[Federal Register: August 14, 2002 (Volume 67, Number 157)]
[Rules and Regulations]
[Page 53181-53273]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr14au02-32]
[[Page 53181]]
-----------------------------------------------------------------------
Part V
Department of Health and Human Services
-----------------------------------------------------------------------
Office of the Secretary
-----------------------------------------------------------------------
45 CFR Parts 160 and 164
Standards for Privacy of Individually Identifiable Health Information;
Final Rule
[[Page 53182]]
-----------------------------------------------------------------------
DEPARTMENT OF HEALTH AND HUMAN SERVICES
Office of the Secretary
45 CFR Parts 160 and 164
RIN 0991-AB14
Standards for Privacy of Individually Identifiable Health
Information
AGENCY: Office for Civil Rights, HHS.
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: The Department of Health and Human Services (``HHS'' or
``Department'') modifies certain standards in the Rule entitled
``Standards for Privacy of Individually Identifiable Health
Information'' (``Privacy Rule''). The Privacy Rule implements the
privacy requirements of the Administrative Simplification subtitle of
the Health Insurance Portability and Accountability Act of 1996.
The purpose of these modifications is to maintain strong
protections for the privacy of individually identifiable health
information while clarifying certain of the Privacy Rule's provisions,
addressing the unintended negative effects of the Privacy Rule on
health care quality or access to health care, and relieving unintended
administrative burdens created by the Privacy Rule.
DATES: This final rule is effective on October 15, 2002.
FOR FURTHER INFORMATION CONTACT: Felicia Farmer, 1-866-OCR-PRIV
(1-866-627-7748) or TTY 1-866-788-4989.
SUPPLEMENTARY INFORMATION: Availability of copies, and electronic
access.
Copies: To order copies of the Federal Register containing this
document, send your request to: New Orders, Superintendent of
Documents, P.O. Box 371954, Pittsburgh, PA 15250-7954. Specify the date
of the issue requested and enclose a check or money order payable to
the Superintendent of Documents, or enclose your Visa or Master Card
number and expiration date. Credit card orders can also be placed by
calling the order desk at (202) 512-1800 (or toll-free at
1-866-512-1800) or by fax to (202) 512-2250. The cost for each copy is $10.00.
Alternatively, you may view and photocopy the Federal Register document
at most libraries designated as Federal Depository Libraries and at
many other public and academic libraries throughout the country that
receive the Federal Register.
Electronic Access: This document is available electronically at the
HHS Office for Civil Rights (OCR) Privacy Web site at
http://www.hhs.gov/ocr/hipaa/, as well as at the web site of the Government
Printing Office at http://www.access.gpo.gov/su_docs/aces/aces140.html.
I. Background
A. Statutory Background
Congress recognized the importance of protecting the privacy of
health information given the rapid evolution of health information
systems in the Health Insurance Portability and Accountability Act of
1996 (HIPAA), Public Law 104-191, which became law on August 21, 1996.
HIPAA's Administrative Simplification provisions, sections 261 through
264 of the statute, were designed to improve the efficiency and
effectiveness of the health care system by facilitating the electronic
exchange of information with respect to certain financial and
administrative transactions carried out by health plans, health care
clearinghouses, and health care providers who transmit information
electronically in connection with such transactions. To implement these
provisions, the statute directed HHS to adopt a suite of uniform,
national standards for transactions, unique health identifiers, code
sets for the data elements of the transactions, security of health
information, and electronic signature.
At the same time, Congress recognized the challenges to the
confidentiality of health information presented by the increasing
complexity of the health care industry, and by advances in the health
information systems technology and communications. Thus, the
Administrative Simplification provisions of HIPAA authorized the
Secretary to promulgate standards for the privacy of individually
identifiable health information if Congress did not enact health care
privacy legislation by August 21, 1999. HIPAA also required the
Secretary of HHS to provide Congress with recommendations for
legislating to protect the confidentiality of health care information.
The Secretary submitted such recommendations to Congress on September
11, 1997, but Congress did not pass such legislation within its self-
imposed deadline.
With respect to these regulations, HIPAA provided that the
standards, implementation specifications, and requirements established
by the Secretary not supersede any contrary State law that imposes more
stringent privacy protections. Additionally, Congress required that HHS
consult with the National Committee on Vital and Health Statistics, a
Federal advisory committee established pursuant to section 306(k) of
the Public Health Service Act (42 U.S.C. 242k(k)), and the Attorney
General in the development of HIPAA privacy standards.
After a set of HIPAA Administrative Simplification standards is
adopted by the Department, HIPAA provides HHS with authority to modify
the standards as deemed appropriate, but not more frequently than once
every 12 months. However, modifications are permitted during the first
year after adoption of the standards if the changes are necessary to
permit compliance with the standards. HIPAA also provides that
compliance with modifications to standards or implementation
specifications must be accomplished by a date designated by the
Secretary, which may not be earlier than 180 days after the adoption of
the modification.
B. Regulatory and Other Actions to Date
HHS published a proposed Rule setting forth privacy standards for
individually identifiable health information on November 3, 1999 (64 FR
59918). The Department received more than 52,000 public comments in
response to the proposal. After reviewing and considering the public
comments, HHS issued a final Rule (65 FR 82462) on December 28, 2000,
establishing ``Standards for Privacy of Individually Identifiable
Health Information'' (``Privacy Rule'').
In an era where consumers are increasingly concerned about the
privacy of their personal information, the Privacy Rule creates, for
the first time, a floor of national protections for the privacy of
their most sensitive information--health information. Congress has
passed other laws to protect consumers' personal information contained
in bank, credit card, other financial records, and even video rentals.
These health privacy protections are intended to provide consumers with
similar assurances that their health information, including genetic
information, will be properly protected. Under the Privacy Rule, health
plans, health care clearinghouses, and certain health care providers
must guard against misuse of individuals' identifiable health
information and limit the sharing of such information, and consumers
are afforded significant new rights to enable them to understand and
control how their health information is used and disclosed.
After publication of the Privacy Rule, HHS received many inquiries
and unsolicited comments through
telephone calls, e-mails, letters, and other contacts about the impact
and operation of the Privacy Rule on numerous sectors of the health
care industry. Many of these commenters exhibited substantial confusion
and misunderstanding about how the Privacy Rule will operate; others
expressed great concern over the complexity of the Privacy Rule. In
response to these communications and to ensure that the provisions of
the Privacy Rule would protect patients' privacy without creating
unanticipated consequences that might harm patients' access to health
care or quality of health care, the Secretary of HHS opened the Privacy
Rule for additional public comment in March 2001 (66 FR 12738).
After an expedited review of the comments by the Department, the
Secretary decided that it was appropriate for the Privacy Rule to
become effective on April 14, 2001, as scheduled (65 FR 12433). At the
same time, the Secretary directed the Department immediately to begin
the process of developing guidelines on how the Privacy Rule should be
implemented and to clarify the impact of the Privacy Rule on health
care activities. In addition, the Secretary charged the Department with
proposing appropriate changes to the Privacy Rule during the next year
to clarify the requirements and correct potential problems that could
threaten access to, or quality of, health care. The comments received
during the comment period, as well as other communications from the
public and all sectors of the health care industry, including letters,
testimony at public hearings, and meetings requested by these parties,
have helped to inform the Department's efforts to develop proposed
modifications and guidance on the Privacy Rule.
On July 6, 2001, the Department issued its first guidance to answer
common questions and clarify certain of the Privacy Rule's provisions.
In the guidance, the Department also committed to proposing
modifications to the Privacy Rule to address problems arising from
unintended effects of the Privacy Rule on health care delivery and
access. The guidance will soon be updated to reflect the modifications
adopted in this final Rule. The revised guidance will be available on
the HHS Office for Civil Rights (OCR) Privacy Web site at
http://www.hhs.gov/ocr/hipaa/.
In addition, the National Committee for Vital and Health Statistics
(NCVHS), Subcommittee on Privacy and Confidentiality, held public
hearings on the implementation of the Privacy Rule on August 21-23,
2001, and January 24-25, 2002, and provided recommendations to the
Department based on these hearings. The NCVHS serves as the statutory
advisory body to the Secretary of HHS with respect to the development
and implementation of the Rules required by the Administrative
Simplification provisions of HIPAA, including the privacy standards.
Through the hearings, the NCVHS specifically solicited public input on
issues related to certain key standards in the Privacy Rule: consent,
minimum necessary, marketing, fundraising, and research. The resultant
public testimony and subsequent recommendations submitted to the
Department by the NCVHS also served to inform the development of these
proposed modifications.
II. Overview of the March 2002 Notice of Proposed Rulemaking (NPRM)
As described above, through public comments, testimony at public
hearings, meetings at the request of industry and other stakeholders,
as well as other communications, the Department learned of a number of
concerns about the potential unintended effects certain provisions
would have on health care quality and access. On March 27, 2002, in
response to these concerns, and pursuant to HIPAA's provisions for
modifications to the standards, the Department proposed modifications
to the Privacy Rule (67 FR 14776).
The Department proposed to modify the following areas or provisions
of the Privacy Rule: consent; uses and disclosures for treatment,
payment, and health care operations; notice of privacy practices;
minimum necessary uses and disclosures, and oral communications;
business associates; uses and disclosures for marketing; parents as the
personal representatives of unemancipated minors; uses and disclosures
for research purposes; uses and disclosures for which authorizations
are required; and de-identification. In addition to these key areas,
the proposal included changes to other provisions where necessary to
clarify the Privacy Rule. The Department also included in the proposed
Rule a list of technical corrections intended as editorial or
typographical corrections to the Privacy Rule.
The proposed modifications collectively were designed to ensure
that protections for patient privacy are implemented in a manner that
maximizes the effectiveness of such protections while not compromising
either the availability or the quality of medical care. They reflected
a continuing commitment on the part of the Department to strong privacy
protections for medical records and the belief that privacy is most
effectively protected by requirements that are not exceptionally
difficult to implement. The Department welcomed comments and
suggestions for alternative ways effectively to protect patient privacy
without adversely affecting access to, or the quality of, health care.
Given that the compliance date of the Privacy Rule for most covered
entities is April 14, 2003, and the Department's interest in having the
compliance date for these revisions also be no later than April 14,
2003, the Department solicited public comment on the proposed
modifications for only 30 days. As stated above, the proposed
modifications addressed public concerns already communicated to the
Department through a wide variety of sources since publication of the
Privacy Rule in December 2000. For these reasons, the Department
believed that 30 days should be sufficient for the public to state its
views fully to the Department on the proposed modifications to the
Privacy Rule. During the 30-day comment period, the Department received
in excess of 11,400 comments.
III. Section-by-Section Description of Final Modifications and
Response to Comments
A. Section 164.501--Definitions
1. Marketing
December 2000 Privacy Rule
The Privacy Rule defined ``marketing'' at Sec. 164.501 as a
communication about a product or service, a purpose of which is to
encourage recipients of the communication to purchase or use the
product or service, subject to certain limited exceptions. To avoid
interfering with, or unnecessarily burdening communications about,
treatment or about the benefits and services of health plans and health
care providers, the Privacy Rule explicitly excluded two types of
communications from the definition of ``marketing:'' (1) communications
made by a covered entity for the purpose of describing the
participating providers and health plans in a network, or describing
the services offered by a provider or the benefits covered by a health
plan; and (2) communications made by a health care provider as part of
the treatment of a patient and for the purpose of furthering that
treatment, or made by a provider or health plan in the course of
managing an individual's treatment or recommending an alternative
treatment. Thus, a health plan could send its
enrollees a listing of network providers, and a health care provider
could refer a patient to a specialist without either an authorization
under Sec. 164.508 or having to meet the other special requirements in
Sec. 164.514(e) that attach to marketing communications. However, these
communications qualified for the exception to the definition of
``marketing'' only if they were made orally or, if in writing, were
made without remuneration from a third party. For example, it would not
have been marketing for a pharmacy to call a patient about the need to
refill a prescription, even if that refill reminder was subsidized by a
third party; but it would have been marketing for that same, subsidized
refill reminder to be sent to the patient in the mail.
