Federal Register /Vol. 65, No. 250/Thursday, December 28 ... · 82562 Federal Register/Vol. 65, No. 250/Thursday, December 28, 2000/Rules and Regulations and to protect against the

82561Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations

A covered entity may only extend thedeadline one time per request foraccounting.

The NPRM did not address whether acovered entity could charge a fee for theaccounting of disclosures.

In the final rule, we provide thatindividuals have a right to receive onefree accounting per 12 month period.For each additional request by anindividual within the 12 month period,the covered entity may charge areasonable, cost-based fee. If it imposessuch a fee, the covered entity mustinform the individual of the fee inadvance and provide the individualwith an opportunity to withdraw ormodify the request in order to avoid orreduce the fee.

Procedures and Documentation

As in the proposed rule, we establishdocumentation requirements forcovered entities subject to thisprovision. In accordance with§ 164.530(j), for disclosures that aresubject to the accounting requirement,the covered entity must retaindocumentation of the informationrequired to be included in theaccounting. The covered entity mustalso retain a copy of any accountingprovided and must document the titlesof the persons or offices responsible forreceiving and processing requests for anaccounting.

Section 164.530—AdministrativeRequirements

Designation of a Privacy Official andContact Person

In § 164.518(a) of the NPRM, weproposed that covered entities berequired to designate an individual asthe covered entity’s privacy official,responsible for the implementation anddevelopment of the entity’s privacypolicies and procedures. We alsoproposed that covered entities berequired to designate a contact person toreceive complaints about privacy andprovide information about the matterscovered by the entity’s notice. Weindicated that the contact person couldbe, but was not required to be, theperson designated as the privacyofficial. We proposed to leaveimplementation details to the discretionof the covered entity. We expectedimplementation to vary widelydepending on the size and nature of thecovered entity, with small officesassigning this as an additional duty toan existing staff person, and largeorganizations creating a full-timeprivacy official. In proposed § 164.512,we also proposed to require the coveredplan or provider’s privacy notice to

include the name of a contact person forprivacy matters.

The final regulation retains therequirements for a privacy official andcontact person as specified in theNPRM. These designations must bedocumented. The designation of privacyofficial and contact person positionswithin affiliated entities will depend onhow the covered entity chooses todesignate the covered entity(ies) under§ 164.504(b). If a subsidiary is defined asa covered entity under this regulation,then a separate privacy official andcontact person is required for thatcovered entity. If several subsidiariesare designated as a single coveredentity, pursuant to § 164.504(b), thentogether they need have only a singleprivacy officer and contact person. Ifseveral covered entities share a noticefor services provided on the samepremises, pursuant to § 164.520(d), thatnotice need designate only one privacyofficial and contact person for theinformation collected under that notice.

These requirements are consistentwith the approach recommended by theJoint Commission on Accreditation ofHealthcare Organizations, and theNational Committee for QualityAssurance, in its paper ‘‘ProtectingPersonal Health Information; Aframework for Meeting the Challengesin a Managed Care Environment.’’ Thispaper notes that ‘‘accountability isenhanced by having focal points whoare responsible for assessing compliancewith policies and procedures * * * ’’(p. 29)

TrainingIn § 164.518(b) of the NPRM we

proposed to require that covered entitiesprovide training on the entities’ policiesand procedures to all members of theworkforce likely to have access toprotected health information. Eachentity would be required to provideinitial training by the date on which thisrule became applicable. After that date,each covered entity would have toprovide training to new members of theworkforce within a reasonable time afterjoining the entity. In addition, weproposed that when a covered entitymade material changes in its privacypolicies or procedures, it would berequired to retrain those members of theworkforce whose duties were related tothe change within a reasonable time ofmaking the change.

The NPRM would have required that,upon completion of the training, thetrainee would be required to sign astatement certifying that he or shereceived the privacy training and wouldhonor all of the entity’s privacy policiesand procedures. Entities would

determine the most effective means ofachieving this training requirement fortheir workforce. We also proposed that,at least every three years after the initialtraining, covered entities would berequired to have each member of theworkforce sign a new statementcertifying that he or she would honor allof the entity’s privacy policies andprocedures. The covered entity wouldhave been required to document itspolicies and procedures for complyingwith the training requirements.

The final regulation requires coveredentities to train all members of theirworkforce on the policies andprocedures with respect to protectedhealth information required by this rule,as necessary and appropriate for themembers of the workforce to carry outtheir functions within the coveredentity. We do not change the proposedtime lines for training existing and newmembers of the workforce, or fortraining due to material changes in thecovered entity’s policies andprocedures. We eliminate both therequirement for employees to sign acertification following training and thetriennial re-certification requirement.Covered entities are responsible forimplementing policies and proceduresto meet these requirements and fordocumenting that training has beenprovided.

SafeguardsIn § 164.518(c) of the NPRM, we

proposed to require covered entities toput in place administrative, technical,and physical safeguards to protect theprivacy of protected health information.We made reference in the preamble tosimilar requirements proposed forcertain electronic information in theNotice of Proposed Rulemaking entitledthe Security and Electronic SignatureStandards (HCFA–0049–P). We statedthat we were proposing parallel andconsistent requirements for safeguardingthe privacy of protected healthinformation. In § 164.518(c)(3) of theNPRM, we required covered entities tohave safeguards to ensure thatinformation was not used in violation ofthe requirements of this subpart or bypeople who did not have properauthorization to access the information.

We do not change the basic proposedrequirements that covered entities haveadministrative, technical and physicalsafeguards to protect the privacy ofprotected health information. Wecombine the proposed requirements intoa single standard that requires coveredentities to safeguard protected healthinformation from accidental orintentional use or disclosure that is aviolation of the requirements of this rule

VerDate 11<MAY>2000 19:16 Dec 27, 2000 Jkt 194001 PO 00000 Frm 00101 Fmt 4701 Sfmt 4700 E:\FR\FM\28DER2.SGM pfrm08 PsN: 28DER2

82562 Federal Register / Vol. 65, No. 250 / Thursday, December 28, 2000 / Rules and Regulations

and to protect against the inadvertentdisclosure of protected healthinformation to persons other than theintended recipient. Limitations onaccess to protected health informationby the covered entities workforce willalso be covered by the policies andprocedures for ‘‘minimum necessary’’use of protected health information,pursuant to § 164.514(d). We expectthese provisions to work in tandem.

We do not prescribe the particularmeasures that covered entities must taketo meet this standard, because thenature of the required policies andprocedures will vary with the size of thecovered entity and the type of activitiesthat the covered entity undertakes. (Thatis, as with other provisions of this rule,this requirement is ‘‘scalable.’’)Examples of appropriate safeguardsinclude requiring that documentscontaining protected health informationbe shredded prior to disposal, andrequiring that doors to medical recordsdepartments (or to file cabinets housingsuch records) remain locked andlimiting which personnel are authorizedto have the key or pass-code. We intendthis to be a common sense, scalable,standard. We do not require coveredentities to guarantee the safety ofprotected health information against allassaults. Theft of protected healthinformation may or may not signal aviolation of this rule, depending on thecircumstances and whether the coveredentity had reasonable policies to protectagainst theft. Organizations such as theAssociation for Testing and Materials(ASTM) and the American HealthInformation Management Association(AHIMA) have developed a body ofrecommended practices for handling ofprotected health information thatcovered entities may find useful.

We note that the proposed HIPAASecurity Standards would requirecovered entities to safeguard the privacyand integrity of health information. Forelectronic information, compliance withboth regulations will be required.

In § 164.518(c)(2) of the NPRM weproposed requirements for verificationprocedures to establish identity andauthority for permitted disclosures ofprotected health information.

In the final rule, this material hasbeen moved to § 164.514(h).

Use or Disclosure of Protected HealthInformation by Whistleblowers

In § 164.518(c)(4) of the NPRM, thisprovision was entitled ‘‘ImplementationSpecification: Disclosures bywhistleblowers.’’ It is now retitled‘‘Disclosures by whistleblowers,’’ withcertain changes, and moved to§ 164.502(j)(1).

Complaints to the Covered Entity

In § 164.518(d) of the NPRM, weproposed to require covered entities tohave a mechanism for receivingcomplaints from individuals regardingthe health plan’s or provider’scompliance with the requirements ofthis proposed rule. We did not requirethat the health plan or provider developa formal appeals mechanism, nor that‘‘due process’’ or any similar standardbe applied. Additionally, there was norequirement to respond in anyparticular manner or time frame.

We proposed two basic requirementsfor the complaint process. First, thecovered health plan or health careprovider would be required to identifyin the notice of information practices acontact person or office for receivingcomplaints. Second, the health plan orprovider would be required to maintaina record of the complaints that are filedand a brief explanation of theirresolution, if any.

In the final rule, we retain therequirement for an internal complaintprocess for compliance with this rule,including the two basic requirements ofidentifying a contact person anddocumenting complaints received andtheir dispositions, if any. We expand thescope of complaints that coveredentities must have a means of receivingto include complaints concerningviolations of the covered entity’sprivacy practices, not just violations ofthe rule. For example, a covered entitymust have a mechanism for receiving acomplaint that patient information isused at a nursing station in a way thatit can also be viewed by visitors to thehospital, regardless of whether thepractices at the nursing stations mightconstitute a violation of this rule.

Sanctions

In § 164.518(e) of the NPRM, weproposed to require all covered entitiesto develop, and apply whenappropriate, sanctions against membersof its workforce who failed to complywith privacy policies or procedures ofthe covered entity or with therequirements of the rule. Coveredentities would be required to developand impose sanctions appropriate to thenature of the violation. The preamblestated that the type of sanction appliedwould vary depending on factors suchas the severity of the violation, whetherthe violation was intentional orunintentional, and whether theviolation indicated a pattern or practiceof improper use or disclosure ofprotected health information. Sanctionscould range from a warning totermination. The NPRM preamble

language also stated that coveredentities would be required to applysanctions against business associatesthat violated the proposed rule.

In the final rule, we retain therequirement for sanctions againstmembers of a covered entity’sworkforce. We also require a coveredentity to have written policies andprocedures for the application ofappropriate sanctions for violations ofthis subpart and to document thosesanctions. These sanctions do not applyto whistleblower activities that meet theprovisions of § 164.502(j) or complaints,investigations, or opposition that meetthe provisions of § 164.530(g)(2). Weeliminate language regarding businessassociates from this section.Requirements with respect to businessassociates are stated in § 164.504.

Duty To Mitigate

In proposed § 164.518(f), we wouldhave required covered entities to havepolicies and procedures for mitigating,to the extent practicable, any deleteriouseffect of a use or disclosure of protectedhealth information in violation of therequirements of this subpart. The NPRMpreamble also included specificlanguage applying this requirement toharm caused by members of the coveredentity’s workforce and businessassociates.

With respect to business associates,the NPRM preamble but not the NPRMrule text, stated that covered entitieswould have a duty to take reasonablesteps in response to breaches of contractterms. Covered entities generally wouldnot be required to monitor the activitiesof their business associates, but wouldbe required to take steps to addressproblems of which they become aware,and, where the breach was serious orrepeated, would also be required tomonitor the business associate’sperformance to ensure that the wrongfulbehavior had been remedied.Termination of the arrangement wouldbe required only if it became clear thata business associate could not be reliedupon to maintain the privacy ofprotected health information providedto it.

In the final rule, we clarify thisrequirement by imposing a duty forcovered entities to mitigate any harmfuleffect of a use or disclosure of protectedhealth information that is known to thecovered entity. We apply the duty tomitigate to a violation of the coveredentity’s policies and procedures, not justa violation of the requirements of thesubpart. We resolve the ambiguities inthe NPRM by imposing this duty oncovered entities for harm caused by



either members of their workforce or bytheir business associates.

We eliminate the language regardingpotential breaches of business associatecontracts from this section. All otherrequirements with respect to businessassociates are stated in § 164.504.

Refraining from Intimidating orRetaliatory Acts

In § 164.522(d)(4) of the NPRM, in theCompliance and Enforcement section,we proposed that one of theresponsibilities of a covered entitywould be to refrain from intimidating orretaliatory acts. Specifically, the ruleprovided that ‘‘[a] covered entity maynot intimidate, threaten, coerce,discriminate against, or take otherretaliatory action against any individualfor the filing of a complaint under thissection, for testifying, assisting,participating in any manner in aninvestigation, compliance review,proceeding or hearing under this Act, oropposing any act or practice madeunlawful by this subpart.’’

In the final rule, we continue torequire that entities refrain fromintimidating or retaliatory acts;however, the provisions have beenmoved to the AdministrativeRequirements provisions in § 164.530.This change is not just clerical; inmaking this change, we apply thisprovision to the privacy rule alonerather than to all the HIPAAadministrative simplification rules. (Thecompliance and enforcement provisionsthat were in § 164 are now in Part 160,Subpart C.)

We continue to prohibit retaliationagainst individuals for filing acomplaint with the Secretary, but alsoprohibit retaliation against any otherperson who files such a complaint. Thisis the case because the term‘‘individual’’ is generally limited to theperson who is the subject of theinformation. The final rule prohibitsretaliation against persons, not justindividuals, for testifying, assisting, orparticipating in an investigation,compliance review, proceeding orhearing under Part C of Title XI. Theproposed regulation referenced the‘‘Act,’’ which is defined in Part 160 asthe Social Security Act. Because weonly intend to protect activities such asparticipation in investigations andhearings under the AdministrativeSimplification provisions of HIPAA, thefinal rule references Part C of Title XI ofthe Social Security Act.

The proposed rule would haveprohibited retaliatory actions againstindividuals for opposing any act orpractice made unlawful by this subpart.The final rule retains this provision, but

applies it to any person, only if theperson ‘‘has a good faith belief that thepractice opposed is unlawful, themanner of the opposition is reasonableand does not involve a disclosure ofprotected health information inviolation of this subpart.’’ The final ruleprovides additional protections, whichhad been included in the preamble tothe proposed rule. Specifically, weprohibit retaliatory actions againstindividuals who exercise any right, orparticipate in any process established bythe privacy rule (Part 164 Subpart E),and include as an example the filing ofa complaint with the covered entity.

Waiver of RightsIn the final regulation, but not in the

proposed regulation, we provide that acovered entity may not requireindividuals to waive their rights to filea complaint with the Secretary or theirother rights under this rule as acondition of the provision of treatment,payment, enrollment in a health plan oreligibility for benefits. This provisionensures that covered entities do not takeaway the rights that individuals havebeen provided in Parts 160 and 164.

Requirements for Policies andProcedures, and DocumentationRequirements

In § 164.520 of the NPRM, weproposed to require covered entities todevelop and document their policiesand procedures for implementing therequirements of the rule. In the finalregulation we retain this approach, butspecify which standards must bedocumented in each of the relevantsections. In this section, we state thegeneral administrative requirementsapplicable to all policies and proceduresrequired throughout the regulation.

In § 164.530(i), (j), and (k) of the finalrule, we amend the NPRM language inseveral respects. In § 164.530(i) werequire that the policies and proceduresbe reasonably designed to comply withthe standards, implementationspecifications, and other requirementsof the relevant part of the regulation,taking into account the size of thecovered entity and the nature of theactivities undertaken by the coveredentity that relate to protected healthinformation. However, we clarify thatthe requirements that policies andprocedures be reasonably designed maynot be interpreted to permit or excuseany action that violates the privacyregulation. Where the covered entity hasstated in its notice that it reserves theright to change information practices,we allow the new practice to apply toinformation created or collected prior tothe effective date of the new practice

and establish requirements for makingthis change. We also establish theconditions for making changes if thecovered entity has not reserved the rightto change its practices.

We require covered entities to modifyin a prompt manner their policies andprocedures to comply with changes inrelevant law and, where the change alsoaffects the practices stated in the notice,to change the notice. We make clear thatnothing in our requirements regardingchanges to policies and procedures orchanges to the notice may be used by acovered entity to excuse a failure tocomply with applicable law.

In § 164.530(j), we require that thepolicies and procedures requiredthroughout the regulation be maintainedin writing, and that any othercommunication, action, activity, ordesignation that must be documentedunder this regulation be documented inwriting. We note that ‘‘writing’’ includeselectronic storage; paper records are notrequired. We also note that, if a coveredentity is required to document the titleof a person, we mean the job title orsimilar description of the relevantposition or office.

We require covered entities to retainany documentation required under thisrule for at least six years (the statute oflimitations period for the civil penalties)from the date of the creation of thedocumentation, or the date when thedocument was last in effect, which everis later. This generalizes the NPRMprovision to cover all documentationrequired under the rule. The languageon ‘‘last was in effect’’ is a change fromthe NPRM which was worded ‘‘unless alonger period applies under thissubpart.’’

This approach is consistent with theapproach recommended by the JointCommission on Accreditation ofHealthcare Organizations, and theNational Committee for QualityAssurance, in its paper ‘‘ProtectingPersonal Health Information; Aframework for Meeting the Challengesin a Managed Care Environment.’’ Thispaper notes that ‘‘MCOs [Managed CareOrganizations] should have clearlydefined policies and procedures fordealing with confidentiality issues.’’ (p.29).

Standards for Certain Group HealthPlans

We add a new provision (§ 164.530(k))to clarify the administrativeresponsibilities of group health plansthat offer benefits through issuers andHMOs. Specifically, a group health planthat provides benefits solely through anissuer or HMO, and that does not create,receive or maintain protected health



information other than summary healthinformation or information regardingenrollment and disenrollment, is notsubject to the requirements of thissection regarding designation of aprivacy official and contact person,workforce training, safeguards,complaints, mitigation, or policies andprocedures. Such a group health plan isonly subject to the requirements of thissection regarding documentation withrespect to its plan documents. Issuersand HMOs are covered entities underthis rule, and thus have independentobligations to comply with this sectionwith respect to the protected healthinformation they maintain about theenrollees in such group health plans.The group health plans subject to thisprovision will have only limitedprotected health information. Therefore,imposing these requirements on thegroup health plan would imposeburdens not outweighed by acorresponding enhancement in privacyprotections.

Section 164.532—Transition ProvisionsIn the NPRM, we did not address the

effect of the regulation on consents andauthorizations covered entities obtainedprior to the compliance date of theregulation.

In the final rule, we clarify that, incertain circumstances, a covered entitymay continue to rely upon consents,authorizations, or other express legalpermissions obtained prior to thecompliance date of this regulation to useor disclose protected health informationeven if these consents, authorizations,or permissions do not meet therequirements set forth in §§ 164.506 or164.508.

We realize that a covered entity maywish to rely upon a consent,authorization, or other express legalpermission obtained from an individualprior to the compliance date of thisregulation which permits the use ordisclosure of individually identifiablehealth information for activities thatcome within treatment, payment, orhealth care operations (as defined in§ 164.501), but that do not meet therequirements for consents set forth in§ 164.506. In the final rule, we permit acovered entity to rely upon suchconsent, authorization, or permission touse or disclose protected healthinformation that it created or receivedbefore the applicable compliance date ofthe regulation to carry out the treatment,payment, or health care operations aslong as it meets two requirements. First,the covered entity may not make anyuse or disclosure that is expresslyexcluded from the consent,authorization, or permission. Second,

the covered entity must comply with alllimitations expressed in the consent,authorization, or permission. Thus, wedo not require a covered entity to obtaina consent that meets the requirements of§ 164.506 to use or disclose thispreviously obtained protected healthinformation as long as the use ordisclosure is consistent with therequirements of this section. However, acovered entity will need to obtain aconsent that meets the requirements of§ 164.506 to the extent that it is requiredto obtain a consent under § 164.506from an individual before it may use ordisclose any protected healthinformation it creates or receives afterthe date by which it must comply withthis rule.

Similarly, we recognize that a coveredentity may wish to rely upon a consent,authorization, or other express legalpermission obtained from an individualprior to the applicable compliance dateof this regulation that specificallypermits the covered entity to use ordisclose individually identifiable healthinformation for activities other than tocarry out treatment, payment, or healthcare operations. In the final rule, wepermit a covered entity to rely uponsuch a consent, authorization, orpermission to use or disclose protectedhealth information that it created orreceived before the applicablecompliance date of the regulation for thespecific activities described in theconsent, authorization, or permission aslong as the covered entity complies withtwo requirements. First, the coveredentity may not make any use ordisclosure that is expressly excludedfrom the consent, authorization, orpermission. Second, the covered entitymust comply with all limitationsexpressed in the consent, authorization,or permission. Thus, we do not requireda covered entity to obtain anauthorization that meets therequirements of § 164.508 to use ordisclose this previously obtainedprotected health information so long asthe use or disclosure is consistent withthe requirements of this section.However, a covered entity will need toobtain an authorization that meets therequirements of § 164.508, to the extentthat it is required to obtain anauthorization under this rule, from anindividual before it may use or discloseany protected health information itcreates or receives after the date bywhich it must comply with this rule.

Additionally, the final ruleacknowledges that covered entities maywish to rely upon consents,authorizations, or other express legalpermission obtained from an individualprior to the applicable compliance date

for a specific research project thatincludes the treatment of individuals,such as clinical trials. These consents,authorizations, or permissions mayspecifically permit a use or disclosure ofindividually identifiable healthinformation for purposes of the project.Alternatively, they may be generalconsents to participate in the project. Acovered entity may use or discloseprotected health information it createdor received before or after to theapplicable compliance date of this rulefor purposes of the project provided thatthe covered entity complies with alllimitations expressed in the consent,authorization, or permission.

If, pursuant to this section, a coveredentity relies upon a previously obtainedconsent, authorization, or other expresslegal permission and agrees to a requestfor a restriction by an individual under§ 164.522(a), any subsequent use ordisclosure under that consent,authorization, or permission mustcomply with the agreed upon restrictionas well.

We believe it is necessary tograndfather in previously obtainedconsents, authorizations, or otherexpress legal permissions in thesecircumstances to ensure that importantfunctions of the health care system arenot impeded. We link the effectivenessof such consents, authorizations, orpermissions in these circumstances tothe applicable compliance date to givecovered entities sufficient notice of therequirements set forth in §§ 164.506 and164.508.

The rule does not change the pasteffectiveness of consents,authorizations, or other express legalpermissions that do not come withinthis section. This means that uses ordisclosures of individually identifiablehealth information made prior to thecompliance date of this regulation arenot subject to sanctions, even if theywere made pursuant to documents orpermissions that do not meet therequirements of this rule or were madewithout permission. This rule altersonly the future effectiveness of thepreviously obtained consents,authorizations, or permissions. Coveredentities are not required to rely uponthese consents, authorizations, orpermissions and may obtain newconsents or authorizations that meet theapplicable requirements of §§ 164.506and 164.508.

When reaching this decision, weconsidered requiring all covered entitiesto obtain new consents or authorizationsconsistent with the requirements of§§ 164.506 and 164.508 before theywould be able to use or discloseprotected health information obtained



after the compliance date of these rules.We rejected this option because werecognize that covered entities may notalways be able to obtain new consentsor authorizations consistent with therequirements of §§ 164.506 and 164.508from all individuals upon whoseinformation they rely. We also refrainedfrom impeding the rights of coveredentities to exercise their interests in therecords they have created. We do notrequire covered entities with existingrecords or databases to destroy orremove the protected health informationfor which they do not have validconsents or authorizations that meet therequirements of §§ 164.506 and 164.508.Covered entities may rely upon theconsents, authorizations, or permissionsthey obtained from individuals prior tothe applicable compliance date of thisregulation consistent with theconstraints of those documents and therequirements discussed above.

We note that if a covered entityobtains before the applicablecompliance date of this regulation aconsent that meets the requirements of§ 164.506, an authorization that meetsthe requirements of § 164.508, or an IRBor privacy board waiver of authorizationthat meets the requirements of§ 164.512(i), the consent, authorization,or waiver is effective for uses ordisclosures that occur after thecompliance date and that are consistentwith the terms of the consent,authorization, or waiver.

Section 164.534—Compliance Dates forInitial Implementation of the PrivacyStandards

In the NPRM, we provided that acovered entity must be in compliancewith this subpart not later than 24months following the effective date ofthis rule, except that a covered entitythat is a small health plan must be incompliance with this subpart not laterthan 36 months following the effectivedate of the rule.

The final rule did not make anysubstantive changes. The format ischanged so as to more clearly presentthe various compliance dates. The finalrule lists the types of covered entitiesand then the various dates that wouldapply to each of these entities.

III. Section-by-Section Discussion ofComments

The following describes theprovisions in the final regulation, andthe changes we make to the proposedprovisions section-by-section. Followingeach section are our responses to thecomments to that section. This sectionof the preamble is organized to follow

the corresponding section of the finalrule, not the NPRM.

General Comments

We received many comments on therule overall, not to a particularprovision. We respond to thosecomments here. Similar comments, butdirected to a specific provision in theproposed rule, are answered below inthe corresponding section of thispreamble.

Comments on the Need for PrivacyStandards, and Effects of thisRegulation on Current Protections

Comment: Many commentersexpressed the opinion that federallegislation is necessary to protect theprivacy of individuals’ healthinformation. One comment advocatedCongressional efforts to provide acomprehensive federal health privacylaw that would integrate the substanceabuse regulations with the privacyregulation.

Response: We agree thatcomprehensive privacy legislation isurgently needed. This administrationhas urged the Congress to pass suchlegislation. While this regulation willimprove the privacy of individuals’health information, only legislation canprovide the full array of privacyprotection that individuals need anddeserve.

Comment: Many commenters notedthat they do not go to a physician, or donot completely share health informationwith their physician, because they areconcerned about who will have accessto that information. Many physicianscommented on their patients’ reluctanceto share information because of fear thattheir information will later be usedagainst them.

Response: We agree that strong federalprivacy protections are necessary toenhance patients’ trust in the healthcare system.

Comment: Many commentersexpressed concerns that this regulationwill allow access to health informationby those who today do not have suchaccess, or would allow their physicianto disclose information which may notlawfully be disclosed today. Many ofthese commenters stated that today,they consent to every disclosure ofhealth information about them, and thatabsent their consent the privacy of theirhealth information is ‘‘absolute.’’ Othersstated that, today, health information isdisclosed only pursuant to a judicialorder. Several commenters wereconcerned that this regulation wouldoverride stronger state privacyprotection.

Response: This regulation does not,and cannot, reduce current privacyprotections. The statutory language ofthe HIPAA specifically mandates thatthis regulation does not preempt statelaws that are more protective of privacy.

As discussed in more detail in laterthis preamble, while many peoplebelieve that they must be askedpermission prior to any release of healthinformation about them, current lawsgenerally do not impose such arequirement. Similarly, as discussed inmore detail later in this preamble,judicial review is required today onlyfor a small proportion of releases ofhealth information.

Comment: Many commenters assertedthat today, medical records ‘‘belong’’ topatients. Others asserted that patientsown their medical information andhealth care providers and insurancecompanies who maintain health recordsshould be viewed as custodians of thepatients’ property.

Response: We do not intend to changecurrent law regarding ownership of orresponsibility for medical records. Indeveloping this rule we reviewedcurrent law on this and related issues,and built on that foundation.

Under state laws, medical records areoften the property of the health careprovider or medical facility that createdthem. Some state laws also providepatients with access to medical recordsor an ownership interest in the healthinformation in medical records.However, these laws do not divest thehealth care provider or the medicalfacility of its ownership interest inmedical records. These statutestypically provide a patient the right toinspect or copy health information fromthe medical record, but not the right totake the provider’s original copy of anitem in the medical record. If aparticular state law provides greaterownership rights, this regulation leavessuch rights in place.

Comment: Some commenters arguedthat the use and disclosure of sensitivepersonal information must be strictlyregulated, and violation of suchregulations should subject an entity tosignificant penalties and sanctions.

Response: We agree, and share thecommenters’ concern that the penaltiesin the HIPAA statute are not sufficientto fully protect individuals’ privacyinterests. The need for strongerpenalties is among the reasons webelieve Congress should passcomprehensive privacy legislation.

Comment: Many commentersexpressed the opinion that the proposedruled should provide stricter privacyprotections.



Response: We received nearly 52,000comments on the proposed regulation,and make substantial changes to theproposal in response to thosecomments. Many of these changes willstrengthen the protections that wereproposed in the NPRM.

Comment: Many comments expressconcerns that their health informationwill be given to their employers.

Response: We agree that employeraccess to health information is aparticular concern. In this finalregulation, we make significant changesto the NPRM that clarify and provideadditional safeguards governing whenand how the health plans covered bythis regulation may disclose healthinformation to employers.

Comment: Several commenters arguedthat individuals should be able to suefor breach of privacy.

Response: We agree, but do not havethe legislative authority to grant aprivate right of action to sue under thisstatute. Only Congress can grant thatright.

Objections to Government Access toProtected Health Information

Comment: Many commenters urgedthe Department not to create agovernment database of healthinformation, or a tracking system thatwould enable the government to trackindividuals health information.

Response: This regulation does notcreate such a database or trackingsystem, nor does it enable futurecreation of such a database. Thisregulation describes the ways in whichhealth plans, health care clearinghouses,and certain health care providers mayuse and disclose identifiable healthinformation with and without theindividual’s consent.

Comment: Many commenters objectedto government access to or control overtheir health information, which theybelieve the proposed regulation wouldprovide.

Response: This regulation does notincrease current government access tohealth information. This rule setsminimum privacy standards. It does notrequire disclosure of health information,other than to the subject of the recordsor for enforcement of this rule. Healthplans and health care providers are freeto use their own professional ethics andjudgement to adopt stricter policies fordisclosing health information.

Comment: Some commenters viewedthe NPRM as creating fewer hurdles forgovernment access to protected healthinformation than for access to protectedhealth information by privateorganizations. Some health careproviders commented that the NPRM

would impose substantial newrestrictions on private sector use anddisclosure of protected healthinformation, but would makegovernment access to protected healthinformation easy. One consumeradvocacy group made the sameobservation.

Response: We acknowledge that manyof the national priority purposes forwhich we allow disclosure of protectedhealth information without consent orauthorization are for governmentfunctions, and that many of thegovernmental recipients of suchinformation are not governed by thisrule. It is the role of government toundertake functions in the broaderpublic interest, such as public healthactivities, law enforcement,identification of deceased individualsthrough coroners’ offices, and militaryactivities. It is these public purposeswhich can sometimes outweigh anindividual’s privacy interest. In thisrule, we specify the circumstances inwhich that balance is tipped toward thepublic interest with respect to healthinformation. We discuss the rationalebehind each of these permitteddisclosures in the relevant preamblesections below.

Miscellaneous Comments

Comment: Many commenters objectedto the establishment of a uniqueidentifier for health care or otherpurposes.

Response: This regulation does notcreate an identifier. We assume thesecomments refer to the unique healthidentifier that Congress directed theSecretary to promulgate undersection1173(b) of the Social SecurityAct, added by section 262 of the HIPAA.Because of the public concerns aboutsuch an identifier, in the summer of1998 Vice President Gore announcedthat the Administration would notpromulgate such a regulation untilcomprehensive medical privacyprotections were in place. In the fall ofthat year, Congress prohibited theDepartment from promulgating such anidentifier, and that prohibition remainsin place. The Department has no plansto promulgate a unique health identifier.

Comment: Many commenters askedthat we withdraw the proposedregulation and not publish a final rule.

Response: Under section 264 of theHIPAA, the Secretary is required byCongress to promulgate a regulationestablishing standards for healthinformation privacy. Further, for thereasons explained throughout thispreamble above, we believe that theneed to protect health information

privacy is urgent and that thisregulation is in the public’s interest.

Comment: Many commenters expressthe opinion that their consent should berequired for all disclosure of their healthinformation.

Response: We agree that consentshould be required prior to release ofhealth information for many purposes,and impose such a requirement in thisregulation. Requiring consent prior toall release of health information,however, would unduly jeopardizepublic safety and make many operationsof the health care system impossible.For example, requiring consent prior torelease of health information to a publichealth official who is attempting to trackthe source of an outbreak or epidemiccould endanger thousands of lives.Similarly, requiring consent before anoversight official could audit a healthplan would make detection of healthcare fraud all but impossible; it couldtake health plans months or years tolocate and obtain the consent of allcurrent and past enrollees, and thehealth plan would not have a strongincentive to do so. These uses ofmedical information are clearly in thepublic interest.

In this regulation, we must balanceindividuals’ privacy interests against thelegitimate public interests in certainuses of health information. Where thereis an important public interest, thisregulation imposes proceduralsafeguards that must be met prior torelease of health information, in lieu ofa requirement for consent. In someinstances the procedural safeguardsconsist of limits on the circumstances inwhich information may be disclosed, inothers the safeguards consist of limitson what information may be disclosed,and in other cases we require some formof legal process (e.g., a warrant orsubpoena) prior to release of healthinformation. We also allow disclosure ofhealth information without consentwhere other law mandates thedisclosures. Where such other lawexists, another public entity has madethe determination that the publicinterests outweigh the individual’sprivacy interests, and we do not upsetthat determination in this regulation. Inshort, we tailor the safeguards to matchthe specific nature of the publicpurpose. The specific safeguards areexplained in each section of thisregulation below.

Comment: Many comments addressmatters not relevant to this regulation,such as alternative fuels, hospitalreimbursement, and gulf war syndrome.

