
    HIPAA Privacy Regulations: Definitions: Health Care Operations - § 164.501

    As Contained in the HHS HIPAA Privacy Rules

    HHS Guidance: Uses and Disclosures For Treatment, Payment and Health Care Operations


    HHS Regulations as Amended January 2013
    Definitions: Health Care Operations - § 164.501


    Health care operations means any of the following activities of the covered entity to the extent that the activities are related to covered functions:

    (1) Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; patient safety activities (as defined in 42 CFR 3.20); population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives; and related functions that do not include treatment;

    (2) Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities;

    (3) Except as prohibited under §164.502(a)(5)(i), underwriting, enrollment, premium rating, and other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract for reinsurance of risk relating to claims for health care (including stop-loss insurance and excess of loss insurance), provided that the requirements of §164.514(g) are met, if applicable;

    (4) Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs;

    (5) Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies; and

    (6) Business management and general administrative activities of the entity, including, but not limited to:

    (i) Management activities relating to implementation of and compliance with the requirements of this subchapter;

    (ii) Customer service, including the provision of data analyses for policy holders, plan sponsors, or other customers, provided that protected health information is not disclosed to such policy holder, plan sponsor, or customer.

    (iii) Resolution of internal grievances;

    (iv) The sale, transfer, merger, or consolidation of all or part of the covered entity with another covered entity, or an entity that following such activity will become a covered entity and due diligence related to such activity; and

    (v) Consistent with the applicable requirements of §164.514, creating de-identified health information or a limited data set, and fundraising for the benefit of the covered entity.


    HHS Description of and Commentary From the January 2013 Amendments
    Definitions: Health Care Operations


    Proposed Rule

    The definition of “health care operations” at § 164.501 includes at paragraph (3) “underwriting, premium rating, and other activities relating to the creation, renewal or replacement of a contract of health insurance or benefits….” To avoid confusion with the use of both “underwriting” and “underwriting purposes” in the Privacy Rule, and in recognition of the fact that the proposed definition of “underwriting purposes” includes activities that fall within both the definitions of “payment” and “health care operations” in the Rule, the Department proposed to remove the term “underwriting” from the definition of “health care operations.” We also proposed to add the term “enrollment” to the express list of health care operations activities to make clear that the removal of the term “underwriting” would not impact the use or disclosure of protected health information that is not genetic information for enrollment purposes. These proposed revisions were not intended to be substantive changes to the definition and thus, health plans would be permitted to continue to use or disclose protected health information, except genetic information, for underwriting purposes.

    Overview of Public Comments

    The Department received a few comments on the proposed revisions to the definition of “health care operations.” One commenter supported the inclusion of the word “enrollment.” A few commenters, however, expressed concern and confusion that the removal of the term “underwriting” from the definition of “health care operations” would no longer permit uses or disclosures of even non-genetic protected health information for underwriting.

    Final Rule

    Due to the confusion and concern expressed by the commenters regarding the removal of the term “underwriting” from the definition, we retain the term “underwriting” within the definition of “health care operations” at §164.501. However, to make clear that a health plan may continue to use or disclose only protected health information that is not genetic information for underwriting, we include a reference to the prohibition on using or disclosing genetic information for underwriting purposes within the definition. The final rule also retains the term “enrollment” within the definition because we believe it is helpful to clarify that this is a permitted health care operations activity.

    Patient Safety

    Proposed Rule

    PSQIA [The Patient Safety and Quality Improvement Act of 2005] provides, among other things, that Patient Safety Organizations (PSOs) are to be treated as business associates of covered health care providers. Further, PSQIA provides that the patient safety activities of PSOs are deemed to be health care operations of covered health care providers under the Privacy Rule. See 42 U.S.C. 299b-22(i). To conform to these statutory provisions, we proposed to amend paragraph (1) of the definition of “health care operations” to include an express reference to patient safety activities, as defined in the PSQIA implementing regulation at 42 CFR 3.20. Many health care providers participating in the voluntary patient safety program authorized by PSQIA are HIPAA covered entities.