Generally, if a communication was marketing, the Privacy Rule
required the covered entity to obtain the individual's authorization to
use or disclose protected health information to make the communication.
However, the Privacy Rule, at Sec. 164.514(e), permitted the covered
entity to make health-related marketing communications without such
authorization, provided it complied with certain conditions on the
manner in which the communications were made. Specifically, the Privacy
Rule permitted a covered entity to use or disclose protected health
information to communicate to individuals about the health-related
products or services of the covered entity or of a third party, without
first obtaining an authorization for that use or disclosure of
protected health information, if the communication: (1) Identified the
covered entity as the party making the communication; (2) identified,
if applicable, that the covered entity received direct or indirect
remuneration from a third party for making the communication; (3) with
the exception of general circulation materials, contained instructions
describing how the individual could opt-out of receiving future
marketing communications; and (4) where protected health information
was used to target the communication about a product or service to
individuals based on their health status or health condition, explained
why the individual had been targeted and how the product or service
related to the health of the individual.
For certain permissible marketing communications, however, the
Department did not believe these conditions to be practicable.
Therefore, Sec. 164.514(e) also permitted a covered entity to make a
marketing communication that occurred in a face-to-face encounter with
the individual, or that involved products or services of only nominal
value, without meeting the above conditions or requiring an
authorization. These provisions, for example, permitted a covered
entity to provide sample products during a face-to-face communication,
or to distribute calendars, pens, and the like, that displayed the name
of a product or provider.
March 2002 NPRM
The Department received many complaints concerning the complexity
and unworkability of the Privacy Rule's marketing requirements. Many
entities expressed confusion over the Privacy Rule's distinction
between health care communications that are excepted from the
definition of ``marketing'' versus those that are marketing but
permitted subject to the special conditions in Sec. 164.514(e). For
example, questions were raised as to whether disease management
communications or refill reminders were ``marketing'' communications
subject to the special disclosure and opt-out conditions in
Sec. 164.514(e). Others stated that it was unclear whether various
health care operations activities, such as general health-related
educational and wellness promotional activities, were to be treated as
marketing under the Privacy Rule.
The Department also learned that consumers were generally
dissatisfied with the conditions required by Sec. 164.514(e). Many
questioned the general effectiveness of the conditions and whether the
conditions would properly protect consumers from unwanted disclosure of
protected health information to commercial entities, and from the
intrusion of unwanted solicitations. They expressed specific
dissatisfaction with the provision at Sec. 164.514(e)(3)(iii) for
individuals to opt-out of future marketing communications. Many argued
for the opportunity to opt-out of marketing communications before any
marketing occurred. Others requested that the Department limit
marketing communications to only those consumers who affirmatively
chose to receive such communications.
In response to these concerns, the Department proposed to modify
the Privacy Rule to make the marketing provisions clearer and simpler.
First, the Department proposed to simplify the Privacy Rule by
eliminating the special provisions for marketing health-related
products and services at Sec. 164.514(e). Instead, any use or
disclosure of protected health information for a communication defined
as ``marketing'' in Sec. 164.501 would require an authorization by the
individual. Thus, covered entities would no longer be able to make any
type of marketing communications that involved the use or disclosure of
protected health information without authorization simply by meeting
the disclosure and opt-out conditions in the Privacy Rule. The
Department intended to effectuate greater consumer privacy protection
by requiring authorization for all uses or disclosures of protected
health information for marketing communications, as compared to the
disclosure and opt-out conditions of Sec. 164.514(e).
Second, the Department proposed minor clarifications to the Privacy
Rule's definition of ``marketing'' at Sec. 164.501. Specifically, the
Department proposed to define ``marketing'' as ``to make a
communication about a product or service to encourage recipients of the
communication to purchase or use the product or service.'' The proposed
modification retained the substance of the ``marketing'' definition,
but changed the language slightly to avoid the implication that in
order for a communication to be marketing, the purpose or intent of the
covered entity in making such a communication would have to be
determined. The simplified language permits the Department to make the
determination based on the communication itself.
Third, with respect to the exclusions from the definition of
``marketing'' in Sec. 164.501, the Department proposed to simplify the
language to avoid confusion and better conform to other sections of the
regulation, particularly in the area of treatment communications. The
proposal retained the exclusions for communications about a covered
entity's own products and services and about the treatment of the
individual. With respect to the exclusion for a communication made ``in
the course of managing the treatment of that individual,'' the
Department proposed to modify the language to use the terms ``case
management'' and ``care coordination'' for that individual. These terms
are more consistent with the terms used in the definition of ``health
care operations,'' and were intended to clarify the Department's
intent.
One substantive change to the definition proposed by the Department
was to eliminate the condition on the above exclusions from the
definition of ``marketing'' that the covered entity could not receive
remuneration from a third party for any written communication. This
limitation was not well understood and treated similar communications
differently. For
example, a prescription refill reminder was marketing if it was in
writing and paid for by a third party, while a refill reminder that was
not subsidized, or was made orally, was not marketing. With the
proposed elimination of the health-related marketing requirements in
Sec. 164.514(e) and the proposed requirement that any marketing
communication require an individual's prior written authorization,
retention of this condition would have adversely affected a health care
provider's ability to make many common health-related communications.
Therefore, the Department proposed to eliminate the remuneration
prohibition to the exceptions to the definition so as not to interfere
with necessary and important treatment and health-related
communications between a health care provider and patient.
To reinforce the policy requiring an authorization for most
marketing communications, the Department proposed to add a new
marketing provision at Sec. 164.508(a)(3) explicitly requiring an
authorization for a use or disclosure of protected health information
for marketing purposes. Additionally, if the marketing was expected to
result in direct or indirect remuneration to the covered entity from a
third party, the Department proposed that the authorization state this
fact. As noted above, because a use or disclosure of protected health
information for marketing communications required an authorization, the
disclosure and opt-out provisions in Sec. 164.514(e) no longer would be
necessary and the Department proposed to eliminate them. As in the
December 2000 Privacy Rule at Sec. 164.514(e)(2), the proposed
modifications at Sec. 164.508(a)(3) excluded from the marketing
authorization requirements face-to-face communications made by a
covered entity to an individual. The Department proposed to retain this
exception so that the marketing provisions would not interfere with the
relationship and dialogue between health care providers and
individuals. Similarly, the Department proposed to retain the exception
to the authorization requirement for a marketing communication that
involved products or services of nominal value, but proposed to replace
the language with the common business term ``promotional gift of
nominal value.''
As noted above, because some of the proposed simplifications were a
substitute for Sec. 164.514(e), the Department proposed to eliminate
that section, and to make conforming changes to remove references to
Sec. 164.514(e) at Sec. 164.502(a)(1)(vi) and in paragraph (6)(v) of
the definition of ``health care operations'' in Sec. 164.501.
Overview of Public Comments
The following discussion provides an overview of the public comment
received on this proposal. Additional comments received on this issue
are discussed below in the section entitled, ``Response to Other Public
Comments.''
The Department received generally favorable comment on its proposal
to simplify the marketing provisions by requiring authorizations for
uses or disclosures of protected health information for marketing
communications, instead of the special provisions for health-related
products and services at Sec. 164.514(e). Many also supported the
requirement that authorizations notify the individual of marketing that
results in direct or indirect remuneration to the covered entity from a
third party. They argued that for patients to make informed decisions,
they must be notified of potential financial conflicts of interest.
However, some commenters opposed the authorization requirement for
marketing, arguing instead for the disclosure and opt-out requirements
at Sec. 164.514(e) or for a one-time, blanket authorization from an
individual for their marketing activities.
Commenters were sharply divided on whether the Department had
properly defined what is and what is not marketing. Most of those
opposed to the Department's proposed definitions objected to the
elimination of health-related communications for which the covered
entity received remuneration from the definition of ``marketing.'' They
argued that these communications would have been subject to the
consumer protections in Sec. 164.514(e) but, under the proposal, could
be made without any protections at all. The mere presence of
remuneration raised conflict of interest concerns for these commenters,
who feared patients would be misled into thinking the covered entity
was acting solely in the patients' best interest when recommending an
alternative medication or treatment. Of particular concern to these
commenters was the possibility of a third party, such as a
pharmaceutical company, obtaining a health care provider's patient list
to market its own products or services directly to the patients under
the guise of recommending an ``alternative treatment'' on behalf of the
provider. Commenters argued that, even if the parties attempted to
cloak the transaction in the trappings of a business associate
relationship, when the remuneration flowed from the third party to the
covered entity, the transaction was tantamount to selling the patient
lists and ought to be considered marketing.
On the other hand, many commenters urged the Department to broaden
the categories of communications that are not marketing. Several
expressed concern that, under the proposal, they would be unable to
send newsletters and other general circulation materials with
information about health-promoting activities (e.g., screenings for
certain diseases) to their patients or members without an
authorization. Health plans were concerned that they would be unable to
send information regarding enhancements to health insurance coverage to
their members and beneficiaries. They argued, among other things, that
they should be excluded from the definition of ``marketing'' because
these communications would be based on limited, non-clinical protected
health information, and because policyholders benefit and use such
information to fully evaluate the mix of coverage most appropriate to
their needs. They stated that providing such information is especially
important given that individual and market-wide needs, as well as
benefit offerings, change over time and by statute. For example,
commenters informed the Department that some States now require long-
term care insurers to offer new products to existing policyholders as
they are brought to market and to allow policyholders to purchase the
new benefits through a formal upgrade process. These health plans were
concerned that an authorization requirement for routine communications
about options and enhancements would take significant time and expense.
Some insurers also urged that they be allowed to market other lines of
insurance to their health plan enrollees.
A number of commenters urged the Department to exclude any activity
that met the definitions of ``treatment,'' ``payment,'' or ``health
care operations'' from the definition of ``marketing'' so that they
could freely inform customers about prescription discount card and
price subsidy programs. Still others wanted the Department to broaden
the treatment exception to include all health-related communications
between providers and patients.
Final Modifications
The Department adopts the modifications to
marketing substantially as proposed in the NPRM, but makes changes to
the proposed definition of ``marketing'' and further clarifies one of
the exclusions from the definition of ``marketing'' in response to
comments on the proposal. The
definition of ``marketing'' is modified to close what commenters
characterized as a loophole, that is, the possibility that covered
entities, for remuneration, could disclose protected health information
to a third party that would then be able to market its own products and
services directly to individuals. Also, in response to comments, the
Department clarifies the language in the marketing exclusion for
communications about a covered entity's own products and services.
As it proposed to do, the Department eliminates the special
provisions for marketing health-related products and services at
Sec. 164.514(e). Except as provided for at Sec. 164.508(a)(3), a
covered entity must have the individual's prior written authorization
to use or disclose protected health information for marketing
communications and will no longer be able to do so simply by meeting
the disclosure and opt-out provisions, previously set forth in
Sec. 164.514(e). The Department agrees with commenters that the
authorization provides individuals with more control over whether they
receive marketing communications and better privacy protections for
such uses and disclosures of their health information. In response to
commenters who opposed this proposal, the Department does not believe
that an opt-out requirement for marketing communications would provide
a sufficient level of control for patients regarding their health
information. Nor does the Department believe that a blanket
authorization provides sufficient privacy protections for individuals.
