Covered entities subject to these rules are also subject to other federal statutes and regulations. For example, federal programs must comply with the statutes and regulations that govern them. Pursuant to their contracts, Medicare providers must comply with the requirements of the Privacy Act of 1974. Substance abuse treatment facilities are subject to the Substance Abuse Confidentiality provisions of the Public Health Service Act, section 543 and its regulations. And, health care providers in schools, colleges, and universities may come within the purview of the Family Educational Rights and Privacy Act. Thus, covered entities will need to determine how the privacy regulation will affect their ability to comply with these other federal laws.
Many commenters raised questions about how different federal statutes and regulations intersect with the privacy regulation. While we address specific concerns in the response to comments later in the preamble, in this section, we explore some of the general interaction issues. These summaries do not identify all possible conflicts or overlaps of the privacy regulation and other federal laws, but should provide general guidance for complying with both the privacy regulation and other federal laws. The summaries also provide examples of how covered entities can analyze other federal laws when specific questions arise. HHS may consult with other agencies concerning the interpretation of other federal laws as necessary.
Comment: We received several comments that sought clarification of
the interaction of various federal laws and the privacy regulation.
Many of these comments simply listed federal laws and regulations with
which the commenter currently must comply. For example, commenters
noted that they must comply with regulations relating to safety, public
health, and civil rights, including Medicare and Medicaid, the
Americans with Disabilities Act, the Family and Medical Leave Act, the
Federal Aviation Administration regulations, the Department of
Transportation regulations, the Federal Highway Administration
regulations, the Occupational Safety and Health Administration
regulations, and the Environmental Protection Agency regulations, and
alcohol and drug free workplace rules. These commenters suggested that
the regulation state clearly and unequivocally that uses or disclosures
of protected health information for these purposes were permissible.
Some suggested modifying the definition of health care operations to
include these uses specifically. Another suggestion was to add a
section that permitted the transmission of protected health information
to employers when reasonably necessary to comply with federal, state,
or municipal laws and regulations, or when necessary for public or
employee safety and health.
Response: Although we sympathize with entities' needs to evaluate
the existing laws with which they must comply in light of the
requirements of the final regulation, we are unable to respond
substantially to comments that do not pose specific questions. We
offer, however, the following guidance: if a covered entity is
required to disclose protected health information pursuant to a
specific statutory or regulatory scheme, the covered entity generally
will be permitted under Sec. 164.512(a) to make these disclosures
without a consent or authorization; if, however, a statute or
regulation merely suggests a disclosure, the covered entity will need
to determine if the disclosure comes within another category of
permissible disclosure under Secs. 164.510 or 164.512 or,
alternatively, if the disclosure would otherwise come within
Sec. 164.502. If not, the entity will need to obtain a consent or
authorization for the disclosure.
Comment: One commenter sought clarification as to when a disclosure
is considered to be "required" by another law versus "permitted" by
that law.
Response: We use these terms according to their common usage. By
"required by law," we mean that a covered entity has a legal
obligation to disclose the information. For example, if a statute
states that a covered entity must report the names of all individuals
presenting with gun shot wounds to the emergency room or else be fined
$500 for each violation, a covered entity would be required by law to
disclose the protected health information necessary to comply with this
mandate. The privacy regulation permits this type of disclosure, but
does not require it. Therefore, if a covered entity chose not to comply
with the reporting statute it would violate only the reporting statute
and not the privacy regulation.
On the other hand, if a statute stated that a covered entity may or
is permitted to report the names of all individuals presenting with gun
shot wounds to the emergency room and, in turn, would receive $500 for
each month it made these reports, a covered entity would not be
permitted by Sec. 164.512(a) to disclose the protected health
information. Of course, if another permissible provision applied to
these facts, the covered entity could make the disclosure under that
provision, but it would not be considered to be a disclosure. See
discussion under Sec. 164.512(a) below.
Comment: Several commenters suggested that the proposed rule was
unnecessarily duplicative of existing regulations for federal programs,
such as Medicare, Medicaid, and the Federal Employee Health Benefit
Program.
Response: Congress specifically subjected certain federal programs,
including Medicare, Medicaid, and the Federal Employee Health Benefit
Program to the privacy regulation by including them within the
definition of "health plan." Therefore, covered entities subject to
requirements of existing federal programs will also have to comply with
the privacy regulation.
Comment: One comment asserts that the regulation would not affect
current federal requirements if the current requirements are weaker
than the requirements of the privacy regulation. This same commenter
suggested that current federal requirements will trump both state law
and the proposed regulation, even if Medicaid transactions remain
wholly intrastate.
Response: We disagree. As noted in our discussion of "Relationship
to Other Federal Laws," each law or regulation will need to be
evaluated individually. We similarly disagree with the second assertion
made by the commenter. The final rule will preempt state laws only in
specific instances. For a more detailed analysis, see the preamble
discussion of "Preemption."
Administrative Subpoenas
Comment: One comment stated that the final rule should not impose
new standards on administrative subpoenas that would conflict with
existing laws or administrative or judicial rules that establish
standards for issuing subpoenas. Nor should the final rule conflict
with established standards for the conduct of administrative, civil, or
criminal proceedings, including the rules regarding the discovery of
evidence. Other comments sought further restrictions on access to
protected health information in this context.
Response: Section 164.512(e) below addresses disclosures for
judicial and administrative proceedings. The final rules generally do
not interfere with these existing processes to the extent an individual
served with a subpoena, court order, or other similar process is able
to raise objections already available. See the discussion below under
Sec. 164.512(e) for a fuller response.