Industries & Practices

Health Care Industry

    Back

    HIPAA Regulations: Other Mandatory Federal or State Laws - Relationship to Other Federal Laws

    As Contained in the HHS HIPAA Rules

     

    HHS Description
    Relationship to Other Federal Laws - Other Mandatory Federal or State Laws

     

    Many federal laws require covered entities to provide specific information to specific entities in specific circumstances. If a federal law requires a covered entity to disclose a specific type of information, the covered entity would not need an authorization under § 164.508 to make the disclosure because the final rule permits covered entities to make disclosures that are required by law under § 164.512(a). Other laws, such as the Social Security Act (including its Medicare and Medicaid provisions), the Family and Medical Leave Act, the Public Health Service Act, Department of Transportation regulations, the Environmental Protection Act and its accompanying regulations, the National Labor Relations Act, the Federal Aviation Administration, and the Federal Highway Administration rules, may also contain provisions that require covered entities or others to use or disclose protected health information for specific purposes.

    When a covered entity is faced with a question as to whether the privacy regulation would prohibit the disclosure of protected health information that it seeks to disclose pursuant to a federal law, the covered entity should determine if the disclosure is required by that law. In other words, it must determine if the disclosure is mandatory rather than merely permissible. If it is mandatory, a covered entity may disclose the protected health information pursuant to § 164.512(a), which permits covered entities to disclose protected health information without an authorization when the disclosure is required by law. If the disclosure is not required (but only permitted) by the federal law, the covered entity must determine if the disclosure comes within one of the other permissible disclosures. If the disclosure does not come within one of the provisions for permissible disclosures, the covered entity must obtain an authorization from the individual who is the subject of the information or de-identify the information before disclosing it.

    If another federal law prohibits a covered entity from using or disclosing information that is also protected health information, but the privacy regulation permits the use or disclosure, a covered entity will need to comply with the other federal law and not use or disclose the information.

     

    HHS Response to Comments Received
    Relationship to Other Federal Laws - Other Mandatory Federal or State Laws

     

    Appropriations Laws

    Comment: One comment suggested that the penalty provisions of HIPAA, if extended to the privacy regulation, would require the Secretary to violate "Appropriations Laws" because the Secretary could be in the position of assessing penalties against her own and other federal agencies in their roles as covered entities. Enforcing penalties on these entities would require the transfer of agency funds to the General Fund.

    Response: We disagree. Although we anticipate achieving voluntary compliance and resolving any disputes prior to the actual assessment of penalties, the Department of Justice's Office of Legal Counsel has determined in similar situations that federal agencies have authority to assess penalties against other federal agencies and that doing so is not in violation of the Anti-Deficiency Act, 31 U.S.C. 1341.

    Balanced Budget Act of 1997

    Comment: One comment expressed concern that the regulation would place tremendous burdens on providers already struggling with the effects of the Balanced Budget Act of 1997.

    Response: We appreciate the costs covered entities face when complying with other statutory and regulatory requirements, such as the Balanced Budget Act of 1997. However, HHS cannot address the impact of the Balanced Budget Act or other statutes in the context of this regulation.

    Comment: Another comment stated that the regulation is in direct conflict with the Balanced Budget Act of 1997 ("BBA"). The comment asserts that the regulation's compliance date conflicts with the BBA, as well as Generally Acceptable Accounting Principles. According to the comment, covered entities that made capital acquisitions to ensure compliance with the year 2000 ("Y2K") problem would not be able to account for the full depreciation of these systems until 2005. Because HIPAA requires compliance before that time, the regulation would force premature obsolescence of this equipment because while it is Y2K compliant, it may be HIPAA non-compliant.

    Response: This comment raises two distinct issues--(1) the investment in new equipment and (2) the compliance date. With regard to the first issue, we reject the comment's assertion that the regulation requires covered entities to purchase new information systems or information technology equipment, but realize that some covered entities may need to update their equipment. We have tried to minimize the costs, while responding appropriately to Congress' mandate for privacy rules. We have dealt with the cost issues in detail in the "Regulatory Impact Analysis" section of this Preamble. With regard to the second issue, Congress, not the Secretary, established the compliance data at section 1175(b) of the Act.