    PSQIA acknowledges that such providers must also comply with the Privacy Rule and deems patient safety activities to be health care operations under the Privacy Rule. While such types of activities are already encompassed within paragraph (1) of the definition, which addresses various quality activities, we proposed to expressly include patient safety activities within paragraph (1) of the definition of health care operations to conform the definition to PSQIA and to eliminate the potential for confusion. This modification also addresses public comments the Department received during the rulemaking period for the PSQIA implementing regulations, which urged the Department to modify the definition of “health care operations” in the Privacy Rule to expressly reference patient safety activities so that the intersection of the Privacy and PSQIA Rules would be clear. See 73 FR 70732, 70780 (Nov. 21, 2008).

    Overview of Public Comments

    The Department received comments supporting the inclusion of patient safety activities in the definition of “health care operations.”

    Final Rule

    The final rule adopts the proposed modification.


    HHS Description of and Commentary From the August 2002 Revisions
    Privacy of Individually Identifiable Health Information: Definitions: Health Care Operations


    December 2000 Privacy Rule. The Rule's definition of "health care operations" included the disclosure of protected health information for the purposes of due diligence with respect to the contemplated sale or transfer of all or part of a covered entity's assets to a potential successor in interest who is a covered entity, or would become a covered entity as a result of the transaction.

    The Department indicated in the December 2000 preamble of the Privacy Rule its intent to include in the definition of health care operations the actual transfer of protected health information to a successor in interest upon a sale or transfer of its assets. (65 FR 82609.) However, the regulation itself did not expressly provide for the transfer of protected health information upon the sale or transfer of assets to a successor in interest. Instead, the definition of "health care operations" included uses or disclosures of protected health information only for due diligence purposes when a sale or transfer to a successor in interest is contemplated.

    March 2002 NPRM. A number of entities expressed concern about the discrepancy between the intent as expressed in the preamble to the December 2000 Privacy Rule and the actual regulatory language. To address these concerns, the Department proposed to add language to paragraph (6) of the definition of "health care operations" to clarify its intent to permit the transfer of records to a covered entity upon a sale, transfer, merger, or consolidation. This proposed change would prevent the Privacy Rule from interfering with necessary treatment or payment activities upon the sale of a covered entity or its assets.

    The Department also proposed to use the terms "sale, transfer, consolidation or merger" and to eliminate the term "successor in interest" from this paragraph. The Department intended this provision to apply to any sale, transfer, merger or consolidation and believed the current language may not accomplish this goal.

    The Department proposed to retain the limitation that such disclosures are health care operations only to the extent the entity receiving the protected health information is a covered entity or would become a covered entity as a result of the transaction. The Department clarified that the proposed modification would not affect a covered entity's other legal or ethical obligation to notify individuals of a sale, transfer, merger, or consolidation.

    Overview of Public Comments. The following discussion provides an overview of the public comment received on this proposal.

    Numerous commenters supported the proposed modifications. Generally, these commenters claimed the modifications would prevent inconvenience to consumers, and facilitate timely access to health care. Specifically, these commenters indicated that health care would be delayed and consumers would be inconvenienced if covered entities were required to obtain individual consent or authorization before they could access health records that are newly acquired assets resulting from the sale, transfer, merger, or consolidation of all or part of a covered entity. Commenters further claimed that the administrative burden of acquiring individual permission and culling records of consumers who do not give consent would be too great, and would cause some entities to simply store or destroy the records instead. Consequently, health information would be inaccessible, causing consumers to be inconvenienced and health care to be delayed. Some commenters noted that the proposed modifications recognize the realities of business without compromising the availability or quality of health care or diminishing privacy protections one would expect in the handling of protected health information during the course of such business transactions.

    Opposition to the proposed modifications was limited, with commenters generally asserting that the transfer of records in such circumstances would not be in the best interests of individuals.

    Final Modifications. The Department agrees with the commenters that supported the proposed modifications and, therefore, adopts the modifications to the definition of health care operations. Thus, "health care operations" includes the sale, transfer, merger, or consolidation of all or part of the covered entity to or with another covered entity, or an entity that will become a covered entity as a result of the transaction, as well as the due diligence activities in connection with such transaction. In response to a comment, the final Rule modifies the phrase "all or part of a covered entity" to read "all or part of the covered entity" to clarify that any disclosure for such activity must be by the covered entity that is a party to the transaction.