Section 164.508(c) sets forth the core elements of an authorization
necessary to give individuals control of their protected health
information. Those requirements give individuals sufficient information
and notice regarding the type of use or disclosure of their protected
health information that they are authorizing. Without such specificity,
an authorization would not have meaning. Indeed, blanket marketing
authorizations would be considered defective under Sec. 164.508(b)(2).
The Department adopts the general definition of ``marketing'' with
one clarification. Thus, ``marketing'' means ``to make a communication
about a product or service that encourages the recipients of the
communication to purchase or use the product or service.'' In removing
the language referencing the purpose of the communication and
substituting the term ``that encourages'' for the term ``to
encourage'', the Department intends to simplify the determination of
whether a communication is marketing. If, on its face, the
communication encourages recipients of the communication to purchase or
use the product or service, the communication is marketing. A few
commenters argued for retaining the purpose of the communication as
part of the definition of ``marketing'' based on their belief that the
intent of the communication was a clearer and more definitive standard
than the effect of the communication. The Department disagrees with
these commenters. Tying the definition of ``marketing'' to the purpose
of the communication creates a subjective standard that would be
difficult to enforce because the intent of the communicator rarely
would be documented in advance. The definition adopted by the Secretary
allows the communication to speak for itself.
The Department further adopts the three categories of
communications that were proposed as exclusions from the definition of
``marketing.'' Thus, the covered entity is not engaged in marketing
when it communicates to individuals about: (1) The participating
providers and health plans in a network, the services offered by a
provider, or the benefits covered by a health plan; (2) the
individual's treatment; or (3) case management or care coordination for
that individual, or directions or recommendations for alternative
treatments, therapies, health care providers, or settings of care to
that individual. For example, a doctor that writes a prescription or
refers an individual to a specialist for follow-up tests is engaging in
a treatment communication and is not marketing a product or service.
The Department continues to exempt from the ``marketing'' definition
the same types of communications that were not marketing under the
Privacy Rule as published in December 2000, but has modified some of
the language to better track the terminology used in the definition of
``health care operations.'' The commenters generally supported this
clarification of the language.
The Department, however, does not agree with commenters that sought
to expand the exceptions from marketing for all communications that
fall within the definitions of ``treatment,'' ``payment,'' or ``health
care operations.'' The purpose of the exclusions from the definition of
marketing is to facilitate those communications that enhance the
individual's access to quality health care. Beyond these important
communications, the public strongly objected to any commercial use of
protected health information to attempt to sell products or services,
even when the product or service is arguably health related. In light
of these strong public objections, ease of administration is an
insufficient justification to categorically exempt all communications
about payment and health care operations from the definition of
``marketing.''
However, in response to comments, the Department is clarifying the
language that excludes from the definition of ``marketing'' those
communications that describe network participants and the services or
benefits of the covered entity. Several commenters, particularly
insurers, were concerned that the reference to a ``plan of benefits''
was too limiting and would prevent them from sending information to
their enrollees regarding enhancements or upgrades to their health
insurance coverage. They inquired whether the following types of
communications would be permissible: enhancements to existing products;
changes in deductibles/copays and types of coverage (e.g., prescription
drug); continuation products for students reaching the age of majority
on parental policies; special programs such as guaranteed issue
products and other conversion policies; and prescription drug card
programs. Some health plans also inquired if they could communicate
with beneficiaries about ``one-stop shopping'' with their companies to
obtain long-term care, property, casualty, and life insurance products.
The Department understands the need for covered health care
providers and health plans to be able to communicate freely to their
patients or enrollees about their own products, services, or benefits.
The Department also understands that some of these communications are
required by State or other law. To ensure that such communications may
continue, the Department is broadening its policy, both of the December
2000 Privacy Rule as well as proposed in the March 2002 NPRM, to allow
covered entities to use protected health information to convey
information to beneficiaries and members about health insurance
products offered by the covered entity that could enhance or substitute
for existing health plan coverage. Specifically, the Department
modifies the relevant exemption from the definition of ``marketing'' to
include communications that describe ``a health-related product or
service (or payment for such product or service) that is provided by,
or included in a plan of benefits of, the covered entity making the
communication, including communications about: the entities
participating in a health care provider network or health plan network;
replacement of, or enhancements to, a
health plan; and health-related products or services available only to
a health plan enrollee that add value to, but are not part of, a plan
of benefits.'' Thus, under this exemption, a health plan is not
engaging in marketing when it advises its enrollees about other
available health plan coverages that could enhance or substitute for
existing health plan coverage. For example, if a child is about to age
out of coverage under a family's policy, this provision will allow the
plan to send the family information about continuation coverage for the
child. This exception, however, does not extend to excepted benefits
(described in section 2791(c)(1) of the Public Health Service Act, 42
U.S.C. 300gg-91(c)(1), such as accident-only policies), nor to other
lines of insurance (e.g., it is marketing for a multi-line insurer to
promote its life insurance policies using protected health
information).
Moreover, the expanded language makes clear that it is not
marketing when a health plan communicates about health-related products
and services available only to plan enrollees or members that add value
to, but are not part of, a plan of benefits. The provision of value-
added items or services (VAIS) is a common practice, particularly for
managed care organizations. Communications about VAIS may qualify as a
communication that is about a health plan's own products or services,
even if VAIS are not considered plan benefits for the Adjusted
Community Rate purposes. To qualify for this exclusion, however, the
VAIS must meet two conditions. First, they must be health-related.
Therefore, discounts offered by Medicare+Choice or other managed care
organizations for eyeglasses may be considered part of the plan's
benefits, whereas discounts to attend movie theaters will not. Second,
such items and services must demonstrably ``add value'' to the plan's
membership and not merely be a pass-through of a discount or item
available to the public at large. Therefore, a Medicare+Choice or other
managed care organization could, for example, offer its members a
special discount opportunity for a health/fitness club without
obtaining authorizations, but could not pass along to its members
discounts to a health fitness club that the members would be able to
obtain directly from the health/fitness clubs.
In further response to comments, the Department has added new
language to the definition of ``marketing'' to close what commenters
perceived as a loophole that a covered entity could sell protected
health information to another company for the marketing of that
company's products or services. For example, many were concerned that a
pharmaceutical company could pay a provider for a list of patients with
a particular condition or taking a particular medication and then use
that list to market its own drug products directly to those patients.
The commenters believed the proposal would permit this to happen under
the guise of the pharmaceutical company acting as a business associate
of the covered entity for the purpose of recommending an alternative
treatment or therapy to the individual. The Department agrees with
commenters that the potential for manipulating the business associate
relationship in this fashion should be expressly prohibited. Therefore,
the Department is adding language that would make clear that business
associate transactions of this nature are marketing. Marketing is
defined expressly to include ``an arrangement between a covered entity
and any other entity whereby the covered entity discloses protected
health information to the other entity, in exchange for direct or
indirect remuneration, for the other entity or its affiliate to make a
communication about its own product or service that encourages
recipients of the communication to purchase or use that product or
service.'' These communications are marketing and can only occur if the
covered entity obtains the individual's authorization pursuant to
Sec. 164.508. The Department believes that this provision will make
express the fundamental prohibition against covered entities selling
lists of patients or enrollees to third parties, or from disclosing
protected health information to a third party for the marketing
activities of the third party, without the written authorization of the
individual. The Department further notes that manufacturers that
receive identifiable health information and misuse it may be subject to
action taken under other consumer protection statutes by other Federal
agencies, such as the Federal Trade Commission.
The Department does not, however, agree with commenters who argued
for retention of the provisions that would condition the exclusions
from the ``marketing'' definition on the absence of remuneration.
Except for the arrangements that are now expressly defined as
``marketing,'' the Department eliminates the conditions that
communications are excluded from the definition of ``marketing'' only
if they are made orally, or, if in writing, are made without any direct
or indirect remuneration. The Department does not agree that the simple
receipt of remuneration should transform a treatment communication into
a commercial promotion of a product or service. For example, health
care providers should be able to, and can, send patients prescription
refill reminders regardless of whether a third party pays or subsidizes
the communication. The covered entity also is able to engage a
legitimate business associate to assist it in making these permissible
communications. It is only in situations where, in the guise of a
business associate, an entity other than the covered entity is
promoting its own products using protected health information it has
received from, and for which it has paid, the covered entity, that the
remuneration will place the activity within the definition of
``marketing.''
In addition, the Department adopts the proposed marketing
authorization provision at Sec. 164.508(a)(3), with minor language
changes to conform to the revised ``marketing'' definition. The Rule
expressly requires an authorization for uses or disclosures of
protected health information for marketing communications, except in
two circumstances: (1) When the communication occurs in a face-to-face
encounter between the covered entity and the individual; or (2) the
communication involves a promotional gift of nominal value. A marketing
authorization must include a statement about remuneration, if any. For
ease of administration, the Department has changed the regulatory
provision to require a statement on the authorization whenever the
marketing ``involves'' direct or indirect remuneration to the covered
entity from a third party, rather than requiring the covered entity to
identify those situations where ``the marketing is expected to result
in'' remuneration.
Finally, the Department clarifies that nothing in the marketing
provisions of the Privacy Rule is to be construed as amending,
modifying, or changing any rule or requirement related to any other
Federal or State statutes or regulations, including specifically anti-
kickback, fraud and abuse, or self-referral statutes or regulations, or
to authorize or permit any activity or transaction currently proscribed
by such statutes and regulations. Examples of such laws include the
anti-kickback statute (section 1128B(b) of the Social Security Act),
safe harbor regulations (42 CFR part 1001), Stark law (section 1877 of
the Social Security Act) and regulations (42 CFR parts 411 and 424),
and HIPAA statute on self-referral (section 1128C of the Social
Security Act). The definition
of ``marketing'' is solely applicable to the Privacy Rule and the
permissions granted by the Rule are only for a covered entity's use or
disclosure of protected health information. In particular, although
this regulation defines the term ``marketing'' to exclude
communications to an individual to recommend, purchase, or use a
product or service as part of the treatment of the individual or for
case management or care coordination of that individual, such
communication by a ``white coat'' health care professional may violate
the anti-kickback statute. Similar examples for pharmacist
communications with patients relating to the marketing of products on
behalf of pharmaceutical companies were identified by the OIG as
problematic in a 1994 Special Fraud Alert (December 19, 1994, 59 FR
65372). Other violations have involved home health nurses and physical
therapists acting as marketers for durable medical equipment companies.
Although a particular communication under the Privacy Rule may not
require patient authorization because it is not marketing, or may
require patient authorization because it is ``marketing'' as the Rule
defines it, the arrangement may nevertheless violate other statutes and
regulations administered by HHS, the Department of Justice, or other
Federal or State agencies.
Response to Other Public Comments
Comment: Some commenters recommended that the definition of
``marketing'' be broadened to read as follows: ``any communication
about a product or service to encourage recipients of the communication
to purchase or use the product or service or that will make the
recipient aware of the product or service available for purchase or use
by the recipient.'' According to these commenters, the additional
language would capture marketing campaign activities to establish
``brand recognition.''