    Civil Rights of Institutionalized Persons Act

    Comment: A few comments expressed concern that the privacy regulation would inadvertently hinder the Department of Justice Civil Rights Divisions' investigations under the Civil Rights of Institutionalized Persons Act ("CRIPA"). These comments suggested clearly including civil rights enforcement activities as health care oversight.

    Response: We agree with this comment. We do not intend for the privacy rules to hinder CRIPA investigations. Thus, the final rule includes agencies that are authorized by law to "enforce civil rights laws for which health information is relevant" in the definition of "health oversight agency" at Sec. 164.501. Covered entities are permitted to disclose protected health information to health oversight agencies under Sec. 164.512(d) without an authorization. Therefore, we do not believe the final rule should hinder the Department of Justice's ability to conduct investigations pursuant to its authority in CRIPA.

    Department of Transportation

    Comment: Several commenters stated that the Secretary should recognize in the preamble that it is permissible for employers to condition employment on an individual's delivering a consent to certain medical tests and/or examinations, such as drug-free workplace programs and Department of Transportation ("DOT")-required physical examinations. These comments also suggested that employers should be able to receive certain information, such as pass/fail test and examination results, fitness-to-work assessments, and other legally required or permissible physical assessments without obtaining an authorization. To achieve this goal, these comments suggested defining "health information" to exclude information such as information about how much weight a specific employee can lift.

    Response: We reject the suggestion to define "health information," which Congress defined in HIPAA, so that it excludes individually identifiable health information that may be relevant to employers for these types of examinations and programs. We do not regulate employers. Nothing in the rules prohibit employers from conditioning employment on an individual signing the appropriate consent or authorization. By the same token, however, the rules below do not relieve employers from their obligations under the ADA and other laws that restrict the disclosure of individually identifiable health information.

    Comment: One commenter asserted that the proposed regulation conflicts with the DOT guidelines regarding positive alcohol and drug tests that require the employer be notified in writing of the results. This document contains protected health information. In addition, the treatment center records must be provided to the Substance Abuse Professional ("SAP") and the employer must receive a report from SAP with random drug testing recommendations.

    Response: It is our understanding that DOT requires drug testing of all applicants for employment in safety-sensitive positions or individuals being transferred to such positions. Employers, pursuant to DOT regulations, may condition an employee's employment or position upon first obtaining an authorization for the disclosure of results of these tests to the employer. Therefore, we do not believe the final rules conflict with the DOT requirements, which do not prohibit obtaining authorizations before such information is disclosed to employers.

    Developmental Disabilities Act

    Comment: One commenter urged HHS to ensure that the regulation would not impede access to individually identifiable health information to entities that are part of the Protection and Advocacy System to investigate abuse and neglect as authorized by the Developmental Disabilities Bill of Rights Act.

    Response: The Developmental Disabilities Assistance and Bill of Rights Act of 2000 ("DD Act") mandates specific disclosures of individually identifiable health information to Protection and Advocacy systems designated by the chief elected official of the states and Territories. Therefore, covered entities may make these disclosures under Sec. 164.512(a) without first obtaining an individual's authorization, except in those circumstances in which the DD Act requires the individual's authorization. Therefore, the rules below will not impede the functioning of the existing Protection and Advocacy System.

    Fair Credit Reporting Act

    Comment: A few commenters requested that we exclude information maintained, used, or disclosed pursuant to the Fair Credit Reporting Act ("FCRA") from the requirements of the privacy regulation. These commenters noted that the protection in the privacy regulation duplicate those in the FCRA.

    Response: Although we realize that some overlap between FCRA and the privacy rules may exist, we have chosen not to remove information that may come within the purview of FCRA from the scope of our rules because FCRA's focus is not the same as our Congressional mandate to protect individually identifiable health information.

