Appropriations Laws
Comment: One comment suggested that the penalty provisions of
HIPAA, if extended to the privacy regulation, would require the
Secretary to violate "Appropriations Laws" because the Secretary
could be in the position of assessing penalties against her own and
other federal agencies in their roles as covered entities. Enforcing
penalties on these entities would require the transfer of agency funds
to the General Fund.
Response: We disagree. Although we anticipate achieving voluntary
compliance and resolving any disputes prior to the actual assessment of
penalties, the Department of Justice's Office of Legal Counsel has
determined in similar situations that federal agencies have authority
to assess penalties against other federal agencies and that doing so is
not in violation of the Anti-Deficiency Act, 31 U.S.C. 1341.
Balanced Budget Act of 1997
Comment: One comment expressed concern that the regulation would
place tremendous burdens on providers already struggling with the
effects of the Balanced Budget Act of 1997.
Response: We appreciate the costs covered entities face when
complying with other statutory and regulatory requirements, such as the
Balanced Budget Act of 1997. However, HHS cannot address the impact of
the Balanced Budget Act or other statutes in the context of this
regulation.
Comment: Another comment stated that the regulation is in direct
conflict with the Balanced Budget Act of 1997 ("BBA"). The comment
asserts that the regulation's compliance date conflicts with the BBA,
as well as Generally Acceptable Accounting Principles. According to the
comment, covered entities that made capital acquisitions to ensure
compliance with the year 2000 ("Y2K") problem would not be able to
account for the full depreciation of these systems until 2005. Because
HIPAA requires compliance before that time, the regulation would force
premature obsolescence of this equipment because while it is Y2K
compliant, it may be HIPAA non-compliant.
Response: This comment raises two distinct issues--(1) the
investment in new equipment and (2) the compliance date. With regard to
the first issue, we reject the comment's assertion that the regulation
requires covered entities to purchase new information systems or
information technology equipment, but realize that some covered
entities may need to update their equipment. We have tried to minimize
the costs, while responding appropriately to Congress' mandate for
privacy rules. We have dealt with the cost issues in detail in the
"Regulatory Impact Analysis" section of this Preamble. With regard to
the second issue, Congress, not the Secretary, established the
compliance date at section 1175(b) of the Act.
Civil Rights of Institutionalized Persons Act
Comment: A few comments expressed concern that the privacy
regulation would inadvertently hinder the Department of Justice Civil
Rights Divisions' investigations under the Civil Rights of
Institutionalized Persons Act ("CRIPA"). These comments suggested
clearly including civil rights enforcement activities as health care
oversight.
Response: We agree with this comment. We do not intend for the
privacy rules to hinder CRIPA investigations. Thus, the final rule
includes agencies that are authorized by law to "enforce civil rights
laws for which health information is relevant" in the definition of
"health oversight agency" at Sec. 164.501. Covered entities are
permitted to disclose protected health information to health oversight
agencies under Sec. 164.512(d) without an authorization. Therefore, we
do not believe the final rule should hinder the Department of Justice's
ability to conduct investigations pursuant to its authority in CRIPA.
Department of Transportation
Comment: Several commenters stated that the Secretary should
recognize in the preamble that it is permissible for employers to
condition employment on an individual's delivering a consent to certain
medical tests and/or examinations, such as drug-free workplace programs
and Department of Transportation ("DOT")-required physical
examinations. These comments also suggested that employers should be
able to receive certain information, such as pass/fail test and
examination results, fitness-to-work assessments, and other legally
required or permissible physical assessments without obtaining an
authorization. To achieve this goal, these comments suggested defining
"health information" to exclude information such as information about
how much weight a specific employee can lift.
Response: We reject the suggestion to define "health
information," which Congress defined in HIPAA, so that it excludes
individually identifiable health information that may be relevant to
employers for these types of examinations and programs. We do not
regulate employers. Nothing in the rules prohibits employers from
conditioning employment on an individual signing the appropriate
consent or authorization. By the same token, however, the rules below
do not relieve employers from their obligations under the ADA and other
laws that restrict the disclosure of individually identifiable health
information.
Comment: One commenter asserted that the proposed regulation
conflicts with the DOT guidelines regarding positive alcohol and drug
tests that require the employer be notified in writing of the results.
This document contains protected health information. In addition, the
treatment center records must be provided to the Substance Abuse
Professional ("SAP") and the employer must receive a report from SAP
with random drug testing recommendations.
