Rule. For example, the Privacy Rule permits a collection
agency, as a business associate of a covered health care provider, to
use and disclose protected health information as necessary to obtain
reimbursement for health care services, which could include disclosures
of certain protected health information to a credit reporting agency,
or as part of collection litigation. See the definition of ``payment''
in Sec. 164.501.
    The Department notes, however, that a covered entity, and its
business associate through its contract, is required to reasonably
limit the amount of information disclosed for such purposes to the
minimum necessary, where applicable, as well as abide by any reasonable
requests for confidential communications and any agreed-to restrictions
as required by the Privacy Rule.
    Comment: One commenter asked that the Department clarify that
disclosure by an eye doctor to confirm a contact prescription received
by a mail-order contact company is treatment.
    Response: The Department agrees that disclosure of protected health
information by an eye doctor to a distributor of contact lenses for the
purpose of confirming a contact lens prescription is treatment and is
permissible under Sec. 164.506. In relevant part, treatment is defined
by the Privacy Rule as ``the provision, coordination, or management of
health care and related services by one or more health care providers,
including the coordination or management of health care by a health
care provider with a third party * * *'' Health care is defined, in
part, as ``care, services, or supplies related to the health of an
individual. Health care includes * * * Sale or dispensing of a drug,
device, equipment, or other item in accordance with a prescription.''
Therefore, the dispensing of contact lenses based on a prescription is
health care and the disclosure of protected health information by a
provider to confirm a prescription falls within the provision,
coordination, or management of health care and related services and is
a treatment activity.

E. Uses and Disclosures for Which Authorization Is Required

1. Restructuring Authorization
    December 2000 Privacy Rule. The Privacy Rule requires individual
authorization for uses and disclosures of protected health information
for purposes that are not otherwise permitted or required under the
Rule. To ensure that authorizations are informed and voluntary, the
Rule prohibits, with limited exceptions, covered entities from
conditioning treatment, payment, or eligibility for benefits or
enrollment in a health plan, on obtaining an authorization. The Rule
also permits, with limited exceptions, individuals to revoke an
authorization at any time. Additionally, the Rule sets out core
elements that must be included in any authorization. These elements are
intended to provide individuals with the information they need to make
an informed decision about giving their authorization. This information
includes specific details about the use or disclosure, and provides the
individual fair notice about his or her rights with respect to the
authorization and the potential for the information to be redisclosed.
Additionally, the authorization must be written in plain language so
individuals can read and understand its contents. The Privacy Rule
required that authorizations provide individuals with additional
information for specific circumstances under the following three sets
of implementation specifications: In Sec. 164.508(d), for
authorizations requested by a covered entity for its own uses and
disclosures; in Sec. 164.508(e), for authorizations requested by a
covered entity for another entity to disclose protected health
information to the covered entity requesting the authorization to carry
out treatment, payment, or health care operations; and in
Sec. 164.508(f), for authorizations requested by a covered entity for
research that includes treatment of the individual.
    March 2002 NPRM. Various issues were raised regarding the
authorization requirements. Commenters claimed the authorization
provisions were too complex and confusing. They alleged that the
different sets of implementation specifications were not discrete,
creating the potential for the implementation specifications for
specific circumstances to conflict with the required core elements.
Some covered entities were confused about which authorization
requirements they should implement in any given circumstance. Also,
although the Department intended to permit insurers to obtain necessary
protected health information during contestability periods under State
law, the Rule did not provide an exception to the revocation provision
when other law provides an insurer the right to contest an insurance
policy.
    To address these issues, the Department proposed to simplify the
authorization provisions by consolidating the implementation
specifications into a single set of criteria under Sec. 164.508(c),
thus eliminating paragraphs (d), (e), and (f) which contained separate
implementation specifications. Under the proposal, paragraph (c)(1)
would require all authorizations to contain the following core
elements: (1) A description of the information to be used or disclosed,
(2) the identification of the persons or class of persons authorized to
make the use or disclosure of the protected health information, (3) the
identification of the persons or class of persons to whom the covered
entity is authorized to make the use or disclosure, (4) a description
of each purpose of the use or disclosure, (5) an expiration date or
event, (6) the individual's signature and date, and (7) if signed by a
personal representative, a description of his or her authority to act
for the individual. The proposal also included new language to clarify
that when individuals initiate an authorization for their own purposes,
the purpose may be described as ``at the request of the individual.''
    In the NPRM, the Department proposed that Sec. 164.508(c)(2)
require authorizations to contain the following required notifications:
(1) A statement that the individual may revoke the authorization in
writing, and either a statement regarding the right to revoke and
instructions on how to exercise such right or, to the extent this
information is included in the covered entity's notice, a reference to
the notice, (2) a statement that treatment, payment, enrollment, or
eligibility for benefits may not be conditioned on obtaining the
authorization if such conditioning is prohibited by the Privacy Rule,
or, if conditioning is permitted by the Privacy Rule, a statement about
the consequences of refusing to sign the authorization, and (3) a
statement about the potential for the protected health information to
be redisclosed by the recipient.
    Also under the proposal, covered entities would be required to
obtain an authorization to use or disclose protected health information
for marketing purposes, and to disclose in such authorizations any
direct or indirect remuneration the covered entity would receive from a
third party as a result of obtaining or disclosing the protected health
information. The other proposed changes regarding marketing are
discussed in section III.A.1. of the preamble.
    The NPRM proposed a new exception to the revocation provision at
Sec. 164.508(b)(5)(ii) for authorizations obtained as a condition of
obtaining insurance coverage when other law gives the insurer the right
to contest the policy. Additionally, the Department proposed that the
exception to permit conditioning payment of a claim on obtaining an
authorization be deleted, since the proposed provision to permit the
sharing of protected health information for the payment activities of
another covered entity or a health care provider would eliminate the
need for an authorization in such situations.
    Finally, the Department proposed modifications at
Sec. 164.508(a)(2)(i)(A), (B), and (C), to clarify its intent that the
proposed provisions for sharing protected health information for the
treatment, payment, or health care operations of another entity would
not apply to psychotherapy notes.
    There were a number of proposed modifications concerning
authorizations for research purposes. Those modifications are discussed
in section III.E.2. of the preamble.
    Overview of Public Comments. The following discussion provides an
overview of the public comment received on this proposal. Additional
comments received on this issue are discussed below in the section
entitled, ``Response to Other Public Comments.''
    There was overwhelming support for the proposed modifications.
Overall, supporters were of the opinion that the consolidation and
simplification would promote efficiency, simplify compliance, and
reduce confusion. Many commenters claimed the changes would eliminate
barriers to quality health care. Some commenters claimed the proposed
modifications would make the authorization process easier for both
providers and individuals, and one commenter said they would make
authorizations easier to read and understand. A number of commenters
stated the changes would not have adverse consequences for individuals,
and one commenter noted the proposal would preserve the opportunity for
individuals to give a meaningful authorization.
    However, some of the proponents suggested the Department go further
to ease the administrative burden of obtaining authorizations. Some
urged the Department to eliminate some of the required elements which
they perceived as unnecessary to protect privacy, while others
suggested that covered entities should decide which elements were
relevant in a given situation. Some commenters urged the Department to
retain the exception to the prohibition on conditioning payment of a
claim on obtaining an authorization. These commenters expressed fear
that the voluntary consent process and/or the right to request
restrictions on uses and disclosures for treatment, payment, or health
care operations might prevent covered entities from disclosing
protected health information needed for payment purposes, or providers
may be reluctant to cooperate in disclosures for payment purposes based
on inadequately drafted notices.
    Comments were divided on the proposed requirement to disclose
remuneration in marketing authorizations. Recommendations ranged from
requiring the disclosure of remuneration on all authorizations, to
eliminating the requirement altogether.
    Final Modifications. In the final modifications, the Department
adopts the changes proposed in the NPRM. Since the modifications to the
authorization provision are comprehensive, the Department is publishing
this section in its entirety so that it will be easier to use and
understand. Therefore, the preamble addresses all authorization
requirements, and not just those that were modified.
    In Sec. 164.508(a), covered entities are required to obtain an
authorization for uses and disclosures of protected health information,
unless the use or disclosure is required or otherwise permitted by the
Rule. Covered entities may use only authorizations that meet the
requirements of Sec. 164.508(b), and any such use or disclosure will be
lawful only to the extent it is consistent with the terms of such
authorization. Thus, a voluntary consent document will not constitute a
valid permission to use or disclose protected health information for a
purpose that requires an authorization under the Rule.
    Although the requirements regarding uses and disclosures of
psychotherapy notes are not changed substantively, the Department made
minor changes to the language in paragraph (a)(2) to clarify that a
covered entity may not use or disclose psychotherapy notes for purposes
of another covered entity's treatment, payment, or health care
operations without obtaining the individual's authorization. However,
covered entities may use and disclose psychotherapy notes, without
obtaining individual authorization, to carry out their own limited
treatment, payment, or health care operations as follows: (1) Use by
the originator of the notes for treatment, (2) use or disclosure for
the covered entity's own training programs for its mental health
professionals, students, and trainees, and (3) use or disclosure by the
covered entity to defend itself in a legal action or other proceeding
brought by the individual.
    Section 164.508(a)(3) requires covered entities to obtain an
authorization to use or disclose protected health information for
marketing purposes, with two exceptions. The authorization requirements
for marketing and the comments received on these provisions are
discussed in detail in section III.A.1. of the preamble.
    If the marketing involves any direct or indirect remuneration to
the covered entity from a third party, the authorization must state
that fact. The comments on this requirement also are discussed in
section III.A.1. of the preamble. However, a statement concerning
remuneration is not a required notification for other authorizations.
Such a statement was never required for all authorizations and the
Department believes it would be most meaningful for consumers on
authorizations for uses and disclosures of protected health information
for marketing purposes. Some commenters urged the Department to require
remuneration statements on research authorizations. The Department has
not done so because the complexity of such arrangements would make it
difficult to define what constitutes remuneration in the research
context. Moreover, to require covered entities to disclose remuneration
by a third party on authorizations for research would go beyond the
requirements imposed in the December 2000 Rule, which did not require
such a disclosure on authorizations obtained for the research of a
third party. The Department believes that concerns regarding financial
conflicts of interest that arise in research are not limited to privacy
concerns, but also are important to the objectivity of research and to
protecting human subjects from harm. Therefore, in the near future, the
Department plans to issue guidance for the research community on this
important topic.
    Pursuant to Sec. 164.508(b)(1), an authorization is not valid under
the Rule unless it contains all of the
required core elements and notification statements, which are discussed
below. Covered entities may include additional, non-required elements
so long as they are not inconsistent with the required elements and
statements. The language regarding defective authorizations in
Sec. 164.508(b)(2) is not changed substantively. However, some changes
are made to conform this paragraph to modifications to other parts of
the authorization provision, as well as other sections of the Rule. An
authorization is not valid if it contains any of the following defects:
(1) The expiration date has passed or the expiration event has
occurred, and the covered entity is aware of the fact, (2) any of the
required core elements or notification statements are omitted or
incomplete, (3) the authorization violates the specifications regarding
compounding or conditioning authorizations, or (4) the covered entity
knows that material information in the authorization is false.
    In Sec. 164.508(b)(3) regarding compound authorizations, the
requirements for authorizations for purposes other than research are
not changed. That is, authorizations for use or disclosure of
psychotherapy notes may be combined only with another authorization for
the use or disclosure of psychotherapy notes. Other authorizations may
be combined, unless a covered entity has conditioned the provision of
treatment, payment, enrollment in a health plan, or eligibility for
benefits on one of the authorizations. A covered entity generally may
not combine an authorization with any other type of document, such as a
notice of privacy practices or a written voluntary consent. However,
there are exceptions for research authorizations, which are discussed
in section III.E.2. of the preamble.
    Section 164.508(b)(4) prohibits the conditioning of treatment,
payment, enrollment in a health plan, or eligibility for benefits on
obtaining an authorization, with a few exceptions. The exceptions to
this requirement for research-related treatment, eligibility for
benefits and enrollment in a health plan, and health care solely for
creating protected health information for disclosure to a third party
are not changed. Moreover, the Department eliminates the exception to
the prohibition on conditioning payment of a claim on obtaining an
authorization. Although some insurers urged that this conditioning
authority be retained to provide them with more collection options, the
Department believes this exception is no longer necessary because
we are adding a new provision in Sec. 164.506 that permits covered
entities to disclose protected health information for the payment
purposes of another covered entity or health care provider. Therefore,
that exception has been eliminated.
    Section 164.508(b)(5) provides individuals the right to revoke an
authorization at any time in writing. The two exceptions to this right
are retained, but with some modification. An individual may not revoke
an authorization if the covered entity has acted in reliance on the
authorization, or if the authorization was obtained as a condition of
obtaining insurance coverage and other law gives the insurer the right
to contest the claim or the policy itself. The Department adopts the
proposed modification to the latter exception so that insurers can
exercise the right to contest an insurance policy under other law.
Public comment was generally supportive of this proposed modification.
    Section 164.508(b)(6) requires covered entities to document and
retain authorizations as required under Sec. 164.530(j). This
requirement is not changed.
    The different sets of implementation criteria are consolidated into
one set of criteria under Sec. 164.508(c), thus eliminating the
confusion and uncertainty associated with different requirements for
specific circumstances. Covered entities may use one authorization form
for all purposes. The Department adopts in paragraph (c)(1), the
following core elements for a valid authorization: (1) A description of
the information to be used or disclosed, (2) the identification of the
persons or class of persons authorized to make the use or disclosure of
the protected health information, (3) the identification of the persons
or class of persons to whom the covered entity is authorized to make
the use or disclosure, (4) a description of each purpose of the use or
disclosure, (5) an expiration date or event, (6) the individual's
signature and date, and (7) if signed by a personal representative, a
description of his or her authority to act for the individual. An
authorization that does not contain all of the core elements does not
meet the requirements for a valid authorization. The Department intends
for the authorization process to provide individuals with the
opportunity to know and understand the circumstances surrounding a
requested authorization.
    To further protect the privacy interests of individuals, when
individuals initiate an authorization for their own purposes, the
purpose may be stated as ``at the request of the individual.'' Other
changes to the core elements pertain to authorizations for research,
and are discussed in section III.E.2. of the preamble.
    Also, under Sec. 164.508(c)(2), an authorization is not valid
unless it contains all of the following: (1) A statement that the
individual may revoke the authorization in writing, and either a
statement regarding the right to revoke and instructions on how to
exercise such right, or, to the extent this information is included in
the covered entity's notice, a reference to the notice, (2) a statement
that treatment, payment, enrollment, or eligibility for benefits may
not be conditioned on obtaining the authorization if such conditioning
is prohibited by the Privacy Rule or, if conditioning is permitted, a
statement about the consequences of refusing to sign the authorization,
and (3) a statement about the potential for the protected health
information to be redisclosed by the recipient. Although the
notification statements are not included in the paragraph on core
elements, an authorization is not valid unless it contains both the
required core elements and all of the required statements. This is the
minimum information the Department believes is needed to ensure
individuals are fully informed of their rights with respect to an
authorization and to understand the consequences of authorizing the use
or disclosure. The required statements must be written in a manner that
is adequate to place the individual on notice of the substance of the
statements.
    In response to comments, the Department clarifies that the
statement regarding the potential for redisclosure does not require an
analysis of the risk for redisclosure, but may be a general statement
that the health information may no longer be protected by the Privacy
Rule once it is disclosed by the covered entity. Others objected to
this statement because individuals might be hesitant to sign an
authorization if they knew their protected health information could be
redisclosed and no longer protected by the Rule. In response, the
Department believes that individuals need to know about the
consequences of authorizing the disclosure of their protected health
information. As the commenter recognized, the potential for
redisclosure may, indeed, be an important factor in an individual's
decision to give or deny a requested authorization.
    Others suggested that the statement regarding redisclosure should
be omitted when an authorization is obtained only for a use, since such
a statement would be confusing and
inappropriate when the covered entity maintains the information.
Similarly, some commenters were concerned that the statement may be
misleading where the recipient of the information, although not a
covered entity, will keep the information confidential. In response,
the Department clarifies that, while a general statement would suffice,
a covered entity has the discretion to provide a more definitive
statement where appropriate. Thus, the covered entity requesting an
authorization for its own use of protected health information may
provide assurances that the information will remain subject to the
Privacy Rule. Similarly, if a third party, such as a researcher, is
seeking an authorization for research, the statement may refer to the
privacy protections that the researcher will provide for the data.
    Under Sec. 164.508(c)(3), authorizations must be written in plain
language so that individuals can understand the information contained
in the form, and thus be able to make an informed decision about
whether to give the authorization. A few commenters urged the
Department to keep the plain language requirement as a core element of
a valid authorization. Under the December 2000 Rule, the plain language
requirement was not a requisite for a valid authorization.
Nevertheless, under both the December 2000 Rule and the final
modifications, authorizations must be written in plain language. The
fact that the plain language requirement is not a core element does not
diminish its importance or effect, and the failure to meet this
requirement is a violation of the Rule.
    Finally, under Sec. 164.508(c)(4), covered entities who seek an
authorization are required to provide the individual with a copy of the
signed authorization form.

Response to Other Public Comments

    Comment: A number of commenters specifically expressed support of
the proposed authorization requirement for marketing, and urged the
Department to adopt the requirement. However, one commenter claimed
that requiring authorizations for marketing would reduce hospitals'
ability to market their programs and services effectively in order to
compete in the marketplace, and that obtaining, storing, and
maintaining marketing authorizations would be too burdensome.
    Response: In light of the support in the comments, the Department
has adopted the proposed requirement for an authorization before a
covered entity may use or disclose protected health information for
marketing. However, the commenter is mistaken that this requirement
will interfere with a hospital's ability to promote its own program and
services within the community. First, such broad-based marketing is
likely taking place without resort to protected health information,
through dissemination of information about the hospital through
community-wide mailing lists. Second, under the Privacy Rule, a
communication is not marketing if a covered entity is describing its
own products and services. Therefore, nothing in the Rule will inhibit
a hospital from competing in the marketplace by communicating about its
programs and services.
    Comment: One commenter suggested that authorizations for marketing
should clearly indicate that they are comprehensive and may contain
sensitive protected health information.
    Response: The Department treats all individually identifiable
health information as sensitive and equally deserving of protections
under the Privacy Rule. The Rule requires all authorizations to contain
the specified core elements to ensure individuals are given the
information they need to make an informed decision. One of the core
elements for all authorizations is a clear description of the
information that is authorized to be used or disclosed in specific and
meaningful terms. The authorization process provides the individual
with the opportunity to ask questions, negotiate how their information
will be used and disclosed, and ultimately to control whether these
uses and disclosures will be made.
    Comment: Several commenters urged the Department to retain the
existing structure of the implementation specifications, whereby the
notification statements about the individual's right to revoke and the
potential for redisclosure are ``core elements.'' It was argued that
this information is essential to an informed decision. One of the
commenters claimed that moving them out of the core elements and only
requiring a statement adequate to put the person on notice of the
information would increase uncertainty, and that these two elements are
too important to risk inadequate explanation.
    Response: The Department agrees that the required notification
statements are essential information that a person needs in order to
make an informed decision about authorizing the use or disclosure of
protected health information. Individuals need to know what rights they
have with respect to an authorization, and how they can exercise those
rights. However, separating the core elements and notification
statements into two different subparagraphs does not diminish the
importance or effect of the notification statements. The Department
clarifies that both the core elements and the notification statements
are required, and both must be included for an authorization to be
valid.
    Comment: Several commenters urged the Department to eliminate
unnecessary authorization contents. They argued the test should be
whether the person needs the information to protect his or her privacy,
and cited the disclosure of remuneration by a third party as an example
of unnecessary content, alleging that the disclosure of remuneration is
not relevant to protecting privacy. One commenter suggested that
covered entities should be given the flexibility to decide which
contents are applicable in a given situation.
    Response: The Department believes the core elements are all
essential information. Individuals need to know this information to
make an informed decision about giving the authorization to use or
disclose their protected health information. Therefore, the Department
believes all of the core elements are necessary content in all
situations. The Department does not agree that the remuneration
statement required on an authorization for uses and disclosures of an
individual's protected health information for marketing purposes is not
relevant to protecting privacy. Individuals exercise control over the
privacy of their protected health information by either giving or
denying an authorization, and remuneration from a third party to the
covered entity for obtaining an authorization for marketing is an
important factor in making that choice.
    Comment: One commenter suggested that covered entities should not
be required to state on an authorization a person's authority to act on
an individual's behalf, and they should be trusted to require such
identification or proof of legal authority when the authorization is
signed. The commenter stated that this requirement only increases
administrative burden for covered entities.
    Response: The Department does not agree. The authorization
requirement is intended to give individuals some control over uses and
disclosures of protected health information that are not otherwise
permitted or required by the Rule. Therefore, the Rule requires that
covered entities verify and document a person's authority to sign an
authorization on an individual's behalf, since that person is
exercising the individual's control of the information. Furthermore,
the Department understands that it is a
current industry standard to verify and document a person's authority
to sign any legal permission on another person's behalf. Thus, the
requirement should not result in any undue administrative burden for
covered entities.
    Comment: One commenter suggested that the Department should require
authorizations to include a complete list of entities that will use and
share the information, and that the individual should be notified
periodically of any changes to the list so that the individual can
provide written authorization for the changes.
    Response: It may not always be feasible or practical for covered
entities to include a comprehensive list of persons authorized to use
and share the information disclosed pursuant to an authorization.
However, individuals may discuss this option with covered entities, and
they may refuse to sign an authorization that does not meet their
expectations. Also, subject to certain limitations, individuals may
revoke an authorization at any time.
    Comment: One commenter asked for clarification that a health plan
may not condition a provider's participation in the health plan on
seeking authorization for the disclosure of psychotherapy notes,
arguing that this practice would coerce providers to request, and
patients to provide, an authorization to disclose psychotherapy notes.
    Response: The Privacy Rule does not permit a health plan to
condition enrollment, eligibility for benefits, or payment of a claim
on obtaining the individual's authorization to use or disclose
psychotherapy notes. Nor may a health care provider condition treatment
on an authorization for the use or disclosure of psychotherapy notes.
In a situation such as the one described by the commenter, the
Department would look closely at whether the health plan was attempting
to accomplish indirectly that which the Rule prohibits. These
prohibitions are to ensure that the individual's permission is wholly
voluntary and informed with regard to such an authorization. To meet
these standards, in the circumstances set forth in the comment, the
Department would expect the provider subject to such a requirement by
the health plan to explain to the individual in very clear terms that,
while the provider is required to ask, the individual remains free to
refuse to authorize the disclosure and that such refusal will have no
effect on either the provision of treatment or the individual's
coverage under, and payment of claims by, the health plan.
    Comment: A few commenters suggested the Department should allow
covered entities to combine an authorization with other documents, such
as the notice acknowledgment, claiming it would reduce administrative
burden and paperwork, as well as reduce patient confusion and waiting
times, without compromising privacy protections.
    Response: The Department disagrees that combining an authorization
with other documents, such as the notice acknowledgment, would be less
confusing for individuals. To the contrary, the Department believes
that combining unrelated documents would be more confusing. However,
the Rule does permit an authorization to be combined with other
authorizations so long as the provision of treatment, payment,
enrollment in a health plan or eligibility for benefits is not
conditioned on obtaining any of the authorizations, and the
authorization is not for the use or disclosure of psychotherapy notes.
    Also, an authorization must contain the same information, whether
it is a separate document or combined with another document; and the
individual must be given the opportunity to read and discuss that
information. Combining an authorization with routine paperwork
diminishes individuals' ability to make a considered and informed
judgment to permit the use or disclosure of their medical information
for some other purpose.
    Comment: One commenter stated that the requirement for covered
entities to use only authorizations that are valid under the Rule must
be an unintended result of the Rule, because covered entities would
have to use only valid authorizations when requesting information from
non-covered entities. The commenter did not believe the Department
intended this requirement to apply with respect to non-covered
entities, and gave the example of dental health plans obtaining
protected health information in connection with paper claims submitted
by dental offices. The commenter requested clarification that health
plans may continue to use authorization forms currently in use for all
claims submitted by non-covered entities.
    Response: The commenter misapprehends the Rule's requirements. The
requirements apply to uses and disclosure of protected health
information by covered entities. In the example provided, where a
health plan is requesting additional information in support of a claim
for payment by a non-covered health care provider, the health plan is
not required to use an authorization. The plan does not need the
individual's authorization to use protected health information for
payment purposes, and the non-covered health care provider is not
subject to any of the Rule's requirements. Therefore, the exchange of
information may occur as it does today. The Department notes that,
based on the modifications regarding consent adopted in this
rulemaking, neither a consent nor an authorization would be required in
this example even if the health care provider was also a covered
entity.
    Comment: Several commenters urged the Department to add a
transition provision to permit hospitals to use protected health
information in already existing databases for marketing and outreach to
the communities they serve. Commenters claimed that these databases are
important assets that would take many years to rebuild, and hospitals
may not have an already existing authorization or other express legal
permission for such use of the information. They contended that,
without a transition provision, these databases would become useless
under the Rule. Commenters suggested the Department should adopt an
``opt out'' provision that would allow continued use of these databases
to initially communicate with the persons listed in the database; at
that time, they could obtain authorization for future communications,
thus providing a smooth transition.
    Response: Covered entities are provided a two-year period in which
to come into compliance with the Privacy Rule. One of the purposes of
the compliance period is to allow covered entities sufficient time to
undertake actions such as those described in the comment (obtaining the
legal permissions that would permit databases to continue to operate
after the compliance date). An additional transition period for these
activities has not been justified by the commenters. However, the
Department notes that a covered entity is permitted to use the
information in a database for communications that are either excepted
from or that do not meet the definition of ``marketing'' in
Sec. 164.501, without individual authorization. For example, a hospital
may use protected health information in an existing database to
distribute information about the services it provides, or to distribute
a newsletter with general health or wellness information that does not
promote a particular product or service.

2. Research Authorizations
    December 2000 Privacy Rule. The Privacy Rule requires covered
entities to obtain an individual's voluntary and informed authorization
before using or disclosing protected health information for any purpose
that is not otherwise permitted or required under the Rule. Uses and
disclosures of protected health information for research purposes are
subject to the same authorization requirements as uses and disclosures
for other purposes. However, for research that includes treatment of
the individual, the December 2000 Privacy Rule prescribed special
authorization requirements at Sec. 164.508(f). The December 2000
Privacy Rule, at Sec. 164.508(b)(5), also permitted individuals to
revoke their authorization at any time, with limited exceptions.
Further, the December 2000 Privacy Rule prohibited the combining of the
authorization for the use or disclosure of existing protected health
information with any other legal permission related to the research
study.
    March 2002 NPRM. Several of those who commented on the December
2000 Privacy Rule argued that certain authorization requirements in
Sec. 164.508 were unduly complex and burdensome as applied to research
uses and disclosures. In particular, several commenters favored
eliminating the Rule's specific provisions at Sec. 164.508(f) for
authorizations for uses and disclosures of protected health information
for research that includes treatment of the individual. The Department
also heard from several provider groups who argued in favor of
permitting covered entities to combine all of the research
authorizations required by the Privacy Rule with the informed consent
to participate in the research. Commenters also noted that the Rule's
requirement for an ``expiration date or event that relates to the
individual or the purpose of the use or disclosure'' runs counter to
the needs of research databases and repositories that are often
retained indefinitely.
    In response to these concerns, the Department proposed a number
of modifications to simplify the authorization requirements both
generally, and in certain circumstances, as they specifically applied
to uses and disclosures of protected health information for research.
In particular, the Department proposed a single set of authorization
requirements for all uses and disclosures, including those for research
purposes. This proposal would eliminate the additional authorization
requirements for the use and disclosure of protected health information
created for research that includes treatment of the individual.
Consistent with this proposed change, the Department further proposed
to modify the requirements prohibiting the conditioning of
authorizations at Sec. 164.508(b)(4)(i) to remove the reference to
Sec. 164.508(f).
    In addition, the Department proposed that the Privacy Rule permit
an authorization for the use or disclosure of protected health
information to be combined with any other legal permission related to
the research study, including another authorization or consent to
participate in the research.
    Finally, the Department proposed to provide explicitly that the
statement, ``end of a research study,'' or similar language be
sufficient to meet the requirement for an expiration date in
Sec. 164.508(c)(1)(v). Additionally, the Department proposed that the
statement ``none'' or similar language be sufficient to meet this
provision if the authorization was for a covered entity to use or
disclose protected health information for the creation or maintenance
of a research database or repository.
    Overview of Public Comments. The following discussion provides an
overview of the public comment received on this proposal. Additional
comments received on this issue are discussed below in the section
entitled, ``Response to Other Public Comments.''
    The vast majority of commenters were very supportive of the
proposed revisions to the Rule's provisions for research
authorizations. However, the Department did hear from several
commenters that the Privacy Rule's requirement for an expiration date
or event should be eliminated for all research uses and disclosures of
protected health information, not just for uses and disclosures for the
creation or maintenance of a research database or repository, as was
proposed in the NPRM. These commenters were concerned that the Privacy
Rule would prohibit important uses and disclosures of protected health
information after the termination of a research project, such as the
reporting of research results to the Food and Drug Administration (FDA)
for an FDA investigational new drug application, unless the covered
entity obtained another patient authorization. In addition, several of
these commenters cited confusion in defining repositories and
databases. Some of these commenters stated that an individual who
authorizes information to be used for an indeterminate time most likely
expects and intends for the information to be used and disclosed if
needed well into the future, regardless of whether or not the research
involves the use or disclosure of protected health information for the
creation or maintenance of a database or repository.
    Several commenters responded to the Department's request for
comments on how to appropriately limit uses and disclosures following
revocation of an authorization, while preserving the integrity of the
research. The NPRM attempted to clarify that ``even though a revocation
will prevent a covered entity from further disclosing protected health
information for research purposes, the exception to this requirement is
intended to allow for certain continued uses of information as
appropriate to preserve the integrity of the research study.'' However,
the NPRM further stated that ``if covered entities were permitted to
continue using or disclosing protected health information for the
research project even after an individual had revoked his or her
authorization, this would undermine the primary objective of the
authorization requirements to be a voluntary, informed choice of the
individual.'' Several commenters were concerned and confused by the
NPRM's statements. In particular, the Department received comments
urging that the regulation permit covered entities to use and disclose
research data already obtained, even after an individual has withdrawn
his or her authorization. These commenters suggested that once a
subject has authorized the use and disclosure of protected health
information for research and the covered entity has relied on the
authorization, the covered entity must retain the ability to use or
disclose the subject's pre-withdrawal information for purposes
consistent with the overall research. One commenter argued that it
would be inadequate for the reliance exception at Sec. 164.508(b)(5) to
be interpreted to permit continued uses of the individual's information
as appropriate only to account for an individual's withdrawal from the
study. In this commenter's opinion, most research would call for the
continued use of protected health information obtained prior to an
individual's revocation of their authorization to safeguard statistical
validity and truly to preserve the integrity of human research.
    Final Modifications. The Department agrees with the commenters that
supported the NPRM's proposed simplification of authorizations for
research uses and disclosures of protected health information and,
therefore, adopts the modifications to these provisions as proposed in
the NPRM. The final Rule requires a single
set of authorization requirements for all uses and disclosures,
including those for research purposes, and permits an authorization for
the use or disclosure of protected health information to be combined
with any other legal permission related to the research study,
including another authorization or consent to participate in the
research.
    In addition, in response to commenters' concerns that the Rule
would prohibit important uses and disclosures of protected health
information after the termination of a research project, the final Rule
eliminates the requirement for an expiration date for all uses and
disclosures of protected health information for research purposes, not
only for the creation and maintenance of a research database or
repository. The Department agrees that the line between research
repositories and databases in particular, and research data collection
in general, is sometimes arbitrary and unclear. If the authorization
for research uses and disclosures of protected health information does
not have an expiration date, the final Rule at Sec. 164.508(c)(1)(v),
requires that this fact be stated on the authorization form. Patients
continue to control whether protected health information about them may
be used or disclosed for research, since the authorization must include
an expiration date or event, or a statement that the authorization will
have no expiration date. In addition, patients will be permitted to
revoke their authorization at any time during the research project,
except as specified under Sec. 164.508(b)(5). However, the Department
notes that researchers may choose to include, and covered entities may
choose to require, an expiration date when appropriate.
    Although the final Rule does not modify the revocation provision at
Sec. 164.508(b)(5), in response to commenters' concerns, the Department
clarifies that this provision permits covered entities to continue
using and disclosing protected health information that was obtained
prior to the time the individual revoked his or her authorization, as
necessary to maintain the integrity of the research study. An
individual may not revoke an authorization to the extent the covered
entity has acted in reliance on the authorization. For research uses
and disclosures, this reliance exception at Sec. 164.508(b)(5)(i)
permits the continued use and disclosure of protected health
information already obtained pursuant to a valid authorization to the
extent necessary to preserve the integrity of the research study. For
example, the reliance exception would permit the continued use and
disclosure of protected health information to account for a subject's
withdrawal from the research study, as necessary to incorporate the
information as part of a marketing application submitted to the FDA, to
conduct investigations of scientific misconduct, or to report adverse
events. However, the reliance exception would not permit a covered
entity to continue disclosing additional protected health information
to a researcher or to use for its own research purposes information not
already gathered at the time an individual withdraws his or her
authorization. The Department believes that this clarification of the
Rule will minimize the negative effects on research caused by
participant withdrawal and will allow for important continued uses and
disclosures to occur, while maintaining privacy protections for
research subjects.

Response to Other Public Comments

    Comment: In opposition to the March 2002 NPRM, one commenter
suggested prohibiting the combining of authorization forms with an
informed consent when the covered entity disclosing the protected
health information is not otherwise participating in research. The
commenter argued that the NPRM would allow covered entities to receive
more information than necessary to fulfill a patient's authorization
request, such as information about the particular type or purpose of
the study itself, and could, thereby, violate the patient's privacy.
    Response: The Department acknowledges the concern raised by these
commenters; however, prohibiting the combination of authorization forms
with an informed consent reduces the flexibility proposed in the March
2002 NPRM. Since the final modifications permit--but do not require--
such combining of forms, the Department has decided to leave it to the
discretion of researchers or the IRBs to determine whether the
combining of authorization forms and consent forms for research would
be appropriate for a particular research study.
    Comment: Some commenters supported retaining the December 2000
Privacy Rule requirement that a description of the extent to which
protected health information will be used or disclosed for treatment,
payment, or health care operations be included in an authorization to
use or disclose protected health information for a research study that
includes treatment of individuals. These commenters argued that an
individual's ability to make informed decisions requires that he or she
know how research information will and will not be used and disclosed.
    Response: The Department agrees with the majority of the commenters
who were in support of the March 2002 NPRM proposal to eliminate the
additional authorization requirements for research that includes
treatment, and has adopted these proposed modifications in the final
Rule. Retaining the distinction between research that involves
treatment and research that does not would require overly subjective
decisions without providing commensurate privacy protections for
individuals. However, the Department notes that it may sometimes be
advisable for authorization forms to include a statement regarding how
protected health information obtained for a research study will be used
and disclosed for treatment, payment, and health care operations, if
such information would assist individuals in making informed decisions
about whether or not to provide their authorization for a research
study.
    Comment: One commenter argued that expiration dates should be
included on authorizations and that extensions should be required for
all research uses and disclosures made after the expiration date or
event has passed.
    Response: The Department disagrees. We have determined that an
expiration date or event would not always be feasible or desirable for
some research uses and disclosures of protected health information. By
allowing for no expiration date, the final Rule permits without
separate patient authorization important disclosures even after the
``termination of the research project'' that might otherwise be
prohibited. However, the final Rule contains the requirement that the
patient authorization specify if the authorization would not have an
expiration date or event. Therefore, patients will have this
information to make an informed decision about whether to sign the
authorization.
    Comment: Another commenter suggested permitting covered entities/
researchers to continue using or disclosing protected health
information even after a revocation of the initial authorization but
only if an IRB or Privacy Board approved the continuation. This
commenter argued that such review by an IRB or Privacy Board would
protect privacy, while permitting continued uses and disclosures of
protected health information for important purposes.
    Response: As stated above, the Department agrees that it may
sometimes be necessary to continue using and disclosing protected
health information even after an individual has revoked his or her
authorization in order to preserve the integrity of a research study.
Therefore, the Department has clarified that the reliance exception at
Sec. 164.508(b)(5)(i) would permit the continued use and disclosure of
protected health information already obtained pursuant to a valid
authorization to the extent necessary to preserve the integrity of the
research study. A requirement for documentation of IRB or Privacy Board
review and approval of the continued use or disclosure of protected
health information after an individual's authorization had been revoked
could protect patient privacy. However, the Department believes that
the additional burden on the IRB or Privacy Board could be substantial,
and is not warranted at this time.
    Comment: A commenter requested clarification that the ``reliance
exception'' does not permit covered entities as researchers to continue
analyzing data once an individual has revoked his or her authorization.
    Response: As discussed above, the Department disagrees with this
comment. Patient privacy must be balanced against other public goods,
such as research and the risk of compromising such research projects if
researchers could not continue to use such data. The Department
determined that permitting continued uses and disclosures of protected
health information already obtained to protect the integrity of
research, even after an individual's authorization has been revoked,
would pose minimal privacy risk to individuals without compromising
research.
    Comment: Several commenters suggested permitting the proposed
authorization requirement for a ``description of each purpose of the
requested use or disclosure'' at Sec. 164.508 to be sufficiently broad
to encompass future unspecified research. These commenters argued that
this option would reduce the burden for covered entities and
researchers by permitting covered entities to use or disclose protected
health information for re-analysis without having to obtain an
additional authorization from the individual. Some discussed the
possibility that burden for patients would also be reduced because they
would not have to provide additional authorizations. These commenters
also argued that such a provision would more directly align the Rule
with the Common Rule, which permits broad informed consent for
secondary studies if the IRB deems the original informed consent to be
adequate.
    Response: The Department disagrees with broadening the required
``description of the purpose of the use or disclosure'' because of the
concern that patients would lack necessary information to make an
informed decision. In addition, unlike the Common Rule, the Privacy
Rule does not require IRB or Privacy Board review of research uses and
disclosures made with individual authorization. Therefore, instead of
IRBs or Privacy Boards reviewing the adequacy of existing patient
authorizations, covered entities would be left to decide whether or not
the initial authorization was broad enough to cover subsequent research
analyses. Furthermore, it should be noted that patient authorization
would not be required for such re-analysis if, with respect to the re-
analysis, the covered entity obtains IRB or Privacy Board waiver of
such authorization as required by Sec. 164.512(i). For these reasons,
the Department has decided to retain the requirement that each purpose
of the requested use or disclosure described in the authorization form
be research study specific. However, the Department understands that,
in the past, some express legal permissions and informed consents have
not been study-specific and sometimes authorize the use or disclosure
of information for future unspecified research. Furthermore, some IRB-
approved waivers of informed consent have been for future unspecified
research. Therefore, the final Rule at Sec. 164.532 permits covered
entities to rely on an express legal permission, informed consent, or
IRB-approved waiver of informed consent for future unspecified
research, provided the legal permission, informed consent or IRB-
approved waiver was obtained prior to the compliance date.
    Comment: Several commenters suggested retaining the authorization
element requiring a statement regarding ``the potential for information
disclosed pursuant to the authorization to be subject to redisclosure
by the recipient and no longer protected by this Rule'' but with one
addition. This addition would state that ``researchers could only use
or disclose the protected health information for purposes approved by
the IRB or as required by law or regulation.'' These commenters argued
that this would be clearer to participants and would prevent the
misconception that their information would not be protected by any
confidentiality standards.
    Response: The Department recognizes the concern of the commenters
seeking to supplement the requirement, but points out that, although
the final Rule will not require this addition, it is permissible to
include such a statement in the authorization. In addition, since the
Privacy Rule does not require IRB or Privacy Board review of research
uses and disclosures made with patient authorization, the Department
determined that adding the commenters' suggestion to the final Rule
would be inappropriate. Section III.E.1. above provides further
discussion of this provision.

F. Section 164.512--Uses and Disclosures for Which Authorization or
Opportunity To Agree or Object Is Not Required

1. Uses and Disclosures Regarding FDA-Regulated Products and Activities
    December 2000 Privacy Rule. The Privacy Rule permits covered
entities to disclose protected health information without consent or
authorization for public health purposes. Generally, these disclosures
may be made to public health authorities, as well as to contractors and
agents of public health authorities. However, in recognition of the
essential role of drug and medical device manufacturers and other
private persons in carrying out the Food and Drug Administration's
(FDA) public health mission, the December 2000 Privacy Rule permitted
covered entities to make such disclosures to a person who is subject to
the jurisdiction of the FDA, but only for the following specified
purposes: (1) To report adverse events, defects or problems, or
biological product deviations with respect to products regulated by the
FDA (if the disclosure is made to the person required or directed to
report such information to the FDA); (2) to track products (if the
disclosure is made to the person required or directed to report such
information to the FDA); (3) for product recalls, repairs, or
replacement; and (4) for conducting post-marketing surveillance to
comply with FDA requirements or at the direction of the FDA.
    March 2002 NPRM. The Department heard a number of concerns about
the scope of the disclosures permitted for FDA-regulated products and
activities and the failure of the Privacy Rule to reflect the breadth
of the public health activities currently conducted by private sector
entities subject to the jurisdiction of the FDA on a voluntary basis.
These commenters claimed the Rule would constrain important public
health surveillance and reporting activities by
impeding the flow of needed information to those subject to the
jurisdiction of the FDA. For instance, there were concerns that the
Rule would have a chilling effect on current voluntary reporting
practices. The FDA gets the vast majority of information concerning
problems with FDA-regulated products, including drugs, medical devices,
biological products, and food indirectly through voluntary reports made
by health care providers to the manufacturers. These reports are
critically important to public health and safety. The December 2000
Rule permitted such disclosures only when made to a person ``required
or directed'' to report the information to the FDA or to track the
product. The manufacturer may or may not be required to report such
problems to the FDA, and the covered entities who make these reports
are not in a position to know whether the recipient of the information
is so obligated. Consequently, many feared that this uncertainty would
cause covered entities to discontinue their practices of voluntary
reporting of adverse events related to FDA-regulated products or
entities.
    Some covered entities also expressed fears of the risk of liability
should they inadvertently report the information to a person who is not
subject to the jurisdiction of the FDA or to the wrong manufacturer.
Hence, they urged the Department to provide a ``good-faith'' safe
harbor to protect covered entities from enforcement actions arising
from unintentional violations of the Privacy Rule.
    A number of commenters, including some subject to the jurisdiction
of the FDA, suggested that it is not necessary to disclose identifiable
health information for some or all of these public health purposes,
that identifiable health information is not reported to the FDA, and
that information without direct identifiers (such as name, mailing
address, phone number, social security number, and email address) is
sufficient for post-marketing surveillance purposes.
    The Rule is not intended to discourage or prevent adverse event
reporting or otherwise disrupt the flow of essential information that
the FDA and persons subject to the jurisdiction of the FDA need in
order to carry out their important public health activities. Therefore,
the Department proposed some modifications to the Rule to address these
issues in the NPRM. Specifically, the Department proposed to remove
from Secs. 164.512(b)(1)(iii)(A) and (B) the phrase ``if the disclosure
is made to a person required or directed to report such information to
the Food and Drug Administration'' and to remove from subparagraph (D)
the phrase ``to comply with requirements or at the direction of the
Food and Drug Administration.'' In lieu of this language, the
Department proposed to describe at the outset the public health
purposes for which disclosures may be made. The proposed language read:
``A person subject to the jurisdiction of the Food and Drug
Administration (FDA) with respect to an FDA-regulated product or
activity for which that person has responsibility, for the purpose of
activities related to the quality, safety or effectiveness of such FDA-
regulated product or activity.''
    The proposal retained the specific activities identified in
paragraphs (A), (B), (C), and (D) as examples of common FDA purposes
for which disclosures would be permitted, but eliminated the language
that would have made this listing the only activities for which such
disclosures would be allowed. These activities include reporting of
adverse events and other product defects, the tracking of FDA-regulated
products, enabling product recalls, repairs, or replacement, and
conducting post-marketing surveillance. Additionally, the Department
proposed to include ``lookback'' activities in paragraph (C), which are
necessary for tracking blood and plasma products, as well as
quarantining tainted blood or plasma and notifying recipients of such
tainted products.
    In addition to these specific changes, the Department solicited
comments on whether a limited data set should be required or permitted
for some or all public health purposes, or if a special rule should be
developed for public health reporting. The Department also requested
comments as to whether the proposed modifications would be sufficient,
or if additional measures, such as a good-faith safe harbor, would be
needed for covered entities to continue to report vital information
concerning FDA-regulated products or activities on a voluntary basis.
    Overview of Public Comments. The following discussion provides an
overview of the public comment received on this proposal. Additional
comments received on this issue are discussed below in the section
entitled, ``Response to Other Public Comments.''
    The proposed changes received wide support. The overwhelming
majority of commenters urged the Department to adopt the proposed
changes, claiming it would reduce the chilling effect that the Rule
would otherwise have on current voluntary reporting practices, which
are an important means of identifying adverse events, defects, and
other problems regarding FDA-regulated products. Several commenters
further urged the Department to provide a good-faith safe harbor to
allay providers' fears of inadvertently violating the Rule, stating
that covered entities would otherwise be reluctant to risk liability to
make these important public health disclosures.
    A few commenters opposed the proposed changes, expressing concern
that the scope of the proposal was too broad. They were particularly
concerned that including activities related to ``quality'' or
``effectiveness'' would create a loophole for manufacturers to obtain
and use protected health information for purposes the average person
would consider unrelated to public health or safety, such as using
information to market products to individuals. Some of these commenters
said the Department should retain the exclusive list of purposes and
activities for which such disclosures may be made, and some urged the
Department to retain the ``required or directed'' language, as it
creates an essential nexus to a government authority or requirement. It
was also suggested that the chilling effect on reporting of adverse
events could be counteracted by a more targeted approach. Commenters
were also concerned that the proposal would permit disclosure of much
more protected health information to non-covered entities that are not
obligated by the Rule to protect the privacy of the information.
Comments regarding use of a limited data set for public health
disclosures are discussed in section III.G.1. of the preamble.
    Final Modifications. In the final modifications, the Department
adopts the language proposed in the NPRM. Section 164.512(b)(1)(iii),
as modified, permits covered entities to disclose protected health
information, without authorization, to a person subject to the
jurisdiction of the FDA with respect to an FDA-regulated product or
activity for which that person has responsibility, for the purpose of
activities related to the quality, safety, or effectiveness of such
FDA-regulated product or activity. Such purposes include, but are not
limited to, the following activities and purposes listed in
subparagraphs (A) through (D): (1) To collect or report adverse events
(or similar activities regarding food or dietary supplements), product
defects or problems (including problems with the use or labeling of a
product), or biological product deviations, (2) to track FDA-regulated
products, (3) to enable product recalls, repairs, or replacement, or
for lookback (including locating and notifying persons who have
received products that have been withdrawn, recalled, or are the
subject of lookback), and (4) to conduct post-marketing surveillance.
    The Department believes these modifications are necessary to remove
barriers that could prevent or chill the continued flow of vital
information between health care providers and manufacturers of food,
drugs, medical and other devices, and biological products. Health care
providers have been making these disclosures to manufacturers for many
years, and commenters opposed to the proposal did not cite any examples
of abuses of information disclosed for such purposes. Furthermore, both
the individuals who are the subjects of the information and the general
public benefit from these disclosures, which are an important means of
identifying and dealing with FDA-regulated products on the market that
potentially pose a health or safety threat. For example, FDA learns a
great deal about the safety of a drug after it is marketed as a result
of voluntary adverse event reports made by covered entities to the
product's manufacturer. The manufacturer is required to submit these
safety reports to FDA, which uses the information to help make the
product safer by, among other things, adding warnings or changing the
product's directions for use. The modifications provide the necessary
assurances to covered entities that such voluntary reporting may
continue.
    Although the list of permissible disclosures is no longer
exclusive, the Department disagrees with commenters that asserted the
modifications permit virtually unlimited disclosures for FDA purposes.
As modified, such disclosures must still be made to a person subject to
the jurisdiction of the FDA. The disclosure also must relate to FDA-
regulated products or activities for which the person using or
receiving the information has responsibility, and be made only for
activities related to the safety, effectiveness, or quality of such
FDA-regulated product or activity. These terms are terms of art with
commonly accepted and understood meanings in the FDA context, meanings
of which providers making such reports are aware. This limits the
possibility that FDA-regulated manufacturers and entities will be able
to abuse this provision to obtain information to which they would
otherwise not be entitled.
    Moreover, Sec. 164.512(b)(1) specifically limits permissible
disclosures to those made for public health activities and purposes.
While a disclosure related to the safety, quality or effectiveness of
an FDA-regulated product is a permissible disclosure, the disclosure
also must be for a ``public health'' activity or purpose. For example,
it is not permissible under Sec. 164.512(b)(1)(iii) for a covered
entity to disclose protected health information to a manufacturer to
allow the manufacturer to evaluate the effectiveness of a marketing
campaign for a prescription drug. In this example, although the
disclosure may be related to the effectiveness of an FDA-regulated
activity (the advertising of a prescription drug), the disclosure is
made for the commercial purposes of the manufacturer rather than for a
public health purpose.
    A disclosure related to a ``quality'' defect of an FDA-regulated
product is also permitted. For instance, the public health exception
permits a covered entity to contact the manufacturer of a product to
report drug packaging quality defects. However, this section does not
permit all possible reports from a covered entity to a person subject
to FDA jurisdiction about product quality. It would not be permissible
for a provider to furnish a manufacturer with a list of patients who
prefer a different flavored cough syrup over the flavor of the
manufacturer's product. Such a disclosure generally would not be for a
public health purpose. However, a disclosure related to the flavor of a
product would be permitted under this section if the covered entity
believed that a difference in the product's flavor indicated, for
example, a possible manufacturing problem or suggested that the product
had been tampered with in a way that could affect the product's safety.
    The Department clarifies that the types of disclosures that covered
entities are permitted to make to persons subject to FDA jurisdiction
are those of the type that have been traditionally made over the years.
These reports include, but are not limited to, those made for the
purposes identified in paragraphs (A)-(D) of Sec. 164.512(b)(1)(iii) of
this final Rule.
    Also, the minimum necessary standard applies to public health
disclosures, including those made to persons subject to the
jurisdiction of the FDA. There are many instances where a report about
the quality, safety, or effectiveness of an FDA-regulated product can
be made without disclosing protected health information. Such may be
the case with many adverse drug events where it is important to know
what happened but it may not be important to know to whom. However, in
other circumstances, such as device tracking or blood lookback, it is
essential for the manufacturer to have identifying patient information
in order to carry out its responsibilities under the Food, Drug, and
Cosmetic Act. Therefore, identifiable health information can be
disclosed for these purposes, consistent with the minimum necessary
standard.
    As the Department stated in the preamble of the NPRM, ``a person''
subject to the jurisdiction of the FDA does not mean that the
disclosure must be made to a specific individual. The Food, Drug, and
Cosmetic Act defines ``person'' to include an individual, partnership,
corporation, and association. Therefore, covered entities may continue
to disclose protected health information to the companies subject to
FDA's jurisdiction that have responsibility for the product or
activity. Covered entities may identify responsible companies by using
information obtained from product labels or product labeling (written
material about the product that accompanies the product) including
sources of labeling, such as the Physician's Desk Reference.
    The Department believes these modifications effectively balance the
privacy interests of individuals with the interests of public health
and safety. Since the vast majority of commenters were silent on the
question of the potential need for a ``good faith'' exception, the
Department believes that these modifications will be sufficient to
preserve the current public health activities of persons subject to the
jurisdiction of the FDA, without such a safe harbor. However, the
Department will continue to evaluate the effect of the Rule to
determine whether there is need for further modifications or guidance.

Response to Other Public Comments

    Comment: A few commenters urged the Department to include foreign
public health authorities in the Rule's definition of ``public health
authority.'' These commenters claimed that medical products are often
distributed in multiple countries, and the associated public health
issues are experienced globally. They further claimed that requiring
covered entities to obtain the permission of a United States-based
public health authority before disclosing protected health information
to a foreign government public health authority will impede important
communications.
    Response: The Department notes that covered entities are permitted
to disclose protected health information for public health purposes, at
the direction of a public health authority, to an official of a foreign
government agency that is acting in collaboration with a public health
authority. The
Department does not have sufficient information at this time as to any
potential impacts or workability issues that could arise from this
language and, therefore, does not modify the Rule in this regard.
    Comment: Some commenters, who opposed the proposal as a weakening
of the Privacy Rule, suggested that the Department implement a more
targeted approach to address only those issues raised in the preamble
to the NPRM, such as voluntary adverse event reporting activities,
rather than broadening the provision generally.
    Response: The NPRM was intended to address a number of issues in
addition to the concern that the December 2000 Privacy Rule would chill
reporting of adverse events to entities from whom the FDA receives much
of its adverse event information. For instance, the text of the
December 2000 Privacy Rule did not expressly permit disclosure of
protected health information to FDA-regulated entities for the purpose
of enabling ``lookback,'' which is an activity performed by the blood
and plasma industry to identify and quarantine blood and blood products
that may be at increased risk of transmitting certain blood-borne
diseases, and which includes the notification of individuals who
received possibly tainted products, permitting them to seek medical
attention and counseling. The NPRM also was intended to simplify the
public health reporting provision and to make it more readily
understandable. Finally, the approach proposed in the NPRM, and adopted
in this final Rule, is intended to add flexibility to the public health
reporting provision of the December 2000 Rule, whose exclusive list of
permissible disclosures was insufficiently flexible to assure that
Sec. 164.512(b)(1)(iii) will allow legitimate public health reporting
activities that might arise in the future.

    In addition, the Department clarifies that the reporting of adverse
events is not restricted to the FDA or persons subject to the
jurisdiction of the FDA. A covered entity may, under Sec. 164.512(b),
disclose protected health information to a public health authority that
is authorized to receive or collect a report on an adverse event. In
addition, to the extent an adverse event is required to be reported by
law, the disclosure of protected health information for this purpose is
also permitted under Sec. 164.512(a). For example, a Federally funded
researcher who is a covered health care provider under the Privacy Rule
may disclose protected health information related to an adverse event
to the National Institutes of Health (NIH) if required to do so by NIH
regulations. Even if not required to do so, the researcher may also
disclose adverse events directly to NIH as a public health authority.
To the extent that NIH has public health matters as part of its
official mandate it qualifies as a public health authority under the
Privacy Rule, and to the extent it is authorized by law to collect or
receive reports about injury and other adverse events such collection
would qualify as a public health activity.

2. Institutional Review Board (IRB) or Privacy Board Approval of a
Waiver of Authorization
    December 2000 Privacy Rule. The Privacy Rule builds upon existing
Federal regulations governing the conduct of human subjects research.
In particular, the Rule at Sec. 164.512(i) establishes conditions under
which covered entities can use and disclose protected health
information for research purposes without individual authorization if
the covered entity first obtains either of the following:
     Documentation of approval of a waiver of authorization
from an Institutional Review Board (IRB) or a Privacy Board. The
Privacy Rule specifies requirements that must be documented, including
the Board's determination that eight defined waiver criteria had been
met.
     Where a review of protected health information is
conducted preparatory to research or where research is conducted solely
on decedents' information, certain representations from the researcher,
including that the use or disclosure is sought solely for such a
purpose and that the protected health information is necessary for the
purpose.
    March 2002 NPRM. A number of commenters informed the Department
that the eight waiver criteria in the December 2000 Privacy Rule were
confusing, redundant, and internally inconsistent. These commenters
urged the Department to simplify these provisions, noting that they
would be especially burdensome and duplicative for research that was
currently governed by the Common Rule. In response to these comments,
the Department proposed the following modifications to the waiver
criteria for all research uses and disclosures of protected health
information, regardless of whether or not the research is subject to
the Common Rule:
     The Department proposed to delete the criterion that ``the
alteration or waiver will not adversely affect the privacy rights and
the welfare of the individuals,'' because it may conflict with the
criterion regarding the assessment of minimal privacy risk.
     In response to commenters' concerns about the overlap and
potential inconsistency among several of the Privacy Rule's criteria,
the Department proposed to turn the following three criteria into
factors that must be considered as part of the IRB's or Privacy Board's
assessment of minimal risk to privacy:
     There is an adequate plan to protect the identifiers from
improper use and disclosure;
     There is an adequate plan to destroy the identifiers at
the earliest opportunity consistent with the conduct of the research,
unless there is a health or research justification for retaining the
identifiers, or such retention is otherwise required by law; and
     There are adequate written assurances that the protected
health information will not be reused or disclosed to any other person
or entity, except as required by law, for authorized oversight of the
research project, or for other research for which the use or disclosure
of protected health information would be permitted by this subpart.
     In response to concerns that the following waiver
criterion was unnecessarily duplicative of other provisions to protect
patients' confidentiality interests, the Department proposed to
eliminate the criterion that: ``the privacy risks to individuals whose
protected health information is to be used or disclosed are reasonable
in relation to the anticipated benefits, if any, to the individual, and
the importance of the knowledge that may reasonably be expected to
result from the research.''
    In sum, the NPRM proposed that the following waiver criteria
replace the waiver criteria in the December 2000 Privacy Rule at
Sec. 164.512(i)(2)(ii):
    (1) The use or disclosure of protected health information involves
no more than a minimal risk to the privacy of individuals, based on, at
least, the presence of the following elements:
    (a) An adequate plan to protect the identifiers from improper use
and disclosure;
    (b) An adequate plan to destroy the identifiers at the earliest
opportunity consistent with conduct of the research, unless there is a
health or research justification for retaining the identifiers or such
retention is otherwise required by law; and
    (c) Adequate written assurances that the protected health
information will not be reused or disclosed to any other person or
entity, except as required by law, for authorized oversight of the

[[Page 53230]]

research project, or for other research for which the use or disclosure
of protected health information would be permitted by this subpart;
    (2) The research could not practicably be conducted without the
waiver or alteration; and
    (3) The research could not practicably be conducted without access
to and use of the protected health information.
    Overview of Public Comments. The following discussion provides an
overview of the public comment received on this proposal. Additional
comments received on this issue are discussed below in the section
entitled, ``Response to Other Public Comments.''
    The overwhelming majority of commenters were supportive of the
Department's proposed modifications to the Privacy Rule's waiver
criteria. These commenters found that the proposed revisions adequately
addressed earlier concerns that the waiver criteria in the December
2000 Rule were confusing, redundant, and internally inconsistent.
However, a few commenters argued that some of the proposed criteria
continued to be too subjective and urged that they be eliminated.
    Final Modifications. The Department agrees with the majority of
commenters that supported the proposed waiver criteria, and adopts the
modifications as proposed in the NPRM. The criteria safeguard patient
privacy, require attention to issues sometimes currently overlooked by
IRBs, and are compatible with the Common Rule. Though IRBs and Privacy
Boards may initially struggle to interpret the criteria, as a few
commenters mentioned, the Department intends to issue guidance
documents to address this concern. Furthermore, the Department notes
that experience and guidance have enabled IRBs to successfully
implement the Common Rule's waiver criteria, which also require
subjective determinations.
    This final Rule also contains a conforming modification in
Sec. 164.512(i)(2)(iii) to replace ``(i)(2)(ii)(D)'' with
``(i)(2)(ii)(C).''

Response to Other Public Comments

    Comment: It was suggested that the Department eliminate the March
2002 NPRM waiver criterion that requires IRBs or Privacy Boards to
determine if there is an ``adequate plan to protect identifiers from
improper use and disclosure,'' in order to avoid the IRB having to make
subjective decisions.
    Response: The Department disagrees with the commenter that the
waiver criterion adopted in this final Rule is too subjective for an
IRB or a Privacy Board to use. First, the consideration of whether
there is an adequate plan to protect identifiers from improper use and
disclosure is one of three factors that an IRB or Privacy Board must
weigh in determining that the use or disclosure of protected health
information for the research proposal involves no more than a minimal
risk to the privacy of the individual. The Department does not believe
that the minimal risk determination, which is based upon a similar
waiver criterion in the Common Rule, is made unduly subjective by
requiring the IRB to take into account the researcher's plans for
maintaining the confidentiality of the information.
    Second, as noted in the discussion of these provisions in the
proposal, the Privacy Rule is intended to supplement and build upon the
human subject protections already afforded by the Common Rule and the
Food and Drug Administration's human subject protection regulations.
One provision already in effect under these authorities is that, to
approve a study, an IRB must determine that ``when appropriate, there
are adequate provisions to protect the privacy of subjects and to
maintain the confidentiality of data.'' (Common Rule Sec. __.111(a)(7),
21 CFR 56.111(a)(7).) The Department, therefore, believes that IRBs and
Privacy Boards are accustomed to making the type of determinations
required under the Privacy Rule.
    Nonetheless, as stated above, the Department is prepared to respond
to actual issues that may arise during the implementation of these
provisions and to provide the guidance necessary to address concerns of
IRBs, Privacy Boards, and researchers in this area.
    Comment: A few commenters requested elimination of the waiver
element at Sec. 164.512(i)(2)(ii)(A)(2) that would require the IRB or
Privacy Board to determine that ``there is an adequate plan to destroy
identifiers at the earliest opportunity consistent with the conduct of
the research, unless there is a health or research justification for
their retention or such retention is required by law.'' These
commenters argued that this requirement may lead to premature
destruction of the data, which may hinder investigations of defective
data analysis or research misconduct.
    Response: The waiver element at Sec. 164.512(i)(2)(ii)(A)(2)
accounts for these concerns by permitting the retention of identifiers
if there is a health or research justification, or if such retention is
required by law. It is expected that IRBs and Privacy Boards will
consider the need for continued analysis of the data, research, and
possible investigations of research misconduct when considering whether
this waiver element has been met. In addition, destroying identifiers
at the earliest opportunity helps to ensure that the use or disclosure
of protected health information will indeed pose no more than ``minimal
risk to the privacy of individuals.'' Requiring the researcher to
justify the need to retain patient identifiers provides needed
flexibility for research, while maintaining the goal of protecting
individuals' privacy interests. If additional issues arise after
implementation, the Department can most appropriately address them
through guidance.
    Comment: Commenters also requested clarification of the proposed
waiver element at Sec. 164.512(i)(2)(ii)(A)(3), that will require an
IRB or Privacy Board to determine that there are ``adequate written
assurances that the protected health information would not be reused or
disclosed to any other person or entity, except as required by law, for
authorized oversight of the research project, or for other research for
which the use or disclosure of protected health information would be
permitted by this subpart.'' Specifically, the commenters' concern
centered on what effect this criterion could have on retrospective
studies involving data re-analysis.
    Response: The Department clarifies that the Privacy Rule permits
the use or disclosure of protected health information for retrospective
research studies involving data re-analysis only if such use or
disclosure is made either with patient authorization or a waiver of
patient authorization as permitted by Sec. 164.508 or Sec. 164.512(i),
respectively. If issues develop in the course of implementation, the
Department intends to provide the guidance necessary to address these
questions.
    Comment: A few commenters suggested clarifying that recruitment for
clinical trials by a covered entity using protected health information
in the covered entity's possession is a health care operation function,
not a marketing function. These commenters argued that a partial IRB or
Privacy Board waiver of authorization for recruitment purposes would be
too burdensome for the covered entity, and would prevent covered health
care providers from communicating with their patients about the
availability of clinical trials.
    Response: Research recruitment is neither a marketing nor a health
care operations activity. Under the Rule, a covered entity is permitted
to disclose protected health information to the individual who is the
subject of the information, regardless of the purpose of the
disclosure. See Sec. 164.502(a)(1)(i). Therefore, covered health care
providers and patients may continue to discuss the option of enrolling
in a clinical trial without patient authorization, and

[[Page 53231]]

without an IRB or Privacy Board waiver of patient authorization.
However, where a covered entity wants to disclose an individual's
information to a third party for purposes of recruitment in a research
study, the covered entity first must obtain either authorization from
that individual as required at Sec. 164.508, or a waiver of
authorization as permitted at Sec. 164.512(i).
    Comment: It was suggested that the Rule should permit covered
health care providers to obtain an authorization allowing the use of
protected health information for recruitment into clinical trials
without specifying the person to whom the information would be
disclosed and the exact information to be disclosed, but retaining the
authorization requirements of specified duration and purpose, and
adding a requirement for the minimum necessary use or disclosure.
    Response: The Department understands that the Privacy Rule will
alter some research recruitment but disagrees with the commenter's
proposal to permit broad authorizations for recruitment into clinical
trials. The Department decided not to adopt this suggestion because
such a blanket authorization would not provide individuals with
sufficient information to make an informed choice about whether to sign
the authorization. In addition, adopting this change also would be
inconsistent with the Department's decision to eliminate the distinction
in the Rule between research that includes treatment and research that
does not.
    Comment: It was suggested that the Department exempt from the
Privacy Rule research that is already covered by the Common Rule and/or
FDA's human subject protection regulations. Commenters stated that this
would reduce the burden of complying with the Rule for covered entities
and researchers already governed by human subject protection
regulations, while requiring those not previously subject to compliance
with human subject protection regulations to protect individuals'
privacy.
    Response: Many who commented on the December 2000 Privacy Rule
argued for this option as well. The Department had previously
considered, but chose not to adopt, this approach. Since the Common
Rule and the FDA's human subject protection regulations contain only
two requirements that specifically address confidentiality protections,
the Privacy Rule will strengthen existing human subject privacy
protections for research. More importantly, the Privacy Rule creates
equal standards of privacy protection for research governed by the
existing regulations and research that is not.
    Comment: It was argued that the waiver provision should be
eliminated. The commenter argued that IRBs or Privacy Boards should not
have the right to waive a person's privacy rights, and that individuals
should have the right to authorize all uses and disclosures of
protected health information about themselves.
    Response: The Department disagrees that safeguarding individuals'
privacy interests requires that individuals be permitted to authorize
all uses and disclosures of protected health information about
themselves. In developing the Privacy Rule, the Department carefully
weighed individuals' privacy interests with the need for identifiable
health information for certain public policy and national priority
purposes. The Department believes that the Privacy Rule reflects an
appropriate balance. For example, the Rule appropriately allows for the
reporting of information necessary to ensure public health, such as
information about a contagious disease that may be indicative of a
bioterrorism event, without individual authorization. With respect to
research, the Department strongly believes that continued improvements
in our nation's health require that researchers be permitted access to
protected health information without individual authorization in
certain limited circumstances. However, we do believe that researchers'
ability to use protected health information without a patient's
authorization is a privilege that requires strong confidentiality
protections to ensure that the information is not misused. The
Department believes that the safeguards required by the final Rule
achieve the appropriate balance between protecting individuals' privacy
interests, while permitting researchers to access protected health
information for important, and potentially life-saving, studies.
    Comment: A few commenters stated that, if the Rule permits covered
entities to release protected health information to sponsor-initiated
registries related to quality, safety, or effectiveness of FDA-
regulated products, then this permission should apply to academic
institutes and non-profit organizations as well. Otherwise, the
commenters argued, the Rule establishes a double standard for research
registries created by FDA-regulated entities versus registries created
by academic or non-profit sponsored entities.
    Response: The provisions under Sec. 164.512(b)(1)(iii) are intended
to allow the disclosure of information to FDA-regulated entities for the
limited purpose of conducting public health activities to ensure the
quality, safety, or effectiveness of FDA-regulated products, including
drugs, medical devices, biological products, and food. Thus, the
Department does not believe a modification to the research provisions
is appropriate. The Privacy Rule permits covered entities to disclose
protected health information to a registry for research purposes,
including those sponsored by academic and non-profit organizations, if
such disclosure: is required by law under Sec. 164.512(a), is made
pursuant to an IRB or Privacy Board waiver of authorization under
Sec. 164.512(i), is made pursuant to the individual's authorization as
provided by Sec. 164.508, or consists only of a limited data set as
provided by Sec. 164.514(e).
    Comment: It was suggested that the Department modify the Rule's
definition of ``research'' or the provision for preparatory research to
explicitly permit the building and maintenance of research databases
and repositories. The commenter further asserted that, under the Common
Rule, ``research'' signifies an actual research protocol, and would not
include a data or tissue compilation that is undertaken to facilitate
future protocols. Therefore, since the Privacy Rule and the Common Rule
have the same definition of ``research,'' this commenter was concerned
that the Privacy Rule would not permit a pre-research practice in which
a covered entity compiles protected health information in a systematic
way to either assist researchers in their reviews that are preparatory
to research, or to conduct future research.
    Response: The Department does not believe such a modification is
necessary. Under the Common Rule, the Office for Human Research
Protections (OHRP) has interpreted the definition of ``research'' to
include the development of a repository or database for future research
purposes. In fact, OHRP has issued guidance on this issue, which can be
found at the following URL:
http://ohrp.osophs.dhhs.gov/humansubjects/guidance/reposit.htm. The
Department interprets the definition of
``research'' in the Privacy Rule to be consistent with what is
considered research under the Common Rule. Thus, the development of
research repositories and databases for future research are considered
research for the purposes of the Privacy Rule.
    Comment: A commenter suggested eliminating the minimum necessary
requirement for uses and disclosures made pursuant to a waiver of
authorization by an IRB or Privacy

[[Page 53232]]

Board. The commenter argued that this proposal would lessen covered
entities' concern that they would be held responsible for an IRB or
Privacy Board's inappropriate determination and would, thus, increase
the likelihood that covered entities would rely on the requesting
researcher's IRB or Privacy Board documentation that patient
authorization could be waived as permitted at Sec. 164.512(i). This
commenter further argued that this proposal would discourage covered
entities from imposing duplicate review by the covered entities' own
IRB or Privacy Board, thereby decreasing burden for covered entities,
researchers, IRBs, and Privacy Boards.
    Response: Although the Secretary acknowledges the concern of these
commenters, the Rule at Sec. 164.514(d)(3)(iii)(D) already permits
covered entities to reasonably rely on documentation from an external
IRB or Privacy Board as meeting the minimum necessary requirement,
provided the documentation complies with the applicable requirements of
Sec. 164.512(i). The Department understands that covered entities may
elect to require duplicate IRB or Privacy Board reviews before
disclosing protected health information to requesting researchers, but
has determined that eliminating the minimum necessary requirement would
pose inappropriate and unnecessary risk to individuals' privacy. For
example, if the covered entity has knowledge that the documentation of
IRB or Privacy Board approval was fraudulent with respect to the
protected health information needed for a research study, the covered
entity should not be permitted to rely on the IRB or Privacy Board's
documentation as fulfilling the minimum necessary requirement.
Therefore, in the revised Final Rule, the Department has retained the
minimum necessary requirement for research uses and disclosures made
pursuant to Sec. 164.512(i).

G. Section 164.514--Other Requirements Relating to Uses and Disclosures
of Protected Health Information

1. De-Identification of Protected Health Information
    December 2000 Privacy Rule. At Sec. 164.514(a)-(c), the Privacy
Rule permits a covered entity to de-identify protected health
information so that such information may be used and disclosed freely,
without being subject to the Privacy Rule's protections. Health
information is de-identified, or not individually identifiable, under
the Privacy Rule, if it does not identify an individual and if the
covered entity has no reasonable basis to believe that the information
can be used to identify an individual. In order to meet this standard,
the Privacy Rule provides two alternative methods for covered entities
to de-identify protected health information.
    First, a covered entity may demonstrate that it has met the
standard if a person with appropriate knowledge and experience applying
generally acceptable statistical and scientific principles and methods
for rendering information not individually identifiable makes and
documents a determination that there is a very small risk that the
information could be used by others to identify a subject of the
information. The preamble to the Privacy Rule refers to two government
reports that provide guidance for applying these principles and
methods, including describing types of techniques intended to reduce
the risk of disclosure that should be considered by a professional when
de-identifying health information. These techniques include removing
all direct identifiers, reducing the number of variables on which a
match might be made, and limiting the distribution of records through a
``data use agreement'' or ``restricted access agreement'' in which the
recipient agrees to limits on who can use or receive the data.
    Alternatively, covered entities may choose to use the Privacy
Rule's safe harbor method for de-identification. Under the safe harbor
method, covered entities must remove all of a list of 18 enumerated
identifiers and have no actual knowledge that the information remaining
could be used, alone or in combination, to identify a subject of the
information. The identifiers that must be removed include direct
identifiers, such as name, street address, social security number, as
well as other identifiers, such as birth date, admission and discharge
dates, and five-digit zip code. The safe harbor requires removal of
geographic subdivisions smaller than a State, except for the initial
three digits of a zip code if the geographic unit formed by combining
all zip codes with the same initial three digits contains more than
20,000 people. In addition, age, if less than 90, gender, ethnicity,
and other demographic information not listed may remain in the
information. The safe harbor is intended to provide covered entities
with a simple, definitive method that does not require much judgment by
the covered entity to determine if the information is adequately de-
identified.
    The Privacy Rule also allows for the covered entity to assign a
code or other means of record identification to allow de-identified
information to be re-identified by the covered entity, if the code is
not derived from, or related to, information about the subject of the
information. For example, the code cannot be a derivation of the
individual's social security number, nor can it be otherwise capable of
being translated so as to identify the individual. The covered entity
also may not use or disclose the code for any other purpose, and may
not disclose the mechanism (e.g., algorithm or other tool) for re-
identification.
    The Department is cognizant of the increasing capabilities and
sophistication of electronic data matching used to link data elements
from various sources and from which, therefore, individuals may be
identified. Given this increasing risk to individuals' privacy, the
Department included in the Privacy Rule the above stringent standards
for determining when information may flow unprotected. The Department
also wanted the standards to be flexible enough so the Privacy Rule
would not be a disincentive for covered entities to use or disclose de-
identified information wherever possible. The Privacy Rule, therefore,
strives to balance the need to protect individuals' identities with the
need to allow de-identified databases to be useful.
    March 2002 NPRM. The Department heard a number of concerns
regarding the de-identification standard in the Privacy Rule. These
concerns generally were raised in the context of using and disclosing
information for research, public health purposes, or for certain health
care operations. In particular, concerns were expressed that the safe
harbor method for de-identifying protected health information was so
stringent that it required removal of many of the data elements that
were essential to analyses for research and these other purposes. The
comments, however, demonstrated little consensus as to which data
elements were needed for such analyses and were largely silent
regarding the feasibility of using the Privacy Rule's alternative
statistical method to de-identify information.
    Based on the comments received, the Department was not convinced of
the need to modify the safe harbor standard for de-identified
information. However, the Department was aware that a number of
entities were confused by potentially conflicting provisions within the
de-identification standard. These entities argued that, on the one
hand, the Privacy Rule treats information as de-identified if all
listed identifiers on the information are stripped, including

[[Page 53233]]

any unique, identifying number, characteristic, or code. Yet, the
Privacy Rule permits a covered entity to assign a code or other record
identification to the information so that it may be re-identified by
the covered entity at some later date.
    The Department did not intend such a re-identification code to be
considered one of the unique, identifying numbers or codes that
prevented the information from being de-identified. Therefore, the
Department proposed a technical modification to the safe harbor
provisions explicitly to except the re-identification code or other
means of record identification permitted by Sec. 164.514(c) from the
listed identifiers (Sec. 164.514(b)(2)(i)(R)).
    Overview of Public Comments. The following provides an overview of
the public comment received on this proposal. Additional comments
received on this issue are discussed below in the section entitled,
``Response to Other Public Comments.''
    All commenters on our clarification of the safe harbor re-
identification code not being an enumerated identifier supported our
proposed regulatory clarification.
    Final Modifications. Based on the Department's intent that the re-
identification code not be considered one of the enumerated identifiers
that must be excluded under the safe harbor for de-identification, and
the public comment supporting this clarification, the Department adopts
the provision as proposed. The re-identification code or other means of
record identification permitted by Sec. 164.514(c) is expressly
excepted from the listed safe harbor identifiers at
Sec. 164.514(b)(2)(i)(R).

Response to Other Public Comments

    Comment: One commenter asked if data can be linked inside the
covered entity and a dummy identifier substituted for the actual
identifier when the data is disclosed to the external researcher, with
control of the dummy identifier remaining with the covered entity.
    Response: The Privacy Rule does not restrict linkage of protected
health information inside a covered entity. The model that the
commenter describes for the dummy identifier is consistent with the re-
identification code allowed under the Rule's safe harbor so long as the
covered entity does not generate the dummy identifier using any
individually identifiable information. For example, the dummy
identifier cannot be derived from the individual's social security
number, birth date, or hospital record number.
    Comment: Several commenters who supported the creation of de-
identified data for research based on removal of facial identifiers
asked if a keyed-hash message authentication code (HMAC) can be used as
a re-identification code even though it is derived from patient
information, because it is not intended to re-identify the patient and
it is not possible to identify the patient from the code. The
commenters stated that use of the keyed-hash message authentication
code would be valuable for research, public health and bio-terrorism
detection purposes where there is a need to link clinical events on the
same person occurring in different health care settings (e.g. to avoid
double counting of cases or to observe long-term outcomes).
    These commenters referenced Federal Information Processing Standard
(FIPS) 198: ``The Keyed-Hash Message Authentication Code.'' This
standard describes a keyed-hash message authentication code (HMAC) as a
mechanism for message authentication using cryptographic hash
functions. The HMAC can be used with any iterative approved
cryptographic hash function, in combination with a shared secret key. A
hash function is an approved mathematical function that maps a string
of arbitrary length (up to a pre-determined maximum size) to a fixed
length string. It may be used to produce a checksum, called a hash
value or message digest, for a potentially long string or message.
    According to the commenters, the HMAC can only be breached when the
key and the identifier from which the HMAC is derived and the de-
identified information attached to this code are known to the public.
It is common practice that the key is limited in time and scope (e.g.
only for the purpose of a single research query) and that data not be
accumulated with such codes (with the code needed for joining records
being discarded after the de-identified data has been joined).
    Response: The HMAC does not meet the conditions for use as a re-
identification code for de-identified information. It is derived from
individually identified information and it appears the key is shared
with or provided by the recipient of the data in order for that
recipient to be able to link information about the individual from
multiple entities or over time. Since the HMAC allows identification of
individuals by the recipient, disclosure of the HMAC violates the Rule.
It is not solely the public's access to the key that matters for these
purposes; the covered entity may not share the key to the re-
identification code with anyone, including the recipient of the data,
regardless of whether the intent is to facilitate re-identification or
not.
    The HMAC methodology, however, may be used in the context of the
limited data set, discussed below. The limited data set contains
individually identifiable health information and is not a de-identified
data set. Creation of a limited data set for research with a data use
agreement, as specified in Sec. 164.514(e), would not preclude
inclusion of the keyed-hash message authentication code in the limited
data set. The Department encourages inclusion of the additional
safeguards mentioned by the commenters as part of the data use
agreement whenever the HMAC is used.
    Comment: One commenter requested that HHS update the safe harbor
de-identification standard with prohibited 3-digit zip codes based on
2000 Census data.
    Response: The Department stated in the preamble to the December
2000 Privacy Rule that it would monitor such data and the associated
re-identification risks and adjust the safe harbor as necessary.
Accordingly, the Department provides such updated information in
response to the above comment. The Department notes that these three-
digit zip codes are based on the five-digit Zip Code Tabulation Areas
(ZCTAs) created by the Census Bureau for the 2000 Census. This new methodology
also is briefly described below, as it will likely be of interest to
all users of data tabulated by zip code.
    The Census Bureau will not be producing data files containing U.S.
Postal Service zip codes either as part of the Census 2000 product
series or as a post Census 2000 product. However, due to the public's
interest in having statistics tabulated by zip code, the Census Bureau
has created a new statistical area called the Zip Code Tabulation Area
(ZCTA) for Census 2000. The ZCTAs were designed to overcome the
operational difficulties of creating a well-defined zip code area by
using Census blocks (and the addresses found in them) as the basis for
the ZCTAs. In the past, there has been no correlation between zip codes
and Census Bureau geography. Zip codes can cross State, place, county,
census tract, block group and census block boundaries. The geographic
entities the Census Bureau uses to tabulate data are relatively stable
over time. For instance, census tracts are only defined every ten
years. In contrast, zip codes can change more frequently. Because of
the ill-defined nature of zip code boundaries, the Census Bureau has no
file (crosswalk) showing the relationship
between US Census Bureau geography and US Postal Service zip codes.
    ZCTAs are generalized area representations of U.S. Postal Service
(USPS) zip code service areas. Simply put, each one is built by
aggregating the Census 2000 blocks, whose addresses use a given zip
code, into a ZCTA which gets that zip code assigned as its ZCTA code.
They represent the majority USPS five-digit zip code found in a given
area. For those areas where it is difficult to determine the prevailing
five-digit zip code, the higher-level three-digit zip code is used for
the ZCTA code. For further information, go to:
http://www.census.gov/geo/www/gazetteer/places2k.html.
    Utilizing 2000 Census data, the following three-digit ZCTAs have a
population of 20,000 or fewer persons. To produce a de-identified data
set utilizing the safe harbor method, all records with three-digit zip
codes corresponding to these three-digit ZCTAs must have the zip code
changed to 000. The 17 restricted zip codes are: 036, 059, 063, 102,
203, 556, 692, 790, 821, 823, 830, 831, 878, 879, 884, 890, and 893.
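As an added illustration (not code from the rule or the Department), the following Python applies the two safe harbor points discussed above: the three-digit zip truncation with the 17 restricted ZCTAs mapped to 000, and the contrast between the commenters' HMAC proposal, which anyone holding the key can recompute from the patient identifier, and a Sec. 164.514(c)-style re-identification code that is random, unrelated to any identifier, and mapped back only by the covered entity. Field names, the sample record and the demonstration key are assumptions.

```python
import hmac
import hashlib
import secrets
from typing import Dict, Optional

# Three-digit ZCTAs with a population of 20,000 or fewer (2000 Census),
# as listed in the preamble; records carrying these prefixes get zip "000".
RESTRICTED_ZIP3 = frozenset({
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
})


def safe_harbor_zip(zip_code: str) -> str:
    """Reduce a USPS zip (5-digit or ZIP+4) to its safe harbor form: the
    initial three digits, or "000" for a restricted three-digit ZCTA.
    Malformed input is mapped to "000" rather than passed through."""
    digits = zip_code.strip().split("-")[0]
    if len(digits) != 5 or not digits.isdigit():
        return "000"
    zip3 = digits[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def hmac_code(key: bytes, identifier: str) -> str:
    """The commenters' proposal: a FIPS 198 keyed hash of a patient
    identifier. It is deterministic, so whoever holds the key can
    recompute it from the identifier."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def key_holder_can_confirm(key: bytes, code: str, candidate: str) -> bool:
    """Why the Department rejected the HMAC as a re-identification code:
    a recipient holding the key can test a candidate SSN or record
    number against the code and thereby identify the individual."""
    return hmac.compare_digest(code, hmac_code(key, candidate))


class ReidentificationCodebook:
    """A permitted re-identification code: random, derived from no
    individually identifiable information, with the mapping retained
    by the covered entity and never disclosed to the data recipient."""

    def __init__(self) -> None:
        self._code_to_record: Dict[str, str] = {}
        self._record_to_code: Dict[str, str] = {}

    def assign(self, record_id: str) -> str:
        if record_id in self._record_to_code:
            return self._record_to_code[record_id]
        code = secrets.token_hex(16)  # unrelated to SSN, birth date, MRN
        self._code_to_record[code] = record_id
        self._record_to_code[record_id] = code
        return code

    def lookup(self, code: str) -> Optional[str]:
        """Only the covered entity, which keeps this object, can map back."""
        return self._code_to_record.get(code)


def deidentify_safe_harbor(record: dict, codebook: ReidentificationCodebook) -> dict:
    """Constructed record -> safe harbor output for the elements discussed
    above: the record number is replaced by a codebook entry and the zip
    is truncated; other safe harbor identifiers are out of scope here."""
    return {
        "reid_code": codebook.assign(record["mrn"]),
        "zip": safe_harbor_zip(record["zip"]),
        "diagnosis": record["diagnosis"],
    }


if __name__ == "__main__":
    # Constructed sample; the key is a demonstration value only.
    key = b"demo-shared-key"
    code = hmac_code(key, "123-45-6789")
    print("key holder confirms SSN:", key_holder_can_confirm(key, code, "123-45-6789"))
    book = ReidentificationCodebook()
    print(deidentify_safe_harbor({"mrn": "MRN-1", "zip": "03601-0001", "diagnosis": "J18"}, book))
```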

2. Limited Data Sets
    March 2002 NPRM. As noted above, the Department heard many concerns
that the de-identification standard in the Privacy Rule could curtail
important research, public health, and health care operations
activities. Specific concerns were raised by State hospital
associations regarding their current role in using patient information
from area hospitals to conduct and disseminate analyses that are useful
for hospitals in making decisions about quality and efficiency
improvements. Similarly, researchers raised concerns that the
impracticality of using de-identified data would significantly increase
the workload of IRBs because waivers of individual authorization would
need to be sought more frequently for research studies even though no
direct identifiers were needed for the studies. Many of these
activities and studies were also being pursued for public health
purposes. Some commenters urged the Department to permit covered
entities to disclose protected health information for research if the
protected health information is facially de-identified, that is,
stripped of direct identifiers, so long as the research entity provides
assurances that it will not use or disclose the information for
purposes other than research and will not identify or contact the
individuals who are the subjects of the information.
    In response to these concerns, the Department, in the NPRM,
requested comments on an alternative approach that would permit uses
and disclosures of a limited data set which would not include direct
identifiers but in which certain potentially identifying information
would remain. The Department proposed limiting the use or disclosure of
any such limited data set to research, public health, and health care
operations purposes only.
    From the de-identification safe harbor list of identifiers, we
proposed the following as direct identifiers that would have to be
removed from any limited data set: name, street address, telephone and
fax numbers, e-mail address, social security number, certificate/
license number, vehicle identifiers and serial numbers, URLs and IP
addresses, and full face photos and any other comparable images. The
proposed limited data set could include the following identifiable
information: admission, discharge, and service dates; date of death;
age (including age 90 or over); and five-digit zip code.
    The Department solicited comment on whether one or more other
geographic units smaller than State, such as city, county, precinct,
neighborhood or other unit, would be needed in addition to, or be
preferable to, the five-digit zip code. In addition, to address
concerns raised by commenters regarding access to birth date for
research or other studies relating to young children or infants, the
Department clarified that the Privacy Rule de-identification safe
harbor allows disclosure of the age of an individual, including age
expressed in months, days, or hours. Given that the limited data set
could include all ages, including age in months, days, or hours (if
preferable), the Department requested comment on whether date of birth
would be needed and, if so, whether the entire date would be needed, or
just the month and year.
    In addition, to further protect privacy, the Department proposed to
condition the disclosure of the limited data set on covered entities
obtaining from the recipients a data use or similar agreement, in which
the recipient would agree to limit the use of the limited data set to
the purposes specified in the Privacy Rule, to limit who can use or
receive the data, and agree not to re-identify the data or contact the
individuals.
    Overview of Public Comments. The following discussion provides an
overview of the public comment received on this proposal. Additional
comments received on this issue are discussed below in the section
entitled, ``Response to Other Public Comments.''
    Almost all those who commented on this issue supported the basic
premise of the limited data set for research, public health, and health
care operations. Many of these commenters used the opportunity to
reiterate their opposition to the safe harbor and statistical de-
identification methods, and some misinterpreted the limited data set
proposal as creating another safe-harbor form of de-identified data. In
general, commenters agreed with the list of direct identifiers proposed
in the preamble of the NPRM; some recommended changes. The requirement
of a data use agreement was similarly widely supported, although a few
commenters viewed it as unnecessary and others offered additional terms
which they argued would make the data use agreement more effective.
Others questioned the enforceability of the data use agreements.
    A few commenters argued that the limited data set would present a
significant risk of identification of individuals because of the
increased ability to use the other demographic variables (e.g., race,
gender) in such data sets to link to other publicly available data.
Some of these commenters also argued that the development of computer-
based solutions to support the statistical method of de-identification
is advancing rapidly and can support, in some cases better than the
limited data set, many of the needs for research, public health and
health care operations. These commenters asserted that authorization of
the limited data set approach would undermine incentives to further
develop statistical techniques for de-identification that may be more
protective of privacy.
    Most commenters who supported the limited data set concept favored
including the five-digit zip code, but also wanted other geographic
units smaller than a State to be included in the limited data set.
Examples of other geographic units that commenters argued are needed
for research, public health or health care operational purposes were
county, city, full zip code, census tract, and neighborhood. Various
analytical needs were cited to support these positions, such as
tracking the occurrence of a particular disease to the neighborhood
level or using county level data for a needs assessment of physician
specialties. A few commenters opposed inclusion of the 5-digit zip code
in the limited data set, recommending that the current Rule, which
requires data aggregation at the 3-digit zip code level, remain the
standard.
    Similarly, the majority of commenters addressing the issue
supported inclusion of the full birth date in the
limited data set. These commenters asserted that the full birth date
was needed for longitudinal studies, and similar research, to assure
accuracy of data. Others stated that while they preferred access to the
full birth date, their data needs would be satisfied by inclusion of at
least the month and year of birth in the limited data set. A number of
commenters also opposed inclusion of the date of birth in the limited
data as unduly increasing the risk of identification of individuals.
    Final Modifications. In view of the support in the public comments
for the concept of a limited data set, the Department determines that
adoption of standards for the use and disclosure of protected health
information for this purpose is warranted. Therefore, the Department
adds at Sec. 164.514(e) a new standard and implementation
specifications for a limited data set for research, public health, or
health care operations purposes if the covered entity (1) uses or
discloses only a ``limited data set'' as defined at Sec. 164.514(e)(2),
and (2) obtains from the recipient of the limited data set a ``data use
agreement'' as defined at Sec. 164.514(e)(4). In addition, the
Department adds to the permissible uses and disclosures in
Sec. 164.502(a) express reference to the limited data set standards.
    The implementation specifications do not delineate the data that
can be released through a limited data set. Rather, the Rule specifies
the direct identifiers that must be removed for a data set to qualify
as a limited data set. As with the de-identification safe harbor
provisions, the direct identifiers listed apply to protected health
information about the individual or about relatives, employers, or
household members of the individual. The direct identifiers include all
of the facial identifiers proposed in the preamble to the NPRM: (1)
Name; (2) street address (renamed postal address information, other
than city, State and zip code); (3) telephone and fax numbers; (4) e-
mail address; (5) social security number; (6) certificate/license
numbers; (7) vehicle identifiers and serial numbers; (8) URLs and IP
addresses; and (9) full face photos and any other comparable images.
The public comment generally supported the removal of this facially
identifying information.
    In addition to these direct identifiers, the Department designates
the following information as direct identifiers that must be removed
before protected health information will be considered a limited data
set: (1) Medical record numbers, health plan beneficiary numbers, and
other account numbers; (2) device identifiers and serial numbers; and
(3) biometric identifiers, including finger and voice prints. Only a
few commenters specifically stated a need for some or all of these
identifiers as part of the limited data set. For example, one commenter
wanted an (encrypted) medical record number to be included in the
limited data set to support disease management planning and program
development to meet community needs and quality management. Another
commenter wanted the health plan beneficiary number included in the
limited data set to permit researchers to ensure that results
indicating sex, gender or ethnic differences were not influenced by the
participant's health plan. And a few commenters wanted device
identifiers and serial numbers included in the limited data set, to
facilitate product recalls and patient safety initiatives. However, the
Department has not been persuaded that the need for these identifiers
outweighs the potential privacy risks to the individual by their
release as part of a limited data set, particularly when the Rule makes
other avenues available for the release of information that may
directly identify an individual.
    The Department does not include in the list of direct identifiers
the ``catch-all'' category from the de-identification safe harbor of
``any other unique identifying number, characteristic or code.'' While
this requirement is essential to assure that the de-identification safe
harbor does in fact produce a de-identified data set, it is difficult
to define in advance in the context of a limited data set. Since our
goal in establishing a limited data set is not to create de-identified
information and since the data use agreement constrains further
disclosure of the information, we determined that it would only add
complexity to implementation of the limited data set with little added
protection.
    In response to wide public support, the Department does not
designate as a direct identifier any dates related to the individual or
any geographic subdivision other than street address. Therefore, as
part of a limited data set, researchers and others involved in public
health studies will have access to dates of admission and discharge, as
well as dates of birth and death for the individual. We agree with
commenters who asserted that birth date is critical for certain
research, such as longitudinal studies where there is a need to track
individuals across time and for certain infant-related research. Rather
than adding complexity to the Rule by trying to carve out an exception
for these specific situations, and other justifiable uses, we rely on
the minimum necessary requirement to keep the Rule simple while
avoiding abuse. Birth date should only be disclosed where the
researcher and covered entity agree that it is needed for the purpose
of the research. Further, even though birth date may be included with a
limited data set, the Department clarifies, as it did in the preamble
to the proposed rulemaking, that the Privacy Rule allows the age of an
individual to be expressed in years or in months, days, or hours as
appropriate.
    Moreover, the limited data set may include the five-digit zip code
or any other geographic subdivision, such as State, county, city,
precinct and their equivalent geocodes, except for street address. We
substitute for street address the term ``postal address information,
other than city, State and zip code'' in order to make clear that
individual elements of postal address such as street name by itself are
also direct identifiers. Commenters identified a variety of needs for
various geographical codes (county, city, neighborhood, census tract,
precinct) to support a range of essential research, public health and
health care operations activities. Some of the examples provided
included the need to analyze local geographic variations in disease
burdens or in the provision of health services, conducting research
looking at pathogens or patterns of health risks which may need to
compare areas within a single zip code, or studies to examine data by
county or neighborhood when looking for external causes of disease, as
would be the case for illnesses and diseases such as bladder cancer
that may have environmental links. The Department agrees with these
commenters that a variety of geographical designations other than five-
digit zip code are needed to permit useful and significant studies and
other research to go forward unimpeded. So long as an appropriate data
use agreement is in place, the Department does not believe that there
is any greater privacy risk in including in the limited data set such
geographic codes than in releasing the five-digit zip code.
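The following Python is an added example, not part of the rule or of any HHS tooling, of turning a record into a limited data set as described above: the listed direct identifiers are removed at every nesting level (so that sub-records about relatives, employers and household members are covered too), postal address information other than city, State and zip is dropped, and dates, age and sub-State geography are retained. The field names and the sample record are assumptions.

```python
from typing import Any, Dict, List

# The direct identifiers of Sec. 164.514(e), as field names assumed for
# this constructed record layout (the categories are the preamble's).
DIRECT_IDENTIFIER_FIELDS = frozenset({
    "name", "phone", "fax", "email", "ssn", "license_number",
    "vehicle_id", "url", "ip_address", "photo", "mrn",
    "health_plan_id", "account_number", "device_serial", "biometric",
})

# Address elements that may stay; any other postal address information
# (street, unit, PO box, ...) is a direct identifier.
PERMITTED_ADDRESS_FIELDS = frozenset({"city", "state", "zip"})


def to_limited_data_set(value: Any, in_address: bool = False) -> Any:
    """Recursively strip direct identifiers. The walk descends into every
    nested dict and list, so identifiers of relatives, employers and
    household members are removed as well; dates, age and geography
    such as county or census tract are untouched."""
    if isinstance(value, list):
        return [to_limited_data_set(v, in_address) for v in value]
    if not isinstance(value, dict):
        return value
    out: Dict[str, Any] = {}
    for key, v in value.items():
        if in_address:
            if key in PERMITTED_ADDRESS_FIELDS:
                out[key] = v
            continue
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue
        out[key] = to_limited_data_set(v, in_address=(key == "address"))
    return out


def violations(value: Any, path: str = "") -> List[str]:
    """Pre-disclosure check: paths of any direct identifier still present
    at any depth, including disallowed postal address elements."""
    found: List[str] = []
    if isinstance(value, list):
        for i, v in enumerate(value):
            found += violations(v, f"{path}[{i}]")
    elif isinstance(value, dict):
        for key, v in value.items():
            p = f"{path}.{key}" if path else key
            if key in DIRECT_IDENTIFIER_FIELDS:
                found.append(p)
            elif key == "address" and isinstance(v, dict):
                found += [f"{p}.{k}" for k in v if k not in PERMITTED_ADDRESS_FIELDS]
            else:
                found += violations(v, p)
    return found


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Q. Sample",
    "mrn": "MRN-0001",
    "birth_date": "1990-04-12",
    "admission_date": "2002-06-01",
    "discharge_date": "2002-06-04",
    "county": "Sangamon",
    "address": {"street": "1 Example St", "city": "Springfield",
                "state": "IL", "zip": "62701"},
    "employer": {"name": "Example Corp", "phone": "555-0100", "county": "Sangamon"},
    "household": [{"name": "John Sample", "relation": "spouse", "age": 34}],
}

if __name__ == "__main__":
    print("before:", violations(SAMPLE_RECORD))
    limited = to_limited_data_set(SAMPLE_RECORD)
    print("after:", violations(limited), limited)
```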
    Finally, the implementation specifications adopted at
Sec. 164.514(e) require a data use agreement between the covered entity
and the recipient of the limited data set. The need for a data use
agreement and the core elements of such an agreement were widely
supported in the public comment.
    In the NPRM, we asked whether additional conditions should be added
to the data use agreement. In response, a few commenters made specific
suggestions. These included prohibiting further disclosure of the
limited data set except as required by law, prohibiting further
disclosure without the written consent of the covered entity, requiring
that the recipient safeguard the information received in the limited
data set, prohibiting further disclosure unless the data has been de-
identified utilizing the statistical or safe harbor methods of the
Privacy Rule, and limiting use of the data to the purpose for which it
was received.
    In response to these comments, in the final Rule we specify that
the covered entity must enter into a data use agreement with the
intended recipient which establishes the permitted uses and disclosures
of such information by the recipient, consistent with the purposes of
research, public health, or health care operations, limits who can use
or receive the data, and requires the recipient to agree not to re-
identify the data or contact the individuals. In addition, the data use
agreement must contain adequate assurances that the recipient use
appropriate safeguards to prevent use or disclosure of the limited data
set other than as permitted by the Rule and the data use agreement, or
as required by law. These adequate assurances are similar to the
existing requirements for business associate agreements.
    Since the data use agreement already requires the recipient to
limit who can use or receive the data, and to prevent uses and
disclosures beyond those stated in the agreement, and since we could
not anticipate all the possible scenarios under which a limited data
set with a data use agreement would be created, the Department
concluded that adding any of the other suggested restrictions would
bring only marginal additional protection while potentially impeding
some of the purposes intended for the limited data set. The Department
believes the provisions of the data use agreement provide a firm
foundation for protection of the information in the limited data set,
but encourages and expects covered entities and data recipients to
further strengthen their agreements to conform to current practices.
    We do not specify the form of the data use agreement. Thus, private
parties might choose to enter into a formal contract, while two
government agencies might use a memorandum of understanding to specify
the terms of the agreement. In the case of a covered entity that wants
to create and use a limited data set for its own research purposes, the
requirements of the data use agreement could be met by having affected
workforce members sign an agreement with the covered entity, comparable
to confidentiality agreements that employees handling sensitive
information frequently sign.
    A few commenters questioned the enforceability of the data use
agreements. The Department clarifies that, if the recipient breaches a
data use agreement, HHS cannot take enforcement action directly against
that recipient unless the recipient is a covered entity. Where the
recipient is a covered entity, the final modifications provide that
such covered entity is in noncompliance with the Rule if it violates a
data use agreement. See Sec. 164.514(e)(4)(iii)(B). Additionally, the
Department clarifies that the disclosing covered entity is not liable
for breaches of the data use agreement by the recipient of the limited
data set. However, similar to business associate agreements, if a
covered entity knows of a pattern of activity or practice of the data
recipient that constitutes a material breach or violation of the data
recipient's obligation under the data use agreement, then it must take
reasonable steps to cure the breach or end the violation, as
applicable, and, if unsuccessful, discontinue disclosure of protected
health information to the recipient and report the problem to the
Secretary. And the recipient is required to report to the covered
entity any improper uses or disclosures of limited data set information
of which it becomes aware. We also clarify that the data use agreement
requirements apply to disclosures of the limited data set to agents and
subcontractors of the original limited data set recipient.
    In sum, we have created the limited data set option because we
believe that this mechanism provides a way to allow important research,
public health and health care operations activities to continue in a
manner consistent with the privacy protections of the Rule. We agree
with those commenters who stated that the limited data set is not de-
identified information, as retention of geographical and date
identifiers measurably increases the risk of identification of the
individual through matching of data with other public (or private) data
sets. However, we believe that the limitations on the specific uses of
the limited data set, coupled with the requirements of the data use
agreement, will provide sufficient protections for privacy and
confidentiality of the data. The December 2000 Privacy Rule preamble on
the statistical method for de-identification discussed the data use
agreement as one of the techniques identified that can be used to
reduce the risk of disclosure. A number of Federal agencies that
distribute data sets for research or other uses routinely employ data
use agreements successfully to protect and otherwise restrict further
use of the information.
    We note that, while disclosures of protected health information for
certain public health purposes are already allowed under
Sec. 164.512(b), the limited data set provision may permit disclosures
for some public health activities not allowed under that section. These
might include disease registries maintained by private organizations or
universities or other types of studies undertaken by the private sector
or non-profit organizations for public health purposes.
    In response to comments, the Department clarifies that, when a
covered entity discloses protected health information in a limited data
set to a researcher who has entered into an appropriate data use
agreement, the covered entity does not also need to have documentation
from an IRB or a Privacy Board that individual authorization has been
waived for the purposes of the research. However, the covered entity
may not disclose any of the direct identifiers listed in
Sec. 164.514(e) without either the individual's authorization or
documentation of an IRB or Privacy Board waiver of that authorization.
    The Department further clarifies that there are other requirements
in the Privacy Rule that apply to disclosure of a limited data set,
just as they do to other disclosures. For example, any use, disclosure,
or request for a limited data set must also adhere to the minimum
necessary requirements of the Rule. The covered entity could accomplish
this by, for example, requiring the data requestor, in the data use
agreement, to specify not only the purposes of the limited data set,
but also the particular data elements, or categories of data elements,
requested. The covered entity may reasonably rely on a requested
disclosure as the minimum necessary, consistent with the provisions of
Sec. 164.514(d)(3)(iii). As an example of the use of the minimum
necessary standard, a covered entity who believes that another covered
entity's request to include date of birth in the limited data set is
not warranted is free to negotiate with the recipient about that
requirement. If the entity requesting a limited data set including date
of birth is not one on whose request a covered entity may reasonably
rely under Sec. 164.514(d)(3)(iii), and the covered entity believes
inclusion of date of birth is not warranted, the covered entity must
either negotiate a reasonably.


Author: Dr. K. Gates