    HIPAA Regulations: General Provisions: Definitions - Protected Health Information - § 160.103

    As Contained in the HHS HIPAA Rules

     

    HHS Regulations as Amended January 2013
    General Provisions: Definitions - Protected Health Information - § 160.103

     

    Protected health information means individually identifiable health information:

    (1) Except as provided in paragraph (2) of this definition, that is:

    (i) Transmitted by electronic media;

    (ii) Maintained in electronic media; or

    (iii) Transmitted or maintained in any other form or medium.

    (2) Protected health information excludes individually identifiable health information:

    (i) In education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g;

    (ii) In records described at 20 U.S.C. 1232g(a)(4)(B)(iv);

    (iii) In employment records held by a covered entity in its role as employer; and

    (iv) Regarding a person who has been deceased for more than 50 years.

     

    HHS Description of and Commentary From the January 2013 Amendments
    General Provisions: Definitions - Protected Health Information

     

    Proposed Rule

    For consistency with the proposed modifications to the period of protection for decedent information at § 164.502(f) (discussed below), the Department proposed to modify the definition of “protected health information” at § 160.103 to provide that the Privacy and Security Rules do not protect the individually identifiable health information of persons who have been deceased for more than 50 years.

    Overview of Public Comment

    The public comments received on this proposal are discussed and responded to below in the section describing the modifications to § 164.502(f).

    Final Rule

    For the reasons stated in the section regarding § 164.502(f), the final rule adopts the proposed modification to the definition of “protected health information.”

     

    HHS Description of and Commentary From the August 2002 Revisions
    General Provisions: Definitions - Protected Health Information

     

    Exclusion for Employment Records.

    December 2000 Privacy Rule. The Privacy Rule broadly defines "protected health information" as individually identifiable health information maintained or transmitted by a covered entity in any form or medium. The December 2000 Privacy Rule expressly excluded from the definition of "protected health information" only educational and other records that are covered by the Family Educational Rights and Privacy Act of 1974, as amended, 20 U.S.C. 1232g. In addition, throughout the December 2000 preamble to the Privacy Rule, the Department repeatedly stated that the Privacy Rule does not apply to employers, nor does it apply to the employment functions of covered entities, that is, when they are acting in their role as employers. For example, the Department stated:

    Covered entities must comply with this regulation in their health care capacity, not in their capacity as employers. For example, information in hospital personnel files about a nurses' (sic) sick leave is not protected health information under this rule.

    65 FR 82612. However, the definition of protected health information did not expressly exclude personnel or employment records of covered entities.

    March 2002 NPRM. The Department understands that covered entities are also employers, and that this creates two potential sources of confusion about the status of health information. First, some employers are required or elect to obtain health information about their employees, as part of their routine employment activities [e.g., hiring, compliance with the Occupational Safety and Health Administration (OSHA) requirements]. Second, employees of covered health care providers or health plans sometimes seek treatment or reimbursement from that provider or health plan, unrelated to the employment relationship.

    To avoid any confusion on the part of covered entities as to application of the Privacy Rule to the records they maintain as employers, the Department proposed to modify the definition of "protected health information" in § 164.501 to expressly exclude employment records held by a covered entity in its role as employer. The proposed modification also would alleviate the situation where a covered entity would feel compelled to elect to designate itself as a hybrid entity solely to carve out its employment functions. Individually identifiable health information maintained or transmitted by a covered entity in its health care capacity would, under the proposed modification, continue to be treated as protected health information.

    The Department specifically solicited comments on whether the term "employment records" is clear and what types of records would be covered by the term.

    In addition, as discussed in section III.C.1. below, the Department proposed to modify the definition of a hybrid entity to permit any covered entity that engaged in both covered and non-covered functions to elect to operate as a hybrid entity. Under the proposed modification, a covered entity that primarily engaged in covered functions, such as a hospital, would be allowed to elect hybrid entity status even if its only non-covered functions were those related to its capacity as an employer. Indeed, because of the absence of an express exclusion for employment records in the definition of protected health information, some covered entities may have elected hybrid entity status under the misconception that this was the only way to prevent their personnel information from being treated as protected health information under the Rule.

    Overview of Public Comments. The following discussion provides an overview of the public comment received on this proposal.

    The Department received comments both supporting and opposing the proposal to add an exemption for employment records to the definition of protected health information. Support for the proposal was based primarily on the need for clarity and certainty in this important area. Moreover, commenters supported the proposed exemption for employment records because it reinforced and clarified that the Privacy Rule does not conflict with an employer's obligation under numerous other laws, including OSHA, Family and Medical Leave Act (FMLA), workers' compensation, and alcohol and drug free workplace laws.