    Under the final definition of "health care operations," a covered entity may use or disclose protected health information in connection with a sale or transfer of assets to, or a consolidation or merger with, an entity that is or will be a covered entity upon completion of the transaction; and to conduct due diligence in connection with such transaction. The modification makes clear it is also a health care operation to transfer records containing protected health information as part of the transaction. For example, if a pharmacy which is a covered entity buys another pharmacy which is also a covered entity, protected health information can be exchanged between the two entities for purposes of conducting due diligence, and the selling entity may transfer any records containing protected health information to the new owner upon completion of the transaction. The new owner may then immediately use and disclose those records to provide health care services to the individuals, as well as for payment and health care operations purposes. Since the information would continue to be protected by the Privacy Rule, any other use or disclosure of the information would require an authorization unless otherwise permitted without authorization by the Rule, and the new owner would be obligated to observe the individual's rights of access, amendment, and accounting. The Privacy Rule would not interfere with other legal or ethical obligations of an entity that may arise out of the nature of its business or relationship with its customers or patients to provide such persons with notice of the transaction or an opportunity to agree to the transfer of records containing personal information to the new owner.

    Response to Other Public Comments.

    Comment: One commenter was concerned about what obligations the parties to a transaction have regarding protected health information that was exchanged as part of a transaction if the transaction does not go through.

    Response: The Department believes that other laws and standard business practices are adequate to address these situations and accordingly does not impose additional requirements of this type. It is standard practice for parties contemplating such transactions to enter into confidentiality agreements. In addition to exchanging protected health information, the parties to such transactions commonly exchange confidential proprietary information. It is a standard practice for the parties to these transactions to agree that the handling of all confidential information, such as proprietary information, will include ensuring that, in the event that the proposed transaction is not consummated, the information is either returned to its original owner or destroyed as appropriate. They may include protected health information in any such agreement, as they determine appropriate to the circumstances and applicable law.


    HHS Description from Original Rulemaking
    Definitions - Health Care Operations


    The preamble to the proposed rule explained that in order for treatment and payment to occur, protected health information must be used within entities and shared with business partners. In the proposed rule we provided a definition for “health care operations” to clarify the activities we considered to be “compatible with and directly related to” treatment and payment and for which protected health information could be used or disclosed without individual authorization. These activities included conducting quality assessment and improvement activities, reviewing the competence or qualifications and accrediting/licensing of health care professionals and plans, evaluating health care professional and health plan performance, training future health care professionals, insurance activities relating to the renewal of a contract for insurance, conducting or arranging for medical review and auditing services, and compiling and analyzing information in anticipation of or for use in a civil or criminal legal proceeding. Recognizing the dynamic nature of the health care industry, we acknowledged that the specified categories may need to be modified as the industry evolves.

    The preamble discussion of the proposed general rules listed certain activities that would not be considered health care operations because they were sufficiently unrelated to treatment and payment to warrant requiring an individual to authorize such use or disclosure. Those activities included: marketing of health and non-health items and services; disclosure of protected health information for sale, rent or barter; use of protected health information by a non-health related division of an entity; disclosure of protected health information for eligibility, enrollment, underwriting, or risk rating determinations prior to an individual's enrollment in a health plan; disclosure to an employer for employment determinations; and fundraising.

    In the final rule, we do not change the general approach of defining health care operations: health care operations are the listed activities undertaken by the covered entity that maintains the protected health information (i.e., one covered entity may not disclose protected health information for the operations of a second covered entity); a covered entity may use any protected health information it maintains for its operations (e.g., a plan may use protected health information about former enrollees as well as current enrollees); we expand the proposed list to reflect many changes requested by commenters.