    To the extent a covered entity seeks to engage in collection activities or other payment-related activities, it may do so pursuant to the requirements of this rule related to payment. See discussion of Secs. 164.501 and 164.502 below.

    We understand that some covered entities may be part of, or contain components that are, entities which meet the definition of "consumer reporting agencies." As such, these entities are subject to the FCRA. As described in the preamble to Sec. 164.504, covered entities must designate what parts of their organizations will be treated as covered entities for the purpose of these privacy rules. The covered entity component will need to comply with these rules, while the components that are consumer reporting agencies will need to comply with FCRA.

    Comment: One comment suggested that the privacy regulation would conflict with the FCRA if the regulation's requirement applied to information disclosed to consumer reporting agencies.

    Response: To the extent a covered entity is required to disclose protected health information to a consumer reporting agency, it may do so under Sec. 164.512(a). See also discussion under the definition of "payment" below.

    Fair Debt Collection and Practices Act

    Comment: Several comments expressed concern that health plans and health care providers be able to continue using debt collectors in compliance with the Fair Debt Collections Practices Act and related laws.

    Response: In our view, health plans and health care providers will be able to continue using debt collectors. Using the services of a debt collector to obtain payment for the provision of health care comes within the definition of "payment" and is permitted under the regulation. Thus, so long as the use of debt collectors is consistent with the regulatory requirements (such as, providers obtain the proper consents, the disclosure is of the minimum amount of information necessary to collect the debt, the provider or health plan enter into a business associate agreement with the debt collector, etc.), relying upon debt collectors to obtain reimbursement for the provision of health care would not be prohibited by the regulation.

    Family Medical Leave Act

    Comment: One comment suggested that the proposed regulation adversely affects the ability of an employer to determine an employee's entitlement to leave under the Family Medical Leave Act ("FMLA") by affecting the employer's right to receive medical certification of the need for leave, additional certifications, and fitness for duty certification at the end of the leave. The commenter sought clarification as to whether a provider could disclose information to an employer without first obtaining an individual's consent or authorization. Another commenter suggested that the final rule explicitly exclude from the rule disclosures authorized by the FMLA, because, in the commenter's view, it provides more than adequate protection for the confidentiality of medical records in the employment context.

    Response: We disagree that the FMLA provides adequate privacy protections for individually identifiable health information. As we understand the FMLA, the need for employers to obtain protected health information under the statute is analogous to the employer's need for protected health information under the ADA. In both situations, employers may need protected health information to fulfill their obligations under these statutes, but neither statute requires covered entities to provide the information directly to the employer. Thus, covered entities in these circumstances will need an individual's authorizations before the disclosure is made to the employer.

    Federal Common Law

    Comment: One commenter did not want the privacy rules to interfere with the federal common law governing collective bargaining agreements permitting employers to insist on the cooperation of employees with medical fitness evaluations.

    Response: We do not seek to interfere with legal medical fitness evaluations. These rules require a covered entity to have an individual's authorization before the information resulting from such evaluations is disclosed to the employer unless another provision of the rule applies. We do not prohibit employers from conditioning employment, accommodations, or other benefits, when legally permitted to do so, upon the individual/employee providing an authorization that would permit the disclosure of protected health information to employers by covered entities. See Sec. 164.508(b)(4) below.

    Federal Employees Compensation Act

    Comment: One comment noted that the Federal Employees Compensation Act ("FECA") requires claimants to sign a release form when they file a claim. This commenter suggested that the privacy regulation should not place additional restrictions on this type of release form.

    Response: We agree. In the final rule, we have added a new provision, Sec. 164.512(l), that permits covered entities to make disclosures authorized under workers' compensation and similar laws. This provision would permit covered entities to make disclosures authorized under FECA and not require a different release form.