Response: These and similar mattersare not relevant to this regulation andwill not be addressed further.



Comment: A few commentersquestioned why this level of detail isneeded in response to the HIPAACongressional mandate.

Response: This level of detail isnecessary to ensure that individuals’rights with respect to their healthinformation are clear, while alsoensuring that information necessary forimportant public functions, such asprotecting public health, promotingbiomedical research, fighting health carefraud, and notifying family members indisaster situations, will not be impairedby this regulation. We designed this ruleto reflect current practices and changesome of them. The comments and ourfact finding revealed the complexity ofcurrent health information practices,and we believe that the complexityentailed in reflecting those practices isbetter public policy than a perhapssimpler rule that disturbed importantinformation flows.

Comment: A few comments statedthat the goal of administrativesimplification should never override theprivacy of individuals.

Response: We believe that privacy isa necessary component ofadministrative simplification, not acompeting interest.

Comment: At least one commentersaid that the goal of administrativesimplification is not well served by theproposed rule.

Response: Congress recognized thatprivacy is a necessary component ofadministrative simplification. Thestandardization of electronic healthinformation mandated by the HIPAAthat make it easier to share thatinformation for legitimate purposes alsomake the inappropriate sharing of thatinformation easier. For this reason,Congress included a mandate forprivacy standards in this section of theHIPAA. Without appropriate privacyprotections, public fear and instances ofabuse would make it impossible for usto take full advantage of theadministrative and costs benefitsinherent in the administrativesimplification standards.

Comment: At least one commenterasked us to require psychotherapists toassert any applicable legal privilege onpatients’ behalf when protected healthinformation is requested.

Response: Whether and when toassert a claim of privilege on a patient’sbehalf is a matter for other law and forthe ethics of the individual health careprovider. This is not a decision that canor should be made by the federalgovernment.

Comment: One commenter called forHHS to consider the privacy regulationin conjunction with the other HIPAA

standards. In particular, this commentfocused on the belief that the SecurityStandards should be compatible withthe existing and emerging health careand information technology industrystandards.

Response: We agree that both thisregulation and the final SecurityRegulation should be compatible withexisting and emerging technologyindustry standards. This regulation is‘‘technology neutral.’’ We do notmandate the use of any particulartechnologies, but rather set standardswhich can be met through a variety ofmeans.

Comment: Several commentersclaimed that the statutory authoritygiven under HIPAA cannot providemeaningful privacy protections becausemany entities with access to protectedhealth information, such as employers,worker’s compensation carriers, and lifeinsurance companies, are not coveredentities. These commenters expressedsupport for comprehensive legislation toclose many of the existing loopholes.

Response: We agree with thecommenters that comprehensivelegislation is necessary to provide fullprivacy protection and have called formembers of Congress to pass suchlegislation to prevent unauthorized andpotentially harmful uses and disclosuresof information.

Part 160—Subpart A—GeneralProvisions

Section 160.103—Definitions

Business AssociateThe response to comments on the

definition of ‘‘business partner,’’renamed in this rule as ‘‘businessassociate,’’ is included in the responseto comments on the requirements forbusiness associates in the preamblediscussion of § 164.504.

Covered EntityComment: A number of commenters

urged the Department to expand orclarify the definition of ‘‘covered entity’’to include certain entities other thanhealth care clearinghouses, health plans,and health care providers who conductstandard transactions. For example,several commenters asked that theDepartment generally expand the scopeof the rule to cover all entities thatreceive or maintain individuallyidentifiable health information; othersspecifically urged the Department tocover employers, marketing firms, andlegal entities that have access toindividually identifiable healthinformation. Some commenters askedthat life insurance and casualtyinsurance carriers be considered

covered entities for purposes of thisrule. One commenter recommended thatPharmacy Benefit Management (PBM)companies be considered coveredentities so that they may use anddisclose protected health informationwithout authorization.

In addition, a few commenters askedthe Department to clarify that thedefinition includes providers who donot directly conduct electronictransactions if another entity, such as abilling service or hospital, does so ontheir behalf.

Response: We understand that manyentities may use and discloseindividually identifiable healthinformation. However, our jurisdictionunder the statute is limited to healthplans, health care clearinghouses, andhealth care providers who transmit anyhealth information electronically inconnection with any of the standardfinancial or administrative transactionsin section 1173(a) of the Act. These arethe entities referred to in section1173(a)(1) of the Act and thus listed in§ 160.103 of the final rule.Consequently, once protected healthinformation leaves the purview of one ofthese covered entities, their businessassociates, or other related entities (suchas plan sponsors), the information is nolonger afforded protection under thisrule. We again highlight the need forcomprehensive federal legislation toeliminate such gaps in privacyprotection.

We also provide the followingclarifications with regard to specificentities.

We clarify that employers andmarketing firms are not covered entities.However, employers may be plansponsors of a group health plan that isa covered entity under the rule. In sucha case, specific requirements apply tothe group health plan. See the preambleon § 164.504 for a discussion of specific‘‘firewall’’ and other organizationalrequirements for group health plans andtheir employer sponsors. The final rulealso contains provisions addressingwhen an insurance issuer providingbenefits under a group health plan maydisclose summary health information toa plan sponsor.

With regard to life and casualtyinsurers, we understand that suchbenefit providers may use and discloseindividually identifiable healthinformation. However, Congress did notinclude life insurers and casualtyinsurance carriers as ‘‘health plans’’ forthe purposes of this rule and thereforethey are not covered entities. See thediscussion regarding the definition of‘‘health plan’’ and excepted benefits.



In addition, we clarify that a PBM isa covered entity only to the extent thatit meets the definition of one or more ofthe entities listed in § 160.102. Whenproviding services to patients throughmanaged care networks, it is likely thata PBM is acting as a business associateof a health plan, and may thus use anddisclose protected health informationpursuant to the relevant provisions ofthis rule. PBMs may also be businessassociates of health care providers. Seethe preamble sections on §§ 164.502,164.504, and 164.506 for discussions ofthe specific requirements related tobusiness associates and consent.

Lastly, we clarify that health careproviders who do not submit HIPAAtransactions in standard form becomecovered by this rule when other entities,such as a billing service or a hospital,transmit standard electronictransactions on their behalf. Theprovider could not circumvent theserequirements by assigning the task to acontractor.

Comment: Many commenters urgedthe Department to restrict or clarify thedefinition of ‘‘covered entity’’ toexclude certain entities, such asdepartment-operated hospitals (publichospitals); state Crime VictimCompensation Programs; employers;and certain lines of insurers, such asworkers’ compensation insurers,property and casualty insurers,reinsurers, and stop-loss insurers. Onecommenter expressed concern thatclergy, religious practitioners, and otherfaith-based service providers wouldhave to abide by the rule and asked thatthe Department exempt prayer healingand non-medical health care.

Response: The Secretary provides thefollowing clarifications in response tothese comments. To the extent that a‘‘department-operated hospital’’ meetsthe definition of a ‘‘health careprovider’’ and conducts any of thestandard transactions, it is a coveredentity for the purposes of this rule. Weagree that a state Crime VictimCompensation Program is not a coveredentity if it is not a health care providerthat conducts standard transactions,health plan, or health careclearinghouse. Further, as describedabove, employers are not coveredentities.

In addition, we agree that workers’compensation insurers, property andcasualty insurers, reinsurers, and stop-loss insurers are not covered entities, asthey do not meet the statutory definitionof ‘‘health plan.’’ See further discussionin the preamble on § 160.103 regardingthe definition of ‘‘health plan.’’However, activities related to ceding,securing, or placing a contract for

reinsurance, including stop-lossinsurance, are health care operations inthe final rule. As such, reinsurers andstop-loss insurers may obtain protectedhealth information from coveredentities.

Also, in response to the commentregarding religious practitioners, theDepartment clarifies that ‘‘health care’’as defined under the rule does notinclude methods of healing that aresolely spiritual. Therefore, clergy orother religious practitioners that providesolely religious healing services are nothealth care providers within themeaning of this rule, and consequentlynot covered entities for the purposes ofthis rule.

Comment: A few commentersexpressed general uncertainty andrequested clarification as to whethercertain entities were covered entities forthe purposes of this rule. Onecommenter was uncertain as to whetherthe rule applies to certain social serviceentities, in addition to clinical socialworkers that the commenter believes areproviders. Other commenters askedwhether researchers or non-governmental entities that collect andanalyze patient data to monitor andevaluate quality of care are coveredentities. Another commenter requestedclarification regarding the definition’sapplication to public health agenciesthat also are health care providers aswell as how the rule affects publichealth agencies in their data collectionfrom covered entities.

Response: Whether the professionalsdescribed in these comments arecovered by this rule depends on theactivities they undertake, not on theirprofession or degree. The definitions inthis rule are based on activities andfunctions, not titles. For example, asocial service worker whose activitiesmeet this rule’s definition of health carewill be a health care provider. If thatsocial service worker also transmitsinformation in a standard HIPAAtransaction, he or she will be a coveredhealth entity under this rule. Anothersocial service worker may provideservices that do not meet the rule’sdefinition of health care, or may nottransmit information in a standardtransaction. Such a social serviceworker is not a covered entity under thisrule. Similarly, researchers in and ofthemselves are not covered entities.However, researchers may also be healthcare providers if they provide healthcare. In such cases, the persons, orentities in their role as health careproviders may be covered entities ifthey conduct standard transactions.

With regard to public health agenciesthat are also health care providers, the

health care provider ‘‘component’’ ofthe agency is the covered entity if thatcomponent conducts standardtransactions. See discussion of ‘‘healthcare components’’ below. As to the datacollection activities of a public healthagency, the final rule in § 164.512(b)permits a covered entity to discloseprotected health information to publichealth authorities under specifiedcircumstances, and permits publichealth agencies that are also coveredentities to use protected healthinformation for these purposes. See§ 164.512(b) for further details.

Comment: A few commentersrequested that the Department clarifythat device manufacturers are notcovered entities. They stated that theproposal did not provide enoughguidance in cases where the‘‘manufacturer supplier’’ has only onepart of its business that acts as the‘‘supplier,’’ and additional detail isneeded about the relationship of the‘‘supplier component’’ of the companyto the rest of the business. Similarly,another commenter asserted that drug,biologics, and device manufacturersshould not be covered entities simply byvirtue of their manufacturing activities.

Response: We clarify that if a suppliermanufacturer is a Medicare supplier,then it is a health care provider, and itis a covered entity if it conductsstandard transactions. Further, weclarify that a manufacturer of suppliesrelated to the health of a particularindividual, e.g., prosthetic devices, is ahealth care provider because themanufacturer is providing ‘‘health care’’as defined in the rule. However, thatmanufacturer is a covered entity only ifit conducts standard transactions. Wedo not intend that a manufacturer ofsupplies that are generic and notcustomized or otherwise specificallydesigned for particular individuals, e.g.,ace bandages for a hospital, is a healthcare provider. Such a manufacturer isnot providing ‘‘health care’’ as definedin the rule and is therefore not a coveredentity. We note that, even if such amanufacturer is a covered entity, it maybe an ‘‘indirect treatment provider’’under this rule, and thus not subject toall of the rule’s requirements.

With regard to a ‘‘suppliercomponent,’’ the final rule addresses thestatus of the unit or unit(s) of a largerentity that constitute a ‘‘health carecomponent.’’ See further discussionunder § 164.504 of this preamble.

Finally, we clarify that drug,biologics, and device manufacturers arenot health care providers simply byvirtue of their manufacturing activities.The manufacturer must be providinghealth care consistent with the final



rule’s definition in order to beconsidered a health care provider.

Comment: A few commenters askedthat the Department clarify thatpharmaceutical manufacturers are notcovered entities. It was explained thatpharmaceutical manufacturers providesupport and guidance to doctors andpatients with respect to the proper useof their products, provide free productsfor doctors to distribute to patients, andoperate charitable programs that providepharmaceutical drugs to patients whocannot afford to buy the drugs theyneed.

Response: A pharmaceuticalmanufacturer is only a covered entity ifthe manufacturer provides ‘‘health care’’according to the rule’s definition andconducts standard transactions. In theabove case, a pharmaceuticalmanufacturer that provides support andguidance to doctors and patientsregarding the proper use of theirproducts is providing ‘‘health care’’ forthe purposes of this rule, and therefore,is a health care provider to the extentthat it provides such services. Thepharmaceutical manufacturer that is ahealth care provider is only a coveredentity, however, if it conducts standardtransactions. We note that this rulepermits a covered entity to discloseprotected health information to anyperson for treatment purposes, withoutspecific authorization from theindividual. Therefore, a covered healthcare provider is permitted to discloseprotected health information to apharmaceutical manufacturer fortreatment purposes. Providing freesamples to a health care provider doesnot in itself constitute health care. Forfurther analysis of pharmacy assistanceprograms, see response to comment on§ 164.501, definition of ‘‘payment.’’

Comment: Several commenters askedabout the definition of ‘‘covered entity’’and its application to health careentities within larger organizations.

Response: A detailed discussion ofthe final rule’s organizationalrequirements and firewall restrictionsfor ‘‘health care components’’ of largerentities, as well as for affiliated, andother entities is found at the discussionof § 164.504 of this preamble. Thefollowing responses to commentsprovide additional information withrespect to particular ‘‘componententity’’ circumstances.

Comment: Several commenters askedthat we clarify the definition of coveredentity to state that with respect topersons or organizations that providehealth care or have created health plansbut are primarily engaged in otherunrelated businesses, the term ‘‘coveredentity’’ encompasses only the health

care components of the entity.Similarly, others recommended thatonly the component of a governmentagency that is a provider, health plan, orclearinghouse should be considered acovered entity.

Other commenters requested that werevise proposed § 160.102 to apply onlyto the component of an entity thatengages in the transactions specified inthe rule. Commenters stated thatcompanies should remain free toemploy licensed health care providersand to enter into corporate relationshipswith provider institutions without fearof being considered to be a coveredentity. Another commenter suggestedthat the regulation not apply to theprovider-employee or employer whenneither the provider nor the companyare a covered entity.

Some commenters specifically arguedthat the definition of ‘‘covered entity’’did not contemplate an integratedhealth care system and one commenterstated that the proposal would disruptthe multi-disciplinary, collaborativeapproach that many take to health caretoday by treating all components asseparate entities. Commenters,therefore, recommended that the ruletreat the integrated entity, not itsconstituent parts, as the covered entity.

A few commenters asked that theDepartment further clarify the definitionwith respect to the uniqueorganizational models and relationshipsof academic medical centers and theirparent universities and the rules thatgovern information exchange within theinstitution. One commenter askedwhether faculty physicians who arepaid by a medical school or facultypractice plan and who are on themedical staff of, but not paid directlyby, a hospital are included within thecovered entity. Another commenterstated that it appears that only thehealth center at an academic institutionis the covered entity. Uncertainty wasalso expressed as to whether othercomponents of the institution that mightcreate protected health information onlyincidentally through the conduct ofresearch would also be covered.

Response: The Departmentunderstands that in today’s health careindustry, the relationships among healthcare entities and non-health careorganizations are highly complex andvaried. Accordingly, the final rule givescovered entities some flexibility tosegregate or aggregate its operations forpurposes of the application of this rule.The new component entity provisioncan be found at §§ 164.504(b)-(c). Inresponse to the request for clarificationon whether the rule would apply to aresearch component of the covered

entity, we point out that if the researchactivities fall outside of the health carecomponent they would not be subject tothe rule. One organization may have oneor several ‘‘health care component(s)’’that each perform one or more of thehealth care functions of a coveredentity, i.e., health care provider, healthplan, health care clearinghouse. Inaddition, the final rule permits coveredentities that are affiliated, i.e., sharecommon ownership or control, todesignate themselves, or their healthcare components, together to be a singlecovered entity for purposes of the rule.

It appears from the comments thatthere is not a common understanding ofthe meaning of ‘‘integrated deliverysystem.’’ Arrangements that apply thislabel to themselves operate and shareinformation many different ways, andmay or may not be financially orclinically integrated. In some cases,multiple entities hold themselves out asone enterprise and engage together inclinical or financial activities. In others,separate entities share information butdo not provide treatment together orshare financial risk. Many health careproviders participate in more than onesuch arrangement.

Therefore, we do not include aseparate category of ‘‘covered entity’’under this rule for ‘‘integrated deliverysystems’’ but instead accommodate theoperations of these varied arrangementsthrough the functional provisions of therule. For example, covered entities thatoperate as ‘‘organized health carearrangements’’ as defined in this rulemay share protected health informationfor the operation of such arrangementwithout becoming business associates ofone another. Similarly, the regulationdoes not require a business associatearrangement when protected healthinformation is shared for purposes ofproviding treatment. The application ofthis rule to any particular ‘‘integratedsystem’’ will depend on the nature ofthe common activities the participantsin the system perform. When theparticipants in such an arrangement are‘‘affiliated’’ as defined in this rule, theymay consider themselves a singlecovered entity (see § 164. 504).

The arrangements between academichealth centers, faculty practice plans,universities, and hospitals are similarlydiverse. We cannot describe a blanketrule that covers all such arrangements.The application of this rule will dependon the purposes for which theparticipants in such arrangements shareprotected health information, whethersome or all participants are undercommon ownership or control, andsimilar matters. We note that physicianswho have staff privileges at a covered



hospital do not become part of thathospital covered entity by virtue ofhaving such privileges.

We reject the recommendation toapply the rule only to components of anentity that engage in the transactions.This would omit as covered entities, forexample, the health plan componentsthat do not directly engage in thetransactions, including components thatengage in important health planfunctions such as coveragedeterminations and quality review.Indeed, we do not believe that thestatute permits this result with respectto health plans or health careclearinghouses as a matter of negativeimplication from section 1172(a)(3). Weclarify that only a health care providermust conduct transactions to be acovered entity for purposes of this rule.

We also clarify that health careproviders (such as doctors or nurses)who work for a larger organization anddo not conduct transactions on theirown behalf are workforce members ofthe covered entity, not covered entitiesthemselves.

Comment: A few commenters askedthe Department to clarify the definitionto provide that a multi-line insurer thatsells insurance coverages, some ofwhich do and others which do not meetthe definition of ‘‘health plan,’’ is not acovered entity with respect to actionstaken in connection with coverages thatare not ‘‘health plans.’’

Response: The final rule clarifies thatthe requirements below apply only tothe organizational unit or units of theorganization that are the ‘‘health carecomponent’’ of a covered entity, wherethe ‘‘covered functions’’ are not theprimary functions of the entity.Therefore, for a multi-line insurer, the‘‘health care component’’ is theinsurance line(s) that conduct, orsupport the conduct of, the health carefunction of the covered entity. Also, itshould be noted that excepted benefits,such as life insurance, are not includedin the definition of ‘‘health plan.’’ (Seepreamble discussion of § 164.504).

Comment: A commenter questionedwhether the Health Care FinancingAdministration (HCFA) is a coveredentity and how HCFA will share datawith Medicare managed careorganizations. The commenter alsoquestioned why the regulation mustapply to Medicaid since the existingMedicaid statute requires that stateshave privacy standards in place. It wasalso requested that the Departmentprovide a definition of ‘‘health plan’’ toclarify that state Medicaid Programs areconsidered as such.

Response: HCFA is a covered entitybecause it administers Medicare and

Medicaid, which are both listed in thestatute as health plans. Medicaremanaged care organizations are alsocovered entities under this regulation.As noted elsewhere in this preamble,covered entities that jointly administera health plan, such as Medicare +Choice, are both covered entities, andare not business associates of each otherby virtue of such joint administration.

We do not exclude state Medicaidprograms. Congress explicitly includedthe Medicaid program as a coveredhealth plan in the HIPAA statute.

Comment: A commenter asked theDepartment to provide detailedguidance as to when providers, plans,and clearinghouses become coveredentities. The commenter provided thefollowing example: if a provider submitsclaims only in paper form, and acoordination of benefits (COB)transaction is created due to otherinsurance coverage, will the originalprovider need to be notified that theclaim is now in electronic form, andthat it has become a covered entity?Another commenter voiced concern asto whether physicians who do notconduct electronic transactions wouldbecome covered entities if anotherentity using its records downstreamtransmits information in connectionwith a standard transaction on theirbehalf.

Response: We clarify that health careproviders who submit the transactionsin standard electronic form, healthplans, and health care clearinghousesare covered entities if they meet therespective definitions. Health careproviders become subject to the rule ifthey conduct standard transactions. Inthe above example, the health careprovider would not be a covered entityif the coordination of benefitstransaction was generated by a payor.

We also clarify that health careproviders who do not submittransactions in standard form becomecovered by this rule when other entities,such as a billing service or a hospital,transmit standard electronictransactions on the providers’ behalf.However, where the downstreamtransaction is not conducted on behalfof the health care provider, the providerdoes not become a covered entity due tothe downstream transaction.

Comment: Several commentersdiscussed the relationship betweensection 1179 of the Act and the privacyregulations. One commenter suggestedthat HHS retain the statement that acovered entity means ‘‘the entities towhich part C of title XI of the Actapplies.’’ In particular, the commenterobserved that section 1179 of the Actprovides that part C of title XI of the Act

does not apply to financial institutionsor to entities acting on behalf of suchinstitutions that are covered by thesection 1179 exemption. Thus, underthe definition of covered entity, theycomment that financial institutions andother entities that come within thescope of the section 1179 exemption areappropriately not covered entities.

Other commenters maintained thatsection 1179 of the Act means that theAct’s privacy requirements do not applyto the request for, or the use ordisclosure of, information by a coveredentity with respect to payment: (a) Fortransferring receivables; (b) for auditing;(c) in connection with—(i) a customerdispute; or (ii) an inquiry from or to acustomer; (d) in a communication to acustomer of the entity regarding thecustomer’s transactions payment card,account, check, or electronic fundstransfer; (e) for reporting to consumerreporting agencies; or (f) for complyingwith: (i) a civil or criminal subpoena; or(ii) a federal or state law regulating theentity. These companies expressedconcern that the proposed rule did notinclude the full text of section 1179when discussing the list of activitiesthat were exempt from the rule’srequirements. Accordingly, theyrecommended including in the finalrule either a full listing of or a referenceto section 1179’s full list of exemptions.Furthermore, these firms opposedapplying the proposed rule’s minimumnecessary standard for disclosure ofprotected health information tofinancial institutions because of section1179.

These commenters suggest that inlight of section 1179, HHS lacks theauthority to impose restrictions onfinancial institutions and other entitieswhen they engage in activities describedin that section. One commenterexpressed concern that even thoughproposed § 164.510(i) would havepermitted covered entities to disclosecertain information to financialinstitutions for banking and paymentprocesses, it did not state clearly thatfinancial institutions and other entitiesdescribed in section 1179 are exemptfrom the rule’s requirements.

Response: We interpret section 1179of the Act to mean that entities engagedin the activities of a financialinstitution, and those acting on behalf ofa financial institution, are not subject tothis regulation when they are engaged inauthorizing, processing, clearing,settling, billing, transferring,reconciling, or collecting payments for afinancial institution. The statutoryreference to 12 U.S.C. 3401 indicatesthat Congress chose to adopt thedefinition of financial institutions found



in the Right to Financial Privacy Act,which defines financial institutions asany office of a bank, savings bank, cardissuer, industrial loan company, trustcompany, savings association, buildingand loan, homestead association,cooperative bank, credit union, orconsumer finance institution located inthe United States or one of itsTerritories. Thus, when we use the term‘‘financial institution’’ in thisregulation, we turn to the definitionwith which Congress provided us. Weinterpret this provision to mean thatwhen a financial institution, or its agenton behalf of the financial institution,conducts the activities described insection 1179, the privacy regulation willnot govern the activity.

If, however, these activities areperformed by a covered entity or byanother entity, including a financialinstitution, on behalf of a coveredentity, the activities are subject to thisrule. For example, if a bank operates theaccounts payable system or other ‘‘backoffice’’ functions for a covered healthcare provider, that activity is notdescribed in section 1179. In suchinstances, because the bank would meetthe rule’s definition of ‘‘businessassociate,’’ the provider must enter intoa business associate contract with thebank before disclosing protected healthinformation pursuant to thisrelationship. However, if the sameprovider maintains an account throughwhich he/she cashes checks frompatients, no business associate contractwould be necessary because the bank’sactivities are not undertaken for or onbehalf of the covered entity, and fallwithin the scope of section 1179. In partto give effect to section 1179, in this rulewe do not consider a financialinstitution to be acting on behalf of acovered entity when it processesconsumer-conducted financialtransactions by debit, credit or otherpayment card, clears checks, initiates orprocesses electronic funds transfers, orconducts any other activity that directlyfacilitates or effects the transfer of fundsfor compensation for health care.

We do not agree with the commentthat section 1179 of the Act means thatthe privacy regulation’s requirementscannot apply to the activities listed inthat section; rather, it means that theentities expressly mentioned, financialinstitutions (as defined in the Right toFinancial Privacy Act), and their agentsthat engage in the listed activities for thefinancial institution are not within thescope of the regulation. Nor do weinterpret section 1179 to support anexemption for disclosures to financialinstitutions from the minimumnecessary provisions of this regulation.

Comment: One commenterrecommended that HHS include adefinition of ‘‘entity’’ in the final rulebecause HIPAA did not define it. Thecommenter explained that in a modernhealth care environment, theorganization acting as the health plan orhealth care provider may involve manyinterrelated corporate entities and thatthis could lead to difficulties indetermining what ‘‘entities’’ are actuallysubject to the regulation.

Response: We reject the commenter’ssuggestion. We believe it is clear in thefinal rule that the entities subject to theregulation are those listed at § 160.102.However, we acknowledge that how therule applies to integrated or othercomplex health systems needs to beaddressed; we have done so in § 164.504and in other provisions, such as thoseaddressing organized health carearrangements.

Comment: The preamble shouldclarify that self-insured group healthand workmen’s compensation plans arenot covered entities or businesspartners.

Response: In the preamble to theproposed rule we stated that certaintypes of insurance entities, such asworkers’ compensation, would not becovered entities under the rule. We donot change this position in this finalrule. The statutory definition of healthplan does not include workers’compensation products, and theregulatory definition of the termspecifically excludes them. However,HIPAA specifically includes most grouphealth plans within the definition of‘‘health plan.’’

Comment: A health insurance issuerasserted that health insurers and thirdparty administrators are usuallyrequired by employers to submit reportsdescribing the volume, amount, payee,basis for services rendered, types ofclaims paid and services for whichpayment was requested on behalf of itcovered employees. They recommendedthat the rule permit the disclosure ofprotected health information for suchpurposes.

Response: We agree that health plansshould be able to disclose protectedhealth information to employerssponsoring health plans under certaincircumstances. Section 164.504(f)explains the conditions under whichprotected health information may bedisclosed to plan sponsors. We believethat this provision gives sponsors accessto the information they need, butprotects individual’s information to theextent possible under our legislativeauthority.

Group Health Plan

For response to comments relating to‘‘group health plan,’’ see the response tocomments on ‘‘health plan’’ below andthe response to comments on § 164.504.

Health Care

Comment: A number of commentersasked that we include diseasemanagement activities and other similarhealth improvement programs, such aspreventive medicine, health educationservices and maintenance, health andcase management, and risk assessment,in the definition of ‘‘health care.’’Commenters maintained that the ruleshould avoid limiting technologicaladvances and new health care trendsintended to improve patient ‘‘healthcare.’’

Response: Review of these and othercomments, and our fact-finding,indicate that there are multiple,different, understandings of thedefinition of these terms. Therefore,rather than create a blanket rule thatincludes such terms in or excludes suchterms from the definition of ‘‘healthcare,’’ we define health care based onthe underlying activities that constitutehealth care. The activities described bythese commenters are considered‘‘health care’’ under this rule to theextent that they meet this functionaldefinition. Listing activities by label ortitle would create the risk that importantactivities would be left out and, giventhe lack of consensus on what theseterms mean, could also createconfusion.

Comment: Several commenters urgedthat the Department clarify that theactivities necessary to procure anddistribute eyes and eye tissue will notbe hampered by the rule. Some of thesecommenters explicitly requested that weinclude ‘‘eyes and eye tissue’’ in the listof procurement biologicals as well as‘‘eye procurement’’ in the definition of‘‘health care.’’ In addition, it was arguedthat ‘‘administration to patients’’ beexcluded in the absence of a cleardefinition. Also, commentersrecommended that the definitioninclude other activities associated withthe transplantation of organs, such asprocessing, screening, and distribution.

Response: We delete from thedefinition of ‘‘health care’’ activitiesrelated to the procurement or banking ofblood, sperm, organs, or any other tissuefor administration to patients. We do sobecause persons who make suchdonations are not seeking to be treated,diagnosed, or assessed or otherwiseseeking health care for themselves, butare seeking to contribute to the healthcare of others. In addition, the nature of



these activities entails a unique kind ofinformation sharing and trackingnecessary to safeguard the nation’sorgan and blood supply, and thoseseeking to donate are aware that thisinformation sharing will occur.Consequently, such procurement orbanking activities are not consideredhealth care and the organizations thatperform such activities are notconsidered health care providers forpurposes of this rule.

With respect to disclosure ofprotected health information by coveredentities to facilitate cadaveric organ andtissue donation, the final rule explicitlypermits a covered entity to discloseprotected health information withoutauthorization, consent, or agreement toorgan procurement organizations orother entities engaged in theprocurement, banking, ortransplantation of cadaveric organs,eyes, or tissue for the purpose offacilitating donation andtransplantation. See § 164.512(h). We donot include blood or sperm banking inthis provision because, for thoseactivities, there is direct contact withthe donor, and thus opportunity toobtain the individual’s authorization.

Comment: A large number ofcommenters urged that the term‘‘assessment’’ be included in the list ofservices in the definition, as‘‘assessment’’ is used to determine thebaseline health status of an individual.It was explained that assessments areconducted in the initial step ofdiagnosis and treatment of a patient. Ifassessment is not included in the list ofservices, they pointed out that theservices provided by occupationalhealth nurses and employee healthinformation may not be covered.

Response: We agree and have addedthe term ‘‘assessment’’ to the definitionto clarify that this activity is considered‘‘health care’’ for the purposes of therule.

Comment: One commenter asked thatwe revise the definition to explicitlyexclude plasmapheresis from paragraph(3) of the definition. It was explainedthat plasmapheresis centers do not havedirect access to health care recipients ortheir health information, and that thelimited health information collectedabout plasma donors is not used toprovide health care services as indicatedby the definition of health care.

Response: We address thecommenters’ concerns by removing theprovision related to procurement andbanking of human products from thedefinition.

Health Care Clearinghouse

Comment: The largest set ofcomments relating to health careclearinghouses focused on our proposalto exempt health care clearinghousesfrom the patient notice and access rightsprovisions of the regulation. In ourNPRM, we proposed to exempt healthcare clearinghouses from certainprovisions of the regulation that dealwith the covered entities’ notice ofinformation practices and consumers’rights to inspect, copy, and amend theirrecords. The rationale for thisexemption was based on our belief thathealth care clearinghouses engageprimarily in business-to-businesstransactions and do not initiate ormaintain direct relationships withindividuals. We proposed this positionwith the caveat that the exemptionswould be void for any health careclearinghouse that had direct contactwith individuals in a capacity otherthan that of a business partner. Inaddition, we indicated that, in mostinstances, clearinghouses also would beconsidered business partners under thisrule and would be bound by theircontracts with covered plans andproviders. They also would be subject tothe notice of information practicesdeveloped by the plans and providerswith whom they contract.

Commenters stated that, althoughhealth care clearinghouses do not havedirect contact with individuals, they dohave individually identifiable healthinformation that may be subject tomisuse or inappropriate disclosure.They expressed concern that we wereproposing to exempt health careclearinghouses from all or many aspectsof the regulation. These commenterssuggested that we either delete theexemption or make it very narrow,specific and explicit in the finalregulatory text.

Clearinghouse commenters, on theother hand, were in agreement with ourproposal, including the exemptionprovision and the provision that theexemption is voided when the entitydoes have direct contact withindividuals. They also stated that ahealth care clearinghouse that has adirect contact with individuals is nolonger a health care clearinghouse asdefined and should be subject to allrequirements of the regulation.

Response: In the final rule, where aclearinghouse creates or receivesprotected health information as abusiness associate of another coveredentity, we maintain the exemption forhealth care clearinghouses from certainprovisions of the regulation dealingwith the notice of information practices

and patient’s direct access rights toinspect, copy and amend records(§§ 164.524 and 164.526), on thegrounds that a health care clearinghouseis engaged in business-to-businessoperations, and is not dealing directlywith individuals. Moreover, as businessassociates of plans and providers, healthcare clearinghouses are bound by thenotices of information practices of thecovered entities with whom theycontract.

Where a health care clearinghousecreates or receives protected healthinformation other than as a businessassociate, however, it must comply withall the standards, requirements, andimplementation specifications of therule. We describe and delimit the exactnature of the exemption in theregulatory text. See § 164.500(b). Wewill monitor developments in thissector should the basic business-to-business relationship change.