    We modify the proposal that health care operations represent activities “in support of” treatment and payment functions. Instead, in the final rule, health care operations are the enumerated activities to the extent that the activities are related to the covered entity's functions as a health care provider, health plan or health care clearinghouse, i.e., the entity's “covered functions.” We make this change to clarify that health care operations includes general administrative and business functions necessary for the covered entity to remain a viable business. While it is possible to draw a connection between all the enumerated activities and “treatment and payment,” for some general business activities (e.g., audits for financial disclosure statements) that connection may be tenuous. The proposed concept also did not include the operations of those health care clearinghouses that may be covered by this rule outside their status as business associate to a covered entity. We expand the definition to include disclosures for the enumerated activities of organized health care arrangements in which the covered entity participates. See also the definition of organized health care arrangements, below.

    In addition, we make the following changes and additions to the enumerated subparagraphs:

    (1) We add language to clarify that the primary purpose of the studies encompassed by “quality assessment and improvement activities” must not be to obtain generalizable knowledge. A study with such a purpose would meet the rule's definition of research, and use or disclosure of protected health information would have to meet the requirements of §§ 164.508 or 164.512(i). Thus, studies may be conducted as a health care operation if development of generalizable knowledge is not the primary goal. However, if the study changes and the covered entity intends the results to be generalizable, the change should be documented by the covered entity as proof that, when initiated, the primary purpose was health care operations.

    We add population-based activities related to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives, and related functions that do not entail direct patient care. Many commenters recommended adding the term “disease management” to health care operations. We were unable, however, to find a generally accepted definition of the term. Rather than rely on this label, we include many of the functions often included in discussions of disease management in this definition or in the definition of treatment. This topic is discussed further in the comment responses below.

    (2) We have deleted “undergraduate and graduate” as a qualifier for “students,” to make the term more general and inclusive. We add the term “practitioners.” We expand the purposes encompassed to include situations in which health care providers are working to improve their skills. The rule also adds the training of non-health care professionals.

    (3) The rule expands the range of insurance related activities to include those related to the creation, renewal or replacement of a contract for health insurance or health benefits, as well as ceding, securing, or placing a contract for reinsurance of risk relating to claims for health care (including stop-loss and excess of loss insurance). For these activities, we also eliminate the proposed requirement that these uses and disclosures apply only to protected health information about individuals already enrolled in a health plan. Under this provision, a group health plan that wants to replace its insurance carrier may disclose certain protected health information to insurance issuers in order to obtain bids on new coverage, and an insurance carrier interested in bidding on new business may use protected health information obtained from the potential new client to develop the product and pricing it will offer. For circumstances in which no new contract is issued, we add a provision in § 164.514(g) restricting the recipient health plan from using or disclosing protected health information obtained for this purpose, other than as required by law. Uses and disclosures in these cases come within the definition of “health care operations,” provided that the requirements of § 164.514(g) are met, if applicable. See § 164.504(f) for requirements for such disclosures by group health plans, as well as specific restrictions on the information that may be disclosed to plan sponsors for such purposes. We note that a covered health care provider must obtain an authorization under § 164.508 in order to disclose protected health information about an individual for purposes of pre-enrollment underwriting; the underwriting is not an “operation” of the provider and that disclosure is not otherwise permitted by a provision of this rule.

    (4) We delete reference to the “compiling and analyzing information in anticipation of or for use in a civil or criminal legal proceeding” and replace it with a broader reference to conducting or arranging for “legal services.”

    We add two new categories of activities:

    (5) Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies.

    (6) Business management activities and general administrative functions, such as management activities relating to implementation of and compliance with the requirements of this subchapter, fundraising for the benefit of the covered entity to the extent permitted without authorization under § 164.514(f), and marketing of certain services to individuals served by the covered entity, to the extent permitted without authorization under § 164.514(e) (see discussion in the preamble to that section, below). For example, under this category we permit uses or disclosures of protected health information to determine from whom an authorization should be obtained, for example to generate a mailing list of individuals who would receive an authorization request.

    We add to the definition of health care operations disclosure of protected health information for due diligence to a covered entity that is a potential successor in interest. This provision includes disclosures pursuant to the sale of a covered entity's business as a going concern, mergers, acquisitions, consolidations, and other similar types of corporate restructuring between covered entities, including a division of a covered entity, and to an entity that is not a covered entity but will become a covered entity if the transfer or sale is completed. Other types of sales of assets, or disclosures to organizations that are not and would not become covered entities, are not included in the definition of health care operations and could only occur if the covered entity obtained valid authorization for such disclosure in accordance with § 164.508, or if the disclosure is otherwise permitted under this rule.