Response: The Department believes that marketing campaigns to
establish brand name recognition of products are already encompassed
within the general definition of ``marketing'' and that it is not
necessary to add language to accomplish this purpose.
Comment: Some commenters opposed the proposed deletion of
references to the covered entity as the source of the communications,
in the definition of those communications that were excluded from the
``marketing'' definition. They objected to these non-marketing
communications being made by unrelated third parties based on protected
health information disclosed to these third parties by the covered
entity, without the individual's knowledge or authorization.
Response: These commenters appear to have misinterpreted the
proposal as allowing third parties to obtain protected health
information from covered entities for marketing or other purposes for
which the Rule requires an individual's authorization. The deletion of
the specific reference to the covered entity does not permit
disclosures to a third party beyond the disclosures already permitted
by the Rule. The change is intended to be purely editorial: since the
Rule applies only to covered entities, the only entities whose
communications can be governed by the Rule are covered entities, and
thus the reference to covered entities there was redundant. Covered
entities may not disclose protected health information to third parties
for marketing purposes without authorization from the individual, even
if the third party is acting as the business associate of the
disclosing covered entity. Covered entities may, however, use protected
health information to communicate with individuals about the covered
entity's own health-related products or services, the individual's
treatment, or case management or care coordination for the individual.
The covered entity does not need an authorization for these types of
communications and may make the communication itself or use a business
associate to do so.
Comment: Some commenters advocated for reversion to the provision
in Sec. 164.514(e) that the marketing communication identify the
covered entity responsible for the communication, and argued that the
covered entity should be required to identify itself as the source of
the protected health information.
Response: As modified, the Privacy Rule requires the individual's
written authorization for the covered entity to use or disclose
protected health information for marketing purposes, with limited
exceptions. The Department believes that the authorization process
itself will put the individual sufficiently on notice that the covered
entity is the source of the protected health information. To the extent
that the commenter suggests that these disclosures are necessary for
communications that are not ``marketing'' as defined by the Rule, the
Department disagrees because such a requirement would place an undue
burden on necessary health-related communications.
Comment: Many commenters opposed the proposed elimination of the
provision that would have transformed a communication exempted from
marketing into a marketing communication if it was in writing and paid
for by a third party. They argued that marketing should include any
activity in which a covered entity receives compensation, directly or
indirectly, through such things as discounts from another provider,
manufacturer, or service provider in exchange for providing information
about the manufacturer or service provider's products to consumers, and
that consumers should be advised whenever such remuneration is involved
and allowed to opt-out of future communications.
Response: The Department considered whether remuneration should
determine whether a given activity is marketing, but ultimately
concluded that remuneration should not define whether a given activity
is marketing or falls under an exception to marketing. In fact, the
Department believes that the provision in the December 2000 Rule that
transformed a treatment communication into a marketing communication if
it was in writing and paid for by a third party blurred the line
between treatment and marketing in ways that would have made the
Privacy Rule difficult to implement. The Department believes that
certain health care communications, such as refill reminders or
informing patients about existing or new health care products or
services, are appropriate, whether or not the covered entity receives
remuneration from third parties to pay for them. The fact that
remuneration is received for a marketing communication does not mean
the communication is biased or inaccurate. For the same reasons, the
Department does not believe that the communications that are exempt
from the definition of ``marketing'' require any special conditions,
based solely on direct or indirect remuneration received by the covered
entity. Requiring disclosure and opt-out conditions on these
communications, as Sec. 164.514(e) had formerly imposed on health-
related marketing communications, would add a layer of complexity to
the Privacy Rule that the Department intended to eliminate.
Individuals, of course, are free to negotiate with covered entities for
limitations on such uses and disclosures, to which the entity may, but
is not required to, agree.
The Department does agree with commenters that, in limited
circumstances, abuses can occur. The Privacy Rule, both as published in
December 2000 and as proposed to be modified in March 2002, has always
prohibited covered entities from selling protected health information
to a third
party for the marketing activities of the third party, without
authorization. Nonetheless, in response to continued public concern,
the Department has added a new provision to the definition of
``marketing'' to prevent situations in which a covered entity could
take advantage of the business associate relationship to sell protected
health information to another entity for that entity's commercial
marketing purposes. The Department intends this prohibition to address
the potential financial conflict of interest that would lead a covered
entity to disclose protected health information to another entity under
the guise of a treatment exemption.
Comment: Commenters argued that written authorizations (opt-ins)
should be required for the use of clinical information in marketing.
They stated that many consumers do not want covered entities to use
information about specific clinical conditions that an individual has,
such as AIDS or diabetes, to target them for marketing of services for
such conditions.
Response: The Department does not intend to interfere with the
ability of health care providers or health plans to deliver quality
health care to individuals. The ``marketing'' definition excludes
communications for the individual's treatment and for case management,
care coordination or the recommendation of alternative therapies.
Clinical information is critical for these communications and, hence,
cannot be used to distinguish between communications that are or are
not marketing. The covered entity needs the individual's authorization
to use or disclose protected health information for marketing
communications, regardless of whether clinical information is to be
used.
Comment: The proposed modification eliminated the Sec. 164.514
requirements that permitted the use of protected health information to
market health-related products and services without an authorization.
In response to that proposed modification, many commenters asked
whether covered entities would be allowed to make communications about
``health education'' or ``health promoting'' materials or services
without an authorization under the modified Rule. Examples included
communications about health improvement or disease prevention, new
developments in the diagnosis or treatment of disease, health fairs,
health/wellness-oriented classes or support groups.
Response: The Department clarifies that a communication that merely
promotes health in a general manner and does not promote a specific
product or service from a particular provider does not meet the general
definition of ``marketing.'' Such communications may include
population-based activities to improve health or reduce health care
costs as set forth in the definition of ``health care operations'' at
Sec. 164.501. Therefore, communications, such as mailings reminding
women to get an annual mammogram, and mailings providing information
about how to lower cholesterol, about new developments in health care
(e.g., new diagnostic tools), about health or ``wellness'' classes,
about support groups, and about health fairs are permitted, and are not
considered marketing.
Comment: Some commenters asked whether they could communicate with
beneficiaries about government programs or government-sponsored
programs such as information about SCHIP; eligibility for Medicare/
Medigap (e.g., eligibility for limited, six-month open enrollment
period for Medicare supplemental benefits).
Response: The Department clarifies that communications about
government and government-sponsored programs do not fall within the
definition of ``marketing.'' There is no commercial component to
communications about benefits available through public programs.
Therefore, a covered entity is permitted to use and disclose protected
health information to communicate about eligibility for Medicare
supplemental benefits, or SCHIP. As in our response above, these
communications may reflect population-based activities to improve
health or reduce health care costs as set forth in the definition of
``health care operations'' at Sec. 164.501.
Comment: The proposed modification eliminated the Sec. 164.514
requirements that allowed protected health information to be used and
disclosed without authorization or the opportunity to opt-out, for
communications contained in newsletters or similar general
communication devices widely distributed to patients, enrollees, or
other broad groups of individuals. Many commenters requested
clarification as to whether various types of general circulation
materials would be permitted under the proposed modification.
Commenters argued that newsletters or similar general communication
devices widely distributed to patients, enrollees, or other broad
groups of individuals should be permitted without authorizations
because they are ``common'' and ``serve appropriate information
distribution purposes'' and, based on their general circulation, are
less intrusive than other forms of communication.
Response: Covered entities may make communications in newsletter
format without authorization so long as the content of such
communications is not ``marketing,'' as defined by the Rule. The
Department is not creating any special exemption for newsletters.
Comment: One commenter suggested that, even when authorizations are
granted to disclose protected health information for a particular
marketing purpose to a non-covered entity, there should also be an
agreement by the third party not to re-disclose the protected health
information. This same commenter also recommended that the Privacy Rule
place restrictions on non-secure modes of making communications
pursuant to an authorization. This commenter argued that protected
health information should not be disclosed on the outside of mailings
or through voice mail, unattended FAX, or other modes of communication
that are not secure.
Response: Under the final Rule, a covered entity must obtain an
individual's authorization to use or disclose protected health
information for a marketing communication, with some exceptions. If an
individual wanted an authorization to limit the use of the information
by the covered entity, the individual could negotiate with the covered
entity to make that clear in the authorization. Similarly, individuals
can request confidential forms of communication, even with respect to
authorized disclosures. See Sec. 164.522(b).
Comment: Commenters requested that HHS provide clear guidance on
what types of activities constitute a use or disclosure for marketing,
and, therefore, require an authorization.
Response: The Department has modified the ``marketing'' definition
to clarify the types of uses or disclosures of protected health
information that are marketing, and, therefore, require prior
authorization and those that are not marketing. The Department intends
to update its guidance on this topic and address specific examples
raised by commenters at that time.
Comment: A number of commenters wanted the Department to amend the
face-to-face authorization exception. Some urged that it be broadened
to include telephone, mail and other common carriers, fax machines, or
the Internet so that the exception would cover communications between
providers and patients that are not in person. For example, it was
pointed out that some providers, such as home
delivery pharmacies, may have a direct treatment relationship, but
communicate with patients through other channels. Some raised specific
concerns about communicating with ``shut-ins'' and ``persons living in
rural areas.'' Other commenters asked the Department to make the
exception more narrow to cover only those marketing communications made
by a health care provider, as opposed to by a business associate, or to
cover only those marketing communications of a provider that arise from
a treatment or other essential health care communication.
Response: The Department believes that expanding the face-to-face
authorization exception to include telephone, mail, and other common
carriers, fax machines or the Internet would create an exception
essentially for all types of marketing communications. All providers
potentially use a variety of means to communicate with their patients.
The authorization exclusion, however, is narrowly crafted to permit
only face-to-face encounters between the covered entity and the
individual.
The Department believes that further narrowing the exception to
place conditions on such communications, other than that it be face-to-
face, would neither be practical nor better serve the privacy interests
of the individual. The Department does not intend to police
communications between doctors and patients that take place in the
doctor's office. Further limiting the exception would add a layer of
complexity to the Rule, encumbering physicians and potentially causing
them to second-guess themselves when making treatment or other
essential health care communications. In this context, the individual
can readily stop any unwanted communications, including any
communications that may otherwise meet the definition of ``marketing.''
2. Health Care Operations: Changes of Legal Ownership
December 2000 Privacy Rule. The Rule's definition of ``health care
operations'' included the disclosure of protected health information
for the purposes of due diligence with respect to the contemplated sale
or transfer of all or part of a covered entity's assets to a potential
successor in interest who is a covered entity, or would become a
covered entity as a result of the transaction.
The Department indicated in the December 2000 preamble of the
Privacy Rule its intent to include in the definition of health care
operations the actual transfer of protected health information to a
successor in interest upon a sale or transfer of its assets. (65 FR
82609.) However, the regulation itself did not expressly provide for
the transfer of protected health information upon the sale or transfer
of assets to a successor in interest. Instead, the definition of
``health care operations'' included uses or disclosures of protected
health information only for due diligence purposes when a sale or
transfer to a successor in interest is contemplated.
March 2002 NPRM. A number of entities expressed concern about the
discrepancy between the intent as expressed in the preamble to the
December 2000 Privacy Rule and the actual regulatory language. To
address these concerns, the Department proposed to add language to
paragraph (6) of the definition of ``health care operations'' to
clarify its intent to permit the transfer of records to a covered
entity upon a sale, transfer, merger, or consolidation. This proposed
change would prevent the Privacy Rule from interfering with necessary
treatment or payment activities upon the sale of a covered entity or
its assets.