Comment: A number of commentsrelate to the proposed definition ofhealth care clearinghouse. Manycommenters suggested that we expandthe definition. They suggested thatadditional types of entities be includedin the definition of health careclearinghouse, specifically medicaltranscription services, billing services,coding services, and ‘‘intermediaries.’’One commenter suggested that thedefinition be expanded to add entitiesthat receive standard transactions,process them and clean them up, andthen send them on, without convertingthem to any standard format. Anothercommenter suggested that the healthcare clearinghouse definition beexpanded to include entities that do notperform translation but may receiveprotected health information in astandard format and have access to thatinformation. Another commenter statedthat the list of covered entities shouldinclude any organization that receivesor maintains individually identifiablehealth information. One organizationrecommended that we expand thehealth care clearinghouse definition toinclude the concept of a research dataclearinghouse, which would collectindividually identifiable healthinformation from other covered entitiesto generate research data files for releaseas de-identified data or with appropriateconfidentiality safeguards. Onecommenter stated that HHS had gonebeyond Congressional intent byincluding billing services in thedefinition.

Response: We cannot expand thedefinition of ‘‘health careclearinghouse’’ to cover entities notcovered by the definition of this term inthe statute. In the final regulation, we



make a number of changes to addresspublic comments relating to definition.We modify the definition of health careclearinghouse to conform to thedefinition published in the TransactionsRule (with the addition of a few words,as noted above). We clarify in thepreamble that, while the term ‘‘healthcare clearinghouse’’ may have othermeanings and connotations in othercontexts, for purposes of this regulationan entity is considered a health careclearinghouse only to the extent that itactually meets the criteria in ourdefinition. Entities performing otherfunctions but not meeting the criteria fora health care clearinghouse are notclearinghouses, although they may bebusiness associates. Billing services areincluded in the regulatory definition of‘‘health care clearinghouse,’’ if theyperform the specified clearinghousefunctions. Although we have not addedor deleted any entities from our originaldefinition, we will monitor industrypractices and may add other entities inthe future as changes occur in the healthsystem.

Comment: Several commenterssuggested that we clarify that an entityacting solely as a conduit through whichindividually identifiable healthinformation is transmitted or throughwhich protected health informationflows but is not stored is not a coveredentity, e.g., a telephone company orInternet Service Provider. Othercommenters indicated that once atransaction leaves a provider or planelectronically, it may flow throughseveral entities before reaching aclearinghouse. They asked that theregulation protect the information inthat interim stage, just as the securityNPRM established a chain of trustarrangement for such a network. Othersnoted that these ‘‘conduit’’ entities arelikely to be business partners of theprovider, clearinghouse or plan, and weshould clarify that they are subject tobusiness partner obligations as in theproposed Security Rule.

Response: We clarify that entitiesacting as simple and routinecommunications conduits and carriersof information, such as telephonecompanies and Internet ServiceProviders, are not clearinghouses asdefined in the rule unless they carry outthe functions outlined in our definition.Similarly, we clarify that value addednetworks and switches are not healthcare clearinghouses unless they carryout the functions outlined in thedefinition, and clarify that such entitiesmay be business associates if they meetthe definition in the regulation.

Comment: Several commenters,including the large clearinghouses and

their trade associations, suggested thatwe not treat health care clearinghousesas playing a dual role as covered entityand business partner in the final rulebecause such a dual role causesconfusion as to which rules actuallyapply to clearinghouses. In their view,the definition of health careclearinghouse is sufficiently clear tostand alone and identify a health careclearinghouse as a covered entity, andallows health care clearinghouses tooperate under one consistent set ofrules.

Response: For reasons explained in§ 164.504 of this preamble, we do notcreate an exception to the businessassociate requirements when thebusiness associate is also a coveredentity. We retain the concept that ahealth care clearinghouse may be acovered entity and a business associateof a covered entity under the regulation.As business associates, they would bebound by their contracts with coveredplans and providers.

Health Care Provider

Comment: One commenter pointedout that the preamble referred to theobligations of providers and did not usethe term, ‘‘covered entity,’’ and thuscreated ambiguity about the obligationsof health care providers who may beemployed by persons other than coveredentities, e.g., pharmaceutical companies.It was suggested that a better reading ofthe statute and rule is that where neitherthe provider nor the company is acovered entity, the rule does not imposean obligation on either the provider-employee or the employer.

Response: We agree. We use the term‘‘covered entity’’ whenever possible inthe final rule, except for the instanceswhere the final rule treats the entitiesdifferently, or where use of the term‘‘health care provider’’ is necessary forpurposes of illustrating an example.

Comment: Several commenters statedthat the proposal’s definition was broad,unclear, and/or confusing. Further, wereceived many comments requestingclarification as to whether specificentities or persons were ‘‘health careproviders’’ for the purposes of our rule.One commenter questioned whetheraffiliated members of a health caregroup (even though separate legalentities) would be considered as oneprimary health care provider.

Response: We permit legally distinctcovered entities that share commonownership or control to designatethemselves together to be a singlecovered entity. Such organizations maypromulgate a single shared notice ofinformation practices and a consent

form. For more detailed information, seethe preamble discussion of § 164.504(d).

We understand the need foradditional guidance on whether specificentities or persons are health careproviders under the final rule. Weprovide guidance below and willprovide additional guidance as the ruleis implemented.

Comment: One commenter observedthat sections 1171(3), 1861(s) and1861(u) of the Act do not includepharmacists in the definition of healthcare provider or pharmacist services inthe definition of ‘‘medical or otherhealth services,’’ and questionedwhether pharmacists were covered bythe rule.

Response: The statutory definition of‘‘health care provider’’ at section1171(3) includes ‘‘any other person ororganization who furnishes, bills, or ispaid for health care in the normalcourse of business.’’ Pharmacists’services are clearly within this statutorydefinition of ‘‘health care.’’ There is nobasis for excluding pharmacists whomeet these statutory criteria from thisregulation.

Comment: Some commentersrecommended that the scope of thedefinition be broadened or clarified tocover additional persons ororganizations. Several commentersargued for expanding the reach of thehealth care provider definition to coverentities such as state and local publichealth agencies, maternity supportservices (provided by nutritionists,social workers, and public health nursesand the Special Supplemental NutritionProgram for Women, Infants andChildren), and those companies thatconduct cost-effectiveness reviews, riskmanagement, and benchmarkingstudies. One commenter queriedwhether auxiliary providers such aschild play therapists, and speech andlanguage therapists are considered to behealth care providers. Othercommenters questioned whether‘‘alternative’’ or ‘‘complementary’’providers, such as naturopathicphysicians and acupuncturists would beconsidered health care providerscovered by the rule.

Response: As with other aspects ofthis rule, we do not define ‘‘health careprovider’’ based on the title or label ofthe professional. The professionalactivities of these kinds of providersvary; a person is a ‘‘health careprovider’’ if those activities areconsistent with the rule’s definition of‘‘health care provider.’’ Thus, healthcare providers include persons, such asthose noted by the commenters, to theextent that they meet the definition. Wenote that health care providers are only



subject to this rule if they conductcertain transactions. See the definitionof ‘‘covered entity.’’

However companies that conductcost-effectiveness reviews, riskmanagement, and benchmarking studiesare not health care providers for thepurposes of this rule unless theyperform other functions that meet thedefinition. These entities would bebusiness associates if they perform suchactivities on behalf of a covered entity.

Comment: Another commenterrecommended that the Secretary expandthe definition of health care provider tocover health care providers whotransmit or ‘‘or receive’’ any health careinformation in electronic form.

Response: We do not accept thissuggestion. Section 1172(a)(3) states thatproviders that ‘‘transmit’’ healthinformation in connection with one ofthe HIPAA transactions are covered, butdoes not use the term ‘‘receive’’ or asimilar term.

Comment: Some comments related toonline companies as health careproviders and covered entities. Onecommenter argued that there was noreason ‘‘why an Internet pharmacyshould not also be covered’’ by the ruleas a health care provider. Anothercommenter stated that online healthcare service and content companies,including online medical recordcompanies, should be covered by thedefinition of health care provider.Another commenter pointed out that thedefinitions of covered entities cover‘‘Internet providers who ‘bill’ or are‘paid’ for health care services orsupplies, but not those who financethose services in other ways, such asthrough sale of identifiable healthinformation or advertising.’’ It waspointed out that thousands of Internetsites use information provided byindividuals who access the sites formarketing or other purposes.

Response: We agree that onlinecompanies are covered entities underthe rule if they otherwise meet thedefinition of health care provider orhealth plan and satisfy the otherrequirements of the rule, i.e., providersmust also transmit health information inelectronic form in connection with aHIPAA transaction. We restate here thelanguage in the preamble to theproposed rule that ‘‘An individual ororganization that bills and/or is paid forhealth care services or supplies in thenormal course of business, such as* * * an ‘‘online’’ pharmacy accessibleon the Internet, is also a health careprovider for purposes of this statute’’(64 FR 59930).

Comment: We received manycomments related to the reference to

‘‘health clinic or licensed health careprofessional located at a school orbusiness in the preamble’s discussion of‘‘health care provider.’’ It was statedthat including ‘‘licensed health careprofessionals located at a school orbusiness’’ highlights the need for theseindividuals to understand they have theauthority to disclose information to theSocial Security Administration (SSA)without authorization.

However, several commenters urgedHHS to create an exception for or deletethat reference in the preamblediscussion to primary and secondaryschools because of employer or businesspartner relationships. One federalagency suggested that the reference‘‘licensed health care professionalslocated at a [school]’’ be deleted fromthe preamble because the definition ofhealth care provider does not include areference to schools. The commenteralso suggested that the Secretaryconsider: adding language to thepreamble to clarify that the rules do notapply to clinics or school health careproviders that only maintain recordsthat have been excepted from thedefinition of protected healthinformation, adding an exception to thedefinition of covered entities for thoseschools, and limiting paperworkrequirements for these schools. Anothercommenter argued for deletingreferences to schools because theproposed rule appeared to supersede orcreate ambiguity as to the FamilyEducational Rights and Privacy Act(FERPA), which gives parents the rightto access ‘‘education’’ and healthrecords of their unemancipated minorchildren. However, in contrast, onecommenter supported the inclusion ofhealth care professionals who provideservices at schools or businesses.

Response: We realize that ourdiscussion of schools in the NPRM mayhave been confusing. Therefore, weaddress these concerns and set forth ourpolicy regarding protected healthinformation in educational agencies andinstitutions in the ‘‘Relationship toOther Federal Laws’’ discussion ofFERPA, above.

Comment: Many commenters urgedthat direct contact with the patient benecessary for an entity to be considereda health care provider. Commenterssuggested that persons andorganizations that are remote to thepatient and have no direct contactshould not be considered health careproviders. Several commenters arguedthat the definition of health careprovider covers a person that provideshealth care services or supplies onlywhen the provider furnishes to or billsthe patient directly. It was stated that

the Secretary did not intend thatmanufacturers, such as pharmaceutical,biologics, and device manufacturers,health care suppliers, medical-surgicalsupply distributors, health care vendorsthat offer medical record documentationtemplates and that typically do not dealdirectly with the patient, be consideredhealth care providers and thus coveredentities. However, in contrast, onecommenter argued that, as an in vitrodiagnostics manufacturer, it should becovered as a health care provider.

Response: We disagree with thecomments that urged that directdealings with an individual be aprerequisite to meeting the definition ofhealth care provider. Many providersincluded in the statutory definition ofprovider, such as clinical labs, do nothave direct contact with patients.Further, the use and disclosure ofprotected health information by indirecttreatment providers can have asignificant effect on individuals’privacy. We acknowledge, however, thatproviders who treat patients onlyindirectly need not have the full arrayof responsibilities as direct treatmentproviders, and modify the NPRM tomake this distinction with respect toseveral provisions (see, for example§ 164.506 regarding consent). We alsoclarify that manufacturers and healthcare suppliers who are consideredproviders by Medicare are providersunder this rule.

Comment: Some commenterssuggested that blood centers and plasmadonor centers that collect and distributesource plasma not be consideredcovered health care providers becausethe centers do not provide ‘‘health careservices’’ and the blood donors are not‘‘patients’’ seeking health care.Similarly, commenters expressedconcern that organ procurementorganizations might be consideredhealth care providers.

Response: We agree and have deletedfrom the definition of ‘‘health care’’ theterm ‘‘procurement or banking of blood,sperm, organs, or any other tissue foradministration to patients.’’ See priordiscussion under ‘‘health care.’’

Comment: Several commentersproposed to restrict coverage to onlythose providers who furnished and werepaid for services and supplies. It wasargued that a salaried employee of acovered entity, such as a hospital-basedprovider, should not be covered by therule because that provider would besubject both directly to the rule as acovered entity and indirectly as anemployee of a covered entity.

Response: The ‘‘dual’’ direct andindirect situation described in thesecomments can arise only when a health



care provider conducts standard HIPAAtransactions both for itself and for itsemployer. For example, when theservices of a provider such as a hospital-based physician are billed through astandard HIPAA transaction conductedfor the employer, in this example thehospital, the physician does not becomea covered provider. Only when theprovider uses a standard transaction onits own behalf does he or she become acovered health care provider. Thus, theresult is typically as suggested by thiscommenter. When a hospital-basedprovider is not paid directly, that is,when the standard HIPAA transaction isnot on its behalf, it will not become acovered provider.

Comment: Other commenters arguedthat an employer who provides healthcare services to its employees for whomit neither bills the employee nor paysfor the health care should not beconsidered health care providerscovered by the proposed rule.

Response: We clarify that theemployer may be a health care providerunder the rule, and may be covered bythe rule if it conducts standardtransactions. The provisions of§ 164.504 may also apply.

Comment: Some commenters wereconfused about the preamble statement:‘‘in order to implement the principles inthe Secretary’s Recommendations, wemust impose any protections on thehealth care providers that use anddisclose the information, rather than onthe researcher seeking the information,’’with respect to the rule’s policy that aresearcher who provides care to subjectsin a trial will be considered a healthcare provider. Some commenters werealso unclear about whether theindividual researcher providing healthcare to subjects in a trial would beconsidered a health care provider orwhether the researcher’s homeinstitution would be considered a healthcare provider and thus subject to therule.

Response: We clarify that, in general,a researcher is also a health careprovider if the researcher provideshealth care to subjects in a clinicalresearch study and otherwise meets thedefinition of ‘‘health care provider’’under the rule. However, a health careprovider is only a covered entity andsubject to the rule if that providerconducts standard transactions. Withrespect to the above preamble statement,we meant that our jurisdiction under thestatute is limited to covered entities.Therefore, we cannot apply anyrestrictions or requirements on aresearcher in that person’s role as aresearcher. However, if a researcher isalso a health care provider that conducts

standard transactions, that researcher/provider is subject to the rule withregard to its provider activities.

As to applicability to a researcher/provider versus the researcher’s homeinstitution, we provide the followingguidance. The rule applies to theresearcher as a covered entity if theresearcher is a health care provider whoconducts standard transactions forservices on his or her own behalf,regardless of whether he or she is partof a larger organization. However, if theservices and transactions are conductedon behalf of the home institution, thenthe home institution is the coveredentity for purposes of the rule and theresearcher/provider is a workforcemember, not a covered entity.

Comment: One commenter expressedconfusion about those instances when ahealth care provider was a coveredentity one day, and one who ‘‘worksunder a contract’’ for a manufacturer thenext day.

Response: If persons are coveredunder the rule in one role, they are notnecessarily covered entities when theyparticipate in other activities in anotherrole. For example, that person could bea covered health care provider in ahospital one day but the next day readresearch records for a differentemployer. In its role as researcher, theperson is not covered, and protectionsdo not apply to those research records.

Comment: One commenter suggestedthat the Secretary modify proposed§ 160.102, to add the following clause atthe end (after (c)) (regarding health careprovider), ‘‘With respect to any entitywhose primary business is not that of ahealth plan or health care providerlicensed under the applicable laws ofany state, the standards, requirements,and implementation specifications ofthis subchapter shall apply solely to thecomponent of the entity that engages inthe transactions specified in [§]160.103.’’ (Emphasis added.) Anothercommenter also suggested that thedefinition of ‘‘covered entity’’ be revisedto mean entities that are ‘‘primarily orexclusively engaged in health care-related activities as a health plan, healthcare provider, or health careclearinghouse.’’

Response: The Secretary rejects thesesuggestions because they willimpermissibly limit the entities coveredby the rule. An entity that is a healthplan, health care provider, or healthcare clearinghouse meets the statutorydefinition of covered entity regardless ofhow much time is devoted to carryingout health care-related functions, orregardless of what percentage of theirtotal business applies to health care-related functions.

Comment: Several commenters soughtto distinguish a health care providerfrom a business partner as proposed inthe NPRM. For example, a number ofcommenters argued that diseasemanagers that provide services ‘‘onbehalf of’’ health plans and health careproviders, and case managers (avariation of a disease managementservice) are business partners and not‘‘health care providers.’’ Anothercommenter argued that a diseasemanager should be recognized(presumably as a covered entity)because of its involvement from thephysician-patient level through complexinteractions with health care providers.

Response: To the extent that a diseaseor case manager provides services onbehalf of or to a covered entity asdescribed in the rule’s definition ofbusiness associate, the disease or casemanager is a business associate forpurposes of this rule. However, ifservices provided by the disease or casemanager meet the definition oftreatment and the person otherwisemeets the definition of ‘‘health careprovider,’’ such a person is a health careprovider for purposes of this rule.

Comment: One commenter arguedthat pharmacy employees who assistpharmacists, such as technicians andcashiers, are not business partners.

Response: We agree. Employees of apharmacy that is a covered entity areworkforce members of that coveredentity for purposes of this rule.

Comment: A number of commentersrequested that we clarify the definitionof health care provider (‘‘* * * whofurnishes, bills, or is paid for health careservices or supplies in the normalcourse of business’’) by defining thevarious terms ‘‘furnish’’, ‘‘supply’’, and‘‘in the normal course of business.’’ Forinstance, it was stated that this wouldhelp employers recognize when servicessuch as an employee assistance programconstituted health care covered by therule.

Response: Although we understandthe concern expressed by thecommenters, we decline to follow theirsuggestion to define terms at this levelof specificity. These terms are incommon use today, and an attempt atspecific definition would risk theinadvertent creations of conflict withindustry practices. There is a significantvariation in the way employers structuretheir employee assistance programs(EAPs) and the type of services that theyprovide. If the EAP provides directtreatment to individuals, it may be ahealth care provider.



Health Information

The response to comments on healthinformation is included in the responseto comments on individuallyidentifiable health information, in thepreamble discussion of § 164.501.

Health Plan

Comment: One commenter suggestedthat to eliminate any ambiguity, theSecretary should clarify that the catch-all category under the definition ofhealth plan includes ‘‘24-hour coverageplans’’ (whether insured or self-insured)that integrate traditional employeehealth benefits coverage and workers’compensation coverage for the treatmentof on-the-job injuries and illnessesunder one program. It was stated thatthis clarification was essential if theSecretary persisted in excludingworkers’ compensation from the finalrule.

Response: We understand concernsthat such plans may use and discloseindividually identifiable healthinformation. We therefore clarify that tothe extent that 24-hour coverage planshave a health care component thatmeets the definition of ‘‘health plan’’ inthe final rule, such components mustabide by the provisions of the final rule.In the final rule, we have added a newprovision to § 164.512 that permitscovered entities to disclose informationunder workers’ compensation andsimilar laws. A health plan that is a 24-hour plan is permitted to makedisclosures as necessary to comply withsuch laws.

Comment: A number of commentersurged that certain types of insuranceentities, such as workers’ compensationand automobile insurance carriers,property and casualty insurance healthplans, and certain forms of limitedbenefits coverage, be included in thedefinition of ‘‘health plan.’’ It wasargued that consumers deserve the sameprotection with respect to their healthinformation, regardless of the entityusing it, and that it would beinequitable to subject health insurancecarriers to more stringent standards thanother types of insurers that useindividually identifiable healthinformation.

Response: The Congress did notinclude these programs in the definitionof a ‘‘health plan’’ under section 1171 ofthe Act. Further, HIPAA’s legislativehistory shows that the House Report’s(H. Rep. 104–496) definition of ‘‘healthplan’’ originally included certain benefitprograms, such as workers’compensation and liability insurance,but was later amended to clarify thedefinition and remove these programs.

Thus, since the statutory definition of ahealth plan both on its face and throughlegislative history evidence Congress’intention to exclude such programs, wedo not have the authority to require thatthese programs comply with thestandards. We have added explicitlanguage to the final rule whichexcludes the excepted benefit programs,as defined in section 2971(c)(1) of thePHS Act, 42 U.S.C. 300gg-91(c)(1).

Comment: Some commenters urgedHHS to include entities such as stoploss insurers and reinsurers in thedefinition of ‘‘health plan.’’ It wasobserved that such entities have come toplay important roles in managed caredelivery systems. They asserted thatincreasingly, capitated health plans andproviders contract with their reinsurersand stop loss carriers to medicallymanage their high cost outlier casessuch as organ and bone marrowtransplants, and therefore should bespecifically cited as subject to theregulations.

Response: Stop-loss and reinsurers donot meet the statutory definition ofhealth plan. They do not provide or payfor the costs of medical care, asdescribed in the statute, but ratherinsure health plans and providersagainst unexpected losses. Therefore,we cannot include them as health plansin the regulation.

Comment: A commenter asserted thatthere is a significant discrepancybetween the effect of the definition of‘‘group health plan’’ as proposed in§ 160.103, and the anticipated impact inthe cost estimates of the proposed ruleat 64 FR 60014. Paragraph (1) of theproposed definition of ‘‘health plan’’defined a ‘‘group health plan’’ as anERISA-defined employee welfare benefitplan that provides medical care andthat: ‘‘(i) Has 50 or more participants, or(ii) Is administered by an entity otherthan the employer that established andmaintains the plan[.]’’ (emphasis added)According to this commenter, under thisdefinition, the only insured or self-insured ERISA plans that would not beregulated ‘‘health plans’’ would be thosethat have less than 50 participants andare self administered.

The commenter presumed that the wehad intended to exclude from thedefinition of ‘‘health plan’’ (and fromcoverage under the proposed rule) allERISA plans that are small (less than 50participants) or are administered by athird party, whether large or small,based on the statement at 64 FR 60014,note 18. That footnote stated that theDepartment had ‘‘not included the 3.9million ‘other’ employer-health planslisted in HCFA’s administrativesimplification regulations because these

plans are administered by a third party.The proposed regulation will notregulate the employer plans but willregulate the third party administratorsof the plan.’’ The commenter urged usnot to repeat the statutory definition,and to adopt the policy implied in thefootnote.

Response: We agree with thecommenter’s observation that footnote18 (64 FR 60014) was inconsistent withthe proposed definition. We erred indrafting that note. The definition of‘‘group health plan’’ is adopted from thestatutory definition at section1171(5)(A), and excludes from the ruleas ‘‘health plans’’ only the few insuredor self-insured ERISA plans that haveless than 50 participants and are selfadministered. We reject thecommenter’s proposed change to thedefinition as inconsistent with thestatute.

Comment: A number of insurancecompanies asked that long term careinsurance policies be excluded from thedefinition of ‘‘health plan.’’ It wasargued that such policies do not providesufficiently comprehensive coverage ofthe cost of medical care, and are limitedbenefit plans that provide or pay for thecost of custodial and other relatedservices in connection with a long term,chronic illness or disability.

These commenters asserted thatHIPAA recognizes this nature of longterm care insurance, observing that,with respect to HIPAA’s portabilityrequirements, Congress enacted a seriesof exclusions for certain defined typesof health plan arrangements that do nottypically provide comprehensivecoverage. They maintained thatCongress recognized that long term careinsurance is excluded, so long as it isnot a part of a group health plan. Wherea long term care policy is offeredseparately from a group health plan it isconsidered an excepted benefit and isnot subject to the portability andguarantee issue requirements of HIPAA.Although this exception does not appearin the Administrative Simplificationprovisions of HIPAA, it was assertedthat it is guidance with respect to thetreatment of long term care insurance asa limited benefit coverage and not ascoverage that is so ‘‘sufficientlycomprehensive’’ that it is to be treatedin the same manner as a typical,comprehensive major medical healthplan arrangement.

Another commenter offered adifferent perspective observing thatthere are some long-term care policies—that do not pay for medical care andtherefore are not ‘‘health plans.’’ It wasnoted that most long-term care policiesare reimbursement policies—that is,



they reimburse the policyholder for theactual expenses that the insured incursfor long-term care services. To theextent that these constitute ‘‘medicalcare,’’ this commenter presumed thatthese policies would be considered‘‘health plans.’’ Other long-term carepolicies, they pointed out, simply pay afixed dollar amount when the insuredbecomes chronically ill, without regardto the actual cost of any long-term careservices received, and thus are similarto fixed indemnity critical illnesspolicies. The commenter suggested thatwhile there was an importantdistinction between indemnity basedlong-term care policies and expensesbased long-term care policies, it may bewise to exclude all long-term carepolicies from the scope of the rule toachieve consistency with HIPAA.

Response: We disagree. The statutorylanguage regarding long-term carepolicies in the portability title of HIPAAis different from the statutory languageregarding long-term care policies in theAdministrative Simplification title ofHIPAA. Section 1171(5)(G) of the Actmeans that issuers of long-term carepolicies are considered health plans forpurposes of administrativesimplification. We also interpret thestatute as authorizing the Secretary toexclude nursing home fixed-indemnitypolicies, not all long-term care policies,from the definition of ‘‘health plan,’’ ifshe determines that these policies donot provide ‘‘sufficiently comprehensivecoverage of a benefit’’ to be treated as ahealth plan (see section 1171 of theAct). We interpret the term‘‘comprehensive’’ to refer to the breadthor scope of coverage of a policy.‘‘Comprehensive’’ policies are those thatcover a range of possible serviceoptions. Since nursing home fixedindemnity policies are, by their ownterms, limited to payments made solelyfor nursing facility care, we havedetermined that they should not beincluded as health plans for thepurposes of the HIPAA regulations. TheSecretary, therefore, explicitly excludednursing home fixed-indemnity policiesfrom the definition of ‘‘health plan’’ inthe Transactions Rule, and thisexclusion is thus reflected in this finalrule. Issuers of other long-term carepolicies are considered to be healthplans under this rule and theTransactions Rule.

Comment: One commenter wasconcerned about the potential impact ofthe proposed regulations on ‘‘unfundedhealth plans,’’ which the commenterdescribed as programs used by smallercompanies to provide their associateswith special employee discounts orother membership incentives so that

they can obtain health care, includingprescription drugs, at reduced prices.The commenter asserted that if thesediscount and membership incentiveprograms were covered by theregulation, many smaller employersmight discontinue offering them to theiremployees, rather than deal with theadministrative burdens and costs ofcomplying with the rule.

Response: Only those specialemployee discounts or membershipincentives that are ‘‘employee welfarebenefit plans’’ as defined in section 3(1)of the Employee Retirement IncomeSecurity Act of 1974, 29 U.S.C. 1002(1),and provide ‘‘medical care’’ (as definedin section 2791(a)(2) of the PublicHealth Service Act, 42 U.S.C. 300gg-91(a)(2)), are health plans for thepurposes of this rule. Discount ormembership incentive programs that arenot group health plans are not coveredby the rule.

Comment: Several commenters agreedwith the proposal to exclude ‘‘exceptedbenefits’’ such as disability incomeinsurance policies, fixed indemnitycritical illness policies, and per diemlong-term care policies from thedefinition of ‘‘health plan,’’ but wereconcerned that the language of theproposed rule did not fully reflect thisintent. They asserted that clarificationwas necessary in order to avoidconfusion and costs to both consumersand insurers.

One commenter stated that, whileHHS did not intend for the rule to applyto every type of insurance coverage thatpaid for medical care, the language ofthe proposed rule did not bear this out.The problem, it was asserted, is thatunder the proposed rule any insurancepolicy that pays for ‘‘medical care’’would technically be a ‘‘health plan.’’ Itwas argued that despite the statementsin the narrative, there are no provisionsthat would exempt any of the ‘‘exceptedbenefits’’ from the definition of ‘‘healthcare.’’ It was stated that:

Although (with the exception of long-termcare insurance), the proposed rule does notinclude the ‘excepted benefits’ in its list ofsixteen examples of a health plan (proposed45 CFR 160.104), it does not explicitlyexclude them either. Because these types ofpolicies in some instances pay benefits thatcould be construed as payments for medicalcare, we are concerned by the fact that theyare not explicitly excluded from thedefinition of ‘health plan’ or therequirements of the proposed rule.’’

Several commenters proposed thatHHS adopt the same list of ‘‘exceptedbenefits’’ contained in 29 U.S.C. 1191b,suggesting that they could be adoptedeither as exceptions to the definition of‘‘health plan’’ or as exceptions to the

requirements imposed on ‘‘healthplans.’’ They asserted that this wouldpromote consistency in the federalregulatory structure for health plans.

It was suggested that HHS clarifywhether the definition of health plan,particularly the ‘‘group health plan’’ and‘‘health insurance issuer’’ components,includes a disability plan or disabilityinsurer. It was noted that a disabilityplan or disability insurer may coveronly income lost from disability and, asmentioned above, some rehabilitationservices, or a combination of lostincome, rehabilitation services andmedical care. The commenter suggestedthat in addressing this coverage issue, itmay be useful to refer to the definitionsof group health plan, health insuranceissuer and medical care set forth in PartI of HIPAA, which the statutoryprovisions of the AdministrativeSimplification subtitle expresslyreference. See 42 U.S.C. 1320d(5)(A)and (B).

Response: We agree that the NPRMmay have been ambiguous regarding thetypes of plans the rule covers. Toremedy this confusion, we have addedlanguage that specifically excludes fromthe definition any policy, plan, orprogram providing or paying the cost ofthe excepted benefits, as defined insection 2971(c)(1) of the PHS Act, 42U.S.C. 300gg–91(c)(1). As defined in thestatute, this includes but is not limitedto benefits under one or more (or anycombination thereof) of the following:coverage only for accident, or disabilityincome insurance, or any combinationthereof; liability insurance, includinggeneral liability insurance andautomobile liability insurance; andworkers’ compensation or similarinsurance.

However, the other excepted benefitsas defined in section 2971(c)(2) of thePHS Act, 42 U.S.C. 300gg–91(c)(2), suchas limited scope dental or visionbenefits, not explicitly excepted fromthe regulation could be considered‘‘health plans’’ under paragraph (1)(xvii)of the definition of ‘‘health plan’’ in thefinal rule if and to the extent that theymeet the criteria for the definition of‘‘health plan.’’ Such plans, unlike theprograms and plans listed at section2971(c)(1), directly and exclusivelyprovide health insurance, even iflimited in scope.

Comment: One commenterrecommended that the Secretary clarifythat ‘‘health plan’’ does not includeproperty and casualty benefit providers.The commenter stated that the clarifyinglanguage is needed given the ‘‘catchall’’category of entities defined as ‘‘anyother individual plan or group healthplan, or combination thereof, that



provides or pays for the cost of medicalcare,’’ and asserted that absentclarification there could be seriousconfusion as to whether property andcasualty benefit providers are ‘‘healthplans’’ under the rule.

Response: We agree and as describedabove have added language to the finalrule to clarify that the ‘‘exceptedbenefits’’ as defined under 42 U.S.C.300gg–91(c)(1), which includes liabilityprograms such as property and casualtybenefit providers, are not health plansfor the purposes of this rule.

Comment: Some commentersrecommended that the Secretary replacethe term ‘‘medical care’’ with ‘‘healthcare.’’ It was observed that ‘‘health care’’was defined in the proposal, and thatthis definition was used to define whata health care provider does. However,they observed that the definition of‘‘health plan’’ refers to the provision ofor payment for ‘‘medical care,’’ which isnot defined. Another commenterrecommended that HHS add theparenthetical phrase ‘‘as such term isdefined in section 2791 of the PublicHealth Service Act’’ after the phrase‘‘medical care.’’

Response: We disagree with the firstrecommendation. We understand thatthe term ‘‘medical care’’ can be easilyconfused with the term ‘‘health care.’’However, the two terms are notsynonymous. The term ‘‘medical care’’is a statutorily defined term and its useis critical in making a determination asto whether a health plan is considereda ‘‘health plan’’ for purposes ofadministrative simplification. Inaddition, since the term ‘‘medical care’’is used in the regulation only in thecontext of the definition of ‘‘healthplan’’ and we believe that its inclusionin the regulatory text may causeconfusion, we did not add a definitionof ‘‘medical care’’ in the final rule.However, consistent with the secondrecommendation above, the statutorycite for ‘‘medical care’’ was added to thedefinition of ‘‘health plan’’ in theTransactions Rule, and thus is reflectedin this final rule.

Comment: A number of commentersurged that the Secretary define morenarrowly what characteristics wouldmake a government program that paysfor specific health care services a‘‘health plan.’’ Commenters argued thatthere are many ‘‘payment’’ programsthat should not be included, asdiscussed below, and that if nodistinctions were made, ‘‘health plan’’would mean the same as ‘‘purchaser’’ oreven ‘‘payor.’’