    We also add to health care operations disclosure of protected health information for resolution of internal grievances. These uses and disclosures include disclosure to an employee and/or employee representative, for example when the employee needs protected health information to demonstrate that the employer's allegations of improper conduct are untrue. We note that such employees and employee representatives are not providing services to or for the covered entity, and, therefore, no business associate contract is required. Also included are resolution of disputes from patients or enrollees regarding the quality of care and similar matters.

    We also add use for customer service, including the provision of data and statistical analyses for policyholders, plan sponsors, or other customers, as long as the protected health information is not disclosed to such persons. We recognize that part of the general management of a covered entity is customer service. We clarify that customer service may include the use of protected health information to provide data and statistical analyses. For example, a plan sponsor may want to understand why its costs are rising faster than average, or why utilization in one plant location is different than in another location. An association that sponsors an insurance plan for its members may want information on the relative costs of its plan in different areas. Some plan sponsors may want more detailed analyses that attempt to identify health problems in a work site. We note that when a plan sponsor has several different group health plans, or when such plans provide insurance or coverage through more than one health insurance issuer or HMO, the covered entities may jointly engage in this type of analysis as a health care operation of the organized health care arrangement.

    This activity qualifies as a health care operation only if it does not result in the disclosure of protected health information to the customer. The results of the analyses must be presented in a way that does not disclose protected health information. A disclosure of protected health information to the customer as a health care operation under this provision violates this rule. This provision is not intended to permit covered entities to circumvent other provisions in this rule, including requirements relating to disclosures of protected health information to plan sponsors or the requirements relating to research. See § 164.504(f) and § 164.512(i).

    We use the term customer to provide flexibility to covered entities. We do not intend the term to apply to persons with whom the covered entity has no other business; this provision is intended to permit covered entities to provide service to their existing customer base.

    We note that this definition, either alone or in conjunction with the definition of “organized health care arrangement,” allows an entity such as an integrated staff model HMO, whether legally integrated or whether a group of associated entities, that hold themselves out as an organized arrangement to share protected health information under § 164.506. In these cases, the sharing of protected health information will be either for the operations of the disclosing entity or for the organized health care arrangement in which the entity is participating.

    Whether a disclosure is allowable for health care operations under this provision is determined separately from whether a business associate contract is required. These provisions of the rule operate independently. Disclosures for health care operations may be made to an entity that is neither a covered entity nor a business associate of the covered entity. For example, a covered academic medical center may disclose certain protected health information to community health care providers who participate in one of its continuing medical education programs, whether or not such providers are covered health care providers under this rule. A provider attending a continuing education program is not thereby performing services for the covered entity sponsoring the program and, thus, is not a business associate for that purpose. Similarly, health plans may disclose for due diligence purposes to another entity that may or may not be a covered entity or a business associate.


    HHS Response to Comments Received from Original Rulemaking
    Privacy of Individually Identifiable Health Information: Definitions: Health Care Operations


    Comment: Several commenters stated that the list of activities within the definition of health care operations was too broad and should be narrowed. They asserted that the definition should be limited to exclude activities that have little or no connection to the care of a particular patient or to only include emergency treatment situations or situations constituting a clear and present danger to oneself or others.

    Response: We disagree. We believe that narrowing the definition in the manner requested will place serious burdens on covered entities and impair their ability to conduct legitimate business and management functions.

    Comment: Many commenters, including physician groups, consumer groups, and privacy advocates, argued that we should limit the information that can be used for health care operations to de-identified data. They argued that if an activity could be done with de-identified data, it should not be incorporated in the definition of health care operations.

    Response: We disagree. We believe that many activities necessary for the business and administrative operations of health plans and health care providers are not possible with de-identified information or are possible only under unduly burdensome circumstances. For example, identified information may be used or disclosed during an audit of claims, for a plan to contact a provider about alternative treatments for specific patients, and in reviewing the competence of health care professionals. Further, not all covered entities have the same ability to de-identify protected health information. Covered entities with highly automated information systems will be able to use de-identified data for many purposes. Other covered entities maintain most of their records on paper, so a requirement to de-identify information would place too great a burden on the legitimate and routine business functions included in the definition of health care operations. Small businesses, which are most likely to have largely paper records, would find such a blanket requirement particularly burdensome.