    Those opposed to the modification were concerned that a covered entity may abuse its access to the individually identifiable health information in its employment records by using that information for discriminatory purposes. Many commenters expressed concern that an employee's health information created, maintained, or transmitted by the covered entity in its health care capacity would be considered an employment record and, therefore, would not be considered protected health information. Some of these commenters argued for the inclusion of special provisions, similar to the "adequate separation" requirements for disclosure of protected health information from group health plan to plan sponsor functions (§ 164.504(f)), to heighten the protection for an employee's individually identifiable health information when moving between a covered entity's health care functions and its employer functions.

    A number of commenters also suggested types of records that the Department should consider to be "employment records" and, therefore, excluded from the definition of "protected health information." The suggested records included records maintained under the FMLA or the Americans with Disabilities Act (ADA), as well as records relating to occupational injury, disability insurance eligibility, sick leave requests and justifications, drug screening results, workplace medical surveillance, and fitness-for-duty test results. One commenter suggested that health information related to professional athletes should qualify as an employment record.

    Final Modifications. The Department adopts as final the proposed language excluding employment records maintained by a covered entity in its capacity as an employer from the definition of "protected health information." The Department agrees with commenters that the regulation should be explicit that it does not apply to a covered entity's employer functions and that the most effective means of accomplishing this is through the definition of "protected health information."

    The Department is sensitive to the concerns of commenters that a covered entity not abuse its access to an employee's individually identifiable health information which it has created or maintains in its health care, not its employer, capacity. In responding to these concerns, the Department must remain within the boundaries set by the statute, which does not include employers per se as covered entities. Thus, we cannot regulate employers, even when it is a covered entity acting as an employer.

    To address these concerns, the Department clarifies that a covered entity must remain cognizant of its dual roles as an employer and as a health care provider, health plan, or health care clearinghouse. Individually identifiable health information created, received, or maintained by a covered entity in its health care capacity is protected health information. It does not matter if the individual is a member of the covered entity's workforce or not. Thus, the medical record of a hospital employee who is receiving treatment at the hospital is protected health information and is covered by the Rule, just as the medical record of any other patient of that hospital is protected health information and covered by the Rule. The hospital may use that information only as permitted by the Privacy Rule, and in most cases will need the employee's authorization to access or use the medical information for employment purposes. When the individual gives his or her medical information to the covered entity as the employer, such as when submitting a doctor's statement to document sick leave, or when the covered entity as employer obtains the employee's written authorization for disclosure of protected health information, such as an authorization to disclose the results of a fitness for duty examination, that medical information becomes part of the employment record, and, as such, is no longer protected health information. The covered entity as employer, however, may be subject to other laws and regulations applicable to the use or disclosure of information in an employee's employment record.

    The Department has decided not to add a definition of the term "employment records" to the Rule. The comments indicate that the same individually identifiable health information about an individual may be maintained by the covered entity in both its employment records and the medical records it maintains as a health care provider or enrollment or claims records it maintains as a health plan. The Department therefore is concerned that a definition of "employment record" may lead to the misconception that certain types of information are never protected health information, and will put the focus incorrectly on the nature of the information rather than the reasons for which the covered entity obtained the information. For example, drug screening test results will be protected health information when the provider administers the test to the employee, but will not be protected health information when, pursuant to the employee's authorization, the test results are provided to the provider acting as employer and placed in the employee's employment record. Similarly, the results of a fitness for duty exam will be protected health information when the provider administers the test to one of its employees, but will not be protected health information when the results of the fitness for duty exam are turned over to the provider as employer pursuant to the employee's authorization.

    Furthermore, while the examples provided by commenters represent typical files or records that may be maintained by employers, the Department does not believe that it has sufficient information to provide a complete definition of employment record. Therefore, the Department does not adopt as part of this rulemaking a definition of employment record, but does clarify that medical information needed for an employer to carry out its obligations under FMLA, ADA, and similar laws, as well as files or records related to occupational injury, disability insurance eligibility, sick leave requests and justifications, drug screening results, workplace medical surveillance, and fitness-for-duty tests of employees, may be part of the employment records maintained by the covered entity in its role as an employer.

    Response to Other Public Comments.

    Comment: One commenter requested clarification as to whether the term "employment record" included the following information that is either maintained or transmitted by a fully insured group health plan to an insurer or HMO for enrollment and/or disenrollment purposes: (a) the identity of an individual including name, address, birth date, marital status, dependent information and SSN; (b) the individual's choice of plan; (c) the amount of premiums/contributions for coverage of the individual; (d) whether the individual is an active employee or retired; (e) whether the individual is enrolled in Medicare.

    Response: All of this information is protected health information when held by a fully insured group health plan and transmitted to an issuer or HMO, and the Privacy Rule applies when the group health plan discloses such information to any entity, including the plan sponsor. There are special rules in § 164.504(f) which describe the conditions for disclosure of protected health information to the plan sponsor. If the group health plan received the information from the plan sponsor, it becomes protected health information when received by the group health plan. The plan sponsor is not the covered entity, so this information will not be protected when held by a plan sponsor, whether or not it is part of the plan sponsor's "employment record."