Commenters asserted that there are anumber of state programs that pay for‘‘health care’’ (as defined in the rule) but

that are not health plans. They said thatexamples include the WIC program(Special Supplemental NutritionProgram for Women, Infants, andChildren) which pays for nutritionalassessment and counseling, among otherservices; the AIDS Client ServicesProgram (including AIDS prescriptiondrug payment) under the federal RyanWhite Care Act and state law; thedistribution of federal family planningfunds under Title X of the Public HealthServices Act; and the breast and cervicalhealth program which pays for cancerscreening in targeted populations.Commenters argued that these are notinsurance plans and do not fall withinthe ‘‘health plan’’ definition’s list ofexamples, all of which are eitherinsurance or broad-scope programs ofcare under a contract or statutoryentitlement. However, paragraph (16) inthat list opens the door to broaderinterpretation through the catchallphrase, ‘‘any other individual or groupplan that provides or pays for the costof medical care.’’ Commenters assertthat clarification is needed.

A few commenters stated that otherstate agencies often work in partnershipwith the state Medicaid program toimplement certain Medicaid benefits,such as maternity support services andprenatal genetics screening. Theyconcluded that while this probablymakes parts of the agency the ‘‘businesspartner’’ of a covered entity, they wereuncertain whether it also makes thesame agency parts a ‘‘health plan’’ aswell.

Response: We agree with thecommenters that clarification is neededas to the rule’s application togovernment programs that pay forhealth care services. Accordingly, in thefinal rule we have excepted from thedefinition of ‘‘health plan’’ agovernment funded program which doesnot have as its principal purpose theprovision of, or payment for, the cost ofhealth care or which has as its principalpurpose the provision, either directly orby grant, of health care. For example,the principal purpose of the WICprogram is not to provide or pay for thecost of health care, and thus, the WICprogram is not a health plan forpurposes of this rule. The program ofhealth care services for individualsdetained by the INS provides healthcare directly, and so is not a health plan.Similarly, the family planning programauthorized by Title X of the PublicHealth Service Act pays for careexclusively through grants, and so is nota health plan under this rule. Theseprograms (the grantees under the Title Xprogram) may be or include health care

providers and may be covered entities ifthey conduct standard transactions.

We further clarify that, where a publicprogram meets the definition of ‘‘healthplan,’’ the government agency thatadministers the program is the coveredentity. Where two agencies administer aprogram jointly, they are both a healthplan. For example, both the Health CareFinancing Administration and theinsurers that offers a Medicare+Choiceplan are ‘‘health plans’’ with respect toMedicare beneficiaries. An agency thatdoes not administer a program butwhich provides services for such aprogram is not a covered entity by virtueof providing such services. Whether anagency providing services is a businessassociate of the covered entity dependson whether its functions for the coveredentity meet the definition of businessassociate in § 164.501 and, in theexample described by this comment, inparticular on whether the arrangementfalls into the exception in§ 164.504(e)(1)(ii)(C) for governmentagencies that collect eligibility orenrollment information for coveredgovernment programs.

Comment: Some commentersexpressed support for retaining thecategory in paragraph (16) of theproposal’s definition: ‘‘Any otherindividual or group health plan, orcombination thereof, that provides orpays for the cost of medical care.’’Others asked that the Secretary clarifythis category. One commenter urged thatthe final rule clearly define which planswould meet the criteria for this category.

Response: As described in theproposed rule, this category implementsthe language at the beginning of thestatutory definition of the term ‘‘healthplan’’: ‘‘The term ‘health plan’ means anindividual or group plan that provides,or pays the cost of, medical care * * *Such term includes the following, andany combination thereof * * *’’ Thisstatutory language is general, notspecific, and as such, we are leaving itgeneral in the final rule. However, asdescribed above, we add explicitlanguage which excludes certain‘‘excepted benefits’’ from the definitionof ‘‘health plan’’ in an effort to clarifywhich plans are not health plans for thepurposes of this rule. Therefore, to theextent that a certain benefits plan orprogram otherwise meets the definitionof ‘‘health plan’’ and is not explicitlyexcepted, that program or plan isconsidered a ‘‘health plan’’ underparagraph (1)(xvii) of the final rule.

Comment: A commenter explainedthat HIPAA defines a group health planby expressly cross-referencing thestatutory sections in the PHS Act andthe Employee Retirement Income



Security Act of 1974 (ERISA), 29 U.S.C.1001, et seq., which define the terms‘‘group health plan,’’ ‘‘employee welfarebenefit plan’’ and ‘‘participant.’’ See 29U.S.C. 1002(l) (definition of ‘‘employeewelfare benefit plan,’’ which is the coreof the definition of group health planunder both ERISA and the PHS Act); 29U.S.C. 100217) (definition ofparticipant); 29 U.S.C. 1193(a)(definition of ‘‘group health plan,’’which is identical to that in section2791(a) of the PHS Act).

It was pointed out that the preambleand the text of the proposed rule bothlimit the definition of all three terms totheir current definitions. Thecommenter reasoned that since theERISA definitions may change over timethrough statutory amendment,Department of Labor regulations orjudicial interpretation, it would not beclear what point in time is to beconsidered current. Therefore, theysuggested deleting references to‘‘current’’ or ‘‘currently’’ in thepreamble and in the regulation withrespect to these three ERISA definitions.

In addition, the commenter stated thatas the preamble to the NPRM correctlyreflected, HIPAA expressly cross-references ERISA’s definition of‘‘participant’’ in section 3(7) of ERISA,29 U.S.C. 1002(7). 42 U.S.C.1320d(5)(A). The text of the privacyregulation, however, omits this cross-reference. It was suggested that thereference to section 3(7) of ERISA,defining ‘‘participant,’’ be included inthe regulation.

Finally, HIPAA incorporates thedefinition of a group health plan as setforth in section 2791(a) of the PHS Act,42 U.S.C. 300gg–91(a)(l). That definitionrefers to the provision of medical care‘‘directly or through insurance,reimbursement, or otherwise.’’ Theword ‘‘reimbursement’’ is omitted inboth the preamble and the text of theregulation; the commenter suggestedrestoring it to both.

Response: We agree. These changeswere made to the definition of ‘‘healthplan’’ as promulgated in theTransactions Rule, and are reflected inthis final rule.

Small Health PlanComment: One commenter

recommended that we delete thereference to $5 million in the definitionand instead define a ‘‘small health plan’’as a health plan with fewer than 50participants. It was stated that using adollar limitation to define a ‘‘smallhealth plan’’ is not meaningful for self-insured plans and some other types ofhealth plan coverage arrangements. Acommenter pointed out that the general

definition of a health plan refers to ‘‘50or more participants,’’ and that using adollar factor to define a ‘‘small healthplan’’ would be inconsistent with thisdefinition.

Response: We disagree. The SmallBusiness Administration (SBA)promulgates size standards that indicatethe maximum number of employees orannual receipts allowed for a concern(13 CFR 121.105) and its affiliates to beconsidered ‘‘small.’’ The size standardsthemselves are expressed either innumber of employees or annual receipts(13 CFR 121.201). The size standards forcompliance with programs of otheragencies are those for SBA programswhich are most comparable to theprograms of such other agencies, unlessotherwise agreed by the agency and theSBA (13 CFR 121.902). With respect tothe insurance industry, the SBA hasspecified that annual receipts of $5million is the maximum allowed for aconcern and its affiliates to beconsidered small (13 CFR 121.201).Consequently, we retain the proposal’sdefinition in the final rule to beconsistent with SBA requirements.

We understand there may be someconfusion as to the meaning of ‘‘annualreceipts’’ when applied to a health plan.For our purposes, therefore, we consider‘‘pure premiums’’ to be equivalent to‘‘annual receipts.’’

Workforce

Comment: Some commentersrequested that we exclude ‘‘volunteers’’from the definition of workforce. Theystated that volunteers are importantcontributors within many coveredentities, and in particular hospitals.They argued that it was unfair to askthat these people donate their time andat the same time subject them to thepenalties placed upon the paidemployees by these regulations, and thatit would discourage people fromvolunteering in the health care setting.

Response: We disagree. We believethat differentiating those persons underthe direct control of a covered entitywho are paid from those who are not isirrelevant for the purposes of protectingthe privacy of health information, andfor a covered entity’s management of itsworkforce. In either case, the person isworking for the covered entity. Withregard to implications for theindividual, persons in a covered entity’sworkforce are not held personally liablefor violating the standards orrequirements of the final rule. Rather,the Secretary has the authority toimpose civil monetary penalties and insome cases criminal penalties for suchviolations on only the covered entity.

Comment: One commenter asked thatthe rule clarify that employeesadministering a group health or otheremployee welfare benefit plan on theiremployers’ behalf are considered part ofthe covered entity’s workforce.

Response: As long as the employeeshave been identified by the group healthplan in plan documents as performingfunctions related to the group healthplan (consistent with the requirementsof § 164.504(f)), those employees mayhave access to protected healthinformation. However, they are notpermitted to use or disclose protectedhealth information for employment-related purposes or in connection withany other employee benefit plan oremployee benefit of the plan sponsor.

Part 160—Subpart B—Preemption ofState Law

We summarize and respond below tocomments received in the Transactionsrulemaking on the issue of preemption,as well as those received on this topicin the Privacy rulemaking. Because noprocess was proposed in theTransactions rulemaking for grantingexceptions under section 1178(a)(2)(A),a process for making exceptiondeterminations was not adopted in theTransactions Rule. Instead, since aprocess for making exceptiondeterminations was proposed in thePrivacy rulemaking, we decided that thecomments received in the Transactionsrulemaking should be considered andaddressed in conjunction with thecomments received on the processproposed in the Privacy rulemaking. See65 FR 50318 for a fuller discussion.Accordingly, we discuss the preemptioncomments received in the Transactionsrulemaking where relevant below.

Comment: The majority of commentson preemption addressed the subject ingeneral terms. Numerous comments,particularly from plans and providers,argued that the proposed preemptionprovisions were burdensome,ineffective, or insufficient, and thatcomplete federal preemption of the‘‘patchwork’’ of state privacy laws isneeded. They also argued that theproposed preemption provisions arelikely to invite litigation. Variouspractical arguments in support of thisposition were made. Some of thesecomments recognized that theSecretary’s authority under section 1178of the Act is limited and acknowledgedthat the Secretary’s proposals werewithin her statutory authority. Onecommenter suggested that the exceptiondetermination process would result in avery costly and laborious andsometimes inconsistent analysis of theoccasions in which state law would



survive federal preemption, and thussuggested the final privacy regulationspreempt state law with only limitedexceptions, such as reporting childabuse. Many other comments, however,recommended changing the proposedpreemption provisions to preempt stateprivacy laws on as blanket a basis aspossible.

One comment argued that theassumption that more stringent privacylaws are better is not necessarily true,citing a 1999 GAO report findingevidence that the stringent stateconfidentiality laws of Minnesota haltedthe collection of comparativeinformation on health care quality.

Several comments in this vein werealso received in the Transactionsrulemaking. The majority of thesecomments took the position thatexceptions to the federal standardsshould either be prohibited ordiscouraged. It was argued that grantingexceptions to the standards, particularlythe transactions standards, would beinconsistent with the statute’s objectiveof promoting administrativesimplification through the use ofuniform transactions.

Many other commenters, however,endorsed the ‘‘federal floor’’ approach ofthe proposed rules. (These commentswere made in the context of theproposed privacy regulations.) Thesecomments argued that this approachwas preferable because it would notimpair the effectiveness of state privacylaws that are more protective of privacy,while raising the protection affordedmedical information in states that donot enact laws that are as protective asthe rules below. Some commentsargued, however, that the rules shouldgive even more deference to state law,questioning in particular the definitionsand the proposed addition to the ‘‘otherpurposes’’ criterion for exceptiondeterminations in this regard.

Response: With respect to theexception process provided for bysection 1178(a)(2)(A), the contentionthat the HIPAA standards shoulduniformly control is an argument thatshould be addressed to the Congress,not this agency. Section 1178 of the Actexpressly gives the Secretary authorityto grant exceptions to the general rulethat the HIPAA standards preemptcontrary state law in the circumstancesshe determines come within theprovisions at section 1178(a)(2)(A). Weagree that the underlying statutory goalof standardizing financial andadministrative health care transactionsdictates that exceptions should begranted only on narrow grounds.Nonetheless, Congress clearly intendedto accommodate some state laws in

these areas, and the Department is notfree to disregard this Congressionalchoice. As is more fully explainedbelow, we have interpreted the statutorycriteria for exceptions under section1178(a)(2)(A) to balance the need forrelative uniformity with respect to theHIPAA standards with state needs to setcertain policies in the statutorilydefined areas.

The situation is different with respectto state laws relating to the privacy ofprotected health information. Many ofthe comments arguing for uniformstandards were particularly concernedwith discrepancies between the federalprivacy standards and various stateprivacy requirements. Unlike thesituation with respect to thetransactions standards, where stateshave generally not entered the field, allstates regulate the privacy of somemedical information to a greater orlesser extent. Thus, we understand theprivate sector’s concern at having toreconcile differing state and federalprivacy requirements.

This is, however, likewise an areawhere the policy choice has been madeby Congress. Under section1178(a)(2)(B) of the Act and section264(c)(2) of HIPAA, provisions of stateprivacy laws that are contrary to andmore stringent than the correspondingfederal standard, requirement, orimplementation specification are notpreempted. The effect of theseprovisions is to let the law that is mostprotective of privacy control (the‘‘federal floor’’ approach referred to bymany commenters), and this policychoice is one with which we agree.Thus, the statute makes it impossible forthe Secretary to accommodate therequests to establish uniformlycontrolling federal privacy standards,even if doing so were viewed asdesirable.

Comment: Numerous commentsstated support for the proposal atproposed Subpart B to issue advisoryopinions with respect to the preemptionof state laws relating to the privacy ofindividually identifiable healthinformation. A number of thesecomments appeared to assume that theSecretary’s advisory opinions would bedispositive of the issue of whether ornot a state law was preempted. Many ofthese commenters suggested what theysaw as improvements to the proposedprocess, but supported the proposal tohave the Department undertake thisfunction.

Response: Despite the general supportfor the advisory opinion proposal, wedecided not to provide specifically forthe issuance of such opinions. Thefollowing considerations led to this

decision. First, the assumption bycommenters that an advisory opinionwould establish what law applied in agiven situation and thereby simplify thetask of ascertaining what legalrequirements apply to a covered entityor entities is incorrect. Any suchopinion would be advisory only.Although an advisory opinion issued bythe Department would indicate tocovered entities how the Departmentwould resolve the legal conflict inquestion and would apply the law indetermining compliance, it would notbind the courts. While we assume thatmost courts would give such opinionsdeference, the outcome could not beguaranteed.

Second, the thousands of questionsraised in the public comment about theinterpretation, implications, andconsequences of all of the proposedregulatory provisions have led us toconclude that significant advice andtechnical assistance about all of theregulatory requirements will have to beprovided on an ongoing basis. Werecognize that the preemption concernsthat would have been addressed by theproposed advisory opinions were likelyto be substantial. However, there is noreason to assume that they will be themost substantial or urgent of thequestions that will most likely need tobe addressed. It is our intent to provideas much technical advice and assistanceto the regulated community as we canwith the resources available. Ourconcern is that setting up an advisoryopinion process for just one of the manytypes of issues that will have to beaddressed will lead to a non-optimalallocation of those resources. Uponcareful consideration, therefore, wehave decided that we will be better ableto prioritize our workload and be betterable to be responsive to the most urgentand substantial questions raised to theDepartment, if we do not provide for aformal advisory opinion process onpreemption as proposed.

Comment: A few commenters arguedthat the Privacy Rule should preemptstate laws that would impose morestringent privacy requirements for theconduct of clinical trials. Onecommenter asserted that the existingfederal regulations and guidelines forpatient informed consent, together withthe proposed rule, would adequatelyprotect patient privacy.

Response: The Department does nothave the statutory authority underHIPAA to preempt state laws that wouldimpose more stringent privacyrequirements on covered entities.HIPAA provides that the rulepromulgated by the Secretary may notpreempt state laws that are in conflict



with the regulatory requirements andthat provide greater privacy protections.

Section 160.201—Applicability

Comment: Several commentersindicated that the guidance provided bythe definitions at proposed § 160.202would be of substantial benefit both toregulated entities and to the public.However, these commenters argued thatthe applicability of such definitionswould be too limited as drafted, sinceproposed § 160.201 provided that thedefinitions applied only to‘‘determinations and advisory opinionsissued by the Secretary pursuant to 42U.S.C. 1320d–7.’’ The commentersstated that it would be far more helpfulto make the definitions in proposed§ 160.202 more broadly applicable, toprovide general guidance on the issue ofpreemption.

Response: We agree with thecomments on this issue, and haverevised the applicability provision ofsubpart B below accordingly. Section160.201 below sets out that Subpart Bimplements section 1178. This means,in our view, that the definitions of thestatutory terms at § 160.202 arelegislative rules that apply when thosestatutory terms are employed, whetherby HHS, covered entities, or the courts.


Contrary

Comment: Some commenters assertedthat term ‘‘contrary’’ as defined at§ 160.202 was overly broad and that itsapplication would be time-consumingand confusing for states. Thesecommenters argued that, under theproposed definition, a state would berequired to examine all of its lawsrelating to health information privacy inorder to determine whether or not itslaw were contrary to the requirementsproposed. It was also suggested that thedefinition contain examples of how itwould work in practical terms.

A few commenters, however, arguedthat the definition of ‘‘contrary’’ asproposed was too narrow. Onecommenter argued that the Secretaryerred in her assessment of the case lawanalyzing what is known as ‘‘conflictpreemption’’ and which is set forth inshorthand in the tests set out at§ 160.202.

Response: We believe that thedefinition proposed represents a policythat is as clear as is feasible and whichcan be applied nationally anduniformly. As was noted in thepreamble to the proposed rules (at 64 FR59997), the tests in the proposeddefinition of ‘‘contrary’’ are adoptedfrom the jurisprudence of ‘‘conflict

preemption.’’ Since preemption is ajudicially developed doctrine, it isreasonable to interpret this term asindicating that the statutory analysisshould tie in to the analyticalformulations employed by the courts.Also, while the court-developed testsmay not be as clear as commenterswould like, they represent a long-term,thoughtful consideration of the problemof defining when a state/federal conflictexists. They will also, we assume,generally be employed by the courtswhen conflict issues arise under therules below. We thus see no practicalalternative to the proposed definitionand have retained it unchanged. Withrespect to various suggestions forshorthand versions of the proposedtests, such as the arguably broader term‘‘inconsistent with,’’ we see nooperational advantages to such terms.

Comment: One comment asked thatthe Department clarify that if state lawis not preempted, then the federal lawwould not also apply.

Response: This comment raises twoissues, both of which deservediscussion. First, a state law may not bepreempted because there is no conflictwith the analogous federal requirement;in such a situation, both laws can, andmust, be complied with. We thus do notaccept this suggestion, to the extent thatit suggests that the federal law wouldgive way in this situation. Second, astate law may also not be preemptedbecause it comes within section1178(a)(2)(B), section 1178(b), or section1178(c); in this situation, a contraryfederal law would give way.

Comment: One comment urged theDepartment to take the position thatwhere state law exists and no analogousfederal requirement exists, the staterequirement would not be ‘‘contrary to’’the federal requirement and wouldtherefore not trigger preemption.

Response: We agree with thiscomment.

Comment: One commenter criticizedthe definition as unhelpful in the multi-state transaction context. For example, itwas asked whether the issue of whethera state law was ‘‘contrary to’’ should bedetermined by the law of the statewhere the treatment is provided, wherethe claim processor is located, wherethe payment is issued, or the datamaintained, assuming all are in differentstates.

Response: This is a choice of lawissue, and, as is discussed more fullybelow, is a determination that isroutinely made today in connectionwith multi-state transactions. Seediscussion below under ExceptionDeterminations (Criteria for ExceptionDeterminations).

State Law

Comment: Comments noted that thedefinition of ‘‘state law’’ does notexplicitly include common law andrecommended that it be revised to do soor to clarify that the term includesevidentiary privileges recognized atstate law. Guidance concerning theimpact of state privileges was alsorequested.

Response: As requested, we clarifythat the definition of ‘‘state law’’includes common law by including theterm ‘‘common law.’’ In our view, thisphrase encompasses evidentiaryprivileges recognized at state law(which may also, we note, be embodiedin state statutes).

Comment: One comment criticizedthis definition as unwieldy, in thatlocating state laws pertaining to privacyis likely to be difficult. It was noted thatFlorida, for example, has more than 60statutes that address health privacy.

Response: To the extent that statelaws currently apply to covered entities,they have presumably determined whatthose laws require in order to complywith them. Thus, while determiningwhich laws are ‘‘contrary’’ to the federalrequirements will require additionalwork in terms of comparing state lawwith the federal requirements, entitiesshould already have acquired theknowledge of state law needed for thistask in the ordinary course of doingbusiness.

Comment: The New York CityDepartment of Health noted that inmany cases, provisions of New YorkState law are inapplicable within NewYork City, because the state legislaturehas recognized that the local code istailored to the particular needs of theCity. It urged that the New York CityCode be treated as state law, forpreemption purposes.

Response: We agree that, to the extenta state treats local law as substituting forstate law it could be considered to be‘‘state law’’ for purposes of thisdefinition. If, however, a local law islocal in scope and effect, and a tier ofstate law exists over the same subjectmatter, we do not think that the locallaw could or should be treated as ‘‘statelaw’’ for preemption purposes. We donot have sufficient information to assessthe situation raised by this commentwith respect to this principle, and soexpress no opinion thereon.

More Stringent

Comment: Many commenterssupported the policy in the proposeddefinition of ‘‘individual’’ at proposed§ 164.502, which would have permittedunemancipated minors to exercise, on



their own behalf, rights granted toindividuals in cases where theyconsented to the underlying health care.Commenters stated, however, that theproposed preemption provision wouldleave in place state laws authorizing orprohibiting disclosure to parents of theprotected health information of theirminor children and would negate theproposed policy for the treatment ofminors under the rule. The commentsstated that such state laws should betreated like other state laws, andpreempted to the extent that they areless protective of the privacy of minors.

Other commenters supported theproposed preemption provision—not topreempt a state law to the extent itauthorizes or prohibits disclosure ofprotected health information regarding aminor to a parent.

Response: Laws regarding access tohealth care for minors andconfidentiality of their medical recordsvary widely; this regulation recognizesand respects the current diversity ofstate law in this area. Where states haveconsidered the balance involved inprotecting the confidentiality of minors’health information and have explicitlyacted, for example, to authorizedisclosure, defer the decision to discloseto the discretion of the health careprovider, or prohibit disclosure ofminor’s protected health information toa parent, the rule defers to thesedecisions to the extent that they regulatesuch disclosures.

Comment: The proposed definition of‘‘more stringent’’ was criticized asaffording too much latitude to forgranting exceptions for state laws thatare not protective of privacy. It wassuggested that the test should be ‘‘mostprotective of the individual’s privacy.’’

Response: We considered adoptingthis test. However, for the reasons setout at 64 FR 59997, we concluded thatthis test would not provide sufficientguidance. The comments did notaddress the concerns we raised in thisregard in the preamble to the proposedrules, and we continue to believe thatthey are valid.

Comment: A drug company expressedconcern with what it saw as theexpansive definition of this term,arguing that state governments mayhave less experience with the specialneeds of researchers than federalagencies and may unknowingly adoptlaws that have a deleterious effect onresearch. A provider group expressedconcern that allowing stronger statelaws to prevail could result indiminished ability to get enoughpatients to complete high qualityclinical trials.

Response: These concerns arefundamentally addressed to the ‘‘federalfloor’’ approach of the statute, not to thedefinition proposed: even if thedefinition of ‘‘more stringent’’ werenarrowed, these concerns would stillexist. As discussed above, since the‘‘federal floor’’ approach is statutory, itis not within the Secretary’s authority tochange the dynamics that are ofconcern.

Comment: One comment stated thatthe proposed rule seemed to indicatethat the ‘‘more stringent’’ and ‘‘contraryto’’ definitions implied that thesestandards would apply to ERISA plansas well as to non-ERISA plans.

Response: The concern underlyingthis comment is that ERISA plans,which are not now subject to certainstate laws because of the ‘‘field’’preemption provision of ERISA butwhich are subject to the rules below,will become subject to state privacylaws that are ‘‘more stringent’’ than thefederal requirements, due to theoperation of section 1178(a)(2)(B),together with section 264(c)(2). Wedisagree that this is the case. While thecourts will have the final say on thesequestions, it is our view that thesesections simply leave in place morestringent state laws that wouldotherwise apply; to the extent that suchstate laws do not apply to ERISA plansbecause they are preempted by ERISA,we do not think that section 264(c)(2)overcomes the preemption effected bysection 514(a) of ERISA. For morediscussion of this point, see 64 FR60001.

Comment: The Lieutenant Governor’sOffice of the State of Hawaii requesteda blanket exemption for Hawaii from thefederal rules, on the ground that itsrecently enacted comprehensive healthprivacy law is, as a whole, morestringent than the proposed federalstandards. It was suggested that, forexample, special weight should be givento the severity of Hawaii’s penalties. Itwas suggested that a new definition(‘‘comprehensive’’) be added, and that‘‘more stringent’’ be defined in thatcontext as whether the state act or codeas a whole provides greater protection.

An advocacy group in Vermontargued that the Vermont legislature waspoised to enact stronger and morecomprehensive privacy laws and statedthat the group would resent a federalprohibition on that.

Response: The premise of thesecomments appears to be that theprovision-by-provision approach ofSubpart B, which is expressed in thedefinition of the term ‘‘contrary’’, iswrong. As we explained in the preambleto the proposed rules (at 64 FR 59995),

however, the statute dictates aprovision-by-provision comparison ofstate and federal requirements, not theoverall comparison suggested by thesecomments. We also note that theapproach suggested would bepractically and analytically problematic,in that it would be extremely difficult,if not impossible, to determine what isa legitimate stopping point for theprovisions to be weighed on either thestate side or the federal side of the scalein determining which set of laws wasthe ‘‘more stringent.’’ We accordingly donot accept the approach suggested bythese comments.

With respect to the comment of theVermont group, nothing in the rulesbelow prohibits or places any limits onstates enacting stronger or morecomprehensive privacy laws. To theextent that states enact privacy laws thatare stronger or more comprehensivethan contrary federal requirements, theywill presumably not be preemptedunder section 1178(a)(2)(B). To theextent that such state laws are notcontrary to the federal requirements,they will act as an overlay on the federalrequirements and will have effect.

Comment: One comment raised theissue of whether a private right of actionis a greater penalty, since the proposedfederal rule has no comparable remedy.

Response: We have reconsidered theproposed ‘‘penalty’’ provision of theproposed definition of ‘‘more stringent’’and have eliminated it. The HIPAAstatute provides for only two types ofpenalties: fines and imprisonment. Bothtypes of penalties could be imposed inaddition to the same type of penaltyimposed by a state law, and should notinterfere with the imposition of othertypes of penalties that may be availableunder state law. Thus, we think it isunlikely that there would be a conflictbetween state and federal law in thisrespect, so that the proposed criterion isunnecessary and confusing. In addition,the fact that a state law allows anindividual to file a lawsuit to protectprivacy does not conflict with theHIPAA penalty provisions.

Relates to the Privacy of IndividuallyIdentifiable Health Information

Comment: One comment criticizedthe definition of this term as too narrowin scope and too uncertain. Thecommenter argued that determining thespecific purpose of a state law may bedifficult and speculative, because manystate laws have incomplete,inaccessible, or non-existent legislativehistories. It was suggested that thedefinition be revised by deleting theword ‘‘specific’’ before the word‘‘purpose.’’ Another commenter argued



that the definition of this term should benarrowed to minimize reversepreemption by more stringent statelaws. One commenter generallysupported the proposed definition ofthis term.

Response: We are not accepting thefirst comment. The purpose of a givenstate enactment should be ascertainable,if not from legislative history or apurpose statement, then from the statuteviewed as a whole. The same should betrue of state regulations or rulings. Inany event, it seems appropriate torestrict the field of state laws that maypotentially trump the federal standardsto those that are clearly intended toestablish state public policy and operatein the same area as the federalstandards. To the extent that thedefinition in the rules below does this,we have accommodated the secondcomment. We note, however, that we donot agree that the definition should befurther restricted to minimize ‘‘reversepreemption,’’ as suggested by thiscomment, as we believe that state lawsthat are more protective of privacy thancontrary federal standards shouldremain, in order to ensure that theprivacy of individuals’ healthinformation receives the maximum legalprotection available.

Sections 160.203 and 160.204—Exception Determinations and AdvisoryOpinions

Most of the comments received onproposed Subpart B lumped together theproposed process for exceptiondeterminations under section1178(a)(2)(A) with the proposed processfor issuing advisory opinions undersection 1178(a)(2)(B), either because thesubstance of the comment applied toboth processes or because thecommenters did not draw a distinctionbetween the two processes. We addressthese general comments in this section.

Comment: Numerous commenters,particularly providers and providergroups, recommended that exceptiondeterminations and advisory opinionsnot be limited to states and advocatedallowing all covered entities (includingindividuals, providers and insurers), orprivate sector organizations, to requestdeterminations and opinions withrespect to preemption of state laws.Several commenters argued that limitingrequests to states would deny thirdparty stakeholders, such as life anddisability income insurers, any means ofresolving complex questions as to whatrule they are subject to. One commenternoted that because it is an insurer whowill be liable if it incorrectly analyzesthe interplay between laws and reachesan incorrect conclusion, there would be

little incentive for the states to requestclarification. It would also cause largeadministrative burdens which, it wasstated, would be costly and confusing.It was also suggested that the request forthe exception be made to the applicablestate’s attorney general or chief legalofficer, as well as the Secretary. Variouschanges to the language were suggested,such as adding that ‘‘a covered entity, orany other entity impacted by this rule’’be allowed to submit the writtenrequest.

Response: We agree, and havechanged § 164.204(a) below accordingly.

The decision to eliminate advisoryopinions makes this issue moot withrespect to those opinions.

Comment: Several commenters notedthat it was unclear under the proposedrule which state officials would beauthorized to request a determination.

Response: We agree that the proposedrule was unclear in this respect. Thefinal rule clarifies who may make therequest for a state, with respect toexception determinations. See,§ 160.204(a). The language adoptedshould ensure that the Secretaryreceives an authoritative statement fromthe state. At the same time, thislanguage provides states with flexibility,in that the governor or other chiefelected official may choose to designateother state officials to make suchrequests.

Comment: Many commentersrecommended that a process beestablished whereby HHS performs aninitial state-by-state critical analysis toprovide guidance on which state lawswill not be preempted; most suggestedthat such an analysis (alternativelyreferred to as a database orclearinghouse) should be completedbefore providers would be required tocome into compliance. Many of thesecomments argued that the Secretaryshould bear the cost for the analyses ofstate law, disagreeing with the premisestated in the preamble to the proposedrules that it is more efficient for theprivate market to complete the state-by-state review. Several comments alsorequested that HHS continue tomaintain and monitor the exceptiondetermination process, and update thedatabase over time in order to provideguidance and certainty on theinteraction of the federal rules withnewly enacted or amended state lawsthat are produced after the final rule.Some comments recommended thateach state be required to certifyagreement with the HHS analyses.

In contrast, one hospital associationnoted concerns that the Secretary wouldconduct a nationwide analysis of statelaws. The comment stated that

implementation would be difficult sincemuch of the law is a product of commonlaw, and such state-specific researchshould only be attempted byexperienced health care attorneys ineach jurisdiction.

Response: These comments seem tobe principally concerned with potentialconflicts between state privacy laws andthe privacy standards, because, as ismore fully explained below, preemptionof contrary state laws not relating toprivacy is automatic unless theSecretary affirmatively acts undersection 1178(a)(2)(A) to grant anexception. We recognize that theprovisions of sections 1178(b) (statepublic health laws), and 1178(c) (stateregulation of health plans) similarlypreserve state laws in those areas, butvery little of the public commentappeared to be concerned with theselatter statutory provisions. Accordingly,we respond below to what we see as thecommenters’ main concern.

The Department will not do the kindof global analysis requested by many ofthese comments. What these commentsare in effect seeking is a global advisoryopinion as to when the federal privacystandards will control and when theywill not. We understand the desire forcertainty underlying these comments.Nonetheless, the reasons set out aboveas the basis for our decision not toestablish a formal advisory opinionprocess apply equally to these requests.We also do not agree that the task ofevaluating the requirements below inlight of existing state law is undulyburdensome or unreasonable. Rather, itis common for new federal requirementsto necessitate an examination by theregulated entities of the interactionbetween existing state law and thefederal requirements incident to cominginto compliance.

We agree, however, that the case isdifferent where the Secretary hasaffirmatively acted, either throughgranting an exception under section1178(a)(2)(A) or by making a specificdetermination about the effect of aparticular state privacy law in, forexample, the course of determining anentity’s compliance with the privacystandards. As is discussed below, theDepartment intends to make notice ofexception determinations that it makesroutinely available.