The Department also proposed to use the terms ``sale, transfer,
consolidation or merger'' and to eliminate the term ``successor in
interest'' from this paragraph. The Department intended this provision
to apply to any sale, transfer, merger or consolidation and believed
the current language may not accomplish this goal.
The Department proposed to retain the limitation that such
disclosures are health care operations only to the extent the entity
receiving the protected health information is a covered entity or would
become a covered entity as a result of the transaction. The Department
clarified that the proposed modification would not affect a covered
entity's other legal or ethical obligation to notify individuals of a
sale, transfer, merger, or consolidation.
Overview of Public Comments. The following discussion provides an
overview of the public comment received on this proposal. Additional
comments received on this issue are discussed below in the section
entitled, ``Response to Other Public Comments.''
Numerous commenters supported the proposed modifications.
Generally, these commenters claimed the modifications would prevent
inconvenience to consumers, and facilitate timely access to health
care. Specifically, these commenters indicated that health care would
be delayed and consumers would be inconvenienced if covered entities
were required to obtain individual consent or authorization before they
could access health records that are newly acquired assets resulting
from the sale, transfer, merger, or consolidation of all or part of a
covered entity. Commenters further claimed that the administrative
burden of acquiring individual permission and culling records of
consumers who do not give consent would be too great, and would cause
some entities to simply store or destroy the records instead.
Consequently, health information would be inaccessible, causing
consumers to be inconvenienced and health care to be delayed. Some
commenters noted that the proposed modifications recognize the
realities of business without compromising the availability or quality
of health care or diminishing privacy protections one would expect in
the handling of protected health information during the course of such
business transactions.
Opposition to the proposed modifications was limited, with
commenters generally asserting that the transfer of records in such
circumstances would not be in the best interests of individuals.
Final Modifications. The Department agrees with the commenters that
supported the proposed modifications and, therefore, adopts the
modifications to the definition of health care operations. Thus,
``health care operations'' includes the sale, transfer, merger, or
consolidation of all or part of the covered entity to or with another
covered entity, or an entity that will become a covered entity as a
result of the transaction, as well as the due diligence activities in
connection with such transaction. In response to a comment, the final
Rule modifies the phrase ``all or part of a covered entity'' to read
``all or part of the covered entity'' to clarify that any disclosure
for such activity must be by the covered entity that is a party to the
transaction.
Under the final definition of ``health care operations,'' a covered
entity may use or disclose protected health information in connection
with a sale or transfer of assets to, or a consolidation or merger
with, an entity that is or will be a covered entity upon completion of
the transaction; and to conduct due diligence in connection with such
transaction. The modification makes clear it is also a health care
operation to transfer records containing protected health information
as part of the transaction. For example, if a pharmacy which is a
covered entity buys another pharmacy which is also a covered entity,
protected health information can be exchanged between the two entities
for purposes of conducting due diligence, and the selling entity may
[[Page 53191]]
transfer any records containing protected health information to the new
owner upon completion of the transaction. The new owner may then
immediately use and disclose those records to provide health care
services to the individuals, as well as for payment and health care
operations purposes. Since the information would continue to be
protected by the Privacy Rule, any other use or disclosure of the
information would require an authorization unless otherwise permitted
without authorization by the Rule, and the new owner would be obligated
to observe the individual's rights of access, amendment, and
accounting. The Privacy Rule would not interfere with other legal or
ethical obligations of an entity that may arise out of the nature of
its business or relationship with its customers or patients to provide
such persons with notice of the transaction or an opportunity to agree
to the transfer of records containing personal information to the new
owner.
Response to Other Public Comments
Comment: One commenter was concerned about what obligations the
parties to a transaction have regarding protected health information
that was exchanged as part of a transaction if the transaction does not
go through.
Response: The Department believes that other laws and standard
business practices are adequate to address these situations and
accordingly does not impose additional requirements of this type. It is
standard practice for parties contemplating such transactions to enter
into confidentiality agreements. In addition to exchanging protected
health information, the parties to such transactions commonly exchange
confidential proprietary information. It is a standard practice for the
parties to these transactions to agree that the handling of all
confidential information, such as proprietary information, will include
ensuring that, in the event that the proposed transaction is not
consummated, the information is either returned to its original owner
or destroyed as appropriate. They may include protected health
information in any such agreement, as they determine appropriate to the
circumstances and applicable law.
3. Protected Health Information: Exclusion for Employment Records
December 2000 Privacy Rule. The Privacy Rule broadly defines
``protected health information'' as individually identifiable health
information maintained or transmitted by a covered entity in any form
or medium. The December 2000 Privacy Rule expressly excluded from the
definition of ``protected health information'' only educational and
other records that are covered by the Family Education Rights and
Privacy Act of 1974, as amended, 20 U.S.C. 1232g. In addition,
throughout the December 2000 preamble to the Privacy Rule, the
Department repeatedly stated that the Privacy Rule does not apply to
employers, nor does it apply to the employment functions of covered
entities, that is, when they are acting in their role as employers. For
example, the Department stated:
Covered entities must comply with this regulation in their
health care capacity, not in their capacity as employers. For
example, information in hospital personnel files about a nurses'
(sic) sick leave is not protected health information under this
rule.
65 FR 82612. However, the definition of protected health information
did not expressly exclude personnel or employment records of covered
entities.
March 2002 NPRM. The Department understands that covered entities
are also employers, and that this creates two potential sources of
confusion about the status of health information. First, some employers
are required or elect to obtain health information about their
employees, as part of their routine employment activities [e.g.,
hiring, compliance with the Occupational Safety and Health
Administration (OSHA) requirements]. Second, employees of covered
health care providers or health plans sometimes seek treatment or
reimbursement from that provider or health plan, unrelated to the
employment relationship.
To avoid any confusion on the part of covered entities as to
application of the Privacy Rule to the records they maintain as
employers, the Department proposed to modify the definition of
``protected health information'' in Sec. 164.501 to expressly exclude
employment records held by a covered entity in its role as employer.
The proposed modification also would alleviate the situation where a
covered entity would feel compelled to elect to designate itself as a
hybrid entity solely to carve out its employment functions.
Individually identifiable health information maintained or transmitted
by a covered entity in its health care capacity would, under the
proposed modification, continue to be treated as protected health
information.
The Department specifically solicited comments on whether the term
``employment records'' is clear and what types of records would be
covered by the term.
In addition, as discussed in section III.C.1. below, the Department
proposed to modify the definition of a hybrid entity to permit any
covered entity that engaged in both covered and non-covered functions
to elect to operate as a hybrid entity. Under the proposed
modification, a covered entity that primarily engaged in covered
functions, such as a hospital, would be allowed to elect hybrid entity
status even if its only non-covered functions were those related to its
capacity as an employer. Indeed, because of the absence of an express
exclusion for employment records in the definition of protected health
information, some covered entities may have elected hybrid entity
status under the misconception that this was the only way to prevent
their personnel information from being treated as protected health
information under the Rule.
Overview of Public Comments. The following discussion provides an
overview of the public comment received on this proposal. Additional
comments received on this issue are discussed below in the section
entitled, ``Response to Other Public Comments.''
The Department received comments both supporting and opposing the
proposal to add an exemption for employment records to the definition
of protected health information. Support for the proposal was based
primarily on the need for clarity and certainty in this important area.
Moreover, commenters supported the proposed exemption for employment
records because it reinforced and clarified that the Privacy Rule does
not conflict with an employer's obligation under numerous other laws,
including OSHA, Family and Medical Leave Act (FMLA), workers'
compensation, and alcohol- and drug-free workplace laws.
Those opposed to the modification were concerned that a covered
entity may abuse its access to the individually identifiable health
information in its employment records by using that information for
discriminatory purposes. Many commenters expressed concern that an
employee's health information created, maintained, or transmitted by
the covered entity in its health care capacity would be considered an
employment record and, therefore, would not be considered protected
health information. Some of these commenters argued for the inclusion
of special provisions, similar to the ``adequate separation''
requirements for disclosure of protected health information from group
health plan to plan sponsor functions (Sec. 164.504(f)), to heighten
the protection for an employee's individually identifiable health
information when moving between a covered entity's
[[Page 53192]]
health care functions and its employer functions.
A number of commenters also suggested types of records that the
Department should consider to be ``employment records'' and, therefore,
excluded from the definition of ``protected health information.'' The
suggested records included records maintained under the FMLA or the
Americans with Disabilities Act (ADA), as well as records relating to
occupational injury, disability insurance eligibility, sick leave
requests and justifications, drug screening results, workplace medical
surveillance, and fitness-for-duty test results. One commenter
suggested that health information related to professional athletes
should qualify as an employment record.
Final Modifications. The Department adopts as final the proposed
language excluding employment records maintained by a covered entity in
its capacity as an employer from the definition of ``protected health
information.'' The Department agrees with commenters that the
regulation should be explicit that it does not apply to a covered
entity's employer functions and that the most effective means of
accomplishing this is through the definition of ``protected health
information.''
The Department is sensitive to the concerns of commenters that a
covered entity not abuse its access to an employee's individually
identifiable health information which it has created or maintains in
its health care, not its employer, capacity. In responding to these
concerns, the Department must remain within the boundaries set by the
statute, which does not include employers per se as covered entities.
Thus, we cannot regulate employers, even when the employer is a covered
entity acting in its capacity as an employer.
To address these concerns, the Department clarifies that a covered
entity must remain cognizant of its dual roles as an employer and as a
health care provider, health plan, or health care clearinghouse.
Individually identifiable health information created, received, or
maintained by a covered entity in its health care capacity is protected
health information. It does not matter if the individual is a member of
the covered entity's workforce or not. Thus, the medical record of a
hospital employee who is receiving treatment at the hospital is
protected health information and is covered by the Rule, just as the
medical record of any other patient of that hospital is protected
health information and covered by the Rule. The hospital may use that
information only as permitted by the Privacy Rule, and in most cases
will need the employee's authorization to access or use the medical
information for employment purposes. When the individual gives his or
her medical information to the covered entity as the employer, such as
when submitting a doctor's statement to document sick leave, or when
the covered entity as employer obtains the employee's written
authorization for disclosure of protected health information, such as
an authorization to disclose the results of a fitness for duty
examination, that medical information becomes part of the employment
record, and, as such, is no longer protected health information. The
covered entity as employer, however, may be subject to other laws and
regulations applicable to the use or disclosure of information in an
employee's employment record.
The Department has decided not to add a definition of the term
``employment records'' to the Rule. The comments indicate that the same
individually identifiable health information about an individual may be
maintained by the covered entity in both its employment records and the
medical records it maintains as a health care provider or enrollment or
claims records it maintains as a health plan. The Department therefore
is concerned that a definition of ``employment record'' may lead to the
misconception that certain types of information are never protected
health information, and will put the focus incorrectly on the nature of
the information rather than the reasons for which the covered entity
obtained the information. For example, drug screening test results will
be protected health information when the provider administers the test
to the employee, but will not be protected health information when,
pursuant to the employee's authorization, the test results are provided
to the provider acting as employer and placed in the employee's
employment record. Similarly, the results of a fitness for duty exam
will be protected health information when the provider administers the
test to one of its employees, but will not be protected health
information when the results of the fitness for duty exam are turned
over to the provider as employer pursuant to the employee's
authorization.