    Comment: One commenter asked for clarification as to how the Department would characterize the following items that a covered entity may have: (1) medical file kept separate from the rest of an employment record containing (a) doctor's notes; (b) leave requests; (c) physician certifications; and (d) positive hepatitis test results; (2) FMLA documentation including: (a) physician certification form; and (b) leave requests; (3) occupational injury files containing (a) drug screening; (b) exposure test results; (c) doctor's notes; and (d) medical director's notes.

    Response: As explained above, the nature of the information does not determine whether it is an employment record. Rather, it depends on whether the covered entity obtains or creates the information in its capacity as employer or in its capacity as covered entity. An employment record may well contain some or all of the items mentioned by the commenter; but so too might a treatment record. The Department also recognizes that the employer may be required by law or sound business practice to treat such medical information as confidential and maintain it separate from other employment records. It is the function being performed by the covered entity and the purpose for which the covered entity has the medical information, not its record keeping practices, that determines whether the health information is part of an employment record or whether it is protected health information.

    Comment: One commenter suggested that the health records of professional athletes should qualify as "employment records." As such, the records would not be subject to the protections of the Privacy Rule.

    Response: Professional sports teams are unlikely to be covered entities. Even if a sports team were to be a covered entity, employment records of a covered entity are not covered by this Rule. If this comment is suggesting that the records of professional athletes should be deemed "employment records" even when created or maintained by health care providers and health plans, the Department disagrees. No class of individuals should be singled out for reduced privacy protections. As noted in the preamble to the December 2000 Rule, nothing in this Rule prevents an employer, such as a professional sports team, from making an employee's agreement to disclose health records a condition of employment. A covered entity, therefore, could disclose this information to an employer pursuant to an authorization.

     

    HHS Description from Original Rulemaking
    General Provisions: Definitions - Protected Health Information

     

    We proposed to define “protected health information” to mean individually identifiable health information that is or has been electronically maintained or electronically transmitted by a covered entity, as well as such information when it takes any other form. For purposes of this definition, we proposed to define “electronically transmitted” as including information exchanged with a computer using electronic media, such as the movement of information from one location to another by magnetic or optical media, transmissions over the Internet, Extranet, leased lines, dial-up lines, private networks, telephone voice response, and “faxback” systems. We proposed that this definition not include “paper-to-paper” faxes, or person-to-person telephone calls, video teleconferencing, or messages left on voice-mail.

    Further, “electronically maintained” was proposed to mean information stored by a computer or on any electronic medium from which the information may be retrieved by a computer, such as electronic memory chips, magnetic tape, magnetic disk, or compact disc optical media.

    The proposal's definition explicitly excluded:

    (1) individually identifiable health information that is part of an “education record” governed by the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. 1232g.

    (2) individually identifiable health information of inmates of correctional facilities and detainees in detention facilities.

    In this final rule we expand the definition of protected health information to encompass all individually identifiable health information transmitted or maintained by a covered entity, regardless of form. Specifically, we delete the conditions for individually identifiable health information to be “electronically maintained” or “electronically transmitted” and the corresponding definitions of those terms. Instead, the final rule defines protected health information to be individually identifiable health information that is:

    (1) transmitted by electronic media;

    (2) maintained in any medium described in the definition of electronic media at § 162.103 of this subchapter; or

    (3) transmitted or maintained in any other form or medium.

    We refer to electronic media, as defined in § 162.103, which means the mode of electronic transmission. It includes the Internet (wide-open), Extranet (using Internet technology to link a business with information only accessible to collaborating parties), leased lines, dial-up lines, private networks, and those transmissions that are physically moved from one location to another using magnetic tape, disk, or compact disk media.

    The definition of protected health information is set out in this form to emphasize the severability of this provision. As discussed below, we believe we have ample legal authority to cover all individually identifiable health information transmitted or maintained by covered entities. We have structured the definition this way so that, if a court were to disagree with our view of our authority in this area, the rule would still be operational, albeit with respect to a more limited universe of information.

    Other provisions of the rules below may also be severable, depending on their scope and operation. For example, if the rule itself provides a fallback, as it does with respect to the various discretionary uses and disclosures permitted under § 164.512, the provisions would be severable under case law.

    The definition in the final rule retains the exception relating to individually identifiable health information in “education records” governed by FERPA. We also exclude the records described in 20 U.S.C. 1232g(a)(4)(B)(iv). These are records of students held by post-secondary educational institutions or of students 18 years of age or older, used exclusively for health care treatment and which have not been disclosed to anyone other than a health care provider at the student's request. (See discussion of FERPA above.)