Response: It is our understanding that DOT requires drug testing of
all applicants for employment in safety-sensitive positions or
individuals being transferred to such positions.
Employers, pursuant to DOT regulations, may condition an employee's
employment or position upon first obtaining an authorization for the
disclosure of results of these tests to the employer. Therefore, we do
not believe the final rules conflict with the DOT requirements, which
do not prohibit obtaining authorizations before such information is
disclosed to employers.
Developmental Disabilities Act
Comment: One commenter urged HHS to ensure that the regulation
would not impede access to individually identifiable health information
to entities that are part of the Protection and Advocacy System to
investigate abuse and neglect as authorized by the Developmental
Disabilities Bill of Rights Act.
Response: The Developmental Disabilities Assistance and Bill of
Rights Act of 2000 ("DD Act") mandates specific disclosures of
individually identifiable health information to Protection and Advocacy
systems designated by the chief elected official of the states and
Territories. Therefore, covered entities may make these disclosures
under Sec. 164.512(a) without first obtaining an individual's
authorization, except in those circumstances in which the DD Act
requires the individual's authorization. Thus, the rules below
will not impede the functioning of the existing Protection and Advocacy
System.
Fair Credit Reporting Act
Comment: A few commenters requested that we exclude information
maintained, used, or disclosed pursuant to the Fair Credit Reporting
Act ("FCRA") from the requirements of the privacy regulation. These
commenters noted that the protections in the privacy regulation
duplicate those in the FCRA.
Response: Although we realize that some overlap between FCRA and
the privacy rules may exist, we have chosen not to remove information
that may come within the purview of FCRA from the scope of our rules
because FCRA's focus is not the same as our Congressional mandate to
protect individually identifiable health information.
To the extent a covered entity seeks to engage in collection
activities or other payment-related activities, it may do so pursuant
to the requirements of this rule related to payment. See discussion of
Secs. 164.501 and 164.502 below.
We understand that some covered entities may be part of, or contain
components that are, entities which meet the definition of "consumer
reporting agencies." As such, these entities are subject to the FCRA.
As described in the preamble to Sec. 164.504, covered entities must
designate what parts of their organizations will be treated as covered
entities for the purpose of these privacy rules. The covered entity
component will need to comply with these rules, while the components
that are consumer reporting agencies will need to comply with FCRA.
Comment: One comment suggested that the privacy regulation would
conflict with the FCRA if the regulation's requirement applied to
information disclosed to consumer reporting agencies.
Response: To the extent a covered entity is required to disclose
protected health information to a consumer reporting agency, it may do
so under Sec. 164.512(a). See also discussion under the definition of
"payment" below.
Fair Debt Collection Practices Act
Comment: Several comments expressed concern that health plans and
health care providers be able to continue using debt collectors in
compliance with the Fair Debt Collection Practices Act and related
laws.
Response: In our view, health plans and health care providers will
be able to continue using debt collectors. Using the services of a debt
collector to obtain payment for the provision of health care comes
within the definition of "payment" and is permitted under the
regulation. Thus, so long as the use of debt collectors is consistent
with the regulatory requirements (such as the provider obtaining the
proper consents, the disclosure being of the minimum amount of
information necessary to collect the debt, the provider or health plan
entering into a business associate agreement with the debt collector,
etc.), relying upon debt collectors to obtain reimbursement for the
provision of health care would not be prohibited by the regulation.
Family Medical Leave Act
Comment: One comment suggested that the proposed regulation
adversely affects the ability of an employer to determine an employee's
entitlement to leave under the Family Medical Leave Act ("FMLA") by
affecting the employer's right to receive medical certification of the
need for leave, additional certifications, and fitness for duty
certification at the end of the leave. The commenter sought
clarification as to whether a provider could disclose information to an
employer without first obtaining an individual's consent or
authorization. Another commenter suggested that the final rule
explicitly exclude from the rule disclosures authorized by the FMLA,
because, in the commenter's view, it provides more than adequate
protection for the confidentiality of medical records in the employment
context.
Response: We disagree that the FMLA provides adequate privacy
protections for individually identifiable health information. As we
understand the FMLA, the need for employers to obtain protected health
information under the statute is analogous to the employer's need for
protected health information under the ADA. In both situations,
employers may need protected health information to fulfill their
obligations under these statutes, but neither statute requires covered
entities to provide the information directly to the employer. Thus,
covered entities in these circumstances will need an individual's
authorization before the disclosure is made to the employer.
