These rules will affect various federal programs, some of which may have requirements that are, or appear to be, inconsistent with the requirements of these regulations. These programs include those operated directly by the federal government (such as health programs for military personnel and veterans) as well as programs in which health services or benefits are provided by the private sector or by state or local governments, but which are governed by various federal laws (such as Medicare, Medicaid, and ERISA).
Congress explicitly included some of these programs in HIPAA, subjecting them directly to the privacy regulation. Section 1171 of the Act defines the term “health plan” to include the following federally conducted, regulated, or funded programs: group plans under ERISA that either have 50 or more participants or are administered by an entity other than the employer who established and maintains the plan; federally qualified health maintenance organizations; Medicare; Medicaid; Medicare supplemental policies; the health care program for active military personnel; the health care program for veterans; the Civilian Health and Medical Program of the Uniformed Services (CHAMPUS); the Indian health service program under the Indian Health Care Improvement Act, 25 U.S.C. 1601, et seq.; and the Federal Employees Health Benefits Program. There also are many other federally conducted, regulated, or funded programs in which individually identifiable health information is created or maintained, but which do not come within the statutory definition of “health plan.” While these latter types of federally conducted, regulated, or assisted programs are not explicitly covered by part C of title XI in the same way that the programs listed in the statutory definition of “health plan” are covered, the statute may nonetheless apply to transactions and other activities conducted under such programs. This is likely to be the case when the federal entity or federally regulated or funded entity provides health services; the requirements of part C may apply to such an entity as a “health care provider.” Thus, the issue of how different federal requirements apply is likely to arise in numerous contexts.
There are a number of authorities under the Public Health Service Act and other legislation that contain explicit confidentiality requirements, either in the enabling legislation or in the implementing regulations. Many of these are so general that there would appear to be no problem of inconsistency, in that nothing in those laws or regulations would appear to restrict the provider's ability to comply with the privacy regulation's requirements.
There may, however, be authorities under which either the requirements of the enabling legislation or of the program regulations would impose requirements that differ from these rules.
For example, regulations applicable to the substance abuse block grant program funded under section 1943(b) of the Public Health Service Act require compliance with 42 CFR part 2, and, thus, raise the issues identified above in the substance abuse confidentiality regulations discussion. There are a number of federal programs which, either by statute or by regulation, restrict the disclosure of patient information to, with minor exceptions, disclosures “required by law.” See, for example, the program of projects for prevention and control of sexually transmitted diseases funded under section 318(e)(5) of the Public Health Service Act (42 CFR 51b.404); the regulations implementing the community health center program funded under section 330 of the Public Health Service Act (42 CFR 51c.110); the regulations implementing the program of grants for family planning services under title X of the Public Health Service Act (42 CFR 59.15); the regulations implementing the program of grants for black lung clinics funded under 30 U.S.C. 437(a) (42 CFR 55a.104); the regulations implementing the program of maternal and child health projects funded under section 501 of the Act (42 CFR 51a.6); the regulations implementing the program of medical examinations of coal miners (42 CFR 37.80(a)). These legal requirements would restrict the grantees or other entities providing services under the programs involved from making many of the disclosures that §§ 164.510 or 164.512 would permit. In some cases, permissive disclosures for treatment, payment, or health care operations would also be limited. Because §§ 164.510 and 164.512 are merely permissive, there would not be a conflict between the program requirements, because it would be possible to comply with both. However, entities subject to both sets of requirements would not have the total range of discretion that they would have if they were subject only to this regulation.
Medicare and Medicaid
Comment: One comment suggested possible inconsistencies between the
regulation and Medicare/Medicaid requirements, such as those under the
Quality Improvement System for Managed Care. This commenter asked that
HHS expand the definition of health care operations to include health
promotion activities and avoid potential conflicts.
Response: We disagree that the privacy regulation would prohibit
managed care plans operating in the Medicare or Medicaid programs from
fulfilling their statutory obligations. To the extent a covered entity
is required by law to use or disclose protected health information in a
particular manner, the covered entity may make such a use or disclosure
under Sec. 164.512(a). Additionally, quality assessment and improvement
activities come within the definition of "health care operations."