    Protected health information that is de-identified pursuant to § 164.514(a) is not subject to this rule. We hope this provides covered entities capable of de-identifying information with the incentive to do so.

    Comment: Some commenters requested that we permit the use of demographic data (geographic, location, age, gender, and race) separate from all other data for health care operations. They argued that demographic data was needed to establish provider networks and monitor providers to ensure that the needs of ethnic and minority populations were being addressed.

    Response: The use of demographic data for the stated purposes is within the definition of health care operations; a special rule is not necessary.

    Comment: Some commenters pointed out that the definition of health care operations is similar to, and at times overlaps with, the definition of research. In addition, a number of commenters questioned whether or not research conducted by the covered entity or its business partner must only be applicable to and used within the covered entity to be considered health care operations. Others questioned whether such studies or research performed internal to a covered entity are “health care operations” even if generalizable results may be produced.

    Response: We agree that some health care operations have many of the characteristics of research studies and in the NPRM asked for comments on how to make this distinction. While a clear answer was not suggested in any of the comments, the comments generally, together with our fact finding, led to the provisions in the final rule. The distinction between health care operations and research rests on whether the primary purpose of the study is to produce “generalizable knowledge.” We have modified the definition of health care operations to include “quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities.” If the primary purpose of the activity is to produce generalizable knowledge, the activity fits within this rule's definition of “research” and the covered entity must comply with §§ 164.508 or 164.512, including obtaining an authorization or the approval of an institutional review board or privacy board. If not and the activity otherwise meets the definition of health care operations, the activity is not research and may be conducted under the health care operations provisions of this rule.

    In some instances, the primary purpose of the activity may change as preliminary results are analyzed. An activity that was initiated as an internal outcomes evaluation may produce information that the covered entity wants to generalize. If the purpose of a study changes and the covered entity does intend to generalize the results, the covered entity should document the change in status of the activity to establish that it did not violate the requirements of this rule. (See definition of “research,” below, for further information on the distinction between “research” and “health care operations.”)

    We note that the difficulty in determining when an activity is for the internal operations of an entity and when it is a research activity is a long-standing issue in the industry. The variation among commenters' views is one of many indications that, today, there is not consensus on how to draw this line. We do not resolve the larger issue here, but instead provide requirements specific to the information covered by this rule.

    Comment: Several commenters asked that disease management and disability management activities be explicitly included in the definition of health care operations. Many health plans asserted that they would not be able to provide disease management, wellness, and health promotion activities if the activity were solely captured in the rule's definition of “treatment.” They also expressed concern that “treatment” usually applies to an individual, not to a population, as is the practice for disease management.

    Response: We were unable to find generally accepted definitions of the terms “disease management” and “disability management.” Rather than rely on this label, we include many of the functions often included in discussions of disease management in this definition or in the definition of treatment, and modify both definitions to address the commenters' concerns. For example, we have revised the definition of health care operations to include population-based activities related to improving health or reducing health care costs. This topic is discussed further in the comment responses regarding the definition of “treatment,” below.

    Comment: Several commenters urged that the definition of health care operations be illustrative and flexible, rather than structured in the form of a list as in the proposed rule. They believed it would be impossible to identify all the activities that constitute health care operations. Commenters representing health plans were concerned that the “static” nature of the definition would stifle innovation and could not reflect the new functions that health plans may develop in the future that benefit consumers, improve quality, and reduce costs. Other commenters expressed support for the approach taken in the proposed rule, but felt the list was too broad.

    Response: In the final rule, we revise the proposed definition of health care operations to broaden the list of activities included, but we do not agree with the comments asking for an illustrative definition rather than an inclusive list. Instead, we describe the activities that constitute health care operations in broad terms and categories, such as “quality assessment” and “business planning and development.” We believe the use of broadly stated categories will allow industry innovation, but without the privacy risks entailed in an illustrative approach.