Federal Common Law
Comment: One commenter did not want the privacy rules to interfere
with the federal common law governing collective bargaining agreements
permitting employers to insist on the cooperation of employees with
medical fitness evaluations.
Response: We do not seek to interfere with legal medical fitness
evaluations. These rules require a covered entity to have an
individual's authorization before the information resulting from such
evaluations is disclosed to the employer unless another provision of
the rule applies. We do not prohibit employers from conditioning
employment, accommodations, or other benefits, when legally permitted
to do so, upon the individual/employee providing an authorization that
would permit the disclosure of protected health information to
employers by covered entities. See Sec. 164.508(b)(4) below.
Federal Employees Compensation Act
Comment: One comment noted that the Federal Employees Compensation
Act ("FECA") requires claimants to sign a release form when they file
a claim. This commenter suggested that the privacy regulation should
not place additional restrictions on this type of release form.
Response: We agree. In the final rule, we have added a new
provision, Sec. 164.512(l), that permits covered entities to make
disclosures authorized under workers' compensation and similar laws.
This provision would permit covered entities to make disclosures
authorized under FECA and not require a different release form.
Federal Employees Health Benefits Program
Comment: A few comments expressed concern about the preemption
effect on FEHBP and wanted clarification that the privacy regulation
does not alter the existing preemptive scope of the program.
Response: We do not intend to affect the preemptive scope of the
FEHBP. The Federal Employee Health Benefit Act of 1998 preempts any
state law that "relates to" health insurance or plans. 5 U.S.C.
8902(m). The final rule does not attempt to alter the preemptive scope
Congress has provided to the FEHBP.
Comment: One comment suggested that in the context of FEHBP HHS
should place the enforcement responsibilities of the privacy regulation
with Office of Personnel Management, as the agency responsible for
administering the program.
Response: We disagree. Congress placed enforcement with the
Secretary. See section 1176 of the Act.
Federal Rules of Civil Procedure
Comment: A few comments suggested revising proposed Sec. 164.510(d)
so that it is consistent with the existing discovery procedure under
the Federal Rules of Civil Procedure or local rules.
Response: We disagree that the rules regarding disclosures and uses
of protected health information for judicial and administrative
procedures should provide only those protections that exist under
existing discovery rules. Although the current process may be
appropriate for other documents and information requested during the
discovery process, the current system, as exemplified by the Federal
Rules of Civil Procedure, does not provide sufficient protection for
protected health information. Under current discovery rules, private
attorneys, government officials, and others who develop such requests
make the initial determinations as to what information or documentation
should be disclosed. Independent third-party review, such as that by a
court, only becomes necessary if a person of whom the request is made
refuses to provide the information. If this happens, the person seeking
discovery must obtain a court order or move to compel discovery. In our
view this system does not provide sufficient protections to ensure that
unnecessary and unwarranted disclosures of protected health information
do not occur. For a related discussion, see the preamble regarding
"Disclosures for Judicial and Administrative Proceedings" under
Sec. 164.512(e).
Federal Rules of Evidence
Comment: Many comments requested clarification that the privacy
regulation does not conflict or interfere with the federal or state
privileges. In particular, one of these comments suggested that the
final regulation provide that disclosures for a purpose recognized by
the regulation not constitute a waiver of federal or state privileges.
Response: We do not intend for the privacy regulation to interfere
with federal or state rules of evidence that create privileges.
Consistent with The Uniform Health-Care Information Act drafted by the
National Conference of Commissioners on Uniform State Laws, we do not
view a consent or an authorization to function as a waiver of federal
or state privileges. For further discussion of the effect of consent or
authorization on federal or state privileges, see preamble discussions
in Secs. 164.506 and 164.508.
Comment: Other comments applauded the Secretary's references to
Jaffee v. Redmond, 518 U.S. 1 (1996), which recognized a
psychotherapist-patient privilege, and asked the Secretary to
incorporate expressly this privilege into the final regulation.
Response: We agree that the psychotherapist-patient relationship is
an important one that deserves protection. However, it is beyond the
scope of our mandate to create specific evidentiary privileges. It is
also unnecessary because the United States Supreme Court has adopted
this privilege.
Comment: A few comments discussed whether one remedy for violating
the privacy regulation should be to exclude or suppress evidence
obtained in violation of the regulation. One comment supported using
this penalty, while another opposed it.
Response: We do not have the authority to mandate that courts apply
or not apply the exclusionary rule to evidence obtained in violation of
the regulation. This issue is in the purview of the courts.