Furthermore, while the examples provided by commenters represent
typical files or records that may be maintained by employers, the
Department does not believe that it has sufficient information to
provide a complete definition of employment record. Therefore, the
Department does not adopt as part of this rulemaking a definition of
employment record, but does clarify that medical information needed for
an employer to carry out its obligations under FMLA, ADA, and similar
laws, as well as files or records related to occupational injury,
disability insurance eligibility, sick leave requests and
justifications, drug screening results, workplace medical surveillance,
and fitness-for-duty tests of employees, may be part of the employment
records maintained by the covered entity in its role as an employer.
Response to Other Public Comments
Comment: One commenter requested clarification as to whether the
term ``employment record'' included the following information that is
either maintained or transmitted by a fully insured group health plan
to an insurer or HMO for enrollment and/or disenrollment purposes: (a)
the identity of an individual including name, address, birth date,
marital status, dependent information and SSN; (b) the individual's
choice of plan; (c) the amount of premiums/contributions for coverage
of the individual; (d) whether the individual is an active employee or
retired; (e) whether the individual is enrolled in Medicare.
Response: All of this information is protected health information
when held by a fully insured group health plan and transmitted to an
issuer or HMO, and the Privacy Rule applies when the group health plan
discloses such information to any entity, including the plan sponsor.
There are special rules in Sec. 164.504(f) which describe the
conditions for disclosure of protected health information to the plan
sponsor. If the group health plan received the information from the
plan sponsor, it becomes protected health information when received by
the group health plan. The plan sponsor is not the covered entity, so
this information will not be protected when held by a plan sponsor,
whether or not it is part of the plan sponsor's ``employment record.''
Comment: One commenter asked for clarification as to how the
Department would characterize the following items that a covered entity
may have: (1) medical file kept separate from the rest of an employment
record containing (a) doctor's notes; (b) leave requests; (c) physician
certifications; and (d) positive hepatitis test results; (2) FMLA
documentation including: (a) physician certification form; and (b)
leave requests; (3) occupational injury files containing (a) drug
screening; (b) exposure test results; (c) doctor's notes; and (d)
medical director's notes.
[[Page 53193]]
Response: As explained above, the nature of the information does
not determine whether it is an employment record. Rather, it depends on
whether the covered entity obtains or creates the information in its
capacity as employer or in its capacity as covered entity. An
employment record may well contain some or all of the items mentioned
by the commenter; but so too might a treatment record. The Department
also recognizes that the employer may be required by law or sound
business practice to treat such medical information as confidential and
maintain it separate from other employment records. It is the function
being performed by the covered entity and the purpose for which the
covered entity has the medical information, not its record keeping
practices, that determines whether the health information is part of an
employment record or whether it is protected health information.
Comment: One commenter suggested that the health records of
professional athletes should qualify as ``employment records.'' As
such, the records would not be subject to the protections of the
Privacy Rule.
Response: Professional sports teams are unlikely to be covered
entities. Even if a sports team were to be a covered entity, employment
records of a covered entity are not covered by this Rule. If this
comment is suggesting that the records of professional athletes should
be deemed ``employment records'' even when created or maintained by
health care providers and health plans, the Department disagrees. No
class of individuals should be singled out for reduced privacy
protections. As noted in the preamble to the December 2000 Rule,
nothing in this Rule prevents an employer, such as a professional
sports team, from making an employee's agreement to disclose health
records a condition of employment. A covered entity, therefore, could
disclose this information to an employer pursuant to an authorization.
B. Section 164.502--Uses and Disclosures of Protected Health
Information: General Rules
1. Incidental Uses and Disclosures
December 2000 Privacy Rule. The December 2000 Rule did not
explicitly address incidental uses and disclosures of protected health
information. Rather, the Privacy Rule generally requires covered
entities to make reasonable efforts to limit the use or disclosure of,
and requests for, protected health information to the minimum necessary
to accomplish the intended purpose. See Sec. 164.502(b). Additionally,
Sec. 164.530(c) of the Privacy Rule requires covered entities to
implement appropriate administrative, technical, and physical
safeguards to reasonably safeguard protected health information from
any intentional or unintentional use or disclosure that violates the
Rule.
Protected health information includes individually identifiable
health information (with limited exceptions) in any form, including
information transmitted orally, or in written or electronic form. See
the definition of ``protected health information'' at Sec. 164.501.
March 2002 NPRM. After publication of the Privacy Rule, the
Department received a number of concerns and questions as to whether
the Privacy Rule's restrictions on uses and disclosures will prohibit
covered entities from engaging in certain common and essential health
care communications and practices in use today. In particular, concern
was expressed that the Privacy Rule establishes absolute, strict
standards that would not allow for the incidental or unintentional
disclosures that could occur as a by-product of engaging in these
health care communications and practices. It was argued that the
Privacy Rule would, in effect, prohibit such practices and, therefore,
impede many activities and communications essential to effective and
timely treatment of patients.
For example, some expressed concern that health care providers
could no longer engage in confidential conversations with other
providers or with patients, if there is a possibility that they could
be overheard. Similarly, others questioned whether they would be
prohibited from using sign-in sheets in waiting rooms or maintaining
patient charts at bedside, or whether they would need to isolate X-ray
lightboards or destroy empty prescription vials. These concerns seemed
to stem from a perception that covered entities are required to prevent
any incidental disclosure such as those that may occur when a visiting
family member or other person not authorized to access protected health
information happens to walk by medical equipment or other material
containing individually identifiable health information, or when
individuals in a waiting room sign their name on a log sheet and
glimpse the names of other patients.
The Department, in its July 6 guidance, clarified that the Privacy
Rule is not intended to impede customary and necessary health care
communications or practices, nor to require that all risk of incidental
use or disclosure be eliminated to satisfy its standards. The guidance
promised that the Department would propose modifications to the Privacy
Rule to clarify that such communications and practices may continue, if
reasonable safeguards are taken to minimize the chance of incidental
disclosure to others.
Accordingly, the Department proposed to modify the Privacy Rule to
add a new provision at Sec. 164.502(a)(1)(iii) which would explicitly
permit certain incidental uses and disclosures that occur as a result
of a use or disclosure otherwise permitted by the Privacy Rule. The
proposal described an incidental use or disclosure as a secondary use
or disclosure that cannot reasonably be prevented, is limited in
nature, and that occurs as a by-product of an otherwise permitted use
or disclosure. The Department proposed that an incidental use or
disclosure be permissible only to the extent that the covered entity
had applied reasonable safeguards as required by Sec. 164.530(c), and
implemented the minimum necessary standard, where applicable, as
required by Secs. 164.502(b) and 164.514(d).
Overview of Public Comments. The following discussion provides an
overview of the public comment received on this proposal. Additional
comments received on this issue are discussed below in the section
entitled, ``Response to Other Public Comments.''
The Department received many comments on its proposal to permit
certain incidental uses and disclosures, the majority of which
expressed strong support for the proposal. Many of these commenters
indicated that such a policy would help to ensure that essential health
care communications and practices are not chilled by the Privacy Rule.
A few commenters opposed the Department's proposal to permit certain
incidental uses and disclosures, one of whom asserted that the burden
on medical staff to take precautions not to be overheard is minimal
compared to the potential harm to patients if incidental disclosures
were to be considered permissible.
Final Modifications. In response to the overwhelming support of
commenters on this proposal, the Department adopts the proposed
provision at Sec. 164.502(a)(1)(iii), explicitly permitting certain
incidental uses and disclosures that occur as a by-product of a use or
disclosure otherwise permitted under the Privacy Rule. As in the
proposal, an incidental use or disclosure is permissible only to the
extent that the covered entity has applied reasonable safeguards as
[[Page 53194]]
required by Sec. 164.530(c), and implemented the minimum necessary
standard, where applicable, as required by Secs. 164.502(b) and
164.514(d). The Department continues to believe, as was stated in the
proposed Rule, that so long as reasonable safeguards are employed, the
burden of impeding such communications is not outweighed by any
benefits that may accrue to individuals' privacy interests.
However, an incidental use or disclosure that occurs as a result of
a failure to apply reasonable safeguards or the minimum necessary
standard, where required, is not a permissible use or disclosure and,
therefore, is a violation of the Privacy Rule. For example, a hospital
that permits an employee to have unimpeded access to patients' medical
records, where such access is not necessary for the employee to do her
job, is not applying the minimum necessary standard and, therefore, any
incidental use or disclosure that results from this practice would be
an unlawful use or disclosure under the Privacy Rule.
In response to the few comments that opposed the proposal to permit
certain incidental uses and disclosures, the Department reiterates that
the Privacy Rule must not impede essential health care communications
and practices. Prohibiting all incidental uses and disclosures would
have a chilling effect on normal and important communications among
providers, and between providers and their patients, and, therefore,
would negatively affect individuals' access to quality health care. The
Department does not intend with this provision to obviate the need for
medical staff to take precautions to avoid being overheard, but rather,
will only allow incidental uses and disclosures where appropriate
precautions have been taken.
The Department clarifies, in response to a comment, that this
provision applies, subject to reasonable safeguards and the minimum
necessary standard, to an incidental use or disclosure that occurs as a
result of any permissible use or disclosure under the Privacy Rule made
to any person, and not just to incidental uses and disclosures
resulting from treatment communications or only to communications among
health care providers or other medical staff. For example, a provider
may instruct an administrative staff member to bill a patient for a
particular procedure, and may be overheard by one or more persons in
the waiting room. Assuming that the provider made reasonable efforts to
avoid being overheard and reasonably limited the information shared, an
incidental disclosure resulting from such conversation is permissible
under the Rule.
In the proposal, the Department did not address whether or not
incidental disclosures would need to be included in the accounting of
disclosures required by Sec. 164.528. However, one commenter urged the
Department to exclude incidental disclosures from the accounting. The
Department agrees with this commenter and clarifies that covered
entities are not required to include incidental disclosures in an
accounting of disclosures provided to the individual pursuant to
Sec. 164.528. The Department does not believe such a requirement would
be practicable; in many instances, the covered entity may not know that
an incidental disclosure occurred. To make this policy clear, the
Department includes an explicit exception for such disclosures to the
accounting standard at Sec. 164.528(a)(1).
Response to Other Public Comments
Comment: One commenter expressed concern that the requirement
reasonably to safeguard protected health information would be
problematic because any unintended use or disclosure could arguably
demonstrate a failure to ``reasonably safeguard.'' This commenter
requested that the Department either delete the language in
Sec. 164.530(c)(2)(ii) or modify the language to make clear that the
fact that an incidental use or disclosure occurs does not imply that
safeguards were not reasonable.
Response: The Department clarifies that the fact that an incidental
use or disclosure occurs does not by itself imply that safeguards were
not reasonable. However, the Department does not believe that a
modification to the proposed language is necessary to express this
intent. The language proposed and now adopted at Sec. 164.530(c)(2)(ii)
requires only that the covered entity reasonably safeguard protected
health information to limit incidental uses or disclosures, not that
the covered entity prevent all incidental uses and disclosures. Thus,
the Department expects that incidental uses and disclosures will occur
and permits such uses and disclosures to the extent the covered entity
has in place reasonable safeguards and has applied the minimum
necessary standard, where applicable.
Comment: Another commenter requested that the Department clarify
its proposal to assure that unintended disclosures will not result in
civil penalties.
Response: The Department's authority to impose civil monetary
penalties on violations of the Privacy Rule is defined in HIPAA.