    We have removed the exception for individually identifiable health information of inmates of correctional facilities and detainees in detention facilities. Individually identifiable health information about inmates is protected health information under the final rule, and special rules for use and disclosure of the protected health information about inmates and their ability to exercise the rights granted in this rule are described below.

     

    HHS Response to Comments Received from Original Rulemaking
    General Provisions: Definitions - Protected Health Information

     

    Comment: An overwhelmingly large number of commenters urged the Secretary to expand privacy protection to all individually identifiable health information, regardless of form, held or transmitted by a covered entity. Commenters provided many arguments in support of their position. They asserted that expanding the scope of covered information under the rule would increase patient confidence in their health care providers and the health care system in general. Commenters stated that patients may not seek care or honestly discuss their health conditions with providers if they do not believe that all of their health information is confidential. In particular, many suggested that this fear would be particularly strong with certain classes of patients, such as persons with disabilities, who may be concerned about potential discrimination, embarrassment or stigmatization, or domestic violence victims, who may hide the real cause of their injuries.

    In addition, commenters felt that a more uniform standard that covered all records would reduce the complexity, burden, cost, and enforcement problems that would result from the NPRM's proposal to treat electronic and non-electronic records differently. Specifically, they suggested that such a standard would eliminate any confusion regarding how to treat mixed records (paper records that include information that has been stored or transmitted electronically) and would eliminate the need for health care providers to keep track of which portions of a paper record have been (or will be) stored or transmitted electronically, and which are not. Many of these commenters argued that limiting the definition to information that is or has at one time been electronic would result in different protections for electronic and paper records, which they believe would be unwarranted and give consumers a false sense of security. Other comments argued that the proposed definition would cause confusion for providers and patients and would likely cause difficulties in claims processing. Many others complained about the difficulty of determining whether information has been maintained or transmitted electronically. Some asked us to explicitly list the electronic functions that are intended to be excluded, such as voice mail, fax, etc. It was also recommended that the definitions of 'electronic transmission' and 'electronic maintenance' be deleted. It was stated that the rule may apply to many medical devices that are regulated by the FDA. A commenter also asserted that the proposal's definition was technically flawed in that computers are also involved in analog electronic transmissions such as faxes, telephone, etc., which is not the intent of the language.

    Many commenters argued that limiting the definition to information that has been electronic would create a significant administrative burden, because covered entities would have to figure out how to apply the rule to some but not all information.

    Others argued that covering all individually identifiable health information would eliminate any disincentives for covered entities to convert from paper to computerized record systems. These commenters asserted that under the proposed limited coverage, contrary to the intent of HIPAA's administrative simplification standards, providers would avoid converting paper records into computerized systems in order to bypass the provisions of the regulation. They argued that treating all records the same is consistent with the goal of increasing the efficiency of the administration of health care services.

    Lastly, in the NPRM, we explained that while we chose not to extend our regulatory coverage to all records, we did have the authority to do so. Several commenters agreed with our interpretation of the statute and our authority and reiterated such statements in arguing that we should expand the scope of the rule in this regard.

    Response: We find these commenters' arguments persuasive and extend protections to individually identifiable health information transmitted or maintained by a covered entity in any form (subject to the exception for “education records” governed by FERPA and records described at 20 U.S.C. 1232g(a)(4)(B)(iv)). We do so for the reasons described by the commenters and in our NPRM, as well as because we believe that the approach in the final rule creates a logical, consistent system of protections that recognizes the dynamic nature of health information use and disclosure in a continually shifting health care environment. Rules that are specific to certain formats or media, such as “electronic” or “paper,” cannot address the privacy threats resulting from evolving forms of data capture and transmission or from the transfer of the information from one form to another. This approach avoids the somewhat artificial boundary issues that stem from defining what is and is not electronic.

    In addition, we have reevaluated our reasons for not extending privacy protections to all paper records in the NPRM and after review of comments believe such justifications to be less compelling than we originally thought. For example, in the NPRM, we explained that we chose not to cover all paper records in order to focus on the public concerns about health information confidentiality in electronic communications, and out of concern that the potential additional burden of covering all records may not be justified because of the lower privacy risks presented by records that are in paper form only. As discussed above however, a great many commenters asserted that dealing with a mixture of protected and non-protected records is more burdensome, and that public concerns over health information confidentiality are not at all limited to electronic communications.

    We note that medical devices in and of themselves, for example, pacemakers, are not protected health information for purposes of this regulation. However, information in or from the device may be protected health information to the extent that it otherwise meets the definition.