We do not agree with the commentssuggesting that compliance by coveredentities be delayed pending completionof an analysis by the Secretary and thatstates be required to certify agreementwith the Secretary’s analysis, as we arenot institutionalizing the advisoryopinion/analysis process upon whichthese comments are predicated.



Furthermore, with respect to thesuggestion regarding delaying thecompliance date, Congress provided insection 1175(b) of the Act for a delay inwhen compliance is required toaccommodate the needs of coveredentities to address implementationissues such as those raised by thesecomments. With respect to thesuggestion regarding requiring states tocertify their agreement with theSecretary’s analysis, we have noauthority to do this.

Comment: Several commenterscriticized the proposed provision forannual publication of determinationsand advisory opinions in the FederalRegister as inadequate. They suggestedthat more frequent notices should bemade and the regulation be changedaccordingly, to provide for publicationeither quarterly or within a few days ofa determination. A few commenterssuggested that any determinationsmade, or opinions issued, by theSecretary be published on theDepartment’s website within 10 days ora few days of the determination oropinion.

Response: We agree that the proposedprovision for annual publication wasinadequate and have accordinglydeleted it. Subpart B contains noexpress requirement for publication, asthe Department is free to publish itsdeterminations absent such arequirement. It is our intention topublish notice of exceptiondeterminations on a periodic basis inthe Federal Register. We will alsoconsider other avenues of making suchdecisions publicly available as we moveinto the implementation process.

Comment: A few commenters arguedthat the process for obtaining anexception determination or an advisoryopinion from the Secretary will result ina period of time in which there isconfusion as to whether state or federallaw applies. The proposed regulationssay that the federal provisions willremain effective until the Secretarymakes a determination concerning thepreemption issue. This means that, forexample, a state law that was enactedand enforced for many years will bepreempted by federal law for the periodof time during which it takes theSecretary to make a determination. Thenif the Secretary determines that the statelaw is not preempted, the state law willagain become effective. Such situationswill result in confusion and unintendedviolations of the law. One of thecommenters suggested that requests forexceptions be required only when achallenge is brought against a particularstate law, and that a presumption ofvalidity should lie with state laws.

Another commenter, however, urgedthat ‘‘instead of the presumption ofpreemption, the state laws in questionwould be presumed to be subject to theexception unless or until the Secretarymakes a determination to the contrary.’’

Response: It is true that the effect ofsection 1178(a)(2)(A) is that the federalstandards will preempt contrary statelaw and that such preemption will notbe removed unless and until theSecretary acts to grant an exceptionunder that section (assuming, of course,that another provision of section 1178does not apply). We do not agree,however, that confusion should result,where the issue is whether a given statelaw has been preempted under section1178(a)(2)(A). Because preemption isautomatic with respect to state laws thatdo not come within the other provisionsof section 1178 (i.e., sections1178(a)(2)(B), 1178(b), and 1178(c)),such state laws are preempted until theSecretary affirmatively acts to preservethem from preemption by granting anexception under section 1178(a)(2)(A).

We cannot accept the suggestion thata presumption of validity attach to statelaws, and that states not be required torequest exceptions except in verynarrow circumstances. The statutoryscheme is the opposite: The statuteeffects preemption in the section1178(a)(2)(A) context unless theSecretary affirmatively acts to except thecontrary state law in question.

With respect to preemption undersections 1178(b) and 1178(c) (the carve-outs for state public health laws andstate regulation of health plans), we donot agree that preemption is likely to bea major cause of uncertainty. We havedeferred to Congressional intent bycrafting the permissible releases forpublic health, abuse, and oversightbroadly. See, §§ 164.512(b)—(d) below.Since there must first be a conflictbetween a state law and a federalrequirement in order for an issue ofpreemption to even arise, we think that,as a practical matter, few preemptionquestions should arise with respect tosections 1178(b) and 1178(c).

With respect to preemption of stateprivacy laws under section1178(a)(2)(B), however, we agree thatthe situation may be more difficult toascertain, because the Secretary doesnot determine the preemption status ofa state law under that section, unlike thesituation with respect to section1178(a)(2)(A). We have tried to definethe term ‘‘more stringent’’ to identifyand particularize the factors to beconsidered by courts to those relevant toprivacy interests. The more specific(than the statute) definition of this termat § 160.202 below should provide some

guidance in making the determinationas to which law prevails. Ambiguity inthe state of the law might also be a factorto be taken into account in determiningwhether a penalty should be applied.

Comment: Several commentsrecommended that exceptiondeterminations or advisory opinionsencompass a state act or code in itsentirety (in lieu of a provision-specificevaluation) if it is considered morestringent as a whole than the regulation.It was argued that since the provisionsof a given law are typicallyinterconnected and related, adopting oroverriding them on a provision-by-provision basis would result indistortions and/or unintendedconsequences or loopholes. Forexample, when a state law includesauthorization provisions, some of whichare consistent with the federalrequirements and some which are not,the cleanest approach is to view thestate law as inconsistent with thefederal requirements and thuspreempted in its entirety. Similarly,another comment suggested that stateconfidentiality laws written to addressthe specific needs of individuals servedwithin a discreet system of care beconsidered as a whole in assessingwhether they are as stringent or morestringent than the federal requirements.Another comment requested explicitclarification that state laws with abroader scope than the regulation willbe viewed as more stringent and beallowed to stand.

Response: We have not adopted theapproach suggested by these comments.As discussed above with respect to thedefinition of the term ‘‘more stringent,’’it is our view that the statute precludesthe approach suggested. We also suggestthat this approach ignores the fact thateach separate provision of law usuallyrepresents a nuanced policy choice to,for example, permit this use or prohibitthat disclosure; the aggregated approachproposed would fail to recognize andweigh such policy choices.

Comment: One commentrecommended that the final rule: permitrequests for exception determinationsand advisory opinions as of the date ofpublication of the final rule, require theSecretary to notify the requestor withina specified short period of time of alladditional information needed, andprohibit enforcement action until theSecretary issues a response.

Response: With respect to the firstrecommendation, we clarify thatrequests for exception determinationsmay be made at any time; since theprocess for issuing advisory opinionshas not been adopted, thisrecommendation is moot as it pertains



to advisory opinions. With respect tothe second recommendation, we willundertake to process exception requestsas expeditiously as possible, but, for thereasons discussed below in connectionwith the comments relating to settingdeadlines for those determinations, wecannot commit at this time to a‘‘specified short period of time’’ withinwhich the Secretary may requestadditional information. We see noreason to agree to the thirdrecommendation. Because contrary statelaws for which an exception is availableonly under section 1178(a)(2)(A) will bepreempted by operation of law unlessand until the Secretary acts to grant anexception, there will be an ascertainablecompliance standard for compliancepurposes, and enforcement actionwould be appropriate where suchcompliance did not occur.

Sections 160.203(a) and 160.204(a)—Exception Determinations

Section 160.203(a)—Criteria forException Determinations

Comment: Numerous commentscriticized the proposed criteria for theirsubstance or lack thereof. A number ofcommenters argued that theeffectiveness language that was added tothe third statutory criterion made theexception so massive that it wouldswallow the rule. These commentsgenerally expressed concern that lawsthat were less protective of privacywould be granted exceptions under thislanguage. Other commenters criticizedthe criteria generally as creating a largeloophole that would let state laws thatdo not protect privacy trump the federalprivacy standards.

Response: We agree with thesecomments. The scope of the statutorycriteria is ambiguous, but they could beread so broadly as to largely swallow thefederal protections. We do not think thatthis was Congress’s intent. Accordingly,we have added language to most of thestatutory criteria clarifying their scope.With respect to the criteria at1178(a)(2)(A)(i), this clarifying languagegenerally ties the criteria morespecifically to the concern withprotecting and making more efficientthe health care delivery and paymentsystem that underlies theAdministrative Simplificationprovisions of HIPAA, but, with respectto the catch-all provision at section1178(a)(2)(A)(i)(IV), also requires thatprivacy interests be balanced with suchconcerns, to the extent relevant. Werequire that exceptions for rules toensure appropriate state regulation ofinsurance and health plans be stated ina statute or regulation, so that such

exceptions will be clearly tied tostatements of priorities made bypublicly accountable bodies (e.g.,through the public comment process forregulations, and by elected officialsthrough statutes). With respect to thecriterion at section 1178(a)(2)(A)(ii), wehave further delineated what ‘‘addressescontrolled substances’’ means. Thelanguage provided, which builds onconcepts at 21 U.S.C. 821 and theMedicare regulations at 42 CFR 1001.2,delineates the area within which thegovernment traditionally regulatescontrolled substances, both civilly andcriminally; it is our view that HIPAAwas not intended to displace suchregulation.

Comment: Several commenters urgedthat the request for determination by theSecretary under proposed § 160.204(a)be limited to cases where an exceptionis absolutely necessary, and that inmaking such a determination, theSecretary should be required to make adetermination that the benefits ofgranting an exception outweigh thepotential harm and risk of disclosure inviolation of the regulation.

Response: We have not furtherdefined the statutory term ‘‘necessary’’,as requested. We believe that thedetermination of what is ‘‘necessary’’will be fact-specific and contextdependent, and should not be furthercircumscribed absent such specifics.The state will need to make its case thatthe state law in question is sufficiently‘‘necessary’’ to accomplish theparticular statutory ground forexception that it should trump thecontrary federal standard, requirement,or implementation specification.

Comment: One commenter noted thata state should be required to explainwhether it has taken any action tocorrect any less stringent state law forwhich an exception has been requested.This commenter recommended that asection be added to proposed§ 160.204(a) stating that ‘‘a state mustspecify what, if any, action has beentaken to amend the state law to complywith the federal regulations.’’ Anothercomment, received in the Transactionsrulemaking, took the position thatexception determinations should begranted only if the state standards inquestion exceeded the nationalstandards.

Response: The first and last commentsappear to confuse the ‘‘more stringent’’criterion that applies under section1178(a)(2)(B) of the Act with the criteriathat apply to exceptions under section1178(a)(2)(A). We are also not adoptingthe language suggested by the firstcomment, because we do not agree thatstates should necessarily have to try to

amend their state laws as a preconditionto requesting exceptions under section1178(a)(2)(A). Rather, the questionshould be whether the state has made aconvincing case that the state law inquestion is sufficiently necessary forone of the statutory purposes that itshould trump the contrary federalpolicy.

Comment: One commenter stated thatexceptions for state laws that arecontrary to the federal standards shouldnot be preempted where the state andfederal standards are found to be equal.

Response: This suggestion has notbeen adopted, as it is not consistentwith the statute. With respect to theadministrative simplification standardsin general, it is clear that the intent ofCongress was to preempt contrary statelaws except in the limited areasspecified as exceptions or carve-outs.See, section 1178. This statutoryapproach is consistent with theunderlying goal of simplifying healthcare transactions through the adoptionof uniform national standards. Evenwith respect to state laws relating to theprivacy of medical information, thestatute shields such state laws frompreemption by the federal standardsonly if they are ‘‘more’’ stringent thanthe related federal standard orimplementation specification.

Comment: One commenter noted thatdeterminations would apply only totransactions that are wholly intrastate.Thus, any element of a health caretransaction that would implicate morethan one state’s law wouldautomatically preclude the Secretary’sevaluation as to whether the laws weremore or less stringent than the federalrequirement. Other commentersexpressed confusion about thisproposed requirement, noting thatproviders and plans operate now in amulti-state environment.

Response: We agree with thecommenters and have dropped theproposed requirement. As noted by thecommenters, health care entities nowtypically operate in a multi-stateenvironment, so already make thechoice of law judgements that arenecessary in multi-state transactions. Itis the result of that calculus that willhave to be weighed against the federalstandards, requirements, andimplementation specifications in thepreemption analysis.

Comment: One comment received inthe Transactions rulemaking suggestedthat the Department should allowexceptions to the standard transactionsto accommodate abbreviatedtransactions between state agencies,such as claims between a public healthdepartment and the state Medicaid



agency. Another comment requested anexception for Home and CommunityBased Waiver Services from thetransactions standards.

Response: The concerns raised bythese comments would seem to be moreproperly addressed through the processestablished for maintaining andmodifying the transactions standards. Ifthe concerns underlying thesecomments cannot be addressed in thismanner, however, there is nothing inthe rules below to preclude states fromrequesting exceptions in such cases.They will then have to make the casethat one or more grounds for exceptionapplies.

Section 160.204(a)—Process forException Determinations—Commentsand Responses

Comment: Several comments receivedin the Transactions rulemaking statedthat the process for applying for andgranting exception determinations(referred to as ‘‘waivers’’ by some)needed to be spelled out in the finalrule.

Response: We agree with thesecomments. As noted above, since noprocess was proposed in theTransactions rulemaking, a process formaking exception determinations wasnot adopted in those final rules. SubpartB below adopts a process for makingexception determinations, whichresponds to these comments.

Comment: Comments stated that theexception process would beburdensome, unwieldy, and time-consuming for state agencies as well asthe Department. One comment took theposition that states should not berequired to submit exception requests tothe Department under proposed§ 160.203(a), but could providedocumentation that the state law meetsone of the conditions articulated inproposed § 160.203.

Response: We disagree that theprocess adopted at § 164.204 below willbe burdensome, unwieldy, or time-consuming. The only thing theregulation describes is the showings thata requestor must make as part of itssubmission, and all are relevant to theissue to be determined by the Secretary.How much information is submitted is,generally speaking, in the requestor’scontrol, and the regulation places norestrictions on how the requestorobtains it, whether by acting directly, byworking with providers and/or plans, orby working with others. With respect tothe suggestion that states not berequired to submit exception requests,we disagree that this suggestion is eitherstatutorily authorized or advisable. Weread this comment as implicitly

suggesting that the Secretary mustproactively identify instances of conflictand evaluate them. This suggestion is,thus, at bottom the same as the manysuggestions that we create a database orcompendium of controlling law, and itis rejected for the same reasons.

Comment: Several comments urgedthat all state requests for non-preemption include a process for publicparticipation. These comments believethat members of the public and otherinterested stakeholders should beallowed to submit comments on a state’srequest for exception, and that thesecomments should be reviewed andconsidered by the Secretary indetermining whether the exceptionshould be granted. One commentsuggested that the Secretary at least givenotice to the citizens of the state priorto granting an exception.

Response: The revision to§ 160.204(a), to permit requests forexception determinations by anyperson, responds to these comments.

Comment: Many commenters notedthat the lack of a clear and reasonabletime line for the Secretary to issue anexception determination would notprovide sufficient assurance that thequestions regarding what rules applywill be resolved in a time frame thatwill allow business to be conductedproperly, and argued that this wouldincrease confusion and uncertaintyabout which statutes and regulationsshould be followed. Timeframes of 60 or90 days were suggested. One groupsuggested that, if a state does not receivea response from HHS within 60 days,the waiver should be deemed approved.

Response: The workload prioritizationand management considerationsdiscussed above with respect toadvisory opinions are also relevant hereand make us reluctant to agree to adeadline for making exceptiondeterminations. This is particularly trueat the outset, since we have noexperience with such requests. Wetherefore have no basis for determininghow long processing such requests willtake, how many requests we will needto process, or what resources will beavailable for such processing. We agreethat states and other requesters shouldreceive timely responses and will makeevery effort to make determinations asexpeditiously as possible, but we cannotcommit to firm deadlines in this initialrule. Once we have experience inhandling exception requests, we willconsult with states and others in regardto their experiences and concerns andtheir suggestions for improving theSecretary’s expeditious handling of suchrequests.

We are not accepting the suggestionthat requests for exception be deemedapproved if not acted upon in somedefined time period. Section1178(a)(2)(A) requires a specificdetermination by the Secretary. Thesuggested policy would not beconsistent with this statutoryrequirement. It is also inadvisable froma policy standpoint, in that it wouldtend to maximize exceptions. Thiswould be contrary to the underlyingstatutory policy in favor of uniformfederal standards.

Comment: One commenter tookexception to the requirement for statesto seek a determination from theDepartment that a provision of state lawis necessary to prevent fraud and abuseor to ensure appropriate state regulationof insurance plans, contending that thismandate could interfere with theInsurance Commissioners’ ability to dotheir jobs. Another commentersuggested that the regulationspecifically recognize the broad scope ofstate insurance department activities,such as market conduct examinations,enforcement investigations, andconsumer complaint handling.

Response: The first comment raises anissue that lies outside our legalauthority to address, as section1178(a)(2)(A) clearly mandates that theSecretary make a determination in theseareas. With respect to the secondcomment, to the extent these concernspertain to health plans, we believe thatthe provisions at § 164.512 relating tooversight and disclosures required bylaw should address the concernsunderlying this comment.

Section 160.204(a)(4)—Period ofEffectiveness of ExceptionDeterminations

Comment: Numerous commentersstated that the proposed three yearlimitation on the effectiveness ofexception determinations would posesignificant problems and should belimited to one year, since a one yearlimitation would provide more frequentreview of the necessity for exceptions.The commenters expressed concern thatstate laws which provide less privacyprotection than the federal regulationwould be given exceptions by theSecretary and thus argued that theexceptions should be more limited induration or that the Secretary shouldrequire that each request, regardless ofduration, include a description of thelength of time such an exception wouldbe needed.

One state government commenter,however, argued that the 3 year limitshould be eliminated entirely, on theground that requiring a redetermination



every three years would be burdensomefor the states and be a waste of time andresources for all parties. Othercommenters, including two stateagencies, suggested that the exemptionshould remain effective until either thestate law or the federal regulation ischanged. Another commenter suggestedthat the three year sunset be deleted andthat the final rule provide for automaticreview to determine if changes incircumstance or law would necessitateamendment or deletion of the opinion.Other recommendations includeddeeming the state law as continuing ineffect upon the submission of a stateapplication for an exemption rather thanwaiting for a determination by theSecretary that may not occur for asubstantial period of time.

Response: We are persuaded that theproposed 3 year limit on exceptiondeterminations does not make sensewhere neither law providing the basisfor the exception has changed in theinterim. We also agree that where eitherlaw has changed, a previously grantedexception should not continue. Section160.205(a) below addresses theseconcerns.

Sections 160.203(b) and 160.204(b)—Advisory Opinions

Section 160.203(b)—Effect of AdvisoryOpinions

Comment: Several commentersquestioned whether or not DHHS hasstanding to issue binding advisoryopinions and recommended that theDepartment clarify this issue beforeimplementation of this regulation. Onerespondent suggested that theDepartment clarify in the final rule thelegal issues on which it will opine inadvisory opinion requests, and state thatin responding to requests for advisoryopinions the Department will not opineon the preemptive force of ERISA withrespect to state laws governing theprivacy of individually identifiablehealth information, since interpretationsas to the scope and extent of ERISA’spreemption provisions are outside of theDepartment’s jurisdictional authority.

One commenter asked whether a statecould enforce a state law which theSecretary had indicated through anadvisory opinion is preempted byfederal law. This commenter also askedwhether the state would be subject topenalties if it chose to continue toenforce its own laws.

Response: As discussed above, in partfor reasons raised by these comments,the Department has decided not to havea formal process for issuing advisoryopinions, as proposed.

Several of these concerns, however,raise issues of broader concern that needto be addressed. First, we disagree thatthe Secretary lacks legal authority toopine on whether or not state privacylaws are preempted. The Secretary ischarged by law with determiningcompliance, and where state law andthe federal requirements conflict, adetermination of which law controlswill have to be made in order todetermine whether the federal standard,requirement, or implementationspecification at issue has been violated.Thus, the Secretary cannot carry out herenforcement functions without makingsuch determinations. It is furtherreasonable that, if the Secretary makessuch determinations, she can makethose determinations known, forwhatever persuasive effect they mayhave.

The questions as to whether a statecould enforce, or would be subject topenalties if it chose to continue toenforce, its own laws following a denialby the Secretary of an exception requestunder § 160.203 or a holding by a courtof competent jurisdiction that a stateprivacy law had been preempted by acontrary federal privacy standard raiseseveral issues. First, a state law ispreempted under the Act only to theextent that it applies to covered entities;thus, a state is free to continue toenforce a ‘‘preempted’’ state law againstnon-covered entities to which the statelaw applies. If there is a question ofcoverage, states may wish to establishprocesses to ascertain which entitieswithin their borders are covered entitieswithin the meaning of these rules.Second, with respect to covered entities,if a state were to try to enforce apreempted state law against suchentities, it would presumably be actingwithout legal authority in so doing. Wecannot speak to what remedies might beavailable to covered entities to protectthemselves against such wrongful stateaction, but we assume that coveredentities could seek judicial relief, if allelse failed. With respect to the issue ofimposing penalties on states, we do notsee this as likely. The only situation thatwe can envision in which penaltiesmight be imposed on a state would beif a state agency were itself a coveredentity and followed a preempted statelaw, thereby violating the contraryfederal standard, requirement, orimplementation specification.

Section 160.204(b)—Process forAdvisory Opinions

Comment: Several commenters statedthat it was unclear whether a statewould be required to submit a requestfor an advisory opinion in order for the

law to be considered more stringent andthus not preempted. The Departmentshould clarify whether a state law couldbe non-preempted even without such anadvisory opinion. Another commenterrequested that the final rule explicitlystate that the stricter rule alwaysapplies, whether it be state or federal,and regardless of whether there is anyconflict between state and federal law.

Response: The elimination of theproposed process for advisory opinionsrenders moot the first question. Also,the preceding response clarifies thatwhich law preempts in the privacycontext (assuming that the state law andfederal requirement are ‘‘contrary’’) is amatter of which one is the ‘‘morestringent.’’ This is not a matter whichthe Secretary will ultimately determine;rather, this is a question about whichthe courts will ultimately make the finaldetermination. With respect to thesecond comment, we believe that§ 160.203(b) below responds to thisissue, but we would note that the statutealready provides for this.

Comment: Several commenterssupported the decision to limit theparties who may request advisoryopinions to the state. These commentersdid not believe that insurers should beallowed to request an advisory opinionand open every state law up tochallenge and review.

Several commenters requested thatguidance on advisory opinions beprovided in all circumstances, not onlyat the Secretary’s discretion. It wassuggested that proposed§ 160.204(b)(2)(iv) be revised to read asfollows: ‘‘A state may submit a writtenrequest to the Secretary for an advisoryopinion under this paragraph. Therequest must include the followinginformation: the reasons why the statelaw should or should not be preemptedby the federal standard, requirement, orimplementation specification, includinghow the state law meets the criteria at§ 160.203(b).’’

Response: The decision not to have aformal process for issuing advisoryopinions renders these issues moot.

Sections 160.203(c) and 160.203(d)—Statutory Carve-Outs

Comment: Several commenters askedthat the Department provide morespecific examples itemizing activitiestraditionally regulated by the state thatcould constitute ‘‘carve-out’’ exceptions.These commenters also requested thatthe Department include language in theregulation stating that if a state law fallswithin several different exceptions, thestate chooses which determinationexception shall apply.



Response: We are concerned thatitemizing examples in this way couldleave out important state laws or createinadvertent negative implications thatlaws not listed are not included.However, as explained above, we havedesigned the types of activities that arepermissive disclosures for public healthunder § 164.512(b) below in part tocome within the carve-out effected bysection 1178(b); while the stateregulatory activities covered by section1178(c) will generally come within§ 164.512(d) below. With respect to thecomments asking that a state get to‘‘choose’’ which exception it comesunder, we have in effect provided forthis with respect to exceptions undersection 1178(a)(2)(A), by giving the statethe right to request an exception underthat section. With respect to exceptionsunder section 1178(a)(2)(B), thoseexceptions occur by operation of law,and it is not within the Secretary’spower to ‘‘let’’ the state choose whetheran exception occurs under that section.

Comment: Several commenters tookthe position that the Secretary shouldnot limit the procedural requirements inproposed § 160.204(a) to only thoseapplications under proposed§ 160.203(a). They urged that therequirements of proposed § 160.204(a)should also apply to preemption undersections 1178(a)(2)(B), 1178(b) and1178(c). It was suggested that the rulesshould provide for exceptiondeterminations with respect to thematters covered by these provisions ofthe statute; such additional provisionswould provide clear procedures forstates to follow and ensure that requestsfor exceptions are adequatelydocumented.

A slightly different approach wastaken by several commenters, whorecommended that proposed§ 160.204(b) be amended to clarify thatthe Secretary will also issue advisoryopinions as to whether a state lawconstitutes an exception underproposed §§ 160.203(c) and 160.203(d).This change would, they argued, givestates the same opportunity for guidancethat they have under § 160.203(a) and(b), and as such, avoid costly lawsuitsto preserve state laws.

Response: We are not taking either ofthe recommended courses of action.With respect to the recommendationthat we expand the exceptiondetermination process to encompassexceptions under sections 1178(a)(2)(B),1178(b), and 1178(c), we do not have theauthority to grant exceptions underthese sections. Under section 1178, theSecretary has authority to makeexception determinations only withrespect to the matters covered by section

1178(a)(2)(A); contrary state lawscoming within section 1178(a)(2)(B) arepreempted if not more stringent, whileif a contrary state law comes withinsection 1178(b) or section 1178(c), it isnot preempted. These latter statutoryprovisions operate by their own terms.Thus, it is not within the Secretary’sauthority to establish the determinationprocess which these comments seek.

With respect to the request seekingadvisory opinions in the section 1178(b)and 1178(c) situations, we agree that wehave the authority to issue suchopinions. However, the considerationsdescribed above that have led us not toadopt a formal process for issuingadvisory opinions in the privacy contextapply with equal force and effect here.

Comment: One commenter arguedthat it would be unnecessarilyburdensome for state health dataagencies (whose focus is on the cost ofhealthcare or improving Medicare,Medicaid, or the healthcare system) toobtain a specific determination from theDepartment for an exception underproposed § 160.203(c). States should berequired only to notify the Secretary oftheir own determination that suchcollection is necessary. It was alsoargued that cases where the statutorycarve-outs apply should not require aSecretarial determination.

Response: We clarify that noSecretarial determination is required foractivities that fall into one of thestatutory carve-outs. With respect todata collections for state health dataagencies, we note that provision hasbeen made for many of these activitiesin several provisions of the rules below,such as the provisions relating todisclosures required by law(§ 164.512(a)), disclosures for oversight(§ 164.512(d)), and disclosures forpublic health (§ 164.512(b)). Somedisclosures for Medicare and Medicaidpurposes may also come within thedefinition of health care operations. Afuller discussion of this issue appears inconnection with § 164.512 below.

Constitutional Comments andResponses

Comment: Several commenterssuggested that as a general matter therule is unconstitutional.

Response: We disagree that the rule isunconstitutional. The particulargrounds for this conclusion are set outwith respect to particular constitutionalissues in the responses below. Withrespect to the comments that simplymade this general assertion, the lack ofdetail of the comments makes asubstantive response impossible.

Article II

Comment: One commenter contendedthat the Secretary improperly delegatedauthority to private entities by requiringcovered entities to enter into contractswith, monitor, and take action forviolations of the contract against theirbusiness partners. These commentsassert that the selection of these entitiesto ‘‘enforce’’ the regulations violates theExecutive Powers Clause and theAppointments and Take Care Clauses.

Response: We reject the assertion thatthe business associate provisionsconstitute an improper delegation ofexecutive power to private entities.HIPAA provides HHS with authority toenforce the regulation against coveredentities. The rules below regulate onlythe conduct of the covered entity; to theextent a covered entity chooses toconduct its funding through a businessassociate, those functions are stillfunctions of the covered entity. Thus, noimproper delegation has occurredbecause what is being regulated are theactions of the covered entity, not theactions of the business associate in itsindependent capacity.

We also reject the suggestion that thebusiness associates provisionsconstitute an improper appointment ofcovered entities to enforce theregulation and violate the Take CareClause. Because the Secretary has notdelegated authority to covered entities,the inference that she has appointedcovered entities to exercise suchauthority misses the mark.

Commerce Clause

Comment: A few commenterssuggested that the privacy regulationregulates activities that are not ininterstate commerce and which are,therefore, beyond the powers the U.S.Constitution gives the federalgovernment.

Response: We disagree. Health careproviders, health plans, and health careclearinghouses are engaged in economicand commercial activities, including theexchange of individually identifiablehealth information electronically acrossstate lines. These activities constituteinterstate commerce. Therefore, theycome within the scope of Congress’power to regulate interstate commerce.

Nondelegation Doctrine

Comment: Some commenters objectedto the manner by which Congressprovided the Secretary authority topromulgate this regulation. Thesecomments asserted that Congressviolated the nondelegation doctrine by(1) not providing an ‘‘intelligibleprinciple’’ to guide the agency, (2) not



establishing ‘‘ascertainable standards,’’and (3) improperly permitting theSecretary to make social policydecisions.

Response: We disagree. HIPAA clearlydelineates Congress’ general policy toestablish strict privacy protections forindividually identifiable healthinformation to encourage electronictransactions. Congress also establishedboundaries limiting the Secretary’sauthority. Congress established theselimitations in several ways, includingby calling for privacy standards for‘‘individually identifiable healthinformation’’; specifying that privacystandards must address individuals’rights regarding their individuallyidentifiable health information, theprocedures for exercising those rights,and the particular uses and disclosuresto be authorized or required; restrictingthe direct application of the privacystandards to ‘‘covered entities,’’ whichCongress defined; requiring consultationwith the National Committee on Vitaland Health Statistics and the AttorneyGeneral; specifying the circumstancesunder which the federal requirementswould supersede state laws; andspecifying the civil and criminalpenalties the Secretary could impose forviolations of the regulation. Theselimitations also serve as ‘‘ascertainablestandards’’ upon which reviewingcourts can rely to determine the validityof the exercise of authority.

Although Congress could have chosento impose expressly an exhaustive list ofspecifications that must be met in orderto achieve the protective purposes of theHIPAA, it was entirely permissible forCongress to entrust to the Secretary thetask of providing these specificationsbased on her experience and expertisein dealing with these complex andtechnical matters.

We disagree with the comments thatCongress improperly delegatedCongressional policy choices to her.Congress clearly decided to createfederal standards protecting the privacyof ‘‘individually identifiable healthinformation’’ and not to preempt statelaws that are more stringent. Congressalso determined over whom theSecretary would have authority, thetype of information protected, and theminimum level of regulation.

Separation of PowersComment: Some commenters asserted

that the federal government may notpreempt state laws that are not as strictas the privacy regulation because to doso would violate the separation ofpowers in the U.S. Constitution. Onecomment suggested that the rules raiseda substantial constitutional issue

because, as proposed, they permittedthe Secretary to make determinations onpreemption, which is a role reserved forthe judiciary.

Response: We disagree. We note thatthis comment only pertains todeterminations under section1178(a)(2)(A); as discussed above, therules below provide for no Secretarialdeterminations with respect to stateprivacy laws coming within section1178(a)(2)(B). With respect todeterminations under section1178(a)(2)(A), however, the final rules,like the proposed rules, provide that ata state’s request the Secretary may makecertain determinations regarding thepreemptive effect of the rules on aparticular state law. As usually the casewith any administrative decisions, theseare subject to judicial review pursuantto the Administrative Procedure Act.

First AmendmentComment: Some comments suggested

that the rules violated the FirstAmendment. They asserted that if therule included Christian Sciencepractitioners as covered entities itwould violate the separation of churchand state doctrine.

Response: We disagree. The FirstAmendment does not always prohibitthe federal government from regulatingsecular activities of religiousorganizations. However, we addressconcerns relating to Christian Sciencepractitioners more fully in the responseto comments discussion of thedefinition of ‘‘covered entity’’ in§ 160.103.

Fourth AmendmentComment: Many comments expressed

Fourth Amendment concerns aboutvarious proposed provisions. Thesecomments fall into two categories—general concerns about warrantlesssearches and specific concerns aboutadministrative searches. Severalcomments argued that the proposedregulations permit law enforcement andgovernment officials access to protectedhealth information without firstrequiring a judicial search warrant or anindividual’s consent. These commentsrejected the applicability of any of theexisting exceptions permittingwarrantless searches in this context.Another comment argued that federaland state police should be able to obtainpersonal medical records only with theinformed consent of an individual.Many of these comments also expressedconcern that protected healthinformation could be provided togovernment or private agencies forinclusion in a governmental health datasystem.

Response: We disagree that theprovisions of these rules that permitdisclosures for law enforcementpurposes and governmental health datasystems generally violate the FourthAmendment. The privacy regulationdoes not create new access rights for lawenforcement. Rather, it refrains fromplacing a significant barrier in front ofaccess rights that law enforcementcurrently has under existing legalauthority. While the regulation maypermit a covered entity to makedisclosures in specified instances, itdoes not require the covered entitymake the disclosure. Thus, because weare not modifying existing law regardingdisclosures to law enforcement officials,except to strengthen the requirementsrelated to requests already authorizedunder law, and are not requiring anysuch disclosures, the privacy regulationdoes not infringe upon individual’sFourth Amendment rights. We discussthe rationale underlying the permissibledisclosures to law enforcement officialsmore fully in the preamble discussionrelating to § 164.512(f).

We note that the proposed provisionrelating to disclosures to governmenthealth data systems has been eliminatedin the final rule. However, to the extentthat the comments can be seen as raisingconcern over disclosure of protectedhealth information to governmentagencies for public health, healthoversight, or other purposes permittedby the final rule, the reasoning in theprevious paragraph applies.