    Federal Employees Health Benefits Program

    Comment: A few comments expressed concern about the preemption effect on FEHBP and wanted clarification that the privacy regulation does not alter the existing preemptive scope of the program.

    Response: We do not intend to affect the preemptive scope of the FEHBP. The Federal Employee Health Benefit Act of 1998 preempts any state law that "relates to" health insurance or plans. 5 U.S.C. 8902(m). The final rule does not attempt to alter the preemptive scope Congress has provided to the FEHBP.

    Comment: One comment suggested that in the context of FEHBP HHS should place the enforcement responsibilities of the privacy regulation with Office of Personnel Management, as the agency responsible for administering the program.

    Response: We disagree. Congress placed enforcement with the Secretary. See section 1176 of the Act.

    Federal Rules of Civil Procedure

    Comment: A few comments suggested revising proposed Sec. 164.510(d) so that it is consistent with the existing discovery procedure under the Federal Rules of Civil Procedure or local rules.

    Response: We disagree that the rules regarding disclosures and uses of protected health information for judicial and administrative procedures should provide only those protections that exist under existing discovery rules. Although the current process may be appropriate for other documents and information requested during the discovery process, the current system, as exemplified by the Federal Rules of Civil Procedure, does not provide sufficient protection for protected health information. Under current discovery rules, private attorneys, government officials, and others who develop such requests make the initial determinations as to what information or documentation should be disclosed. Independent third-party review, such as that by a court, only becomes necessary if a person of whom the request is made refuses to provide the information. If this happens, the person seeking discovery must obtain a court order or move to compel discovery. In our view this system does not provide sufficient protections to ensure that unnecessary and unwarranted disclosures of protected health information does not occur. For a related discuss, see the preamble regarding "Disclosures for Judicial and Administrative Proceedings" under Sec. 164.512(e).

    Federal Rules of Evidence

    Comment: Many comments requested clarification that the privacy regulation does not conflict or interfere with the federal or state privileges. In particular, one of these comments suggested that the final regulation provide that disclosures for a purpose recognized by the regulation not constitute a waiver of federal or state privileges.

    Response: We do not intend for the privacy regulation to interfere with federal or state rules of evidence that create privileges. Consistent with The Uniform Health-Care Information Act drafted by the National Conference of Commissioners on Uniform State Laws, we do not view a consent or an authorization to function as a waiver of federal or state privileges. For further discussion of the effect of consent or authorization on federal or state privileges, see preamble discussions in Secs. 164.506 and 164.508.

    Comment: Other comments applauded the Secretary's references to Jaffee v. Redman, 518 U.S. 1 (1996), which recognized a psychotherapist-patient privilege, and asked the Secretary to incorporate expressly this privilege into the final regulation.

    Response: We agree that the psychotherapist-patient relationship is an important one that deserves protection. However, it is beyond the scope our mandate to create specific evidentiary privileges. It is also unnecessary because the United States Supreme Court has adopted this privilege.

    Comment: A few comments discussed whether one remedy for violating the privacy regulation should be to exclude or suppress evidence obtained in violation of the regulation. One comment supported using this penalty, while another opposed it.

    Response: We do not have the authority to mandate that courts apply or not apply the exclusionary rule to evidence obtained in violation of the regulation. This issue is in the purview of the courts.

    Federal Tort Claims Act

    Comment: One comment contended that the proposed regulation's requirement mandating covered entities to name the subjects of protected health information disclosed under a business partner contract as third party intended beneficiaries under the contract would have created an impermissible right of action against the government under the Federal Tort Claims Act ("FTCA").

    Response: Because we have deleted the third party beneficiary provisions from the final rules, this comment is moot.

    Comment: Another comment suggested the regulation would hamper the ability of federal agencies to disclose protected health information to their attorneys, the Department of Justice, during the initial stages of the claims brought under the FTCA.

