
    HIPAA Regulations: Food, Drug, and Cosmetic Act - Relationship to Other Federal Laws, As Contained in the HHS HIPAA Rules


    HHS Description
    Relationship to Other Federal Laws - Food, Drug, and Cosmetic Act


    The Food, Drug, and Cosmetic Act, 21 U.S.C. 301, et seq., and its accompanying regulations outline the responsibilities of the Food and Drug Administration with regard to monitoring the safety and effectiveness of drugs and devices. Part of the agency's responsibility is to obtain reports about adverse events, track medical devices, and engage in other types of post marketing surveillance. Because many of these reports contain protected health information, the information within them may come within the purview of the privacy rules. Although some of these reports are required by the Food, Drug, and Cosmetic Act or its accompanying regulations, other types of reporting are voluntary. We believe that these reports, while not mandated, play a critical role in ensuring that individuals receive safe and effective drugs and devices. Therefore, in § 164.512(b)(1)(iii), we have provided that covered entities may disclose protected health information to a person subject to the jurisdiction of the Food and Drug Administration for specified purposes, such as reporting adverse events, tracking medical devices, or engaging in other post marketing surveillance. We describe the scope and conditions of such disclosures in more detail in § 164.512(b).


    HHS Response to Comments Received
    Relationship to Other Federal Laws - Food, Drug, and Cosmetic Act


    Comment: A few comments expressed concerns about the use of protected health information for reporting activities to the Food and Drug Administration ("FDA"). Their concern focused on the ability to obtain or disclose protected health information for pre- and post-marketing adverse event reports, device tracking, and post-marketing safety and efficacy evaluation.

    Response: We agree with this comment and have provided that covered entities may disclose protected health information to persons subject to the jurisdiction of the FDA, to comply with the requirements of, or at the direction of, the FDA with regard to reporting adverse events (or similar reports with respect to dietary supplements), the tracking of medical devices, other post-marketing surveillance, or other similar requirements described at Sec. 164.512(b).

    Controlled Substances Act

    Comment: One comment expressed concern that the privacy regulation as proposed would restrict the Drug Enforcement Agency's ("the DEA") enforcement of the Controlled Substances Act ("CSA"). The comment suggested including enforcement activities in the definition of "health oversight agency."

    Response: In our view, the privacy regulation should not impede the DEA's ability to enforce the CSA. First, to the extent the CSA requires disclosures to the DEA, these disclosures would be permissible under Sec. 164.512(a). Second, some of the DEA's CSA activities come within the exception for health oversight agencies which permits disclosures to health oversight agencies for:

    Activities authorized by law, including audits; civil, administrative, or criminal investigations; inspections * * * civil, administrative, or criminal proceedings or actions; and other activity necessary for appropriate oversight of the health care system.

    Therefore, to the extent the DEA is enforcing the CSA, disclosures to it in its capacity as a health oversight agency are permissible under Sec. 164.512(d). Alternatively, CSA required disclosures to the DEA for law enforcement purposes are permitted under Sec. 164.512(f). When acting as a law enforcement agency under the CSA, the DEA may obtain the information pursuant to Sec. 164.512(f). Thus, we do not agree that the privacy regulation will impede the DEA's enforcement of the CSA. See the preamble discussion of Sec. 164.512 for further explanation.

    Comment: One commenter suggested clarifying the provisions allowing disclosures that are "required by law" to ensure that the mandatory reporting requirements the CSA imposes on covered entities, including making available reports, inventories, and records of transactions, are not preempted by the regulation.

    Response: We agree that the privacy regulation does not alter covered entities' obligations under the CSA. Because the CSA requires covered entities manufacturing, distributing, and/or dispensing controlled substances to maintain and provide to the DEA specific records and reports, the privacy regulation permits these disclosures under Sec. 164.512(a). In addition, when the DEA seeks documents to determine an entity's compliance with the CSA, such disclosures are permitted under Sec. 164.512(d).

    Comment: The same commenter expressed concern that the proposed privacy regulation inappropriately limits voluntary reporting and would prevent or deter employees of covered entities from providing the DEA with information about violations of the CSA.

    Response: We agree with the general concerns expressed in this comment. We do not believe the privacy rules will limit voluntary reporting of violations of the CSA. The CSA requires certain entities to maintain several types of records that may include protected health information. Although reports that included protected health information may be restricted under these rules, reporting the fact that an entity is not maintaining proper reports is not. If it were necessary to obtain protected health information during the investigatory stages following such a voluntary report, the DEA would be able to obtain the information in other ways, such as by following the administrative procedures outlined in Sec. 164.512(e).

    We also agree that employees of covered entities who report violations of the CSA should not be subjected to retaliation by their employers. Under Sec. 164.502(j), we specifically state that a covered entity is not considered to have violated the regulation if a workforce member or business associate in good faith reports violations of laws or professional standards by covered entities to appropriate authorities. See discussion of Sec. 164.502(j).