The Food, Drug, and Cosmetic Act, 21 U.S.C. 301, et seq., and its accompanying regulations outline the responsibilities of the Food and Drug Administration with regard to monitoring the safety and effectiveness of drugs and devices. Part of the agency's responsibility is to obtain reports about adverse events, track medical devices, and engage in other types of post marketing surveillance. Because many of these reports contain protected health information, the information within them may come within the purview of the privacy rules. Although some of these reports are required by the Food, Drug, and Cosmetic Act or its accompanying regulations, other types of reporting are voluntary. We believe that these reports, while not mandated, play a critical role in ensuring that individuals receive safe and effective drugs and devices. Therefore, in § 164.512(b)(1)(iii), we have provided that covered entities may disclose protected health information to a person subject to the jurisdiction of the Food and Drug Administration for specified purposes, such as reporting adverse events, tracking medical devices, or engaging in other post marketing surveillance. We describe the scope and conditions of such disclosures in more detail in § 164.512(b).
Comment: A few comments expressed concerns about the use of
protected health information for reporting activities to the Food and
Drug Administration ("FDA"). Their concern focused on the ability to
obtain or disclose protected health information for pre-and post-
marketing adverse event reports, device tracking, and post-marketing
safety and efficacy evaluation.
Response: We agree with this comment and have provided that covered
entities may disclose protected health information to persons subject
to the jurisdiction of the FDA, to comply with the requirements of, or
at the direction of, the FDA with regard to reporting adverse events
(or similar reports with respect to dietary supplements), the tracking
of medical devices, other post-marketing surveillance, or other similar
requirements described at Sec. 164.512(b).
Controlled Substance Act
Comment: One comment expressed concern that the privacy regulation
as proposed would restrict the Drug Enforcement Agency's ("the DEA")
enforcement of the Controlled Substances Act ("CSA"). The comment
suggested including enforcement activities in the definition of
"health oversight agency."
Response: In our view, the privacy regulation should not impede the
DEA's ability to enforce the CSA. First, to the extent the CSA requires
disclosures to the DEA, these disclosures would be permissible under
Sec. 164.512(a). Second, some of the DEA's CSA activities come within
the exception for health oversight agencies which permits disclosures
to health oversight agencies for:
Activities authorized by law, including audits; civil,
administrative, or criminal investigations; inspections * * * civil,
administrative, or criminal proceedings or actions; and other
activity necessary for appropriate oversight of the health care
system.
Therefore, to the extent the DEA is enforcing the CSA, disclosures
to it in its capacity as a health oversight agency are permissible
under Sec. 164.512(d). Alternatively, CSA required disclosures to the
DEA for law enforcement purposes are permitted under Sec. 164.512(f).
When acting as a law enforcement agency under the CSA, the DEA may
obtain the information pursuant to Sec. 164.512(f). Thus, we do not
agree that the privacy regulation will impede the DEA's enforcement of
the CSA. See the preamble discussion of Sec. 164.512 for further
explanation.
Comment: One commenter suggested clarifying the provisions allowing
disclosures that are "required by law" to ensure that the mandatory
reporting requirements the CSA imposes on covered entities, including
making available reports, inventories, and records of transactions, are
not preempted by the regulation.
Response: We agree that the privacy regulation does not alter
covered entities' obligations under the CSA. Because the CSA requires
covered entities manufacturing, distributing, and/or dispensing
controlled substances to maintain and provide to the DEA specific
records and reports, the privacy regulation permits these disclosures
under Sec. 164.512(a). In addition, when the DEA seeks documents to
determine an entity's compliance with the CSA, such disclosures are
permitted under Sec. 164.512(d).
Comment: The same commenter expressed concern that the proposed
privacy regulation inappropriately limits voluntary reporting and would
prevent or deter employees of covered entities from providing the DEA
with information about violations of the CSA.
Response: We agree with the general concerns expressed in this
comment. We do not believe the privacy rules will limit voluntary
reporting of violations of the CSA. The CSA requires certain entities
to maintain several types of records that may include protected health
information. Although reports that included protected health
information may be restricted under these rules, reporting the fact
that an entity is not maintaining proper reports is not. If it were
necessary to obtain protected health information during the
investigatory stages following such a voluntary report, the DEA would
be able to obtain the information in other ways, such as by following
the administrative procedures outlined in Sec. 164.512(e).
We also agree that employees of covered entities who report
violations of the CSA should not be subjected to retaliation by their
employers. Under Sec. 164.502(j), we specifically state that a covered
entity is not considered to have violated the regulation if a workforce
member or business associate in good faith reports violations of laws
or professional standards by covered entities to appropriate
authorities. See discussion of Sec. 164.502(j) below.