Comment: One commenter suggestedthat the rules violate the FourthAmendment by requiring coveredentities to provide access to theSecretary to their books, records,accounts, and facilities to ensurecompliance with these rules. Thecommenter also suggested that therequirement that covered entities enterinto agreements with their businesspartners to make their records availableto the Secretary for inspection as wellalso violates the warrant requirement ofthe Fourth Amendment.

Response: We disagree. Theserequirements are consistent with U.S.Supreme Court cases holding thatwarrantless administrative searches ofcommercial property are not per seviolations of the Fourth Amendment.The provisions requiring that coveredentities provide access to certainmaterial to determine compliance withthe regulation come within the well-settled exception regarding closelyregulated businesses and industries tothe warrant requirement. From state andlocal licensure laws to the federal fraudand abuse statutes and regulations, thehealth care industry is one of the most



tightly regulated businesses in thecountry. Because the industry has suchan extensive history of governmentoversight and involvement, thoseoperating within it have no reasonableexpectation of privacy from thegovernment such that a warrant wouldbe required to determine compliancewith the rules.

In addition, the cases cited by thecommenters concern unannouncedsearches of the premises and facilities ofparticular entities. Because ourenforcement provisions only provide forthe review of books, records, and otherinformation and only during normalbusiness hours with notice, except forexceptional situations, this case lawdoes not apply.

As for business associates, theyvoluntarily enter into their agreementswith covered entities. This agreement,therefore, functions as knowing andvoluntary consents to the search (evenassuming it could be understood to bea search) and obviates the need for awarrant.

Fifth Amendment

Comment: Several comments assertedthat the proposed rules violated theFifth Amendment because in thecommenters’ views they authorized thetaking of privacy property without justcompensation or due process of law.

Response: We disagree. The rules setforth below do not address the issue ofwho owns an individual’s medicalrecord. Instead, they address what usesand disclosures of protected healthinformation may be made by coveredentities with or without a consent orauthorization. As described in responseto a similar comment, medical recordshave been the property of the healthcare provider or medical facility thatcreated them, historically. In somestates, statutes directly provide theseentities with ownership. These laws arelimited by laws that provide patients ortheir representatives with access to therecords or that provide the patient withan ownership interest in the informationwithin the records. As we discuss, thefinal rule is consistent with current statelaw that provides patients access toprotected health information, but notownership of medical records. Statelaws that provide patients with greateraccess would remain in effect.Therefore, because patients do not owntheir records, no taking can occur. Asfor their interest in the information, thefinal rule retains their rights. As forcovered entities, the final rule does nottake away their ownership rights ormake their ownership interest in theprotected health information worthless.

Therefore, no taking has occurred inthese situations either.

Ninth and Tenth AmendmentsComment: Several comments asserted

that the proposed rules violated theNinth and Tenth Amendments. Onecommenter suggested that the NinthAmendment prohibits long andcomplicated regulations. Othercommenters suggested that the proposedrules authorized the compelleddisclosure of individually identifiablehealth information in violation of Stateconstitutional provisions, such as thosein California and Florida. Similarly, acouple of commenters asserted that theprivacy rules violate the TenthAmendment.

Response: We disagree. The Ninthand Tenth Amendments address therights retained by the people andacknowledge that the States or thepeople are reserved the powers notdelegated to the federal government andnot otherwise prohibited by theConstitution. Because HHS is regulatingunder a delegation of authority fromCongress in an area that affectsinterstate commerce, we are within thepowers provided to Congress in theConstitution. Nothing in the NinthAmendment, or any other provision ofthe Constitution, restricts the length orcomplexity of any law. Additionally, wedo not believe the rules belowimpermissibly authorize behavior thatviolates State constitutions. This rulerequires disclosure only to theindividual or to the Secretary to enforcethis rule. As noted in the preamblediscussion of ‘‘Preemption,’’ these rulesdo not preempt State laws, includingconstitutional provisions, that arecontrary to and more stringent, asdefined at § 160.502, than these rules.See the discussion of ‘‘Preemption’’ forfurther clarification. Therefore, if theseState constitutions are contrary to therule below and provide greaterprotection, they remain in full force; ifthey do not, they are preempted, inaccordance with the Supremacy Clauseof the Constitution.

Right to PrivacyComment: Several comments

suggested that the proposed regulationwould violate the right to privacyguaranteed by the First, Fourth, Fifth,and Ninth Amendments because itwould permit covered entities todisclose protected health informationwithout the consent of the individual.

Response: These comments did notprovide specific facts or legal basis forthe claims. We are, thus, unable toprovide a substantive response to theseparticular comments. However, we note

that the rule requires disclosures only tothe individual or to the Secretary todetermine compliance with this rule.Other uses or disclosures under this ruleare permissive, not required. Therefore,if a particular use or disclosure underthis rule is viewed as interfering with aright that prohibited the use ordisclosure, the rule itself is not whatrequires the use or disclosure.

Void for VaguenessComment: One comment suggested

that the Secretary’s use of a‘‘reasonableness’’ standard isunconstitutionally vague. Specifically,this comment objected to therequirement that covered entities use‘‘reasonable’’ efforts to use or disclosethe minimum amount of protectedhealth information, to ensure thatbusiness partners comply with theprivacy provisions of their contracts, tonotify business partners of anyamendments or corrections to protectedhealth information, and to verify theidentity of individuals requestinginformation, as well as charge only a‘‘reasonable’’ fee for inspecting andcopying health information. Thiscomment asserted that the Secretaryprovided ‘‘inadequate guidance’’ as towhat qualifies as ‘‘reasonable.’’

Response: We disagree with thecomment’s suggestion that by applyinga ‘‘reasonableness’’ standard, theregulation has failed to provide for ‘‘fairwarning’’ or ‘‘fair enforcement.’’ The‘‘reasonableness’’ standard is well-established in law; for example, it is thefoundation of the common law of torts.Courts also have consistently held asconstitutional statutes that rely upon a‘‘reasonableness’’ standard. Our relianceupon a ‘‘reasonableness’’ standard, thus,provides covered entities withconstitutionally sufficient guidance.

Criminal IntentComment: One comment argued that

the regulation’s reliance upon a‘‘reasonableness’’ standard criminalizes‘‘unreasonable efforts’’ withoutrequiring criminal intent or mens rea.

Response: We reject this suggestionbecause HIPAA clearly provides thecriminal intent requirement.Specifically, HIPPA provides that a‘‘person who knowingly and inviolation of this part—(1) uses or causesto be used a unique health identifier; (2)obtains individually identifiable healthinformation relating to an individual; or(3) discloses individually identifiablehealth information to another person,shall be punished as provided insubsection (b).’’ HIPAA section 1177(emphasis added). Subsection (b) alsorelies on a knowledge standard in



outlining the three levels of criminalsanctions. Thus, Congress, not theSecretary, established the mens rea byincluding the term ‘‘knowingly’’ in thecriminal penalty provisions of HIPAA.

Data CollectionComment: One commenter suggested

that the U.S. Constitution authorized thecollection of data on individuals onlyfor the purpose of the census.

Response: While it might be true thatthe U.S. Constitution expresslydiscusses the national census, it doesnot forbid federal agencies fromcollecting data for other purposes. Theability of agencies to collect non-censusdata has been upheld by the courts.

Relationship to Other Federal LawsComment: We received several

comments that sought clarification ofthe interaction of various federal lawsand the privacy regulation. Many ofthese comments simply listed federallaws and regulations with which thecommenter currently must comply. Forexample, commenters noted that theymust comply with regulations relatingto safety, public health, and civil rights,including Medicare and Medicaid, theAmericans with Disabilities Act, theFamily and Medical Leave Act, theFederal Aviation Administrationregulations, the Department ofTransportation regulations, the FederalHighway Administration regulations,the Occupational Safety and HealthAdministration regulations, and theEnvironmental Protection Agencyregulations, and alcohol and drug freeworkplace rules. These commenterssuggested that the regulation stateclearly and unequivocally that uses ordisclosures of protected healthinformation for these purposes werepermissible. Some suggested modifyingthe definition of health care operationsto include these uses specifically.Another suggestion was to add a sectionthat permitted the transmission ofprotected health information toemployers when reasonably necessaryto comply with federal, state, ormunicipal laws and regulations, orwhen necessary for public or employeesafety and health.

Response: Although we sympathizewith entities’ needs to evaluate theexisting laws with which they mustcomply in light of the requirements ofthe final regulation, we are unable torespond substantially to comments thatdo not pose specific questions. We offer,however, the following guidance: if ancovered entity is required to discloseprotected health information pursuantto a specific statutory or regulatoryscheme, the covered entity generally

will be permitted under § 164.512(a) tomake these disclosures without aconsent or authorization; if, however, astatute or regulation merely suggests adisclosure, the covered entity will needto determine if the disclosure comeswithin another category of permissibledisclosure under §§ 164.510 or 164.512or, alternatively, if the disclosure wouldotherwise come within § 164.502. If not,the entity will need to obtain a consentor authorization for the disclosure.

Comment: One commenter soughtclarification as to when a disclosure isconsidered to be ‘‘required’’ by anotherlaw versus ‘‘permitted’’ by that law.

Responses: We use these termsaccording to their common usage. By‘‘required by law,’’ we mean that acovered entity has a legal obligation todisclose the information. For example, ifa statute states that a covered entitymust report the names of all individualspresenting with gun shot wounds to theemergency room or else be fined $500for each violation, a covered entitywould be required by law to disclose theprotected health information necessaryto comply with this mandate. Theprivacy regulation permits this type ofdisclosure, but does not require it.Therefore, if a covered entity chose notto comply with the reporting statute itwould violate only the reporting statuteand not the privacy regulation.

On the other hand, if a statute statedthat a covered entity may or is permittedto report the names of all individualspresenting with gun shot wounds to theemergency room and, in turn, wouldreceive $500 for each month it madethese reports, a covered entity wouldnot be permitted by § 164.512(a) todisclose the protected healthinformation. Of course, if anotherpermissible provision applied to thesefacts, the covered entity could make thedisclosure under that provision, but itwould not be considered to be adisclosure. See discussion under§ 164.512(a) below.

Comment: Several commenterssuggested that the proposed rule wasunnecessarily duplicative of existingregulations for federal programs, such asMedicare, Medicaid, and the FederalEmployee Health Benefit Program.

Response: Congress specificallysubjected certain federal programs,including Medicare, Medicaid, and theFederal Employee Health BenefitProgram to the privacy regulation byincluding them within the definition of‘‘health plan.’’ Therefore, coveredentities subject to requirements ofexisting federal programs will also haveto comply with the privacy regulation.

Comment: One comment asserts thatthe regulation would not affect current

federal requirements if the currentrequirements are weaker than therequirements of the privacy regulation.This same commenter suggested thatcurrent federal requirements will trumpboth state law and the proposedregulation, even if Medicaidtransactions remain wholly intrastate.

Response: We disagree. As noted inour discussion of ‘‘Relationship to OtherFederal Laws,’’ each law or regulationwill need to be evaluated individually.We similarly disagree with the secondassertion made by the commenter. Thefinal rule will preempt state laws onlyin specific instances. For a moredetailed analysis, see the preamblediscussion of ‘‘Preemption.’’

Administrative SubpoenasComment: One comment stated that

the final rule should not impose newstandards on administrative subpoenasthat would conflict with existing laws oradministrative or judicial rules thatestablish standards for issuingsubpoenas. Nor should the final ruleconflict with established standards forthe conduct of administrative, civil, orcriminal proceedings, including therules regarding the discovery ofevidence. Other comments soughtfurther restrictions on access toprotected health information in thiscontext.

Response: Section 164.512(e) belowaddresses disclosures for judicial andadministrative proceedings. The finalrules generally do not interfere withthese existing processes to the extent anindividual served with a subpoena,court order, or other similar process isable to raise objections alreadyavailable. See the discussion belowunder § 164.512(e) for a fuller response.

Americans with Disabilities ActComment: Several comments

discussed the intersection between theproposed Privacy Rule and theAmericans with Disabilities Act(‘‘ADA’’) and sections 503 and 504 ofthe Rehabilitation Act of 1973. Onecomment suggested that the final ruleexplicitly allows disclosures authorizedby the Americans with Disabilities Actwithout an individual’s authorization,because this law, in the commenter’sview, provides more than adequateprotection for the confidentiality ofmedical records in the employmentcontext. The comment noted that underthese laws employers may receiveinformation related to fitness for duty,pre-employment physicals, routineexaminations, return to workexaminations, examinations followingother types of absences, examinationstriggered by specific events, changes in



circumstances, requests for reasonableaccommodations, leave requests,employee wellness programs, andmedical monitoring.

Other commenters suggested that theADA requires the disclosure ofprotected health information toemployers so that the employee maytake advantage of the protections ofthese laws. They suggested that the finalrules clarify that employment may beconditioned on obtaining anauthorization for disclosure of protectedhealth information for lawful purposesand provide guidance concerning theinteraction of the ADA with the finalregulation’s requirements. Severalcommenters wanted clarification thatthe privacy regulation would not permitemployers to request or use protectedhealth information in violation of theADA.

Response: We disagree with thecomment that the final rule shouldallow disclosures of protected healthinformation authorized by the ADAwithout the individual’s authorization.We learned from the comments thataccess to and use of protected healthinformation by employers is ofparticular concern to many people. Withregard to employers, we do not havestatutory authority to regulate them.Therefore, it is beyond the scope of thisregulation to prohibit employers fromrequesting or obtaining protected healthinformation. Covered entities maydisclose protected health informationabout individuals who are members ofan employer’s workforce with anauthorization. Nothing in the privacyregulation prohibits employers fromobtaining that authorization as acondition of employment. We note,however, that employers must complywith other laws that govern them, suchas nondiscrimination laws. Forexample, if an employer receives arequest for a reasonableaccommodation, the employer mayrequire reasonable documentation aboutthe employee’s disability and thefunctional limitations that require thereasonable accommodation, if thedisability and the limitations are notobvious. If the individual providesinsufficient documentation and does notprovide the missing information in atimely manner after the employer’ssubsequent request, the employer mayrequire the individual to go to anappropriate health professional of theemployer’s choice. In this situation, theemployee does not authorize thedisclosure of information to substantiatethe disability and the need forreasonable accommodation, theemployer need not provide theaccommodation.

We agree that this rule does notpermit employers to request or useprotected health information inviolation of the ADA or otherantidiscrimination laws.

Appropriations LawsComment: One comment suggested

that the penalty provisions of HIPAA, ifextended to the privacy regulation,would require the Secretary to violate‘‘Appropriations Laws’’ because theSecretary could be in the position ofassessing penalties against her own andother federal agencies in their roles ascovered entities. Enforcing penalties onthese entities would require the transferof agency funds to the General Fund.

Response: We disagree. Although weanticipate achieving voluntarycompliance and resolving any disputesprior to the actual assessment ofpenalties, the Department of Justice’sOffice of Legal Counsel has determinedin similar situations that federalagencies have authority to assesspenalties against other federal agenciesand that doing so is not in violation ofthe Anti-Deficiency Act, 31 U.S.C. 1341.

Balanced Budget Act of 1997Comment: One comment expressed

concern that the regulation would placetremendous burdens on providersalready struggling with the effects of theBalanced Budget Act of 1997.

Response: We appreciate the costscovered entities face when complyingwith other statutory and regulatoryrequirements, such as the BalancedBudget Act of 1997. However, HHScannot address the impact of theBalanced Budget Act or other statutes inthe context of this regulation.

Comment: Another comment statedthat the regulation is in direct conflictwith the Balanced Budget Act of 1997(‘‘BBA’’). The comment asserts that theregulation’s compliance date conflictswith the BBA, as well as GenerallyAcceptable Accounting Principles.According to the comment, coveredentities that made capital acquisitions toensure compliance with the year 2000(‘‘Y2K’’) problem would not be able toaccount for the full depreciation of thesesystems until 2005. Because HIPAArequires compliance before that time,the regulation would force prematureobsolescence of this equipment becausewhile it is Y2K compliant, it may beHIPAA non-compliant.

Response: This comment raises twodistinct issues—(1) the investment innew equipment and (2) the compliancedate. With regard to the first issue, wereject the comment’s assertion that theregulation requires covered entities topurchase new information systems or

information technology equipment, butrealize that some covered entities mayneed to update their equipment. Wehave tried to minimize the costs, whileresponding appropriately to Congress’mandate for privacy rules. We havedealt with the cost issues in detail in the‘‘Regulatory Impact Analysis’’ section ofthis Preamble. With regard to the secondissue, Congress, not the Secretary,established the compliance data atsection 1175(b) of the Act.

Civil Rights of Institutionalized PersonsAct

Comment: A few comments expressedconcern that the privacy regulationwould inadvertently hinder theDepartment of Justice Civil RightsDivisions’ investigations under the CivilRights of Institutionalized Persons Act(‘‘CRIPA’’). These comments suggestedclearly including civil rightsenforcement activities as health careoversight.

Response: We agree with thiscomment. We do not intend for theprivacy rules to hinder CRIPAinvestigations. Thus, the final ruleincludes agencies that are authorized bylaw to ‘‘enforce civil rights laws forwhich health information is relevant’’ inthe definition of ‘‘health oversightagency’’ at § 164.501. Covered entitiesare permitted to disclose protectedhealth information to health oversightagencies under § 164.512(d) without anauthorization. Therefore, we do notbelieve the final rule should hinder theDepartment of Justice’s ability toconduct investigations pursuant to itsauthority in CRIPA.

Clinical Laboratory ImprovementAmendments

Comment: One comment expressedconcern that the proposed definition ofhealth care operations did not includeactivities related to the quality controlclinical studies performed bylaboratories to demonstrate the qualityof patient test results. Because theClinical Laboratory ImprovementAmendments of 1988 (‘‘CLIA’’) requiresthese studies that the comment assertedrequire the use of protected healthinformation, the comment suggestedincluding this specific activity in thedefinition of ‘‘health care operations.’’

Response: We do not intend for theprivacy regulation to impede the abilityof laboratories to comply with therequirements of CLIA. Quality controlactivities come within the definition of‘‘health care operations’’ in § 164.501because they come within the meaningof the term ‘‘quality assuranceactivities.’’ To the extent they would notcome within health care operations, but



are required by CLIA, the privacyregulation permits clinical laboratoriesthat are regulated by CLIA to complywith mandatory uses and disclosures ofprotected health information pursuantto § 164.512(a).

Comment: One comment stated thatthe proposed regulation’s right of accessfor inspection and copying provisionswere contrary to CLIA in that CLIApermits laboratories to disclose lab testresults only to ‘‘authorized persons.’’This comment suggested that the finalrule include language adopting thisrestriction to ensure that patients notobtain laboratory test results before theappropriate health care provider hasreviewed and explained those results tothe patients.

A similar comment stated that thelack of preemption of state laws couldcreate problems for clinical laboratoriesunder CLIA. Specifically, this commentnoted that CLIA permits clinicallaboratories to perform tests only uponthe written or electronic request of, andto provide the results to, an ‘‘authorizedperson.’’ State laws define who is an‘‘authorized person.’’ The commentexpressed concern as to whether theregulation would preempt state lawsthat only permit physicians to receivetest results.

Response: We agree that CLIAcontrols in these cases. Therefore, wehave amended the right of access,§ 164.524(a), so that a covered entitythat is subject to CLIA does not have toprovide access to the individual to theextent such access would be prohibitedby law. Because of this change, webelieve the preemption concern is moot.

Controlled Substance ActComment: One comment expressed

concern that the privacy regulation asproposed would restrict the DrugEnforcement Agency’s (‘‘the DEA’’)enforcement of the ControlledSubstances Act (‘‘CSA’’). The commentsuggested including enforcementactivities in the definition of ‘‘healthoversight agency.’’

Response: In our view, the privacyregulation should not impede the DEA’sability to enforce the CSA. First, to theextent the CSA requires disclosures tothe DEA, these disclosures would bepermissible under § 164.512(a). Second,some of the DEA’s CSA activities comewithin the exception for healthoversight agencies which permitsdisclosures to health oversight agenciesfor:

Activities authorized by law, includingaudits; civil, administrative, or criminalinvestigations; inspections * * * civil,administrative, or criminal proceedings oractions; and other activity necessary for

appropriate oversight of the health caresystem.

Therefore, to the extent the DEA isenforcing the CSA, disclosures to it inits capacity as a health oversight agencyare permissible under § 164.512(d).Alternatively, CSA required disclosuresto the DEA for law enforcementpurposes are permitted under§ 164.512(f). When acting as a lawenforcement agency under the CSA, theDEA may obtain the informationpursuant to § 164.512(f). Thus, we donot agree that the privacy regulationwill impede the DEA’s enforcement ofthe CSA. See the preamble discussion of§ 164.512 for further explanation.

Comment: One commenter suggestedclarifying the provisions allowingdisclosures that are ‘‘required by law’’ toensure that the mandatory reportingrequirements the CSA imposes oncovered entities, including makingavailable reports, inventories, andrecords of transactions, are notpreempted by the regulation.

Response: We agree that the privacyregulation does not alter coveredentities’ obligations under the CSA.Because the CSA requires coveredentities manufacturing, distributing,and/or dispensing controlled substancesto maintain and provide to the DEAspecific records and reports, the privacyregulation permits these disclosuresunder § 164.512(a). In addition, whenthe DEA seeks documents to determinean entity’s compliance with the CSA,such disclosures are permitted under§ 164.512(d).

Comment: The same commenterexpressed concern that the proposedprivacy regulation inappropriatelylimits voluntary reporting and wouldprevent or deter employees of coveredentities from providing the DEA withinformation about violations of the CSA.

Response: We agree with the generalconcerns expressed in this comment.We do not believe the privacy rules willlimit voluntary reporting of violations ofthe CSA. The CSA requires certainentities to maintain several types ofrecords that may include protectedhealth information. Although reportsthat included protected healthinformation may be restricted underthese rules, reporting the fact that anentity is not maintaining proper reportsis not. If it were necessary to obtainprotected health information during theinvestigatory stages following such avoluntary report, the DEA would be ableto obtain the information in other ways,such as by following the administrativeprocedures outlined in § 164.512(e).

We also agree that employees ofcovered entities who report violations of

the CSA should not be subjected toretaliation by their employers. Under§ 164.502(j), we specifically state that acovered entity is not considered to haveviolated the regulation if a workforcemember or business associate in goodfaith reports violations of laws orprofessional standards by coveredentities to appropriate authorities. Seediscussion of § 164.502(j) below.

Department of TransportationComment: Several commenters stated

that the Secretary should recognize inthe preamble that it is permissible foremployers to condition employment onan individual’s delivering a consent tocertain medical tests and/orexaminations, such as drug-freeworkplace programs and Department ofTransportation (‘‘DOT’’)-requiredphysical examinations. These commentsalso suggested that employers should beable to receive certain information, suchas pass/fail test and examination results,fitness-to-work assessments, and otherlegally required or permissible physicalassessments without obtaining anauthorization. To achieve this goal,these comments suggested defining‘‘health information’’ to excludeinformation such as information abouthow much weight a specific employeecan lift.

Response: We reject the suggestion todefine ‘‘health information,’’ whichCongress defined in HIPAA, so that itexcludes individually identifiablehealth information that may be relevantto employers for these types ofexaminations and programs. We do notregulate employers. Nothing in the rulesprohibit employers from conditioningemployment on an individual signingthe appropriate consent orauthorization. By the same token,however, the rules below do not relieveemployers from their obligations underthe ADA and other laws that restrict thedisclosure of individually identifiablehealth information.

Comment: One commenter assertedthat the proposed regulation conflictswith the DOT guidelines regardingpositive alcohol and drug tests thatrequire the employer be notified inwriting of the results. This documentcontains protected health information.In addition, the treatment center recordsmust be provided to the SubstanceAbuse Professional (‘‘SAP’’) and theemployer must receive a report fromSAP with random drug testingrecommendations.

Response: It is our understanding thatDOT requires drug testing of allapplicants for employment in safety-sensitive positions or individuals beingtransferred to such positions.



Employers, pursuant to DOTregulations, may condition anemployee’s employment or positionupon first obtaining an authorization forthe disclosure of results of these tests tothe employer. Therefore, we do notbelieve the final rules conflict with theDOT requirements, which do notprohibit obtaining authorizations beforesuch information is disclosed toemployers.

Developmental Disabilities Act

Comment: One commenter urged HHSto ensure that the regulation would notimpede access to individuallyidentifiable health information toentities that are part of the Protectionand Advocacy System to investigateabuse and neglect as authorized by theDevelopmental Disabilities Bill of RightsAct.

Response: The DevelopmentalDisabilities Assistance and Bill of RightsAct of 2000 (‘‘DD Act’’) mandatesspecific disclosures of individuallyidentifiable health information toProtection and Advocacy systemsdesignated by the chief elected officialof the states and Territories. Therefore,covered entities may make thesedisclosures under § 164.512(a) withoutfirst obtaining an individual’sauthorization, except in thosecircumstances in which the DD Actrequires the individual’s authorization.Therefore, the rules below will notimpede the functioning of the existingProtection and Advocacy System.

Employee Retirement Income SecurityAct of 1974

Comment: Several commentersobjected to the fact that the NPRM didnot clarify the scope of preemption ofstate laws under the EmployeeRetirement Income Security Act of 1974(ERISA). These commenters assertedthat the final rule must state that ERISApreempts all state laws (including thoserelating to the privacy of individuallyidentifiable health information) so thatmultistate employers could continue toadminister their group health plansusing a single set of rules. In contrast,other commenters criticized theDepartment for its analysis of thecurrent principles governing ERISApreemption of state law, pointing outthat the Department has no authority tointerpret ERISA.

Response: This Department has noauthority to issue regulations underERISA as requested by some of thesecommenters, so the rule below does notcontain the statement requested. See thediscussion of this point under‘‘Preemption’’ above.

Comment: One commenter requestedthat the final rule clarify that section264(c)(2) of HIPAA does not save statelaws that would otherwise bepreempted by the Federal EmployeesHealth Benefits Program. Thecommenter noted that in the NPRM thisstatement was made with respect toMedicare and ERISA, but not the lawgoverning the FEHBP.

Response: We agree with thiscomment. The preemption analysis setout above with respect to ERISA appliesequally to the Federal Employees HealthBenefit Program.

Comment: One commenter noted thatthe final rule should clarify theinterplay between state law, thepreemption standards in Subtitle A ofTitle I of HIPAA (Health Care Access,Portability and Renewability), and thepreemption standards in the privacyrequirements in Subtitle F of Title II ofHIPAA (Administrative Simplification).

Response: The NPRM described onlythe preemption standards that applywith respect to the statutory provisionsof HIPAA that were implemented by theproposed rule. We agree that thepreemption standards in Subtitle A ofTitle I of HIPAA are different. Congressexpressly provided that the preemptionprovisions of Title I apply only to Part7, which addresses portability, access,and renewability requirements forGroup Health Plans. To the extent statelaws contain provisions regardingportability, access, or renewability, aswell as privacy requirements, a coveredentity will need to evaluate the privacyprovisions under the Title II preemptionprovisions, as explained in thepreemption provisions of the rules, andthe other provisions under the Title Ipreemption requirements.

European Union Privacy Directive andU.S. Safe Harbors

Comment: Several comments statedthat the privacy regulation should beconsistent with the European Union’sDirective on Data Protection. Otherssought guidance as to how to complywith both the E.U. Directive on DataProtection and the U.S. Safe HarborPrivacy Principles.

Response: We appreciate the need forcovered entities obtaining personal datafrom the European Union to understandhow the privacy regulation intersectswith the Data Protection Directive. Wehave provided guidance as to thisinteraction in the ‘‘Other Federal Laws’’provisions of the preamble.

Comment: A few comments expressedconcern that the proposed definition of‘‘individual’’ excluded foreign militaryand diplomatic personnel and theirdependents, as well as overseas foreign

national beneficiaries. They noted thatthe distinctions are based on nationalityand are inconsistent with the stance ofthe E.U. Directive on Data Protectionand the Department of Commerce’sassurances to the EuropeanCommission.

Response: We agree with the generalprinciple that privacy protectionsshould protect every person, regardlessof nationality. As noted in thediscussion of the definition of‘‘individual,’’ the final regulation’sdefinition does not exclude foreignmilitary and diplomatic personnel, theirdependents, or overseas foreign nationalbeneficiaries from the definition ofindividual. As described in thediscussion of § 164.512 below, the finalrule applies to foreign diplomaticpersonnel and their dependents like allother individuals. Foreign militarypersonnel receive the same treatmentunder the final rule as U.S. militarypersonnel do, as discussed with regardto § 164.512 below. Overseas foreignnational beneficiaries to the extent theyreceive care for the Department ofDefense or a source acting on behalf ofthe Department of Defense remaingenerally excluded from the final rulesprotections. For a more detailedexplanation, see § 164.500.

Fair Credit Reporting ActComment: A few commenters

requested that we exclude informationmaintained, used, or disclosed pursuantto the Fair Credit Reporting Act(‘‘FCRA’’) from the requirements of theprivacy regulation. These commentersnoted that the protection in the privacyregulation duplicate those in the FCRA.

Response: Although we realize thatsome overlap between FCRA and theprivacy rules may exist, we have chosennot to remove information that maycome within the purview of FCRA fromthe scope of our rules because FCRA’sfocus is not the same as ourCongressional mandate to protectindividually identifiable healthinformation.

To the extent a covered entity seeksto engage in collection activities or otherpayment-related activities, it may do sopursuant to the requirements of this rulerelated to payment. See discussion of§§ 164.501 and 164.502 below.

We understand that some coveredentities may be part of, or containcomponents that are, entities whichmeet the definition of ‘‘consumerreporting agencies.’’ As such, theseentities are subject to the FCRA. Asdescribed in the preamble to § 164.504,covered entities must designate whatparts of their organizations will betreated as covered entities for the



purpose of these privacy rules. Thecovered entity component will need tocomply with these rules, while thecomponents that are consumer reportingagencies will need to comply withFCRA.

Comment: One comment suggestedthat the privacy regulation wouldconflict with the FCRA if theregulation’s requirement applied toinformation disclosed to consumerreporting agencies.

Response: To the extent a coveredentity is required to disclose protectedhealth information to a consumerreporting agency, it may do so under§ 164.512(a). See also discussion underthe definition of ‘‘payment’’ below.

Fair Debt Collection and Practices ActComment: Several comments

expressed concern that health plans andhealth care providers be able tocontinue using debt collectors incompliance with the Fair DebtCollections Practices Act and relatedlaws.

Response: In our view, health plansand health care providers will be able tocontinue using debt collectors. Usingthe services of a debt collector to obtainpayment for the provision of health carecomes within the definition of‘‘payment’’ and is permitted under theregulation. Thus, so long as the use ofdebt collectors is consistent with theregulatory requirements (such as,providers obtain the proper consents,the disclosure is of the minimumamount of information necessary tocollect the debt, the provider or healthplan enter into a business associateagreement with the debt collector, etc.),relying upon debt collectors to obtainreimbursement for the provision ofhealth care would not be prohibited bythe regulation.

Family Medical Leave ActComment: One comment suggested

that the proposed regulation adverselyaffects the ability of an employer todetermine an employee’s entitlement toleave under the Family Medical LeaveAct (‘‘FMLA’’) by affecting theemployer’s right to receive medicalcertification of the need for leave,additional certifications, and fitness forduty certification at the end of the leave.The commenter sought clarification asto whether a provider could discloseinformation to an employer without firstobtaining an individual’s consent orauthorization. Another commentersuggested that the final rule explicitlyexclude from the rule disclosuresauthorized by the FMLA, because, in thecommenter’s view, it provides morethan adequate protection for the

confidentiality of medical records in theemployment context.

Response: We disagree that the FMLAprovides adequate privacy protectionsfor individually identifiable healthinformation. As we understand theFMLA, the need for employers to obtainprotected health information under thestatute is analogous to the employer’sneed for protected health informationunder the ADA. In both situations,employers may need protected healthinformation to fulfill their obligationsunder these statutes, but neither statuterequires covered entities to provide theinformation directly to the employer.Thus, covered entities in thesecircumstances will need an individual’sauthorizations before the disclosure ismade to the employer.

Federal Common LawComment: One commenter did not

want the privacy rules to interfere withthe federal common law governingcollective bargaining agreementspermitting employers to insist on thecooperation of employees with medicalfitness evaluations.

Response: We do not seek to interferewith legal medical fitness evaluations.These rules require a covered entity tohave an individual’s authorizationbefore the information resulting fromsuch evaluations is disclosed to theemployer unless another provision ofthe rule applies. We do not prohibitemployers from conditioningemployment, accommodations, or otherbenefits, when legally permitted to doso, upon the individual/employeeproviding an authorization that wouldpermit the disclosure of protectedhealth information to employers bycovered entities. See § 164.508(b)(4)below.

Federal Educational Rights and PrivacyAct

Comment: A few commenterssupported the exclusion of ‘‘educationrecords’’ from the definition of‘‘protected health information.’’However, one commenter requested that‘‘treatment records’’ of students who are18 years or older attending post-secondary education institutions beexcluded from the definition of‘‘protected health information’’ as wellto avoid confusion.