    Comment: Numerous commenters argued that the proposed coverage of any information other than that which is transmitted electronically and/or in a HIPAA transaction exceeds the Secretary's authority under section 264(c)(1) of HIPAA. The principal argument was that the initial language in section 264(c)(1) (“If language governing standards with respect to the privacy of individually identifiable health information transmitted in connection with the transactions described in section 1173(a) of the Social Security Act ... is not enacted by [August 21, 1999], the Secretary ... shall promulgate final regulations containing such standards...”) limits the privacy standards to “information transmitted in connection with the [HIPAA] transactions.” The precise argument made by some commenters was that the grant of authority is contained in the words “such standards,” and that the referent of that phrase was “standards with respect to the privacy of individually identifiable health information transmitted in connection with the transactions described in section 1173(a)...”.

    Commenters also argued that this limitation on the Secretary's authority is discernible from the statutory purpose statement at section 261 of HIPAA, from the title to section 1173(a) (“Standards to Enable Electronic Exchange”), and from various statements in the legislative history, such as the statement in the Conference Report that the “Secretary would be required to establish standards and modifications to such standards regarding the privacy of individually identifiable health information that is in the health information network.” H. Rep. No. 104-736, 104th Cong., 2d Sess., at 265. It was also argued that extension of coverage beyond the HIPAA transactions would be inconsistent with the underlying statutory trade-off between facilitating accessibility of information in the electronic transactions for which standards are adopted under section 1173(a) and protecting that information through the privacy standards.

    Other commenters argued more generally that the Secretary's authority was limited to information in electronic form only, not information in any other form. These comments tended to focus on the statutory concern with regulating transactions in electronic form and argued that there was no need to have the privacy standards apply to information in paper form, because there is significantly less risk of breach of privacy with respect to such information.

    The primary justifications provided by commenters for restricting the scope of covered individually identifiable health information under the regulation were that such an approach would reduce the complexity, burden, cost, and enforcement problems that would result from a rule that treats electronic and non-electronic records differently; would appropriately limit the rule's focus to the security risks that are inherent in electronic transmission or maintenance of individually identifiable health information; and would conform these provisions of the rule more closely with their interpretation of the HIPAA statutory language.

    Response: We disagree with these commenters. We believe that restricting the scope of covered information under the rule consistent with any of the comments described above would generate a number of policy concerns. Any restriction in the application of privacy protections based on the media used to maintain or transmit the information is by definition arbitrary, unrelated to the potential use or disclosure of the information itself and therefore not responsive to actual privacy risks. For example, information contained in a paper record may be scanned and transmitted worldwide almost as easily as the same information contained in an electronic claims transaction, but would potentially not be protected.

    In addition, application of the rule to only the standard transactions would leave large gaps in the amount of health information covered. This limitation would be particularly harmful for information used and disclosed by health care providers, who are likely to maintain a great deal of information never contained in a transaction.

    We disagree with the arguments that the Secretary lacks legal authority to cover all individually identifiable health information transmitted or maintained by covered entities. The arguments raised by these comments have two component parts: (1) that the Secretary's authority is limited by form, to individually identifiable health information in electronic form only; and (2) that the Secretary's authority is limited by content, to individually identifiable health information that is contained in what commenters generally termed the “HIPAA transactions,” i.e., information contained in a transaction for which a standard has been adopted under section 1173(a) of the Act.

    With respect to the issue of form, the statutory definition of “health information” at section 1171(4) of the Act defines such information as “any information, whether oral or recorded in any form or medium” (emphasis added) which is created or received by certain entities and relates to the health condition of an individual or the provision of health care to an individual (emphasis added). “Individually identifiable health information”, as defined at section 1171(6) of the Act, is information that is created or received by a subset of the entities listed in the definition of “health information”, relates to the same subjects as “health information,” and is, in addition, individually identifiable. Thus, “individually identifiable health information” is, as the term itself implies, a subset of “health information.” As “health information,” “individually identifiable health information” means, among other things, information that is “oral or recorded in any form or medium.” Therefore, the statute does not limit “individually identifiable health information” to information that is in electronic form only.

    With respect to the issue of content, the limitation of the Secretary's authority to information in HIPAA transactions under section 264(c)(1) is more apparent than real. While the first sentence of section 264(c)(1) may be read as limiting the regulations to standards with respect to the privacy of individually identifiable health information “transmitted in connection with the [HIPAA] transactions,” what that sentence in fact states is that the privacy regulations must “contain” such standards, not be limited to such standards. The first sentence thus sets a statutory minimum, first for Congress, then for the Secretary. The second sentence of section 264(c)(1) directs that the regulations “address at least the subjects in subsection (b) [of section 264].” Section 264(b), in turn, refers only to “individually identifiable health information”, with no qualifying language, and refers back to subsection (a) of section 264, which is not limited to HIPAA transactions. Thus, the first and second sentences of section 264(c)(1) can be read as consistent with each other, in which case they direct the issuance of privacy standards with respect to individually identifiable health information. Alternatively, they can be read as ambiguous, in which case one must turn to the legislative history.