    Response: We disagree. The regulation applies only to federal agencies that are covered entities. To the extent an agency is not a covered entity, it is not subject to the regulation; to the extent an agency is a covered entity, it must comply with the regulation. A covered entity that is a federal agency may disclose relevant information to its attorneys, who are business associates, for purposes of health care operations, which includes uses or disclosures for legal functions. See Sec. 164.501 (definitions of "business associate" and "health care operations"). The final rule provides specific provisions describing how federal agencies may provide adequate assurances for these types of disclosures of protected health information. See Sec. 164.504(e)(3).

    Foreign Standards

    Comment: One comment asked how the regulation could be enforced against foreign countries (or presumably entities in foreign countries) that solicit medical records from entities in the United States.

    Response: We do not regulate solicitations of information. To the extent a covered entity wants to comply with a request for disclosure of protected health information to foreign countries or entities within foreign countries, it will need to comply with the privacy rules before making the disclosure. If the covered entity fails to comply with the rules, it will be subject to enforcement proceedings.

    Inspector General Act

    Comment: One comment requested the Secretary to clarify in the preamble that the privacy regulation does not preempt the Inspector General Act.

    Response: We agree that to the extent the Inspector General Act requires uses or disclosures of protected health information, the privacy regulation does not preempt it. The final rule provides that to the extent required under section 201(a)(5) of the Act, nothing in this subchapter should be construed to diminish the authority of any Inspector General, including the authority provided in the Inspector General Act of 1978. See discussion of Sec. 160.102 above.

    National Labor Relations Act

    Comment: A few comments expressed concern that the regulation did not address the obligation of covered entities to disclose protected health information to collective bargaining representatives under the National Labor Relations Act.

    Response: The final rule does not prohibit disclosures that covered entities must make pursuant to other laws. To the extent a covered entity is required by law to disclose protected health information to collective bargaining representatives under the NLRA, it may to so without an authorization. Also, the definition of "health care operations" at Sec. 164.501 permits disclosures to employee representatives for purposes of grievance resolution.

    Reporting Requirement

    Comment: One comment noted that federal agencies must provide information to certain entities pursuant to various federal statutes. For example, federal agencies must not withhold information from a Congressional oversight committee or the General Accounting Office. Similarly, some federal agencies must provide the Bureau of the Census and the National Archives and Records Administration with certain information. This comment expressed concern that the privacy regulation would conflict with these requirements. Additionally, the commenter asked whether the privacy notice would need to contain these uses and disclosures and recommended that a general statement that these federal agencies would disclose protected health information when required by law be considered sufficient to meet the privacy notice requirements.

    Response: To the extent a federal agency acting as a covered entity is required by federal statute to disclose protected health information, the regulation permits the disclosure as required by law under Sec. 164.512(a). The notice provisions at Sec. 164.520(b)(1)(ii)(B) require covered entities to provide a brief description of the purposes for which the covered entity is permitted or required by the rules to use or disclose protected health information without an individual's written authorization. If these statutes require the disclosures, covered entities subject to the requirement may make the disclosure pursuant to Sec. 164.512(a). Thus, their notice must include a description of the category of these disclosures. For example, a general statement such as the covered entity "will disclose your protected health information to comply with legal requirements" should suffice.

    Comment: One comment stressed that the final rule should not inadvertently preempt mandatory reporting laws duly enacted by federal, state, or local legislative bodies. This commenter also suggested that the final rule not prevent the reporting of violations to law enforcement agencies.

    Response: We agree. Like the proposed rule, the final rule permits covered entities to disclose protected health information when required by law under Sec. 164.512(a). To the extent a covered entity is required by law to make a report to law enforcement agencies or is otherwise permitted to make a disclosure to a law enforcement agency as described in Sec. 164.512(f), it may do so without an authorization. Alternatively, a covered entity may always request that individuals authorize these disclosures.

    Security Standards

    Comment: One comment called for HHS to consider the privacy regulation in conjunction with the other HIPAA standards. In particular, this comment focused on the belief that the security standards should be compatible with the existing and emerging health care and information technology industry standards.