Response: We agree with thesecommenters. See ‘‘Relationship to OtherFederal Laws’’ for a description of ourexclusion of FERPA ‘‘educationrecords’’ and records defined at 20U.S.C. 1232g(a)(4)(B)(iv), commonlyreferred to as ‘‘treatment records,’’ fromthe definition of ‘‘protected healthinformation.’’

Comment: One comment suggestedthat the regulation should not apply toany health information that is part of an‘‘education record’’ in any educationalagency or institution, regardless of itsFERPA status.

Response: We disagree. As noted inour discussion of ‘‘Relationship of OtherFederal Laws,’’ we exclude educationrecords from the definition of protectedhealth information because Congressexpressly provided privacy protectionsfor these records and explained howthese records should be treated inFERPA.

Comment: One commenter suggestedeliminating the preamble language thatdescribes school nurses and on-siteclinics as acting as providers andsubject to the privacy regulation, notingthat this language is confusing andinconsistent with the statementsprovided in the preamble explicitlystating that HIPAA does not preemptFERPA.

Response: We agree that this languagemay have been confusing. We haveprovided a clearer expression of whenschools may be required to comply withthe privacy regulation in the‘‘Relationship to Other Federal Laws’’section of the preamble.

Comment: One commenter suggestedadding a discussion of FERPA to the‘‘Relationship to Other Federal Laws’’section of the preamble.

Response: We agree and have addedFERPA to the list of federal lawsdiscussed in ‘‘Relationship to OtherFederal Laws’’ section of the preamble.

Comment: One commenter stated thatschool clinics should not have tocomply with the ‘‘ancillary’’administrative requirements, such asdesignating a privacy official,maintaining documentation of theirpolicies and procedures, and providingthe Secretary of HHS with access.

Response: We disagree. Because wehave excluded education records andrecords described at 20 U.S.C.1232g(a)(4)(B)(iv) held by educationalagencies and institutions subject toFERPA from the definition of protectedhealth information, only non-FERPAschools would be subject to theadministrative requirements. Most ofthese school clinics will also not becovered entities because they are notengaged in HIPAA transactions andthese administrative requirements willnot apply to them. However, to theextent a school clinic is within thedefinition of a health care provider, asCongress defined the term, and theschool clinic is engaged in HIPAAtransactions, it will be a covered entityand must comply with the rules below.



Comment: Several commentersexpressed concern that the privacyregulation would eliminate the parents’ability to have access to information intheir children’s school health records.Because the proposed regulationsuggests that school-based clinics keephealth records separate from othereducational files, these commentsargued that the regulation is contrary tothe spirit of FERPA, which providesparents with access rights to theirchildren’s educational files.

Response: As noted in the‘‘Relationship to Other Federal Laws’’provision of the preamble, to the extentinformation in school-based clinics isnot protected health informationbecause it is an education record, theFERPA access requirements apply andthis regulation does not. For more detailregarding the rule’s application tounemancipated minors, see thepreamble discussion about ‘‘PersonalRepresentatives.’’

Federal Employees Compensation Act

Comment: One comment noted thatthe Federal Employees CompensationAct (‘‘FECA’’) requires claimants to signa release form when they file a claim.This commenter suggested that theprivacy regulation should not placeadditional restrictions on this type ofrelease form.

Response: We agree. In the final rule,we have added a new provision,§ 164.512(l), that permits coveredentities to make disclosures authorizedunder workers’ compensation andsimilar laws. This provision wouldpermit covered entities to makedisclosures authorized under FECA andnot require a different release form.

Federal Employees Health BenefitsProgram

Comment: A few comments expressedconcern about the preemption effect onFEHBP and wanted clarification that theprivacy regulation does not alter theexisting preemptive scope of theprogram.

Response: We do not intend to affectthe preemptive scope of the FEHBP. TheFederal Employee Health Benefit Act of1998 preempts any state law that‘‘relates to’’ health insurance or plans. 5U.S.C. 8902(m). The final rule does notattempt to alter the preemptive scopeCongress has provided to the FEHBP.

Comment: One comment suggestedthat in the context of FEHBP HHSshould place the enforcementresponsibilities of the privacy regulationwith Office of Personnel Management,as the agency responsible foradministering the program.

Response: We disagree. Congressplaced enforcement with the Secretary.See section 1176 of the Act.

Federal Rules of Civil ProcedureComment: A few comments suggested

revising proposed § 164.510(d) so that itis consistent with the existing discoveryprocedure under the Federal Rules ofCivil Procedure or local rules.

Response: We disagree that the rulesregarding disclosures and uses ofprotected health information for judicialand administrative procedures shouldprovide only those protections that existunder existing discovery rules.Although the current process may beappropriate for other documents andinformation requested during thediscovery process, the current system,as exemplified by the Federal Rules ofCivil Procedure, does not providesufficient protection for protected healthinformation. Under current discoveryrules, private attorneys, governmentofficials, and others who develop suchrequests make the initial determinationsas to what information ordocumentation should be disclosed.Independent third-party review, such asthat by a court, only becomes necessaryif a person of whom the request is maderefuses to provide the information. Ifthis happens, the person seekingdiscovery must obtain a court order ormove to compel discovery. In our viewthis system does not provide sufficientprotections to ensure that unnecessaryand unwarranted disclosures ofprotected health information does notoccur. For a related discuss, see thepreamble regarding ‘‘Disclosures forJudicial and AdministrativeProceedings’’ under § 164.512(e).

Federal Rules of EvidenceComment: Many comments requested

clarification that the privacy regulationdoes not conflict or interfere with thefederal or state privileges. In particular,one of these comments suggested thatthe final regulation provide thatdisclosures for a purpose recognized bythe regulation not constitute a waiver offederal or state privileges.

Response: We do not intend for theprivacy regulation to interfere withfederal or state rules of evidence thatcreate privileges. Consistent with TheUniform Health-Care Information Actdrafted by the National Conference ofCommissioners on Uniform State Laws,we do not view a consent or anauthorization to function as a waiver offederal or state privileges. For furtherdiscussion of the effect of consent orauthorization on federal or stateprivileges, see preamble discussions in§§ 164.506 and 164.508.

Comment: Other commentsapplauded the Secretary’s references toJaffee v. Redman, 518 U.S. 1 (1996),which recognized a psychotherapist-patient privilege, and asked theSecretary to incorporate expressly thisprivilege into the final regulation.

Response: We agree that thepsychotherapist-patient relationship isan important one that deservesprotection. However, it is beyond thescope our mandate to create specificevidentiary privileges. It is alsounnecessary because the United StatesSupreme Court has adopted thisprivilege.

Comment: A few comments discussedwhether one remedy for violating theprivacy regulation should be to excludeor suppress evidence obtained inviolation of the regulation. Onecomment supported using this penalty,while another opposed it.

Response: We do not have theauthority to mandate that courts applyor not apply the exclusionary rule toevidence obtained in violation of theregulation. This issue is in the purviewof the courts.

Federal Tort Claims ActComment: One comment contended

that the proposed regulation’srequirement mandating covered entitiesto name the subjects of protected healthinformation disclosed under a businesspartner contract as third party intendedbeneficiaries under the contract wouldhave created an impermissible right ofaction against the government under theFederal Tort Claims Act (‘‘FTCA’’).

Response: Because we have deletedthe third party beneficiary provisionsfrom the final rules, this comment ismoot.

Comment: Another commentsuggested the regulation would hamperthe ability of federal agencies to discloseprotected health information to theirattorneys, the Department of Justice,during the initial stages of the claimsbrought under the FTCA.

Response: We disagree. Theregulation applies only to federalagencies that are covered entities. To theextent an agency is not a covered entity,it is not subject to the regulation; to theextent an agency is a covered entity, itmust comply with the regulation. Acovered entity that is a federal agencymay disclose relevant information to itsattorneys, who are business associates,for purposes of health care operations,which includes uses or disclosures forlegal functions. See § 164.501(definitions of ‘‘business associate’’ and‘‘health care operations’’). The final ruleprovides specific provisions describinghow federal agencies may provide



adequate assurances for these types ofdisclosures of protected healthinformation. See § 164.504(e)(3).

Food and Drug AdministrationComment: A few comments expressed

concerns about the use of protectedhealth information for reportingactivities to the Food and DrugAdministration (‘‘FDA’’). Their concernfocused on the ability to obtain ordisclose protected health informationfor pre-and post-marketing adverseevent reports, device tracking, and post-marketing safety and efficacyevaluation.

Response: We agree with thiscomment and have provided thatcovered entities may disclose protectedhealth information to persons subject tothe jurisdiction of the FDA, to complywith the requirements of, or at thedirection of, the FDA with regard toreporting adverse events (or similarreports with respect to dietarysupplements), the tracking of medicaldevices, other post-marketingsurveillance, or other similarrequirements described at § 164.512(b).

Foreign StandardsComment: One comment asked how

the regulation could be enforced againstforeign countries (or presumably entitiesin foreign countries) that solicit medicalrecords from entities in the UnitedStates.

Response: We do not regulatesolicitations of information. To theextent a covered entity wants to complywith a request for disclosure ofprotected health information to foreigncountries or entities within foreigncountries, it will need to comply withthe privacy rules before making thedisclosure. If the covered entity fails tocomply with the rules, it will be subjectto enforcement proceedings.

Freedom of Information ActComment: One comment asserted that

the proposed privacy regulationconflicts with the Freedom ofInformation Act (‘‘FOIA’’). Thecomment argued that the proposedrestriction on disclosures by agencieswould not come within one of thepermissible exemptions to the FOIA. Inaddition, the comment noted that onlyin exceptional circumstances would theprotected health information ofdeceased individuals come within anexemption because, for the most part,death extinguishes an individual’s rightto privacy.

Response: Section 164.512(a) belowpermits covered entities to discloseprotected health information when suchdisclosures are required by other laws as

long as they follow the requirements ofthose laws. Therefore, the privacyregulation will not interfere with theability of federal agencies to complywith FOIA, when it requires thedisclosure.

We disagree, however, that mostprotected health information will notcome within Exemption 6 of FOIA. Seethe discussion above under‘‘Relationship to Other Federal Laws’’for our review of FOIA. Moreover, wedisagree with the comment’s assertionthat the protected health information ofdeceased individuals does not comewithin Exemption 6. Courts haverecognized that a deceased individual’ssurviving relatives may have a privacyinterest that federal agencies mayconsider when balancing privacyinterests against the public interest indisclosure of the requested information.Federal agencies will need to considernot only the privacy interests of thesubject of the protected healthinformation in the record requested, butalso, when appropriate, those of adeceased individual’s family consistentwith judicial rulings.

If an agency receives a FOIA requestfor the disclosure of protected healthinformation of a deceased individual, itwill need to determine whether or notthe disclosure comes within Exemption6. This evaluation must be consistentwith the court’s rulings in this area. Ifthe exemption applies, the federalagency will not have to release theinformation. If the federal agencydetermines that the exemption does notapply, may release it under § 164.512(a)of this regulation.

Comment: One commenter expressedconcern that our proposal to protect theindividually identifiable healthinformation about the deceased for twoyears following death would impedepublic interest reporting and would beat odds with many state Freedom ofInformation laws that make deathrecords and autopsy reports publicinformation. The commenter suggestedpermitting medical information to beavailable upon the death of anindividual or, at the very least, that anappeals process be permitted so thathealth information trustees would beallowed to balance the interests inprivacy and in public disclosure andrelease or not release the informationaccordingly.

Response: These rules permit coveredentities to make disclosures that arerequired by state Freedom ofInformation Act (FOIA) laws under§ 164.512(a). Thus, if a state FOIA lawdesignates death records and autopsyreports as public information that mustbe disclosed, a covered entity may

disclose it without an authorizationunder the rule. To the extent that suchinformation is required to be disclosedby FOIA or other law, such disclosuresare permitted under the final rule. Inaddition, to the extent that deathrecords and autopsy reports areobtainable from non-covered entities,such as state legal authorities, access tothis information is not impeded by thisrule.

If another law does not require thedisclosure of death records and autopsyreports generated and maintained by acovered entity, which are protectedhealth information, covered entities arenot allowed to disclose suchinformation except as permitted orrequired by the final rule, even ifanother entity discloses them.

Comment: One comment soughtclarification of the relationship betweenthe Freedom of Information Act, thePrivacy Act, and the privacy rules.

Response: We have provided thisanalysis in the ‘‘Relationship to OtherFederal Laws’’ section of the preamblein our discussion of the Freedom ofInformation Act.

Gramm-Leach-Bliley

Comments: One commenter notedthat the Financial ServicesModernization Act, also known asGramm-Leach-Bliley (‘‘GLB’’), requiresfinancial institutions to provide detailedprivacy notices to individuals. Thecommenter suggested that the privacyregulation should not require financialinstitutions to provide additional notice.

Response: We disagree. To the extenta covered entity is required to complywith the notice requirements of GLBand those of our rules, the coveredentity must comply with both. We willwork with the FTC and other agenciesimplementing GLB to avoid unnecessaryduplication. For a more detaileddiscussion of GLB and the privacy rules,see the ‘‘Relationship to Other FederalLaws’’ section of the preamble.

Comment: A few commenters askedthat the Department clarify thatfinancial institutions, such as banks,that serve as payors are covered entities.The comments explained that with theenactment of the Gramm-Leach-BlileyAct, banks are able to form holdingcompanies that will include insurancecompanies (that may be coveredentities). They recommended that banksbe held to the rule’s requirements andbe required to obtain authorization toconduct non-payment activities, such asfor the marketing of health and non-health items and services or the use anddisclosure to non-health relateddivisions of the covered entity.



Response: These comments did notprovide specific facts that would permitus to provide a substantive response. Anorganization will need to determinewhether it comes within the definitionof ‘‘covered entity.’’ An organizationmay also need to consider whether ornot it contains a health care component.Organizations that are uncertain aboutthe application of the regulation to themwill need to evaluate their specific factsin light of this rule.

Inspector General ActComment: One comment requested

the Secretary to clarify in the preamblethat the privacy regulation does notpreempt the Inspector General Act.

Response: We agree that to the extentthe Inspector General Act requires usesor disclosures of protected healthinformation, the privacy regulation doesnot preempt it. The final rule providesthat to the extent required under section201(a)(5) of the Act, nothing in thissubchapter should be construed todiminish the authority of any InspectorGeneral, including the authorityprovided in the Inspector General Act of1978. See discussion of § 160.102 above.

Medicare and MedicaidComment: One comment suggested

possible inconsistencies between theregulation and Medicare/Medicaidrequirements, such as those under theQuality Improvement System forManaged Care. This commenter askedthat HHS expand the definition ofhealth care operations to include healthpromotion activities and avoid potentialconflicts.

Response: We disagree that theprivacy regulation would prohibitmanaged care plans operating in theMedicare or Medicaid programs fromfulfilling their statutory obligations. Tothe extent a covered entity is requiredby law to use or disclose protectedhealth information in a particularmanner, the covered entity may makesuch a use or disclosure under§ 164.512(a). Additionally, qualityassessment and improvement activitiescome within the definition of ‘‘healthcare operations.’’ Therefore, the specificexample provided by the commenterwould seem to be a permissible use ordisclosure under § 164.502, even if itwere not a use or disclosure ‘‘requiredby law.’’

Comment: One commenter stated thatMedicare should not be able to requirethe disclosure of psychotherapy notesbecause it would destroy a practitioner’sability to treat patients effectively.

Response: If the Title XVIII of theSocial Security Act requires thedisclosure of psychotherapy notes, the

final rule permits, but does not require,a covered entity to make such adisclosure under § 164.512(a). If,however, the Social Security Act doesnot require such disclosures, Medicaredoes not have the discretion to requirethe disclosure of psychotherapy notes asa public policy matter because the finalrule provides that covered entities, withlimited exceptions, must obtain anindividual’s authorization beforedisclosing psychotherapy notes. See§ 164.508(a)(2).

National Labor Relations Act

Comment: A few comments expressedconcern that the regulation did notaddress the obligation of coveredentities to disclose protected healthinformation to collective bargainingrepresentatives under the NationalLabor Relations Act.

Response: The final rule does notprohibit disclosures that coveredentities must make pursuant to otherlaws. To the extent a covered entity isrequired by law to disclose protectedhealth information to collectivebargaining representatives under theNLRA, it may to so without anauthorization. Also, the definition of‘‘health care operations’’ at § 164.501permits disclosures to employeerepresentatives for purposes ofgrievance resolution.

Organ Donation

Comment: One commenter expressedconcern about the potential impact ofthe regulation on the organ donationprogram under 42 CFR part 482.

Response: In the final rule, we addprovisions allowing the use ordisclosure of protected healthinformation to organ procurementorganizations or other entities engagedin the procurement, banking, ortransplantation of cadaveric organs,eyes, or tissue for the purpose offacilitating donation andtransplantation. See § 164.512(h).

Privacy Act Comments

Comment: One comment suggestedthat the final rule unambiguouslypermit the continued operation of thestatutorily established or authorizeddiscretionary routine uses permittedunder the Privacy Act for both lawenforcement and health oversight.

Response: We disagree. See thediscussion of the Privacy Act in‘‘Relationship to Other Federal Laws’’above.

Public Health Services Act

Comment: One comment suggestedthat the Public Health Service Actplaces more stringent rules regarding

the disclosure of information onFederally Qualified Health Centers thanthe proposed privacy regulationsuggested. Therefore, the commentersuggested that the final rule exemptFederally Qualified Health Centers fromthe rules requirements

Response: We disagree. Congressexpressly included Federally QualifiedHealth Centers, a provider of medical orother health services under the SocialSecurity Act section 1861(s), within itsdefinition of health care provider insection 1171 of the Act; therefore, wecannot exclude them from theregulation.

Comment: One commenter noted thatno conflicts existed between theproposed rule and the Public HealthServices Act.

Response: As we discuss in the‘‘Relationship to Other Federal Laws’’section of the preamble, the PublicHealth Service Act contains explicitconfidentiality requirements that are sogeneral as not to create problems ofinconsistency. We recognized, however,that in some cases, that law or itsaccompanying regulations may containgreater restrictions. In those situations,a covered entity’s ability to make whatare permissive disclosures under thisprivacy regulation would be limited bythose laws.

Reporting RequirementComment: One comment noted that

federal agencies must provideinformation to certain entities pursuantto various federal statutes. For example,federal agencies must not withholdinformation from a Congressionaloversight committee or the GeneralAccounting Office. Similarly, somefederal agencies must provide theBureau of the Census and the NationalArchives and Records Administrationwith certain information. This commentexpressed concern that the privacyregulation would conflict with theserequirements. Additionally, thecommenter asked whether the privacynotice would need to contain these usesand disclosures and recommended thata general statement that these federalagencies would disclose protectedhealth information when required bylaw be considered sufficient to meet theprivacy notice requirements.

Response: To the extent a federalagency acting as a covered entity isrequired by federal statute to discloseprotected health information, theregulation permits the disclosure asrequired by law under § 164.512(a). Thenotice provisions at§ 164.520(b)(1)(ii)(B) require coveredentities to provide a brief description ofthe purposes for which the covered



entity is permitted or required by therules to use or disclose protected healthinformation without an individual’swritten authorization. If these statutesrequire the disclosures, covered entitiessubject to the requirement may make thedisclosure pursuant to § 164.512(a).Thus, their notice must include adescription of the category of thesedisclosures. For example, a generalstatement such as the covered entity‘‘will disclose your protected healthinformation to comply with legalrequirements’’ should suffice.

Comment: One comment stressed thatthe final rule should not inadvertentlypreempt mandatory reporting laws dulyenacted by federal, state, or locallegislative bodies. This commenter alsosuggested that the final rule not preventthe reporting of violations to lawenforcement agencies.

Response: We agree. Like theproposed rule, the final rule permitscovered entities to disclose protectedhealth information when required bylaw under § 164.512(a). To the extent acovered entity is required by law tomake a report to law enforcementagencies or is otherwise permitted tomake a disclosure to a law enforcementagency as described in § 164.512(f), itmay do so without an authorization.Alternatively, a covered entity mayalways request that individualsauthorize these disclosures.

Security StandardsComment: One comment called for

HHS to consider the privacy regulationin conjunction with the other HIPAAstandards. In particular, this commentfocused on the belief that the securitystandards should be compatible withthe existing and emerging health careand information technology industrystandards.

Response: We agree that the securitystandards and the privacy rules shouldbe compatible with one another and areworking to ensure that the final rules inboth areas function together. Becausewe are addressing comments regardingthe privacy rules in this preamble, wewill consider the comment about thesecurity standard as we finalize that setof rules.

Substance Abuse Confidentiality Statuteand Regulations

Comment: Several commenters notedthat many health care providers arebound by the federal restrictionsgoverning alcohol and drug abuserecords. One commenter noted that theNPRM differed substantially from thesubstance abuse regulations and wouldhave caused a host of practical problemsfor covered entities. Another

commenter, however, supported theNPRM’s analysis that stated that morestringent provisions of the substanceabuse provisions would apply. Thiscommenter suggested an even strongerapproach of including in the text aprovision that would preserve existingfederal law. Yet, one commentsuggested that the regulation asproposed would confuse providers bymaking it difficult to determine whenthey may disclose information to lawenforcement because the privacyregulation would permit disclosuresthat the substance abuse regulationswould not.

Response: We appreciate the need ofsome covered entities to evaluate theprivacy rules in light of federalrequirements regarding alcohol anddrug abuse records. Therefore, weprovide a more detailed analysis in the‘‘Relationship to Other Federal Laws’’section of the preamble.

Comment: Some of these commentersalso noted that state laws contain strictconfidentiality requirements. A fewcommenters suggested that HHSreassess the regulations to avoidinconsistencies with state privacyrequirements, implying that problemsexist because of conflicts between thefederal and state laws regarding theconfidentiality of substance abuseinformation.

Response: As noted in the preamblesection discussing preemption, the finalrules do not preempt state laws thatprovide more privacy protections. For amore detailed analysis of therelationship between state law and theprivacy rules, see the ‘‘Preemption’’provisions of the preamble.

Tribal LawComments: One commenter suggested

that the consultation process with tribalgovernments described in the NPRMwas inadequate under Executive OrderNo. 13084. In addition, the commenterexpressed concern that the disclosuresfor research purposes as permitted bythe NPRM would conflict with anumber of tribal laws that offerindividuals greater privacy rights withrespect to research and reflects culturalappropriateness. In particular, thecommenter referenced the HealthResearch Code for the Navajo Nationwhich creates a entity with broaderauthority over research conducted onthe Navajo Nation than the local IRBand requires informed consent by studyparticipants. Other laws mentioned bythe commenter included the NavajoNation Privacy and Access toInformation Act and a similar policyapplicable to all health care providerswithin the Navajo Nation. The

commenter expressed concern that theproposed regulation research provisionswould override these tribal laws.

Response: We disagree with thecomment that the consultation withtribal governments undertaken prior tothe proposed regulation is inadequateunder Executive Order No. 13084. Asstated in the proposed regulation, theDepartment consulted withrepresentatives of the National Congressof American Indians and the NationalIndian Health Board, as well as others,about the proposals and the applicationof HIPAA to the Tribes, and thepotential variations based on therelationship of each Tribe with the IHSfor the purpose of providing healthservices. In addition, Indian and tribalgovernments had the opportunity to,and did, submit substantive commentson the proposed rules.

Additionally, disclosures permittedby this regulation do not conflict withthe policies as described by thiscommenter. Disclosures for researchpurposes under the final rule, as in theproposed regulation, are permissivedisclosures only. The rule describes theouter boundaries of permissibledisclosures. A covered health careprovider that is subject to the tribal lawsof the Navajo Nation must continue tocomply with those tribal laws. If thetribal laws impose more stringentprivacy standards on disclosures forresearch, such as requiring informedconsent in all cases, nothing in the finalrule would preclude compliance withthose more stringent privacy standards.The final rule does not interfere withthe internal governance of the NavajoNation or otherwise adversely affect thepolicy choices of the tribal governmentwith respect to the culturalappropriateness of research conductedin the Navajo Nation.

TRICAREComment: One comment expressed

concern regarding the application of the‘‘minimum necessary’’ standard toinvestigations of health care providersunder the TRICARE (formerly theCHAMPUS) program. The comment alsoexpressed concern that health careproviders would be able to avoidproviding their records to suchinvestigators because the proposed§ 164.510 exceptions were notmandatory disclosures.

Response: In our view, neither theminimum necessary standard nor thefinal §§ 164.510 and 164.512 permissivedisclosures will impede suchinvestigations. The regulation requirescovered entities to make all reasonableefforts not to disclose more than theminimum amount of protected health



information necessary to accomplish theintended purpose of the use ordisclosure. This requirement, however,does not apply to uses or disclosuresthat are required by law. See§ 164.502(b)(2)(iv). Thus, if thedisclosure to the investigators isrequired by law, the minimumnecessary standard will not apply.Additionally, the final rule providesthat covered entities rely, if suchreliance is reasonable, on assertionsfrom public officials about whatinformation is reasonably necessary forthe purpose for which it is being sought.See § 164.514(d)(3)(iii).

We disagree with the assertion thatproviders will be able to avoidproviding their records to investigators.Nothing in this rule permits coveredentities to avoid disclosures required byother laws.

Veterans AffairsComment: One comment sought

clarification about how disclosures ofprotected health information wouldoccur within the Veterans Affairsprograms for veterans and theirdependents.

Response: We appreciate thecommenter’s request for clarification asto how the rules will affect disclosuresof protected health information in thespecific context of Veteran’s Affairsprograms. Veterans health careprograms under 38 U.S.C. chapter 17 aredefined as ‘‘health plans.’’ Withoutsufficient details as to the particularaspects of the Veterans Affairs programsthat this comment views as problematic,we cannot comment substantively onthis concern.

Comment: One comment suggestedthat the final regulation clarify that theanalysis applied to the substance abuseregulations apply to laws governingVeteran’s Affairs health records.

Response: Although we realize somedifference may exist between the laws,we believe the discussion of federalsubstance abuse confidentialityregulations in the ‘‘Relationship toOther Federal Laws’’ preamble providesguidance that may be applied to thelaws governing Veteran’s Affairs (‘‘VA’’)health records. In most cases, a conflictwill not exist between these privacyrules and the VA programs. Forexample, some disclosures allowedwithout patient consent or authorizationunder the privacy regulation may not bewithin the VA statutory list ofpermissible disclosures without awritten consent. In such circumstances,the covered entity would have to abideby the VA statute, and no conflict exists.If the disclosures permitted by the VAstatute come within the permissible

disclosures of our rules, no conflictexists. In some cases, our rules maydemand additional requirements, suchas obtaining the approval of a privacyboard or Institutional Review Board if acovered entity seeks to discloseprotected health information forresearch purposes without theindividual’s authorization. A coveredentity subject to the VA statute willneed to ensure that it meets therequirements of both that statute and theregulation below. If a conflict arises, thecovered entity should evaluate thespecific potential conflicting provisionsunder the implied repeal analysis setforth in the ‘‘Relationship to OtherFederal Laws’’ discussion in thepreamble.

WIC

Comment: One comment called onother federal agencies to examine theirregulations and policies regarding theuse and disclosure of protected healthinformation. The comment suggestedthat other agencies revise theirregulations and policies to avoidduplicative, contradictory, or morestringent requirements. The commentnoted that the U.S. Department ofAgriculture’s Special SupplementalNutrition Program for Women, Infants,and Children (‘‘WIC’’) does not releaseWIC data. Because the commenterbelieved the regulation would notprohibit the disclosure of WIC data, thecomment stated that the Department ofAgriculture should now release suchinformation.

Response: We support other federalagencies to whom the rules apply intheir efforts to review existingregulations and policies regardingprotected health information. However,we do not agree with the suggestion thatother federal agencies that are notcovered entities must reduce theprotections or access-related rights theyprovide for individually identifiablehealth information they hold.

Part 160, Subpart C—Compliance andEnforcement

Section 160.306(a)—Who Can FileComplaints With the Secretary

Comment: The proposed rule limitedthose who could file a complaint withthe Secretary to individuals. A numberof commenters suggested that otherpersons with knowledge of a possibleviolation should also be able to filecomplaints. Examples that wereprovided included a mental health careprovider with first hand knowledge of ahealth plan improperly requiringdisclosure of psychotherapy notes andan occupational health nurse with

knowledge that her human resourcesmanager is improperly reviewingmedical records. A few comments raisedthe concern that permitting any personto file a complaint lends itself to abuseand is not necessary to ensure privacyrights and that the complainant shouldbe a person for whom there is a duty toprotect health information.

Response: As discussed below, therule defines ‘‘individual’’ as the personwho is the subject of the individuallyidentifiable health information.However, the covered entity may allowother persons, such as personalrepresentatives, to exercise the rights ofthe individual under certaincircumstances, e.g., for a deceasedindividual. We agree with thecommenters that any person maybecome aware of conduct by a coveredentity that is in violation of the rule.Such persons could include the coveredentity’s employees, business associates,patients, or accrediting, healthoversight, or advocacy agencies ororganizations. Many persons, such asthe covered entity’s employees, may, infact, be in a better position than the‘‘individual’’ to know that a violationhas occurred. Another example is a stateProtection and Advocacy group thatmay represent persons withdevelopmental disabilities. We havedecided to allow complaints from anyperson. The term ‘‘person’’ is notrestricted here to human beings ornatural persons, but also includes anytype of association, group, ororganization.

Allowing such persons to filecomplaints may be the only way theSecretary may learn of certain possibleviolations. Moreover, individuals whoare the subject of the information maynot be willing to file a complaintbecause of fear of embarrassment orretaliation. Based on our experiencewith various civil rights laws, such asTitle VI of the Civil Rights Act of 1964and Title II of the Americans withDisabilities Act, that allow any personto file a complaint with the Secretary,we do not believe that this practice willresult in abuse. Finally, upholdingprivacy protections benefits all personswho have or may be served by thecovered entity as well as the generalpublic, and not only the subject of theinformation.

If a complaint is received fromsomeone who is not the subject ofprotected health information, the personwho is the subject of this informationmay be concerned with the Secretary’sinvestigation of this complaint. Whilewe did not receive comments on thisissue, we want to protect the privacyrights of this individual. This might



involve the Secretary seeking to contactthe individual to provide information asto how the Secretary will addressindividual’s privacy concerns whileresolving the complaint. Contacting allindividuals may not be practicable inthe case of allegations of systemicviolations (e.g., where the allegation isthat hundreds of medical records werewrongfully disclosed).

Requiring That a Complainant Exhaustthe Covered Entity’s Internal ComplaintProcess Prior to Filing a Complaint Withthe Secretary

Comment: A number of commenters,primarily health plans, suggested thatindividuals should not be permitted tofile a complaint with the Secretary untilthey exhaust the covered entity’s owncomplaint process. Commenters statedthat covered entities should have acertain period of time, such as ninetydays, to correct the violation. Somecommenters asserted that providing forfiling a complaint with the Secretarywill be very expensive for both thepublic and private sectors of the healthcare industry to implement. Othercommenters suggested requiring theSecretary to inform the covered entity ofany complaint it has received and notinitiate an investigation or ‘‘takeenforcement action’’ before the coveredentity has time to address thecomplaint.

Response: We have decided, for anumber of reasons, to retain theapproach as presented in the proposedrule. First, we are concerned thatrequiring that complainants first notifythe covered entity would have a chillingeffect on complaints. In the course ofinvestigating individual complaints, theSecretary will often need to reveal theidentity of the complainant to thecovered entity. However, in theinvestigation of cases of systemicviolations and some individualviolations, individual names may notneed to be identified. Under theapproach suggested by thesecommenters, the covered entity wouldlearn the names of all persons who filecomplaints with the Secretary. Someindividuals might feel uncomfortable orfear embarrassment or retaliationrevealing their identity to the coveredentity they believe has violated theregulation. Individuals may also feelthey are being forced to enter intonegotiations with this entity before theycan file a complaint with the Secretary.

Second, because some potentialcomplainants would not bringcomplaints to the covered entity,possible violations might not becomeknown to the Secretary and mightcontinue. Third, the delay in the

complaint coming to the attention of theSecretary because of the time allowedfor the covered entity to resolve thecomplaint may mean that significantviolations are not addressedexpeditiously. Finally, the processproposed by these commenters isarguably unnecessary because anindividual who believes that anagreement can be reached with thecovered entity, can, through the entity’sinternal complaint process or othermeans, seek resolution before filing acomplaint with the Secretary.

Our approach is consistent with otherlaws and regulations protectingindividual rights. None of the civilrights laws enforced by the Secretaryrequire a complainant to provide anynotification to the entity that is allegedto have engaged in discrimination (e.g.,Americans with Disabilities Act, section504 of the Rehabilitation Act, Title VI ofthe Civil Rights Act, and the AgeDiscrimination Act). The concept of‘‘exhaustion’’ is used in laws thatrequire individuals to pursueadministrative remedies, such as thatprovided by a governmental agency,before bringing a court action. UnderHIPAA, individuals do not have a rightto court action.