    The legislative history of section 264 does not reflect the content limitation of the first sentence of section 264(c)(1). Rather, the Conference Report summarizes this section as follows: “If Congress fails to enact privacy legislation, the Secretary is required to develop standards with respect to privacy of individually identifiable health information not later than 42 months from the date of enactment.” Id., at 270. This language indicates that the overriding purpose of section 264(c)(1) was to postpone the Secretary's duty to issue privacy standards (which otherwise would have been controlled by the time limits at section 1174(a)), in order to give Congress more time to pass privacy legislation. A corollary inference, which is also supported by other textual evidence in section 264 and Part C of title XI, is that if Congress failed to act within the time provided, the original statutory scheme was to kick in. Under that scheme, which is set out in section 1173(e) of the House bill, the standards to be adopted were “standards with respect to the privacy of individually identifiable health information.” Thus, the legislative history of section 264 supports the statutory interpretation underlying the rules below.

    Comment: Many commenters were opposed to the rule covering specific forms of communication or records that could potentially be considered covered information, i.e., faxes, voice mail messages, etc. A subset of these commenters took issue particularly with the inclusion of oral communications within the scope of covered information. The commenters argued that covering information when it takes oral form (e.g., verbal discussions of a submitted claim) makes the regulation extremely costly and burdensome, and even impossible to administer. Another commenter also offered that it would make it nearly impossible to discuss health information over the phone, as the covered entity cannot verify that the person on the other end is in fact who he or she claims to be.

    Response: We disagree. Covering oral communications is an important part of keeping individually identifiable health information private. If the final rule were not to cover oral communication, a conversation about a person's protected health information could be shared with anyone. Therefore, the same protections afforded to paper and electronically based information must apply to verbal communication as well. Moreover, the Congress explicitly included “oral” information in the statutory definition of health information.

    Comment: A few commenters supported, without any change, the approach proposed in the NPRM to limit the scope of covered information to individually identifiable health information in any form once the information is transmitted or maintained electronically. These commenters asserted that our statutory authority limited us accordingly. Therefore, they believed we had proposed protections to the extent possible within the bounds of our statutory authority and could not expand the scope of such protections without new legislative authority.

    Response: We disagree with these commenters regarding the limitations under our statutory authority. As explained above, we have the authority to extend the scope of the regulation as we have done in the final rule. We also note here that most of these commenters who supported the NPRM's proposed approach, voiced strong support for extending the scope of coverage to all individually identifiable health information in any form, but concluded that we had done what we could within the authority provided.

    Comment: One commenter argued that the term “transaction” is generally understood to denote a business matter, and that the NPRM applied the term too broadly by including hospital directory information, communication with a patient's family, researchers' use of data and many other non-business activities.

    Response: This comment reflects a misunderstanding of our use of the term “transaction.” The uses and disclosures described in the comment are not “transactions” as defined in § 160.103. The authority to regulate the types of uses and disclosures described is provided under section 264 of Pub. L. 104-191. The conduct of the activities noted by the commenters is not related to the determination of whether a health care provider is a covered entity. We explain in the preamble that a health care provider is a covered entity if it transmits health information in electronic form in connection with transactions referred to in section 1173(a)(1) of the Act.

    Comment: A few commenters asserted that the Secretary has no authority to regulate “use” of protected health information. They stated that although section 264(b) mentions that the Secretary should address “uses and disclosures,” no other section of HIPAA employs the term “use.”

    Response: We disagree with these commenters. As they themselves note, the authority to regulate use is given in section 264(b) and is sufficient.

    Comment: Some commenters requested clarification as to how certain types of health information, such as photographs, faxes, X-Rays, CT-scans, and others would be classified as protected or not under the rule.

    Response: All types of individually identifiable health information in any form, including those described, when maintained or transmitted by a covered entity are covered in the final rule.

    Comment: A few commenters requested clarification with regard to the differences between the definitions of individually identifiable health information and protected health information.

    Response: In expanding the scope of covered information in the final rule, we have simplified the distinction between the two definitions. In the final rule, protected health information is the subset of individually identifiable health information that is maintained or transmitted by a covered entity, and thereby protected by this rule. For additional discussion of protected health information and individually identifiable health information, see the descriptive summary of § 164.501.

    Comment: A few commenters remarked that the federal government has no right to access or control any medical records and that HHS must get consent in order to store or use any individually identifiable health information.

    Response: We understand the commenters' concern. It is not our intent, nor do we through this rule create any government right of access to medical records, except as needed to investigate possible violations of the rule. Some government programs, such as Medicare, are authorized under other law to gain access to certain beneficiary records for administrative purposes. However, these programs are covered by the rule and its privacy protections apply.

    Comment: Some commenters asked us to clarify how schools would be treated by the rule. Some of these commenters worried that privacy would be compromised if schools were exempted from the provisions of the final rule. Other commenters thought that school medical records were included in the provisions of the NPRM.