    Comment: Several commenters noted that utilization review and internal quality review should be included in the definition. They pointed out that both of these activities were discussed in the preamble to the proposed rule but were not incorporated into the regulation text.

    Response: We agree and have modified the regulation text to incorporate quality assessment and improvement activities, including the development of clinical guidelines and protocol development.

    Comment: Several commenters stated that the proposal did not provide sufficient guidance regarding compiling and analyzing information in anticipation of or for use in legal proceedings. In particular, they raised concerns about the lack of specificity as to when “anticipation” would be triggered.

    Response: We agree that this provision was confusing and have replaced it with a broader reference to conducting or arranging for legal services generally.

    Comment: Hospital representatives pointed out the pressure on health care facilities to improve cost efficiencies, make cost-effectiveness studies, and benchmark essential health care operations. They emphasized that such activities often use identifiable patient information, although the products of the analyses usually do not contain identifiable health information. Commenters representing state hospital associations pointed out that they routinely receive protected health information from hospitals for analyses that are used by member hospitals for such things as quality of care benchmark comparisons, market share analysis, determining physician utilization of hospital resources, and charge comparisons.

    Response: We have expanded the definition of health care operations to include use and disclosure of protected health information for the important functions noted by these commenters. We also allow a covered entity to engage a business associate to provide data aggregation services. See § 164.504(e).

    Comment: Several commenters argued that many activities that are integral to the day-to-day operations of a health plan have not been included in the definition. Examples provided by the commenters include: issuing plan identification cards, customer service, computer maintenance, storage and back-up of radiologic images, and the installation and servicing of medical equipment or computer systems.

    Response: We agree with the commenters that there are activities not directly part of treatment or payment that are more closely associated with the administrative or clerical functions of the plan or provider that need to be included in the definition. To include such activities in the definition of health care operations, we eliminate the requirement that health care operations be directly related to treatment and payment, and we add to this definition the new categories of business management (including general administrative activities) and business planning activities.

    Comment: One commenter asked for clarification on whether cost-related analyses could also be done by providers as well as health plans.

    Response: Health care operations, including business management functions, are not limited to health plans. Any covered entity can perform health care operations.

    Comment: One commenter stated that the proposed rule did not address what happens to records when a covered entity is sold or merged with another entity.

    Response: We agree and add to the definition of health care operations disclosures of protected health information for due diligence to a covered entity that is a potential successor in interest. This provision includes disclosures pursuant to the sale of a covered entity's business as a going concern, mergers, acquisitions, consolidations, and other similar types of corporate restructuring between covered entities, including a division of a covered entity, and to an entity that is not a covered entity but will become a covered entity if the reorganization or sale is completed. Other types of sales of assets, or disclosures to organizations that are not and would not become covered entities, are not included in the definition of health care operations and could only occur if the covered entity obtained valid authorization for such disclosure in accordance with § 164.508 or if the disclosure is otherwise permitted under this rule.

    Once a covered entity is sold or merged with another covered entity, the successor in interest becomes responsible for complying with this regulation with respect to the transferred information.

    Comment: Several commenters expressed concern that the definition of health care operations failed to include the use of protected health information for the underwriting of new health care policies and took issue with the exclusion of uses and disclosures of protected health information of prospective enrollees. They expressed the concern that limiting health care operations to the underwriting and rating of existing members places a health plan in the position of not being able to evaluate prudently and underwrite a consumer's health care risk.

    Response: We agree that covered entities should be able to use the protected health information of prospective enrollees to underwrite and rate new business and change the definition of health care operations accordingly. The definition of health care operations below includes underwriting, premium rating, and other activities related to the creation of a contract of health insurance.

    Comment: Several commenters stated that group health plans needed to be able to use and disclose protected health information for purposes of soliciting a contract with a new carrier and rate setting.

    Response: We agree and add “activities relating to the ... replacement of a contract of insurance” to cover such disclosures. See § 164.504 for the rules for plan sponsors of group health plans to obtain such information.