Therefore, the specific example provided by the commenter would seem to
be a permissible use or disclosure under Sec. 164.502, even if it were
not a use or disclosure "required by law."
Comment: One commenter stated that Medicare should not be able to
require the disclosure of psychotherapy notes because it would destroy
a practitioner's ability to treat patients effectively.
Response: If the Title XVIII of the Social Security Act requires
the disclosure of psychotherapy notes, the final rule permits, but does
not require, a covered entity to make such a disclosure under
Sec. 164.512(a). If, however, the Social Security Act does not require
such disclosures, Medicare does not have the discretion to require the
disclosure of psychotherapy notes as a public policy matter because the
final rule provides that covered entities, with limited exceptions,
must obtain an individual's authorization before disclosing
psychotherapy notes. See Sec. 164.508(a)(2).
Public Health Services Act
Comment: One comment suggested that the Public Health Service Act
places more stringent rules regarding the disclosure of information on
Federally Qualified Health Centers than the proposed privacy regulation
suggested. Therefore, the commenter suggested that the final rule
exempt Federally Qualified Health Centers from the rules requirements
Response: We disagree. Congress expressly included Federally
Qualified Health Centers, a provider of medical or other health
services under the Social Security Act section 1861(s), within its
definition of health care provider in section 1171 of the Act;
therefore, we cannot exclude them from the regulation.
Comment: One commenter noted that no conflicts existed between the
proposed rule and the Public Health Services Act.
Response: As we discuss in the "Relationship to Other Federal
Laws" section of the preamble, the Public Health Service Act contains
explicit confidentiality requirements that are so general as not to
create problems of inconsistency. We recognized, however, that in some
cases, that law or its accompanying regulations may contain greater
restrictions. In those situations, a covered entity's ability to make
what are permissive disclosures under this privacy regulation would be
limited by those laws.
TRICARE
Comment: One comment expressed concern regarding the application of
the "minimum necessary" standard to investigations of health care
providers under the TRICARE (formerly the CHAMPUS) program. The comment
also expressed concern that health care providers would be able to
avoid providing their records to such investigators because the
proposed Sec. 164.510 exceptions were not mandatory disclosures.
Response: In our view, neither the minimum necessary standard nor
the final Secs. 164.510 and 164.512 permissive disclosures will impede
such investigations. The regulation requires covered entities to make
all reasonable efforts not to disclose more than the minimum amount of
protected health information necessary to accomplish the intended purpose of the use or
disclosure. This requirement, however, does not apply to uses or
disclosures that are required by law. See Sec. 164.502(b)(2)(iv). Thus,
if the disclosure to the investigators is required by law, the minimum
necessary standard will not apply. Additionally, the final rule
provides that covered entities rely, if such reliance is reasonable, on
assertions from public officials about what information is reasonably
necessary for the purpose for which it is being sought. See
Sec. 164.514(d)(3)(iii).
We disagree with the assertion that providers will be able to avoid
providing their records to investigators. Nothing in this rule permits
covered entities to avoid disclosures required by other laws.
WIC
Comment: One comment called on other federal agencies to examine
their regulations and policies regarding the use and disclosure of
protected health information. The comment suggested that other agencies
revise their regulations and policies to avoid duplicative,
contradictory, or more stringent requirements. The comment noted that
the U.S. Department of Agriculture's Special Supplemental Nutrition
Program for Women, Infants, and Children ("WIC") does not release WIC
data. Because the commenter believed the regulation would not prohibit
the disclosure of WIC data, the comment stated that the Department of
Agriculture should now release such information.
Response: We support other federal agencies to whom the rules apply
in their efforts to review existing regulations and policies regarding
protected health information. However, we do not agree with the
suggestion that other federal agencies that are not covered entities
must reduce the protections or access-related rights they provide for
individually identifiable health information they hold.
Organ Donation
Comment: One commenter expressed concern about the potential impact
of the regulation on the organ donation program under 42 CFR part 482.
Response: In the final rule, we add provisions allowing the use or
disclosure of protected health information to organ procurement
organizations or other entities engaged in the procurement, banking, or
transplantation of cadaveric organs, eyes, or tissue for the purpose of
facilitating donation and transplantation. See Sec. 164.512(h).