Specifically, HIPAA added section 1176 to the Social Security Act,
which prescribes the Secretary's authority to impose civil monetary
penalties. Therefore, in the case of a violation of a disclosure
provision in the Privacy Rule, a penalty may not be imposed, among
other things, if the person liable for the penalty did not know and, by
exercising reasonable diligence would not have known, that such person
violated the provision. HIPAA also provides for criminal penalties
under certain circumstances, but the Department of Justice, not this
Department, has authority for criminal penalties.
Comment: One commenter requested that the Department clarify how
covered entities should implement technical and physical safeguards
when they do not yet know what safeguards the final Security Rule will
require.
Response: Each covered entity should assess the nature of the
protected health information it holds, and the nature and scope of its
business, and implement safeguards that are reasonable for its
particular circumstances. There should be no potential for conflict
between the safeguards required by the Privacy Rule and the final
Security Rule standards, for several reasons. First, while the Privacy
Rule applies to protected health information in all forms, the Security
Rule will apply only to electronic health information systems that
maintain or transmit individually identifiable health information.
Thus, all safeguards for protected health information in oral, written,
or other non-electronic forms will be unaffected by the Security Rule.
Second, in preparing the final Security Rule, the Department is working
to ensure the Security Rule requirements for electronic information
systems work ``hand in glove'' with any relevant requirements in the
Privacy Rule, including Sec. 164.530.
Comment: One commenter argued that while this new provision is
helpful, it does not alleviate covered entities' concerns that routine
practices, often beneficial for treatment, will be prohibited by the
Privacy Rule. This commenter stated that, for example, specialists
provide certain types of therapy to patients in a group setting, and,
in some cases, where family members are also present.
Response: The Department reiterates that the Privacy Rule is not
intended to impede common health care communications and practices that
are essential in providing health care to the individual. Further, the
Privacy Rule's new provision permitting certain incidental uses and
disclosures is
[[Page 53195]]
intended to increase covered entities' confidence that such practices
can continue even where an incidental use or disclosure may occur,
provided that the covered entity has taken reasonable precautions to
safeguard and limit the protected health information disclosed. For
example, this provision should alleviate concerns that common
practices, such as the use of sign-in sheets and calling out names in
waiting rooms, will violate the Rule, so long as the information
disclosed is appropriately limited. With regard to the commenter's
specific example, disclosure of protected health information in a group
therapy setting would be a treatment disclosure, and thus permissible
without individual authorization. Further, Sec. 164.510(b) generally
permits a covered entity to disclose protected health information to a
family member or other person involved in the individual's care. In
fact, this section specifically provides that, where the individual is
present during a disclosure, the covered entity may disclose protected
health information if it is reasonable to infer from the circumstances
that the individual does not object to the disclosure. Absent
countervailing circumstances, the individual's agreement to participate
in group therapy or family discussions is a good basis for such a
reasonable inference. As such disclosures are permissible disclosures
in and of themselves, they would not be incidental disclosures.
Comment: Some commenters, while in support of permitting incidental
uses and disclosures, requested that the Department provide additional
guidance in this area by providing additional examples of permitted
incidental uses and disclosures and/or clarifying what would constitute
``reasonable safeguards.''
Response: The reasonable safeguards and minimum necessary standards
are flexible and adaptable to the specific business needs and
circumstances of the covered entity. Given the discretion covered
entities have in implementing these standards, it is difficult for the
Department to provide specific guidance in this area that is generally
applicable to many covered entities. However, the Department intends to
provide future guidance through frequently asked questions or other
materials in response to specific scenarios that are raised by
industry.
2. Minimum Necessary Standard
December 2000 Privacy Rule. The Privacy Rule generally requires
covered entities to make reasonable efforts to limit the use or
disclosure of, and requests for, protected health information to the
minimum necessary to accomplish the intended purpose. See
Sec. 164.502(b). Protected health information includes individually
identifiable health information (with limited exceptions) in any form,
including information transmitted orally, or in written or electronic
form. See the definition of ``protected health information'' at
Sec. 164.501. The minimum necessary standard is intended to make
covered entities evaluate their practices and enhance protections as
needed to limit unnecessary or inappropriate access to, and disclosures
of, protected health information.
The Privacy Rule contains some exceptions to the minimum necessary
standard. The minimum necessary requirements do not apply to uses or
disclosures that are required by law, disclosures made to the
individual or pursuant to an authorization initiated by the individual,
disclosures to or requests by a health care provider for treatment
purposes, uses or disclosures that are required for compliance with the
regulations implementing the other administrative simplification
provisions of HIPAA, or disclosures to the Secretary of HHS for
purposes of enforcing this Rule. See Sec. 164.502(b)(2).
The Privacy Rule sets forth requirements for implementing the
minimum necessary standard with regard to a covered entity's uses,
disclosures, and requests at Sec. 164.514(d). A covered entity is
required to develop and implement policies and procedures appropriate
to the entity's business practices and workforce that reasonably
minimize the amount of protected health information used, disclosed,
and requested. For uses of protected health information, the policies
and procedures must identify the persons or classes of persons within
the covered entity who need access to the information to carry out
their job duties, the categories or types of protected health
information needed, and the conditions appropriate to such access. For
routine or recurring requests and disclosures, the policies and
procedures may be standard protocols. Non-routine requests for, and
disclosures of, protected health information must be reviewed
individually.
With regard to disclosures, the Privacy Rule permits a covered
entity to rely on the judgment of certain parties requesting the
disclosure as to the minimum amount of information that is needed. For
example, a covered entity is permitted reasonably to rely on
representations from a public official, such as a State workers'
compensation official, that the information requested is the minimum
necessary for the intended purpose. Similarly, a covered entity is
permitted reasonably to rely on the judgment of another covered entity
that the information requested is the minimum amount of information
reasonably necessary to fulfill the purpose for which the request has
been made. See Sec. 164.514(d)(3)(iii).
March 2002 NPRM. The Department proposed a number of minor
modifications to the minimum necessary standard to clarify the
Department's intent or otherwise conform these provisions to other
proposed modifications. First, the Department proposed to separate
Sec. 164.502(b)(2)(ii) into two subparagraphs (Sec. 164.502(b)(2)(ii)
and (iii)) to eliminate confusion regarding the exception to the
minimum necessary standard for uses or disclosures made pursuant to an
authorization under Sec. 164.508, and the separate exception for
disclosures made to the individual. Second, to conform to the proposal
to eliminate the special authorizations required by the Privacy Rule at
Sec. 164.508(d), (e), and (f), the Department proposed to exempt from
the minimum necessary standard any uses or disclosures for which the
covered entity had received an authorization that meets the
requirements of Sec. 164.508, rather than just those authorizations
initiated by the individual.
Third, the Department proposed to modify Sec. 164.514(d)(1) to
delete the term ``reasonably ensure'' in response to concerns that the
term connotes an absolute, strict standard and, therefore, is
inconsistent with the Department's intent that the minimum necessary
requirements be reasonable and flexible to the unique circumstances of
the covered entity. In addition, the Department proposed to generally
revise the language in Sec. 164.514(d)(1) to be more consistent with
the description of standards elsewhere in the Privacy Rule.
Fourth, so that the minimum necessary standard would be applied
consistently to requests for, and disclosures of, protected health
information, the Department proposed to add a provision to
Sec. 164.514(d)(4) to make the implementation specifications for
applying the minimum necessary standard to requests for protected
health information by a covered entity more consistent with the
corresponding implementation specifications for disclosures.
Specifically, for requests not made on a routine and recurring basis,
the Department proposed to add the requirement that a covered entity
must implement the minimum
[[Page 53196]]
necessary standard by developing and implementing criteria designed to
limit its request for protected health information to the minimum
necessary to accomplish the intended purpose.
Overview of Public Comments. The following discussion provides an
overview of the public comment received on this proposal. Additional
comments received on this issue are discussed below in the section
entitled, ``Response to Other Public Comments.''
The Department received a number of comments on its proposal to
exempt from the minimum necessary standard any use or disclosure of
protected health information for which the covered entity has received
an authorization that meets the requirements of Sec. 164.508. Many
commenters supported this proposal. A few commenters generally urged
that the minimum necessary standard be applied to uses and disclosures
pursuant to an authorization. A few other commenters appeared to
misinterpret the policy in the December 2000 Rule and urged that the
Department retain the minimum necessary standard for disclosures
``pursuant to an authorization other than disclosures to an
individual.'' Some commenters raised specific concerns about
authorizations for psychotherapy notes and the particular need for
minimum necessary to be applied in these cases.
A number of commenters expressed support for the Department's
statements in the preamble to the proposed Rule reinforcing that the
minimum necessary standard is intended to be flexible to account for
the characteristics of the entity's business and workforce, and not
intended to override the professional judgment of the covered entity.
Similarly, some commenters expressed support for the Department's
proposal to remove the term ``reasonably ensure'' from
Sec. 164.514(d)(1). However, a few commenters expressed concerns that
the proposed alternative language actually would implement a stricter
standard than that included in the December 2000 Privacy Rule.
Final Modifications. In this final Rule, the Department adopts the
proposed policy to exempt from the minimum necessary standard any uses
or disclosures for which the covered entity has received an
authorization that meets the requirements of Sec. 164.508. The final
modification adopts the proposal to eliminate the special
authorizations that were required by the December 2000 Privacy Rule at
Sec. 164.508(d), (e), and (f). (See section III.E.1. of the preamble
for a detailed discussion of the modifications to the authorization
requirements of the Privacy Rule.) Since the only authorizations to
which the minimum necessary standard applied are being eliminated in
favor of a single consolidated authorization, the final Rule
correspondingly eliminates the minimum necessary provisions that
applied to the now-eliminated special authorizations. All uses and
disclosures made pursuant to any authorization are exempt from the
minimum necessary standard.
In response to commenters who opposed this proposal as a potential
weakening of privacy protections or who wanted the minimum necessary
requirements to apply to authorizations other than disclosures to the
individual, the Department notes that nothing in the final Rule
eliminates an individual's control over his or her protected health
information with respect to an authorization. All authorizations must
include a description of the information to be used and disclosed that
identifies the information in a specific and meaningful fashion as
required by Sec. 164.508(c)(1)(i). If the individual does not wish to
release the information requested, the individual has the right to not
sign the authorization or to negotiate a narrower authorization with
the requestor.
Additionally, in response to those commenters who raised specific
concerns with respect to authorizations which request release of
psychotherapy notes, the Department clarifies that the final Rule does
not require a covered entity to use and disclose protected health
information pursuant to an authorization. Rather, as with most other
uses and disclosures under the Privacy Rule, this is only a permissible
use or disclosure. If a covered health care provider is concerned that
a request for an individual's psychotherapy notes is not warranted or
is excessive, the provider may consult with the individual to determine
whether or not the authorization is consistent with the individual's
wishes.
Further, the Privacy Rule does not permit a health plan to
condition enrollment, eligibility for benefits, or payment of a claim
on obtaining the individual's authorization to use or disclose
psychotherapy notes. Nor may a health care provider condition treatment
on an authorization for the use or disclosure of psychotherapy notes.
Thus, the Department believes that these additional protections
appropriately and effectively protect an individual's privacy with
respect to psychotherapy notes.
The final Rule also retains for clarity the proposal to separate
Sec. 164.502(b)(2)(ii) into two subparagraphs (Sec. 164.502(b)(2)(ii)
and (iii)); commenters did not explicitly address or raise issues with
this proposed clarification.