Federal Tort Claims Act
Comment: One comment contended that the proposed regulation's
requirement mandating covered entities to name the subjects of
protected health information disclosed under a business partner
contract as third party intended beneficiaries under the contract would
have created an impermissible right of action against the government
under the Federal Tort Claims Act ("FTCA").
Response: Because we have deleted the third party beneficiary
provisions from the final rules, this comment is moot.
Comment: Another comment suggested the regulation would hamper the
ability of federal agencies to disclose protected health information to
their attorneys, the Department of Justice, during the initial stages
of the claims brought under the FTCA.
Response: We disagree. The regulation applies only to federal
agencies that are covered entities. To the extent an agency is not a
covered entity, it is not subject to the regulation; to the extent an
agency is a covered entity, it must comply with the regulation. A
covered entity that is a federal agency may disclose relevant
information to its attorneys, who are business associates, for purposes
of health care operations, which includes uses or disclosures for legal
functions. See Sec. 164.501 (definitions of "business associate" and
"health care operations"). The final rule provides specific
provisions describing how federal agencies may provide adequate
assurances for these types of disclosures of protected health
information. See Sec. 164.504(e)(3).
Foreign Standards
Comment: One comment asked how the regulation could be enforced
against foreign countries (or presumably entities in foreign countries)
that solicit medical records from entities in the United States.
Response: We do not regulate solicitations of information. To the
extent a covered entity wants to comply with a request for disclosure
of protected health information to foreign countries or entities within
foreign countries, it will need to comply with the privacy rules before
making the disclosure. If the covered entity fails to comply with the
rules, it will be subject to enforcement proceedings.
Inspector General Act
Comment: One comment requested the Secretary to clarify in the
preamble that the privacy regulation does not preempt the Inspector
General Act.
Response: We agree that to the extent the Inspector General Act
requires uses or disclosures of protected health information, the
privacy regulation does not preempt it. The final rule provides that to
the extent required under section 201(a)(5) of the Act, nothing in this
subchapter should be construed to diminish the authority of any
Inspector General, including the authority provided in the Inspector
General Act of 1978. See discussion of Sec. 160.102 above.
National Labor Relations Act
Comment: A few comments expressed concern that the regulation did
not address the obligation of covered entities to disclose protected
health information to collective bargaining representatives under the
National Labor Relations Act.
Response: The final rule does not prohibit disclosures that covered
entities must make pursuant to other laws. To the extent a covered
entity is required by law to disclose protected health information to
collective bargaining representatives under the NLRA, it may do so
without an authorization. Also, the definition of "health care
operations" at Sec. 164.501 permits disclosures to employee
representatives for purposes of grievance resolution.
Reporting Requirement
Comment: One comment noted that federal agencies must provide
information to certain entities pursuant to various federal statutes.
For example, federal agencies must not withhold information from a
Congressional oversight committee or the General Accounting Office.
Similarly, some federal agencies must provide the Bureau of the Census
and the National Archives and Records Administration with certain
information. This comment expressed concern that the privacy regulation
would conflict with these requirements. Additionally, the commenter
asked whether the privacy notice would need to contain these uses and
disclosures and recommended that a general statement that these federal
agencies would disclose protected health information when required by
law be considered sufficient to meet the privacy notice requirements.
Response: To the extent a federal agency acting as a covered entity
is required by federal statute to disclose protected health
information, the regulation permits the disclosure as required by law
under Sec. 164.512(a). The notice provisions at
Sec. 164.520(b)(1)(ii)(B) require covered entities to provide a brief
description of the purposes for which the covered entity is permitted
or required by the rules to use or disclose protected health
information without an individual's written authorization. If these
statutes require the disclosures, covered
entities subject to the requirement may make the disclosure pursuant to
Sec. 164.512(a). Thus, their notice must include a description of the
category of these disclosures. For example, a general statement such as
the covered entity "will disclose your protected health information to
comply with legal requirements" should suffice.
Comment: One comment stressed that the final rule should not
inadvertently preempt mandatory reporting laws duly enacted by federal,
state, or local legislative bodies. This commenter also suggested that
the final rule not prevent the reporting of violations to law
enforcement agencies.
Response: We agree. Like the proposed rule, the final rule permits
covered entities to disclose protected health information when required
by law under Sec. 164.512(a). To the extent a covered entity is
required by law to make a report to law enforcement agencies or is
otherwise permitted to make a disclosure to a law enforcement agency as
described in Sec. 164.512(f), it may do so without an authorization.