    Response: We agree that the security standards and the privacy rules should be compatible with one another and are working to ensure that the final rules in both areas function together. Because we are addressing comments regarding the privacy rules in this preamble, we will consider the comment about the security standard as we finalize that set of rules.

    Tribal Law

    Comments: One commenter suggested that the consultation process with tribal governments described in the NPRM was inadequate under Executive Order No. 13084. In addition, the commenter expressed concern that the disclosures for research purposes as permitted by the NPRM would conflict with a number of tribal laws that offer individuals greater privacy rights with respect to research and reflects cultural appropriateness. In particular, the commenter referenced the Health Research Code for the Navajo Nation which creates a entity with broader authority over research conducted on the Navajo Nation than the local IRB and requires informed consent by study participants. Other laws mentioned by the commenter included the Navajo Nation Privacy and Access to Information Act and a similar policy applicable to all health care providers within the Navajo Nation. The commenter expressed concern that the proposed regulation research provisions would override these tribal laws.

    Response: We disagree with the comment that the consultation with tribal governments undertaken prior to the proposed regulation is inadequate under Executive Order No. 13084. As stated in the proposed regulation, the Department consulted with representatives of the National Congress of American Indians and the National Indian Health Board, as well as others, about the proposals and the application of HIPAA to the Tribes, and the potential variations based on the relationship of each Tribe with the IHS for the purpose of providing health services. In addition, Indian and tribal governments had the opportunity to, and did, submit substantive comments on the proposed rules.

    Additionally, disclosures permitted by this regulation do not conflict with the policies as described by this commenter. Disclosures for research purposes under the final rule, as in the proposed regulation, are permissive disclosures only. The rule describes the outer boundaries of permissible disclosures. A covered health care provider that is subject to the tribal laws of the Navajo Nation must continue to comply with those tribal laws. If the tribal laws impose more stringent privacy standards on disclosures for research, such as requiring informed consent in all cases, nothing in the final rule would preclude compliance with those more stringent privacy standards. The final rule does not interfere with the internal governance of the Navajo Nation or otherwise adversely affect the policy choices of the tribal government with respect to the cultural appropriateness of research conducted in the Navajo Nation.

    Veterans Affairs

    Comment: One comment sought clarification about how disclosures of protected health information would occur within the Veterans Affairs programs for veterans and their dependents.

    Response: We appreciate the commenter's request for clarification as to how the rules will affect disclosures of protected health information in the specific context of Veteran's Affairs programs. Veterans health care programs under 38 U.S.C. chapter 17 are defined as "health plans." Without sufficient details as to the particular aspects of the Veterans Affairs programs that this comment views as problematic, we cannot comment substantively on this concern.

    Comment: One comment suggested that the final regulation clarify that the analysis applied to the substance abuse regulations apply to laws governing Veteran's Affairs health records.

    Response: Although we realize some difference may exist between the laws, we believe the discussion of federal substance abuse confidentiality regulations in the "Relationship to Other Federal Laws" preamble provides guidance that may be applied to the laws governing Veteran's Affairs ("VA") health records. In most cases, a conflict will not exist between these privacy rules and the VA programs. For example, some disclosures allowed without patient consent or authorization under the privacy regulation may not be within the VA statutory list of permissible disclosures without a written consent. In such circumstances, the covered entity would have to abide by the VA statute, and no conflict exists. If the disclosures permitted by the VA statute come within the permissible disclosures of our rules, no conflict exists. In some cases, our rules may demand additional requirements, such as obtaining the approval of a privacy board or Institutional Review Board if a covered entity seeks to disclose protected health information for research purposes without the individual's authorization. A covered entity subject to the VA statute will need to ensure that it meets the requirements of both that statute and the regulation below. If a conflict arises, the covered entity should evaluate the specific potential conflicting provisions under the implied repeal analysis set forth in the "Relationship to Other Federal Laws" discussion in the preamble.