In response to concerns that the proposed language at
Sec. 164.514(d)(1) would implement a stricter standard, the Department
disagrees and, therefore, adopts the proposed language. The language in
Sec. 164.514(d)(1) describes the standard: covered entities are
required to meet the requirements in the implementation specifications
of Sec. 164.514(d)(2) through (d)(5). The implementation specifications
describe what covered entities must do reasonably to limit uses,
disclosures, and requests to the minimum necessary. Thus, the
Department believes that the language in the implementation
specifications is adequate to reflect the Department's intent that the
minimum necessary standard is reasonable and flexible to accommodate
the unique circumstances of the covered entity.
Commenters also generally did not address the Department's proposed
clarification to make the implementation specifications for requests of
protected health information consistent with those for disclosures of
protected health information. Consequently, as commenters did not raise
concerns with the proposal, this final Rule adopts the proposed
provision at Sec. 164.514(d)(4). For requests of protected health
information not made on a routine and recurring basis, a covered entity
must implement the minimum necessary standard by developing and
implementing criteria designed to limit its request for protected
health information to the minimum necessary to accomplish the intended
purpose.
Response to Other Public Comments
Comment: Many commenters recommended changes to the minimum
necessary standard unrelated to the proposed modifications. For
example, some commenters urged that the Department exempt from the
minimum necessary standard all uses of protected health information, or
at least uses of protected health information for treatment purposes.
Alternatively, one commenter urged that the minimum necessary standard
be applied to disclosures for treatment purposes. Others requested that
the Department exempt uses and disclosures for payment and health care
operations from the standard, or exempt disclosures to another covered
entity for such purposes. A few commenters argued that the minimum
necessary standard should not apply to disclosures to another covered
entity. Some urged that the minimum
[[Page 53197]]
necessary standard be eliminated entirely.
Response: The Department did not propose modifications relevant to
these comments, nor did it seek comment on these issues. The proposed
modifications generally were intended to address those problems or
issues that presented workability problems for covered entities or
otherwise had the potential to impede an individual's timely access to
quality health care. Moreover, the proposed modifications to the
minimum necessary standard were either minor clarifications of the
Department's intent with respect to the standard or would conform the
standard to other proposed modifications. The Department has, in
previous guidance as well as in the preamble to the December 2000
Privacy Rule, explained its position with respect to the above
concerns. The minimum necessary standard is derived from
confidentiality codes and practices in common use today. We continue to
believe that it is sound practice not to use or disclose private
medical information that is not necessary to satisfy a request or
effectively carry out a function. The privacy benefits of retaining the
minimum necessary standard outweigh the burden involved with
implementing the standard. The Department reiterates that position
here.
Further, the Department designed the minimum necessary standard to
be sufficiently flexible to accommodate the various circumstances of
any covered entity. Covered entities will develop their own policies
and procedures to meet this standard. A covered entity's policies and
procedures may and should allow the appropriate individuals within an
entity to have access to protected health information as necessary to
perform their jobs with respect to the entity's covered functions. The
Department is not aware of any workability issues with this standard.
With respect to disclosures to another covered entity, the Privacy
Rule permits a covered entity reasonably to rely on another covered
entity's request for protected health information as the minimum
necessary for the intended disclosure. See Sec. 164.514(d)(3)(iii). The
Department does not believe, therefore, that a blanket exception for
such disclosures is justified. The covered entity who holds the
information always retains discretion to make its own minimum necessary
determination.
Lastly, the Department continues to believe that the exception for
disclosures to or requests by health care providers for treatment
purposes is appropriate to ensure that access to timely and quality
treatment is not impeded.
As the Privacy Rule is implemented, the Department will monitor the
workability of the minimum necessary standard and consider proposing
revisions, where appropriate, to ensure that the Privacy Rule does not
hinder timely access to quality health care.
Comment: One commenter requested that the Department state in the
preamble that the minimum necessary standard may not be used to
interfere with or obstruct essential health plan payment and health
care operations activities, including quality assurance, disease
management, and other activities. Another commenter asked that the
final Rule's preamble acknowledge that, in some cases, the minimum
protected health information necessary for payment or health care
operations will be the entire record. One commenter urged that the Rule
be modified to presume that disclosure of a patient's entire record is
justified, and that such disclosure does not require individual review,
when requested for disease management purposes.
Response: The minimum necessary standard is not intended to impede
essential treatment, payment, or health care operations activities of
covered entities. Nor is the Rule intended to change the way covered
entities handle their differences with respect to disclosures of
protected health information. The Department recognizes that, in some
cases, an individual's entire medical record may be necessary for
payment or health care operations purposes, including disease
management purposes. However, the Department does not believe that
disclosure of a patient's entire medical record is always justified for
such purposes. The Privacy Rule does not prohibit the request for, or
release of, entire medical records in such circumstances, provided that
the covered entity has documented the specific justification for the
request or disclosure of the entire record.
Comment: A few commenters requested that the Department add to the
regulatory text some of the statements included in the preamble to the
proposed modifications. For example, commenters asked that the final
Rule state that the minimum necessary standard is ``intended to be
consistent with, and not override, professional judgement and
standards.'' Similarly, others requested that the regulation specify
that ``covered entities must implement policies and procedures based on
their own assessment of what protected health information is reasonably
necessary for a particular purpose, given the characteristics of their
business and their workforce, and using their own professional
judgment.''
Response: It is the Department's policy that the minimum necessary
standard is intended to be consistent with, and not override,
professional judgment and standards, and that covered entities must
implement policies and procedures based on their own assessment of what
protected health information is reasonably necessary for a particular
purpose, given the characteristics of their business and their
workforce. However, the Department does not believe a regulatory
modification is necessary because the Department has made its policy
clear not only in the preamble to the proposed modifications but also
in previous guidance and in this preamble.
Comment: A commenter argued that the Department should exempt
disclosures for any of the standard transactions as required by the
Transactions Rule, when information is requested by a health plan or
its business associate.
Response: The Department disagrees. The Privacy Rule already
exempts from the minimum necessary standard data elements that are
required or situationally required in any of the standard transactions
(Sec. 164.502(b)(2)(v)). If, however, a standard transaction permits
the use of optional data elements, the minimum necessary standard
applies. For example, the standard transactions adopted for the
outpatient pharmacy sector use optional data elements. The payer
currently specifies which of the optional data elements are needed for
payment of its particular pharmacy claims. The minimum necessary
standard applies to the payer's request for such information. A
pharmacist is permitted to rely on the payer's request for information,
if reasonable to do so, as the minimum necessary for the intended
disclosure.
Comment: A few commenters expressed concerns with respect to a
covered entity's disclosures for research purposes. Specifically, one
commenter was concerned that a covered entity will not accept
documentation of an external IRB's waiver of authorization for purposes
of reasonably relying on the request as the minimum necessary. It was
suggested that the Department deem that a disclosure to a researcher
based on appropriate documentation from an IRB or Privacy Board meets
the minimum necessary standard.
Response: The Department understands commenters' concerns that
covered entities may decline to
[[Page 53198]]
participate in research studies, but believes that the Rule already
addresses this concern. The Privacy Rule explicitly permits a covered
entity reasonably to rely on a researcher's documentation or the
representations of an IRB or Privacy Board pursuant to Sec. 164.512(i)
that the information requested is the minimum necessary for the
research purpose. This is true regardless of whether the documentation
is obtained from an external IRB or Privacy Board or one that is
associated with the covered entity. The preamble to the March 2002 NPRM
further reinforced this policy by stating that reasonable reliance on
an IRB's documentation of approval of the waiver criteria and a
description of the data needed for the research as required by
Sec. 164.512(i) would satisfy a covered entity's obligations with
respect to limiting the disclosure to the minimum necessary. The
Department reiterates this policy here and believes that this should
give covered entities sufficient confidence in accepting IRB waivers of
authorization.
Comment: A number of commenters requested that the Department limit
the amount of information that pharmacy benefits managers (PBM) may
demand from pharmacies as part of their claims payment activities.
Response: The health plan, as a covered entity, is obligated to
instruct the PBM, as its business associate acting through the business
associate contract, to request only the minimum amount of information
necessary to pay a claim. The pharmacist may rely on this determination
if reasonable to do so, and then does not need to engage in a separate
minimum necessary assessment. If a pharmacist does not agree that the
amount of information requested is reasonably necessary for the PBM to
fulfill its obligations, it is up to the pharmacist and PBM to
negotiate a resolution of the dispute as to the amount of information
needed by the PBM to carry out its obligations and that the pharmacist
is willing to provide, recognizing that the PBM is not required to pay
claims if it has not received the information it believes is necessary
to process the claim in accordance with its procedures, including fraud
prevention procedures.
The standard for electronic pharmacy claims, adopted by the
Secretary in the Transactions Rule, includes optional data elements and
relies on each payer to specify the data elements required for payment
of its claims. Understandably, the majority of health plans require
some patient identification elements in order to adjudicate claims. As
the National Council for Prescription Drug Programs (NCPDP) moves from
optional to required and situational data elements, the question of
whether the specific element of ``patient name'' should be required or
situational will be debated by the NCPDP, by the Designated Standards
Maintenance Organizations, by the National Committee on Vital and
Health Statistics, and ultimately will be decided in rulemaking by the
Secretary.
Comment: One commenter requested that the minimum necessary
standard be made an administrative requirement rather than a standard
for uses and disclosures, to ease liability concerns with implementing
the standard. The commenter stated that this change would mean that
covered entities would be required to implement reasonable minimum
necessary policies and procedures and would be liable if: (1) They fail
to implement minimum necessary policies and procedures; (2) their
policies and procedures are not reasonable; or (3) they fail to enforce
their policies and procedures. The commenter further explained that
health plans would be liable if their policies and procedures for
requesting health information were unreasonable, but the burden of
liability for the request shifts largely to the entity best suited to
determine whether the amount of information requested is the minimum
necessary.
Response: The Privacy Rule already requires covered entities to
implement reasonable minimum necessary policies and procedures and to
limit any use, disclosure, or request for protected health information
in a manner consistent with its policies and procedures. The minimum
necessary standard is an appropriate standard for uses and disclosures,
and is not merely an administrative requirement. The Privacy Rule
provides adequate flexibility to adopt minimum necessary policies and
procedures that are workable for the covered entity, thereby minimizing
a covered entity's liability concerns.
Comment: A number of commenters expressed concerns about
application of the minimum necessary standard to disclosures for
workers' compensation purposes. Commenters argued that the standard
will prevent workers' compensation insurers and State administrators,
as well as employers, from obtaining the information needed to pay
injured workers the benefits guaranteed under the State workers'
compensation system. They also argued that the minimum necessary
standard could lead to fraudulent claims and unnecessary legal action
in order to obtain information needed for workers' compensation
purposes.
Response: The Privacy Rule is not intended to disrupt existing
workers' compensation systems as established by State law. In
particular, the Rule is not intended to impede the flow of health
information that is needed by employers, workers' compensation
carriers, or State officials in order to process or adjudicate claims
and/or coordinate care under the workers' compensation system. To this
end, the Privacy Rule at Sec. 164.512(l) explicitly permits a covered
entity to disclose protected health information as authorized by, and
to the extent necessary to comply with, workers' compensation or other
similar programs established by law that provide benefits for work-
related injuries or illnesses without regard to fault. The minimum
necessary standard permits covered entities to disclose any protected
health information under Sec. 164.512(l) that is reasonably necessary
for workers' compensation purposes and is intended to operate so as to
permit information to be shared for such purposes to the full extent
permitted by State or other law.
Additionally, where a State or other law requires a disclosure of
protected health information for workers' compensation purposes, such
disclosure is permitted under Sec. 164.512(a). A covered entity a