Alternatively, a covered entity may always request that individuals
authorize these disclosures.
Security Standards
Comment: One comment called for HHS to consider the privacy
regulation in conjunction with the other HIPAA standards. In
particular, this comment focused on the belief that the security
standards should be compatible with the existing and emerging health
care and information technology industry standards.
Response: We agree that the security standards and the privacy
rules should be compatible with one another and are working to ensure
that the final rules in both areas function together. Because we are
addressing comments regarding the privacy rules in this preamble, we
will consider the comment about the security standard as we finalize
that set of rules.
Tribal Law
Comment: One commenter suggested that the consultation process
with tribal governments described in the NPRM was inadequate under
Executive Order No. 13084. In addition, the commenter expressed concern
that the disclosures for research purposes as permitted by the NPRM
would conflict with a number of tribal laws that offer individuals
greater privacy rights with respect to research and reflect cultural
appropriateness. In particular, the commenter referenced the Health
Research Code for the Navajo Nation, which creates an entity with
broader authority over research conducted on the Navajo Nation than the
local IRB and requires informed consent by study participants. Other laws
mentioned by the commenter included the Navajo Nation Privacy and
Access to Information Act and a similar policy applicable to all health
care providers within the Navajo Nation. The commenter expressed
concern that the proposed regulation research provisions would override
these tribal laws.
Response: We disagree with the comment that the consultation with
tribal governments undertaken prior to the proposed regulation is
inadequate under Executive Order No. 13084. As stated in the proposed
regulation, the Department consulted with representatives of the
National Congress of American Indians and the National Indian Health
Board, as well as others, about the proposals and the application of
HIPAA to the Tribes, and the potential variations based on the
relationship of each Tribe with the IHS for the purpose of providing
health services. In addition, Indian and tribal governments had the
opportunity to, and did, submit substantive comments on the proposed
rules.
Additionally, disclosures permitted by this regulation do not
conflict with the policies as described by this commenter. Disclosures
for research purposes under the final rule, as in the proposed
regulation, are permissive disclosures only. The rule describes the
outer boundaries of permissible disclosures. A covered health care
provider that is subject to the tribal laws of the Navajo Nation must
continue to comply with those tribal laws. If the tribal laws impose
more stringent privacy standards on disclosures for research, such as
requiring informed consent in all cases, nothing in the final rule
would preclude compliance with those more stringent privacy standards.
The final rule does not interfere with the internal governance of the
Navajo Nation or otherwise adversely affect the policy choices of the
tribal government with respect to the cultural appropriateness of
research conducted in the Navajo Nation.
Veterans Affairs
Comment: One comment sought clarification about how disclosures of
protected health information would occur within the Veterans Affairs
programs for veterans and their dependents.
Response: We appreciate the commenter's request for clarification
as to how the rules will affect disclosures of protected health
information in the specific context of Veterans Affairs programs.
Veterans health care programs under 38 U.S.C. chapter 17 are defined as
"health plans." Without sufficient details as to the particular
aspects of the Veterans Affairs programs that this comment views as
problematic, we cannot comment substantively on this concern.
Comment: One comment suggested that the final regulation clarify
that the analysis applied to the substance abuse regulations applies to
laws governing Veterans Affairs health records.
Response: Although we realize some difference may exist between the
laws, we believe the discussion of federal substance abuse
confidentiality regulations in the "Relationship to Other Federal
Laws" preamble provides guidance that may be applied to the laws
governing Veterans Affairs ("VA") health records. In most cases, a
conflict will not exist between these privacy rules and the VA
programs. For example, some disclosures allowed without patient consent
or authorization under the privacy regulation may not be within the VA
statutory list of permissible disclosures without a written consent. In
such circumstances, the covered entity would have to abide by the VA
statute, and no conflict exists. If the disclosures permitted by the VA
statute come within the permissible disclosures of our rules, no
conflict exists. In some cases, our rules may demand additional
requirements, such as obtaining the approval of a privacy board or
Institutional Review Board if a covered entity seeks to disclose
protected health information for research purposes without the
individual's authorization. A covered entity subject to the VA statute
will need to ensure that it meets the requirements of both that statute
and the regulation below. If a conflict arises, the covered entity
should evaluate the specific potential conflicting provisions under the
implied repeal analysis set forth in the "Relationship to Other
Federal Laws" discussion in the preamble.