    Response: We agree with the request for clarification and provide guidance regarding the treatment of medical records in schools in the "Relationship to Other Federal Laws" preamble discussion of FERPA, which governs the privacy of education records.

    Comment: One commenter was concerned that only some information from a medical chart would be included as covered information. The commenter was especially concerned that transcribed material might not be considered covered information.

    Response: As stated above, all individually identifiable health information in any form, including transcribed or oral information, maintained or transmitted by a covered entity is covered under the provisions of the final rule.

    Comment: In response to our solicitation of comments on the scope of the definition of protected health information, many commenters asked us to narrow the scope of the proposed definition to include only information in electronic form. Others asked us to include only information from the HIPAA standard transactions.

    Response: For the reasons stated by the commenters who asked us to expand the proposed definition, we reject these comments. We reject these approaches for additional reasons, as well. Limiting the protections to electronic information would, in essence, protect information only as long as it remained in a computer or other electronic media; the protections in the rule could be avoided simply by printing out the information. This approach would thus result in the illusion, but not the reality, of privacy protections. Limiting protection to information in HIPAA transactions has many of the problems in the proposed approach: it would fail to protect significant amounts of health information, would force covered entities to figure out which information had and had not been in such a transaction, and could cause the administrative burdens the commenters feared would result from protecting some but not all information.

    Comment: A few commenters asserted that the definition of protected health information should explicitly include “genetic” information. It was argued that improper disclosure and use of such information could have a profound impact on individuals and families.

    Response: We agree that the definition of protected health information includes genetic information that otherwise meets the statutory definition. But we believe that singling out specific types of protected health information for special mention in the regulation text could wrongly imply that other types are not included.

    Comment: One commenter recommended that the definition of protected health information be modified to clarify that an entity does not become a 'covered entity' by providing a device to an individual on which protected health information may be stored, provided that the company itself does not store the individual's health information.

    Response: We agree with the commenter's analysis, but believe the definition is sufficiently clear without a specific amendment to this effect.

    Comment: One commenter recommended that the definition be amended to explicitly exclude individually identifiable health information maintained, used, or disclosed pursuant to the Fair Credit Reporting Act, as amended, 15 U.S.C. 1681. It was stated that a disclosure of payment history to a consumer reporting agency by a covered entity should not be considered protected health information. Another commenter recommended that health information, billing information, and a consumer's credit history be exempted from the definition because this flow of information is regulated by both the Fair Credit Reporting Act (FCRA) and the Fair Debt Collection Practices Act (FDCPA).

    Response: We disagree. To the extent that such information meets the definition of protected health information, it is covered by this rule. These statutes are designed to protect financial, not health, information. Further, these statutes primarily regulate entities that are not covered by this rule, minimizing the potential for overlap or conflict. The protections in this rule are more appropriate for protecting health information. However, we add provisions to the definition of payment which should address these concerns. See the definition of 'payment' in § 164.501.

    Comment: An insurance company recommended that the rule require that medical records containing protected health information include a notation on a cover sheet on such records.

    Response: Since we have expanded the scope of protected health information, there is no need for covered entities to distinguish among their records, and such a notation is not needed. This uniform coverage eliminates the mixed record problem and resultant potential for confusion.

    Comment: A government agency requested clarification of the definition to address the status of information that flows through dictation services.

    Response: A covered entity may disclose protected health information for transcription of dictation under the definition of health care operations, which allows disclosure for “general administrative” functions. We view transcription and clerical services generally as part of a covered entity's general administrative functions. An entity transcribing dictation on behalf of a covered entity meets this rule's definition of business associate and may receive protected health information under a business associate contract with the covered entity and subject to the other requirements of the rule.

    Comment: A commenter recommended that information transmitted for employee drug testing be exempted from the definition.

    Response: We disagree that it is necessary to specifically exclude such information from the definition of protected health information. If a covered entity is involved, triggering this rule, the employer may obtain authorization from the individuals to be tested. Nothing in this rule prohibits an employer from requiring an employee to provide such an authorization as a condition of employment.

    Comment: A few commenters addressed our proposal to exclude individually identifiable health information in education records covered by FERPA. Some expressed support for the exclusion. One commenter recommended adding another exclusion to the definition for the treatment records of students who attend institutions of post-secondary education or who are 18 years old or older to avoid confusion with rules under FERPA. Another commenter suggested that the definition exclude health information of participants in “Job Corps programs” as it has for educational records and inmates of correctional facilities.

    Response: We agree with the commenter on the potential for confusion regarding records of students who attend post-secondary schools or who are over 18, and therefore in the final rule we exclude records defined at 20 U.S.C. 1232g(a)(4)(B)(iv) from the definition of protected health information. For a detailed discussion of this change, refer to the “Relationship to Other Federal Laws” section of the preamble. We find no similar reason to exclude “Job Corps programs” from the requirements of this regulation.