    Comment: Commenters from the business community supported our recognition of the importance of financial risk transfer mechanisms in the health care marketplace by including “reinsurance” in the definition of health care operations. However, they stated that the term “reinsurance” alone was not adequate to capture “stop-loss insurance” (also referred to as excess of loss insurance), another type of risk transfer insurance.

    Response: We agree with the commenters that stop-loss and excess of loss insurance are functionally equivalent to reinsurance and add these to the definition of health care operations.

    Comment: Commenters from the employer community explained that there is a trend among employers to contract with a single insurer for all their insurance needs (health, disability, workers' compensation). They stated that in these integrated systems, employee health information is shared among the various programs in the system. The commenters believed the existing definition poses obstacles for those employers utilizing an integrated health system because of the need to obtain authorizations before being permitted to use protected health information from the health plan to administer or audit their disability or workers' compensation plan.

    Other commenters representing employers stated that some employers wanted to combine health information from different insurers and health plans providing employee benefits to their workforces, including its group health plan, workers' compensation insurers, and disability insurers, so that they could have more information in order to better manage the occurrences of disability and illness among their workforces. They expressed concern that the proposed rule would not permit such sharing of information.

    Response: While we agree that integrating health information from different benefit programs may produce efficiencies as well as benefits for individuals, the integration also raises significant privacy concerns, particularly if there are no safeguards on uses and disclosures from the integrated data. Under HIPAA, we do not have jurisdiction over many types of insurers that use health information, such as workers' compensation insurers or insurers providing disability income benefits, and we cannot address the extent to which they provide individually identifiable health information to a health plan, nor do we prohibit a health plan from receiving such information. Once a health plan receives identifiable health information, however, the information becomes protected and may only be used and disclosed as otherwise permitted by this rule.

    We clarify, however, that a covered entity may provide data and statistical analyses for its customers as a health care operation, provided that it does not disclose protected health information in a way that would otherwise violate this rule. A group health plan or health insurance issuer or HMO, or their business associate on their behalf, may perform such analyses for an employer customer and provide the results in de-identified form to the customer, using integrated data received from other insurers, as long as protected health information is not disclosed in violation of this rule. See the definition of “health care operations,” § 164.501. If the employer sponsors more than one group health plan, or if its group health plan provides coverage through more than one health insurance issuer or HMO, the different covered entities may be an organized health care arrangement and be able to jointly participate in such an analysis as part of the health care operations of such organized health care arrangement. See the definitions of “health care operations” and “organized health care arrangement,” § 164.501. We further clarify that a plan sponsor providing plan administration to a group health plan may participate in such an analysis, provided that the requirements of § 164.504(f) and other parts of this rule are met.

    The results described above are the same whether the health information that is being combined is from separate insurers or from one entity that has a health component and also provides excepted benefits. See the discussion relating to health care components, § 164.504.

    We note that under the arrangements described above, the final rule provides substantial flexibility to covered entities to provide general data and statistical analyses, resulting in the disclosure of de-identified information, to employers and other customers. An employer also may receive protected health information from a covered entity for any purpose, including those described in comment above, with the authorization of the individual. See § 164.508.

    Comment: A number of commenters asserted that the proposed definition appeared to limit training and educational activities to that of health care professionals, students, and trainees. They asked that we expand the definition to include other education-related activities, such as continuing education for providers and training of non-health care professionals as needed for supporting treatment or payment.

    Response: We agree with the commenters that the definition of health care operations was unnecessarily limiting with respect to educational activities and expand the definition of health care operations to include “conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers.” We clarify that medical rounds are considered treatment, not health care operations.

    Comment: A few commenters outlined the need to include the training of non-health care professionals, such as health data analysts, administrators, and computer programmers within the definition of health care operations. It was argued that, in many cases, these professionals perform functions which support treatment and payment and will need access to protected health information in order to carry out their responsibilities.

    Response: We agree and expand the definition of health care operations to include training of non-health care professionals.

    Comment: One commenter stated that the definition did not explicitly include physician credentialing and peer review.

    Response: We have revised the definition to specifically include “licensing or credentialing activities.” In addition, peer review activities are captured in the definition as reviewing the competence or qualifications of health care professionals and evaluating practitioner and provider performance.