    Comment: Some commenters voiced support for the exclusion of the records of inmates from the definition of protected health information, maintaining that correctional agencies have a legitimate need to share some health information internally without authorization between health service units in various facilities and for purposes of custody and security. Other commenters suggested that the proposed exclusion be extended to individually identifiable health information: created by covered entities providing services to inmates or detainees under contract to such facilities; of “former” inmates; and of persons who are in the custody of law enforcement officials, such as the United States Marshals Service and local police agencies. They stated that corrections and detention facilities must be able to share information with law enforcement agencies such as the United States Marshals Service, the Immigration and Naturalization Services, county jails, and U.S. Probation Offices.

    Another commenter said that there is a need to have access to records of individuals in community custody and explained that these individuals are still under the control of the state or local government and that immediate access to records for inspections and/or drug testing is necessary.

    A number of commenters were opposed to the proposed exclusion to the definition of protected health information, arguing that the proposal was too sweeping. Commenters stated that while access without consent is acceptable for some purposes, it is not acceptable in all circumstances. Some of these commenters concurred with the sharing of health care information with other medical facilities when the inmate is transferred for treatment. These commenters recommended that we delete the exception for jails and prisons and substitute specific language about what information could be disclosed and the limited circumstances or purposes for which such disclosures could occur.

    Others recommended omission of the proposed exclusion entirely, arguing that excluding this information from protection sends the message that, with respect to this population, abuses do not matter. Commenters argued that inmates and detainees have a right to privacy of medical records and that individually identifiable health information obtained in these settings can be misused, e.g., when communicated indiscriminately, health information can trigger assaults on individuals with stigmatized conditions by fellow inmates or detainees. It can also lead to the denial of privileges, or inappropriately influence the deliberations of bodies such as parole boards.

    A number of commenters explicitly took issue with the exclusion relative to individuals, and in particular youths, with serious mental illness, seizure disorders, and emotional or substance abuse disorders. They argued that these individuals come in contact with criminal justice authorities as a result of behaviors stemming directly from their illness and asserted that these provisions will cause serious problems. They argued that disclosing the fact that an individual was treated for mental illness while incarcerated could seriously impair the individual's reintegration into the community. Commenters stated that such disclosures could put the individual or family members at risk of discrimination by employers and in the community at large.

    Some commenters asserted that the rule should be amended to prohibit jails and prisons from disclosing private medical information of individuals who have been discharged from these facilities. They argued that such disclosures may seriously impair individuals' rehabilitation into society and subject them to discrimination as they attempt to re-establish acceptance in the community.

    Response: We find commenters' arguments against a blanket exemption from privacy protection for inmates persuasive. We agree that health information in these settings may be misused, which poses many risks to the inmate or detainee and, in some cases, their families, as described above by the commenters. Accordingly, we delete this exception from the definition of “protected health information” in the final rule. The final rule considers individually identifiable health information of individuals who are prisoners and detainees to be protected health information to the extent that it meets the definition and is maintained or transmitted by a covered entity.

    At the same time, we agree with those commenters who explained that correctional facilities have legitimate needs for use and sharing of individually identifiable health information of inmates without authorization. Therefore, we add a new provision (§ 164.512(k)(5)) that permits a covered entity to disclose protected health information about inmates without individual consent, authorization, or agreement to correctional institutions for specified health care and other custodial purposes. For example, covered entities are permitted to disclose for the purposes of providing health care to the individual who is the inmate, or for the health and safety of other inmates or officials and employees of the facility. In addition, a covered entity may disclose protected health information as necessary for the administration and maintenance of the safety, security, and good order of the institution. See the preamble discussion of the specific requirements at § 164.512(k)(5), as well as discussion of certain limitations on the rights of individuals who are inmates with regard to their protected health information at §§ 164.506, 164.520, 164.524, and 164.528.

    We also provide the following clarifications. Covered entities that provide services to inmates under contract to correctional institutions must treat protected health information about inmates in accordance with this rule and are permitted to use and disclose such information to correctional institutions as allowed under § 164.512(k)(5).

    As to former inmates, the final rule considers such persons who are released on parole, probation, supervised release, or are otherwise no longer in custody, to be individuals who are not inmates. Therefore, the permissible disclosure provision at § 164.512(k)(5) does not apply in such cases. Instead, a covered entity must apply privacy protections to the protected health information about former inmates in the same manner and to the same extent that it protects the protected health information of other individuals. In addition, individuals who are former inmates hold the same rights as all other individuals under the rule.

    As to individuals in community custody, the final rule considers inmates to be those individuals who are incarcerated in or otherwise confined to a correctional institution. Thus, to the extent that community custody confines an individual to a particular facility, § 164.512(k)(5) is applicable.