Some commenters seemed to believethat the Secretary would pursueenforcement action without notifyingthe covered entity. It has been theSecretary’s practice in investigatingcases under other laws, such as variouscivil rights laws, to inform entities thatwe have received a complaint againstthem and to seek early resolution ifpossible. In enforcing the privacy rule,the Secretary will generally inform thecovered entity of the nature of anycomplaints it has received against theentity. (There may be situations whereinformation is withheld to protect theprivacy interests of the complainant orothers or where revealing informationwould impede the investigation of thecovered entity.) The Secretary will alsogenerally afford the entity anopportunity to share information withthe Secretary that may result in an earlyresolution. Our approach will be to seekinformal resolution of complaintswhenever possible, which includesallowing covered entities a reasonableamount of time to work with theSecretary to come into compliancebefore initiating action to seek civilmonetary penalties.

Section 160.306(b)(3)—Requiring ThatComplaints Be Filed With the SecretaryWithin a Certain Period of Time

Comment: A number of commenters,primarily privacy and disabilityadvocacy organizations, suggested that

the regulation require that complaintsbe filed with the Secretary by a certaintime. These commenters generallyrecommended that the time period forfiling a complaint should commence torun from the time when the individualknew or had reason to know of theviolation or omission. Another commentsuggested that a requirement to file acomplaint with the Secretary within 180days of the alleged noncompliance is aproblem because a patient may, becauseof his or her medical condition, beunable to access his or her recordswithin that time frame.

Response: We agree with thecommenters that complainants shouldgenerally be required to submitcomplaints in a timely fashion. Federalregulations implementing Title VI of theCivil Rights Act of 1964 provide that‘‘[a] complaint must be filed not laterthan ‘180 days from the date of thealleged discrimination’ unless the timefor filing is extended by the responsibleDepartment official or his designee.’’ 45CFR 80.7(b). Other civil rights laws,such as the Age Discrimination Act,section 504 of the Rehabilitation Act,and Title II of the Americans withDisabilities Act (ADA) (state and localgovernment services), also use thisapproach. Under civil rights lawsadministered by the EEOC, individualshave 180 days of the allegeddiscriminatory act to file a charge withEEOC (or 300 days if there is a state orlocal fair employment practices agencyinvolved).

Therefore, in the final rule we requirethat complaints be filed within 180 daysof when the complainant knew orshould have known that the act oromission complained of occurred unlessthis time limit is waived by theSecretary for good cause shown. Webelieve that an investigation of acomplaint is likely to be most effectiveif persons can be interviewed anddocuments reviewed as close to the timeof the alleged violation as possible.Requiring that complaints generally befiled within a certain period of timeincreases the likelihood that theSecretary will have necessary andreliable information. Moreover, we aretaking this approach in order toencourage complainants to filecomplaints as soon as possible. Byreceiving complaints in a timelyfashion, we can, if such complaintsprove valid, reduce the harm caused bythe violation.

Section 160.308—Basis for ConductingCompliance Reviews

Comment: A number of commentsexpressed concern that the Secretarywould conduct compliance reviews



without having received a complaint orhaving reason to believe there isnoncompliance. A number of thesecommenters appeared to believe that theSecretary would engage in ‘‘routinevisits.’’ Some commenters suggestedthat the Secretary should only be able toconduct compliance reviews if theSecretary has initiated an investigationof a complaint regarding the coveredentity in the preceding twelve months.Some commenters suggested that thereshould only be compliance reviewsbased on established criteria for reviews(e.g., finding of ‘‘reckless disregard’’).Many of these commenters stated thatcooperating with compliance reviews ispotentially burdensome and expensive.

One commenter asked whether theSecretary will have a process forreviewing all covered entities todetermine how they are complying withrequirements. This commenterquestioned whether covered entitieswill be required to submit plans andwait for Departmental approval.

Another commenter suggested thatthe Secretary specify a time limit for thecompletion of a compliance review.

Response: We disagree with thecommenters that the final rule shouldrestrict the Secretary’s ability to conductcompliance reviews. The Secretaryneeds to maintain the flexibility toconduct whatever reviews are necessaryto ensure compliance with the rule.

Section 160.310 (a) and (c)—TheSecretary’s Access to Information inDetermining Compliance

Comment: Some commenters raisedobjections to provisions in the proposedrule which required that coveredentities maintain records and submitcompliance reports as the Secretarydetermines is necessary to determinecompliance and required that coveredentities permit access by the Secretaryduring normal business hours to itsbooks, records, accounts, and othersources of information, includingprotected health information, and itsfacilities, that are pertinent toascertaining compliance with thissubpart. One commenter stated that theSecretary’s access to private healthinformation without appropriate patientconsent is contrary to the intent ofHIPAA. Another commenter expressedthe view that, because covered entitiesface criminal penalties for violations,these provisions violate the FifthAmendment protections against forcedself incrimination. Other commentersstated that covered entities should begiven the reason the Secretary needs tohave access to its books and records.Another commenter stated that thereshould be a limit to the frequency or

extent of intrusion by the federalgovernment into the business practicesof a covered entity and that theseprovisions violate the FourthAmendment of the Constitution.

Finally, a coalition of church planssuggested that the Secretary providechurch plans with additional proceduralsafeguards to reduce unnecessaryintrusion into internal churchoperations. These suggested safeguardsincluded permitting HHS to obtainrecords and other documents only ifthey are relevant and necessary tocompliance and enforcement activitiesrelated to church plans, requiring asenior official to determine theappropriateness of compliance-relatedactivities for church plans, andproviding church plans with a self-correcting period similar to thatCongress expressly provided in Title I ofHIPAA under the tax code.

Response: The final rule retains theproposed language in these twoprovisions with one change. The ruleadds a provision indicating that theSecretary’s access to information heldby the covered entity may be at any timeand without notice where exigentcircumstances exist, such as where timeis of the essence because documentsmight be hidden or destroyed. Thus,covered entities will generally receivenotice before the Secretary seeks toaccess the entity’s books or records.

Other than the exigent circumstanceslanguage, the language in these twoprovisions is virtually the same as thelanguage in this Department’s regulationimplementing Title VI of the CivilRights Act of 1964. 45 CFR 80.6(b) and(c). The Title VI regulation isincorporated by reference in otherDepartment regulations prohibitingdiscrimination of the basis of disability.45 CFR 84.61. Similar provisionsallowing this Department access torecipient information is found in theSecretary’s regulation implementing theAge Discrimination Act. 45 CFR 91.34.These provisions have not proved to beburdensome to entities that are subjectto these civil rights regulations (i.e., allrecipients of Department funds).

We do not interpret Constitutionalcase law as supporting the view that afederal agency’s review of informationpursuant to statutory mandate violatesthe Fifth Amendment protectionsagainst forced self incrimination. Norwould such a review of this informationraise Fourth Amendment problems. Seediscussion above regardingConstitutional comments and responses.

We appreciate the concern that theSecretary not involve herselfunnecessarily into the internaloperations of church plans. However, by

providing health insurance or care totheir employees, church plans areengaging in a secular activity. Under theregulation, church plans are subject tothe same compliance and enforcementrequirements with which other coveredentities must comply. Because Congressdid not carve out specific exceptions orrequire stricter standards forinvestigations related to church plans,incorporating such measures into theregulation would be inappropriate.

Additionally, there is no indicationthat the regulation will directly interferewith the religious practices of churchplans. Also, the regulation as writtenappropriately limits the ability ofinvestigators to obtain information fromcovered entities. The regulationprovides that the Secretary may obtainaccess only to information that ispertinent to ascertain compliance withthe regulation. We do not anticipateasking for information that is notnecessary to assess compliance with theregulation. The purpose of obtainingrecords and similar materials is todetermine compliance, not to engage inany sort of review or evaluation ofreligious activities or beliefs. Therefore,we believe the regulation appropriatelybalances the need to access informationto determine compliance with the desireof covered entities to avoid openingevery record in their possession to thegovernment.

Provision of Technical AssistanceComment: A number of commenters

inquired as to how a covered entity canrequest technical assistance from theSecretary to come into compliance. Anumber of commenters suggested thatthe Secretary provide interpretiveguidance to assist with compliance.Others recommended that the Secretaryhave a contact person or privacy official,available by telephone or email, toprovide guidance on theappropriateness of a disclosure or adenial of access. One commentersuggested that there be a formal processfor a covered entity to submitcompliance activities to the Secretaryfor prior approval and clarification. Thiscommenter suggested that clarificationsbe published on a contemporaneousbasis in the Federal Register to helpcorrect any ambiguities and confusionin implementation. It was also suggestedthat the Secretary undertake anassessment of ‘‘best practices’’ ofcovered entities and document andpromote the findings to serve as aconvenient ‘‘road map’’ for othercovered entities. Another commentersuggested that we work with providersto create implementation guidelinesmodeled after the interpretative



guidelines that HCFA creates forsurveyors on the conditions ofparticipation for Medicare and Medicaidcontractors.

Response: While we have not in thefinal rule committed the Secretary toany specific model of providingguidance or assistance, we do state ourintent, subject to budget and staffingconstraints, to develop a technicalassistance program that will include theprovision of written material whenappropriate to assist covered entities inachieving compliance. We will considerother models including HCFA’sMedicare and Medicaid interpretativeguidelines. Further informationregarding the Secretary’s technicalassistance program may be provided inthe Federal Register and on the HHSOffice for Civil Rights (OCR) Web Site.While OCR plans to have fully trainedstaff available to respond to questions,its ability to provide individualizedadvice in regard to such matters as theappropriateness of a particulardisclosure or the sufficiency ofcompliance activities will be based onstaff resources and demands. The ideaof looking at ‘‘best practices’’ andsharing information with all coveredentities is a good one and we willexplore how best to do this. We notethat a covered entity is not excused fromcompliance with the regulation becauseof any failure to receive technicalassistance or guidance.

Basis for Violation Findings andEnforcement

Comment: A number of commentersasked that covered entities not be liablefor violations of the rule if they haveacted in good faith. One commenterindicated that enforcement actionsshould not be pursued against coveredentities that make legitimate businessdecisions about how to comply with theprivacy standards.

Response: The commenters seemed toargue that even if a covered entity doesnot comply with a requirement of therule, the covered entity should not beliable if there was an honest and sincereintention or attempt to fulfill itsobligations. The final rule, however,does not take this approach but insteaddraws careful distinctions between whata covered entity must dounconditionally, and what a coveredentity must make certain reasonableefforts to do. In addition, the final ruleis clear as to the specific provisionswhere ‘‘good faith’’ is a consideration.For example, a covered entity ispermitted to use and disclose protectedhealth information withoutauthorization based on criteria thatincludes a good faith belief that such

use or disclosure is necessary to avert animminent threat to health or safety(§ 164.512(j)(1)(i)). Therefore, coveredentities need to pay careful attention tothe specific language in eachrequirement. However, we note thatmany of these provisions can beimplemented in a variety of ways; e.g,covered entities can exercise businessjudgement regarding how to conductstaff training.

As to enforcement, a covered entitywill not necessarily suffer a penaltysolely because an act or omissionviolates the rule. As we discusselsewhere, the Department will exercisediscretion to consider not only the harmdone, but the willingness of the coveredentity to achieve voluntary compliance.Further, the AdministrativeSimplification provisions of HIPAAprovide that whether a violation wasknown or not is relevant in determiningwhether civil or criminal penaltiesapply. In addition, if a civil penaltyapplies, HIPAA allows the Secretary,where the failure to comply was due toreasonable cause and not to willfulneglect, to delay the imposition of thepenalty to allow the covered entity tocomply. The Department will developand release for public comment anenforcement regulation applicable to allthe administrative simplificationregulations that will address theseissues.

Comment: One commenter askedwhether hospitals will be vicariouslyliable for the violations of theiremployees and expressed concern thathospitals and other providers will be theones paying large fines.

Response: The enforcement regulationwill address this issue. However, wenote that section 1128A(1) of the SocialSecurity Act, which applies to theimposition of civil monetary penaltiesunder HIPAA, provides that a principalis liable for penalties for the actions ofits agent acting within the scope of theagency. Therefore, a covered entity willgenerally be responsible for the actionsof its employees such as where theemployee discloses protected healthinformation in violation of theregulation.

Comment: A commenter expressedthe concern that if a covered entityacquires a non-compliant health plan, itwould be liable for financial penalties.This commenter suggested that, at aminimum, the covered entity be given agrace period of at least a year, but notless than six months to bring anyacquisition up to standard. Thecommenter stated that the Secretaryshould encourage, not discourage,compliant companies to acquire non-compliant ones. Another commenter

expressed a general concern aboutresolution of enforcement if an entityfaced with a HIPAA complaint acquiresor merges with an entity not covered byHIPAA.

Response: As discussed above, theSecretary will encourage voluntaryefforts to cure violations of the rule, andwill consider that fact in determiningwhether to bring a compliance action.We do not agree, however, that weshould limit our authority to pursueviolations of the rule if the situationwarrants it.

Comment: One commenter wasconcerned about the ‘‘undue risk’’ ofliability on originators of information,stemming from the fact that ‘‘thenumber of covered entities is limitedand they are unable to restrict how arecipient of information may use or re-disclose information * * *’’

Response: Under this rule, we do nothold covered entities responsible for theactions of recipients of protected healthinformation, unless the recipient is abusiness associate of the covered entity.We agree that it is not fair to holdcovered entities responsible for theactions of persons with whom they haveno on-going relationship, but believe itis fair to expect covered entities to holdtheir business associates to appropriatestandards of behavior with respect tohealth information.

Other Compliance and EnforcementComments

Comment: A number of commentsraised questions regarding theSecretary’s priorities for enforcement. Afew commenters stated that theysupported deferring enforcement untilthere is experience using the proposedstandards. One organization asked thatwe clarify that the regulation does notreplace or otherwise modify the self-regulatory/consumer empowermentapproach to consumer privacy in theonline environment.

Response: We have not made anydecisions regarding enforcementpriorities. It appears that somecommenters believe that no enforcementaction will be taken against a givencovered entity until that entity has hadsome time to comply. Covered entitieshave two years to come into compliancewith the regulation (three years in thecase of small health plans). Somecovered entities will have hadexperience using the standards prior tothe compliance date. We do not agreethat we should defer enforcement whereviolations of the rule occur. It would bewrong for covered entities to believethat enforcement action is based ontheir not having much experience in



using a particular standard or meetinganother requirement.

We support a self-regulation approachin that we recognize that mostcompliance will be achieved by thevoluntary activities of covered entitiesrather than by our enforcementactivities. Our emphasis will be oneducation, technical assistance, andvoluntary compliance and not onfinding violations and imposingpenalties. We also support a consumerempowerment approach. Aknowledgeable consumer is key to theeffectiveness of this rule. A consumerfamiliar with the requirements of thisrule will be equipped to make choicesregarding which covered entity will bestserve their privacy interests and willknow their rights under the rule andhow they can seek redress for violationsof this rule. Privacy-minded consumerswill seek to protect the privacy rights ofothers by bringing concerns to theattention of covered entities, the public,and the Secretary. However, we do notagree that we should defer enforcementwhere violations of the rule occur.

Comment: One commenter expressedconcern that by filing a complaint anindividual would be required to revealsensitive information to the public.Another commenter suggested thatcomplaints regarding noncompliance inregard to psychotherapy notes should bemade to a panel of mental healthprofessionals designated by theSecretary. This commenter alsoproposed that all patient information bemaintained as privileged, not berevealed to the public, and be keptunder seal after the case is reviewed andclosed.

Response: We appreciate this concernand will seek to ensure that individuallyidentifiable health information andother personal information contained incomplaints will not be available to thepublic. The privacy regulation provides,at § 160.310(c)(3), that protected healthinformation obtained by the Secretary inconnection with an investigation orcompliance review will not be disclosedexcept if necessary for ascertaining orenforcing compliance with theregulation or if required by law. Inaddition, this Department generallyseeks to protect the privacy ofindividuals to the fullest extentpossible, while permitting the exchangeof records required to fulfill itsadministrative and programresponsibilities. The Freedom ofInformation Act, 5 U.S.C. 552, and theHHS implementing regulation, 45 CFRpart 5, provide substantial protection forrecords about individuals wheredisclosure would constitute anunwarranted invasion of their personal

privacy. In implementing the privacyregulation, OCR plans to continue itscurrent practice of protecting itscomplaint files from disclosure. OCRtreats these files as investigatory recordscompiled for law enforcement purposes.Moreover, OCR maintains thatdisclosing protected health informationin these files generally constitutes anunwarranted invasion of personalprivacy.

It is not clear in regarding the use ofmental health professionals, whetherthe commenter believes that suchprofessionals should be involvedbecause they would be best able to keeppsychotherapy notes confidential orbecause such professionals can bestunderstand the meaning or relevance ofsuch notes. OCR anticipates that it willnot have to obtain a copy or reviewpsychotherapy notes in investigatingmost complaints regardingnoncompliance in regard to such notes.There may be some cases where areview of the notes may be needed suchas where we need to identify that theinformation a covered entity disclosedwas in fact psychotherapy notes. If weneed to obtain a copy of psychotherapynotes, we will keep these notesconfidential and secure. OCRinvestigative staff will be trained toensure that they fully respect theconfidentiality of personal information.In addition, while the specific contentsof these notes is generally not relevantto violations under this rule, if suchnotes are relevant, we will secure theexpertise of mental health professionalsif needed in reviewing psychotherapynotes.

Comment: A member of Congress anda number of privacy and consumergroups expressed concern with whetherOCR has adequate funding to carry outthe major responsibility of enforcing thecomplaint process established by thisrule. The Senator stated that ‘‘[d]ue tothe limited enforcement ability allowedfor in this rule by HIPAA, it is essentialthat OCR have the capacity to enforcethe regulations. Now is the time for OCRto begin building the necessaryinfrastructure to enforce the regulationeffectively.’’

Response: We agree and arecommitted to an effective enforcementprogram. We are working with Congressto ensure that the Secretary has thenecessary funds to secure voluntarycompliance through education andtechnical assistance, to investigatecomplaints and conduct compliancereviews, to provide states withexception determinations, and to usecivil and criminal penalties whennecessary. We will continue to work

with Congress and within the newAdministration in this regard.

Coordination With ReviewingAuthorities

Comment: A number of commentersreferenced other entities that alreadyconsider the privacy of healthinformation. One commenter indicatedopposition to the delegation ofinspections to third party organizations,such as the Joint Commission on theAccreditation of HealthcareOrganizations (JCAHO). A fewcommenters indicated that stateagencies are already authorized toinvestigate violations of state privacystandards and that we should rely onthose agencies to investigate allegedviolations of the privacy rules ordelegate its complaint process to statesthat wish to carry out this responsibilityor to those states that have a complaintprocess in place. Another commenterargued that individuals should berequired to exhaust any state processesbefore filing a complaint with theSecretary. Others referenced the factthat state medical licensing boardsinvestigate complaints againstphysicians for violating patientconfidentiality. One group asked thatthe federal government streamline all ofthese activities so physicians can havea single entity to whom they must beresponsive. Another group suggestedthat OMB should be given responsibilityfor ensuring that FEHB Plans operate incompliance with the privacy standardsand for enforcement.

A few commenters stated that theregulation might be used as a basis forviolation findings and subsequentpenalties under other Departmentauthorities, such as under Medicare’sConditions of Participation related topatient privacy and right toconfidentiality of medical records. Onecommenter wanted some assurance thatthis regulation will not be used asgrounds for sanctions under Medicare.Another commenter indicated supportfor making compliance with the privacyregulation a Condition of Participationunder Medicare.

Response: HIPAA does not give theSecretary the authority to delegate herresponsibilities to other private orpublic agencies such as JCAHO or stateagencies. However, we plan to exploreways that we may benefit from currentactivities that also serve to protect theprivacy of individually identifiablehealth information. For example, if weconduct an investigation or review of acovered entity, that entity may want toshare information regarding findings ofother bodies that conducted similarreviews. We would welcome such



information. In developing itsenforcement program, we may exploreways it can coordinate with otherregulatory or oversight bodies so that wecan efficiently and effectively pursueour joint interests in protecting privacy.

We do not accept the suggestion thatindividuals be required to exhaust theirremedies under state law before filing acomplaint with the Secretary. Ourrationale is similar to that discussedabove in regard to the suggestion thatcovered entities be required to exhausta covered entity’s internal complaintprocess before filing a complaint withthe Secretary. Congress provided forfederal privacy protection and we wantto allow individuals the right to thisprotection without barriers or delay.Covered entities may in their privacynotice inform individuals of any rightsthey have under state law including anyright to file privacy complaints. We donot have the authority to interfere withstate processes and HIPAA explicitlyprovides that we cannot preempt statelaws that provide greater privacyprotection.

We have not yet addressed the issueas to whether this regulation might beused as a basis for violation findings orpenalties under other Departmentauthorities. We note that Medicareconditions of participation requireparticipating providers to haveprocedures for ensuring theconfidentiality of patient records, aswell as afford patients with the right tothe confidentiality of their clinicalrecords.

PenaltiesComment: Many commenters

considered the statutory penaltiesinsufficient to protect privacy, statingthat the civil penalties are too weak tohave the impact needed to reduce therisk of inappropriate disclosure. Somecommenters took the opposing view andstated that large fines and prisonsentences for violations woulddiscourage physicians from transmittingany sort of health care information toany other agency, regardless of themedical necessity. Another commentexpressed the concern that doctors willbe at risk of going to jail for protectingthe privacy of individuals (by notdisclosing information the governmentbelieves should be released).

Response: The enforcement regulationwill address the application of the civilmonetary and criminal penalties underHIPAA. The regulation will bepublished in the Federal Register as aproposed regulation and the public willhave an opportunity to comment. We donot believe that our rule, and thepenalties available under it, will

discourage physicians and otherproviders from using or disclosingnecessary information. We believe thatthe rule permits physicians to make thedisclosures that they need to makeunder the health care system withoutexposing themselves to jeopardy underthe rule. We believe that the penaltiesunder the statute are woefullyinadequate. We support legislation thatwould increase the amount of thesepenalties.

Comment: A number of commentersstated that the regulations should permitindividuals to sue for damages causedby breaches of privacy under theseregulations. Some of these commentersspecified that damages, equitable relief,attorneys fees, and punitive damagesshould be available. Conversely, onecomment stated that strong penalties arenecessary and would preclude the needfor a private right of action. Anothercommenter stated that he does notbelieve that the statute intended to giveindividuals the equivalent of a right tosue, which results from makingindividuals third party beneficiaries tocontracts between business partners.

Response: We do not have theauthority to provide a private right ofaction by regulation. As discussedbelow, the final rule deletes the thirdparty beneficiary provision that was inthe proposed rule.

However, we believe that, in additionto strong civil monetary penalties,federal law should allow any individualwhose rights have been violated to bringan action for actual damages andequitable relief. The Secretary’sRecommendations, which weresubmitted to Congress on September 11,1997, called for a private right of actionto permit individuals to enforce theirprivacy rights.

Comment: One comment stated that,in calculating civil monetary penalties,the criteria should include aggravatingor mitigating circumstances andwhether the violation is a minor or firsttime violation. Several comments statedthat penalties should be tiered so thatthose that commit the most egregiousviolations face stricter civil monetarypenalties.

Response: As mentioned above, issuesregarding civil fines and criminalpenalties will be addressed in theenforcement regulation.

Comment: One comment stated thatthe regulation should clarify whether asingle disclosure that involved thehealth information of multiple partieswould constitute a single or multipleinfractions, for the purpose ofcalculating the penalty amount.

Response: The enforcement regulationwill address the calculation of penalties.

However, we note that section 1176subjects persons to civil monetarypenalties of not more than $100 for eachviolation of a requirement or prohibitionand not more than $25,000 in a calendaryear for all violations of an identicalrequirement or prohibition. Forexample, if a covered entity fails topermit amendment of protected healthinformation for 10 patients in onecalendar year, the entity may be finedup to $1000 ($100 times 10 violationsequals $1000).

Part 164—Subpart A—GeneralRequirements

Part 164—Subpart B–D—Reserved

Part 164—Subpart E—Privacy

Section 164.500—Applicability

Covered EntitiesThe response to comments on covered

entities is included in the response tocomments on the definition of ‘‘coveredentity’’ in the preamble discussion of§ 160.103.

Covered InformationThe response to comments on covered

information is included in the responseto comments on the definition of‘‘protected health information’’ in thepreamble discussion of § 164.501.


Designated record setComment: Many commenters

generally supported our proposeddefinition of designated record set.Commenters suggested differentmethods for narrowing the informationaccessible to individuals, such asexcluding information obtained withoutface-to-face interaction (e.g., phoneconsultations). Other commentersrecommended broadening theinformation accessible to individuals,such as allowing access to ‘‘the entiremedical record,’’ not just a designatedrecord set. Some commenters advocatedfor access to all information aboutindividuals. A few commentersgenerally supported the provision butrecommended that consultation andinterpretative assistance be providedwhen the disclosure may cause harm ormisunderstanding.

Response: We believe individualsshould have a right to access anyprotected health information that maybe used to make decisions about themand modify the final rule to accomplishthis result. This approach facilitates anopen and cooperative relationshipbetween individuals and covered healthcare providers and health plans andallows individuals fair opportunities toknow what health information may be



2 Privacy Protection Study Commission,‘‘Personal Privacy in an Information Society,’’ July1977, p. 298–299.

3 Health Privacy Working Group, ‘‘Best Principlesfor Health Privacy,’’ Health Privacy Project,Institute for Health Care Research and Policy,Georgetown University, July 1999.

4 National Committee on Quality Assurance andthe Joint Commission on Accreditation ofHealthcare Organizations, ‘‘Protecting PersonalHealth Information: A Framework for Meeting theChallenges in a Managed Care Environment,’’ 1998,p. 25.

5 ASTM, ‘‘Standard Guide for Confidentiality,Privacy, Access and Data Security, Principles forHealth Information Including Computer-BasedPatient Records,’’ E 1869–97, § 11.1.1.

used to make decisions about them. Welist certain records that are always partof the designated record set. For coveredproviders these are the medical recordand billing record. For health plansthese are the enrollment, payment,claims adjudication, and case ormedical management records. Thepurpose of these specified records ismanagement of the accounts and healthcare of individuals. In addition, weinclude in the designated record set towhich individuals have access anyrecord used, in whole or in part, by orfor the covered entity to make decisionsabout individuals. Only protectedhealth information that is in adesignated record set is covered.Therefore, if a covered provider has aphone conversation, informationobtained during that conversation issubject to access only to the extent thatit is recorded in the designated recordset.

We do not require a covered entity toprovide access to all individuallyidentifiable health information, becausethe benefits of access to information notused to make decisions aboutindividuals is limited and is outweighedby the burdens on covered entities oflocating, retrieving, and providingaccess to such information. Suchinformation may be found in manytypes of records that include significantinformation not relevant to theindividual as well as information aboutother persons. For example, a hospital’speer review files that include protectedhealth information about many patientsbut are used only to improve patientcare at the hospital, and not to makedecisions about individuals, are not partof that hospital’s designated record sets.

We encourage but do not requirecovered entities to provide interpretiveassistance to individuals accessing theirinformation, because such arequirement could imposeadministrative burdens that outweighthe benefits likely to accrue.

The importance to individuals ofhaving the right to inspect and copyinformation about them is supported bya variety of industry groups and isrecognized in current state and federallaw. The July 1977 Report of the PrivacyProtection Study Commissionrecommended that individuals haveaccess to medical records and medicalrecord information.2 The Privacy Act (5U.S.C. 552a) requires governmentagencies to permit individuals to reviewrecords and have a copy made in a formcomprehensible to the individual. In its

report ‘‘Best Principles for HealthPrivacy,’’ the Health Privacy WorkingGroup recommended that individualsshould have the right to accessinformation about them.3 The NationalAssociation of InsuranceCommissioners’ Health InformationPrivacy Model Act establishes the rightof an individual to examine or receivea copy of protected health informationin the possession of the carrier or aperson acting on behalf of the carrier.

Many states also establish a right forindividuals to access health informationabout them. For example, Alaska law(AK Code 18.23.005) entitles patients‘‘to inspect and copy any recordsdeveloped or maintained by a healthcare provider or other person pertainingto the health care rendered to thepatient.’’ Hawaii law (HRS section323C–11) requires health care providersand health plans, among others, topermit individuals to inspect and copyprotected health information aboutthem. Many other states have similarprovisions.

Industry and standard-settingorganizations also have developedpolicies to enable individual access tohealth information. The NationalCommittee for Quality Assurance andthe Joint Commission on Accreditationof Healthcare Organizations issuedrecommendations stating, ‘‘Patients’confidence in the protection of theirinformation requires that they have themeans to know what is contained intheir records. The opportunity forpatients to review their records willenable them to correct any errors andmay provide them with a betterunderstanding of their health status andtreatment.’’ 4 Standards of the AmericanSociety for Testing and Materials state,‘‘The patient or his or her designatedpersonal representative has access rightsto the data and information in his or herhealth record and other healthinformation databases except asrestricted by law. An individual shouldbe able to inspect or see his or herhealth information or request a copy ofall or part of the health information, orboth.’’ 5 We build on this well-established principle in this final rule.

Comment: Several commentersadvocated for access to not onlyinformation that has already been usedto make decisions, but also informationthat may be used to make decisions.Other commenters believed accessibleinformation should be more limited; forexample, some commenters argued thataccessible information should berestricted to only information used tomake health care decisions.

Response: We agree that it is desirablethat individuals have access toinformation reasonably likely to be usedto make decisions about them. On theother hand, it is desirable that thecategory of records covered be readilyascertainable by the covered entity. Wetherefore define ‘‘designated record set’’to include certain categories of records(a provider’s medical record and billingrecord, the enrollment records, andcertain other records maintained by ahealth plan) that are normally used, andare reasonably likely to be used, to makedecisions about individuals. We alsoadd a category of other records that are,in fact, used, in whole or in part, tomake decisions about individuals. Thiscategory includes records that are usedto make decisions about anyindividuals, whether or not the recordshave been used to make a decisionabout the particular individualrequesting access.

We disagree that accessibleinformation should be restricted toinformation used to make health caredecisions, because other decisions bycovered entities can also affectindividuals’ interests. For example,covered entities make financialdecisions about individuals, such aswhether an individual’s deductible hasbeen met. Because such decisions cansignificantly affect individuals’interests, we believe they should haveaccess to any protected healthinformation included in such records.

Comment: Some commenters believedthe rule should use the term‘‘retrievable’’ instead of ‘‘retrieved’’ todescribe information accessible toindividuals. Other commenterssuggested that the rule follow thePrivacy Act’s principle of allowingaccess only when entities retrieverecords by individual identifiers. Somecommenters requested clarification thatcovered entities are not required tomaintain information by name or otherpatient identifier.

Response: We have modified theproposed definition of the designatedrecord set to focus on how informationis used, not how it is retrieved.Information may be retrieved orretrievable by name, but if it is neverused to make decisions about any



individuals, the burdens of requiring acovered entity to find it and to redactinformation about other individualsoutweigh any benefits to the individualof having access to the information.When the information might be used toaffect the individual’s interests,however, that balance changes and thebenefits outweigh the burdens. Weconfirm that this regulation does notrequire covered entities to maintain anyparticular record set by name oridentifier.

Comment: A few commentersrecommended denial of access forinformation relating to investigations ofclaims, fraud, and misrepresentations.Many commenters suggested thatsensitive, proprietary, and legaldocuments that are ‘‘typical state lawprivileges’’ be excluded from the right toaccess. Specific suggestions forexclusion, either from the right of accessor from the definition of designatedrecord set, include quality assuranceactivities, information related tomedical appeals, peer review andcredentialing, attorney-clientinformation, and compliance committeeactivities. Some commenters suggestedexcluding information already suppliedto individuals on previous requests andinformation related to health careoperations. However, some commentersfelt that such information was alreadyexcluded from the definition ofdesignated record set. Othercommenters requested clarification thatthis provision will not prevent patientsfrom getting information related tomedical malpractice.

Response: We do not agree thatrecords in these categories are neverused to affect the interests ofindividuals. For example, whileprotected health information used forpeer review and quality assuranceactivities typically would not be used tomake decisions about individuals, and,thus, typically would not be part of adesignated record set, we cannot saythat this is true in all cases. We designthis provision to be sufficiently flexibleto work with the varying practices ofcovered entities.

The rule addresses several of thesecomments by excepting from the accessprovisions (§ 164.524) informationcompiled in reasonable anticipation of,or for use in, a civil, criminal, oradministrative action or proceeding.Similarly, nothing in this rule requiresa covered entity to divulge informationcovered by physician-patient or similarprivilege. Under the access provisions, acovered entity may redact informationin a record about other persons orinformation obtained under a promise ofconfidentiality, prior to releasing the

information to the individual. Weclarify that nothing in this provisionwould prevent access to informationneeded to prosecute or defend a medicalmalpractice action; the rules of therelevant court determine such access.

We found no persuasive evidence tosupport excluding information alreadysupplied to individuals on previousrequests. The burdens of trackingrequests and the information providedpursuant to requests outweigh theburdens of providing the accessrequested. A covered entity may,however, discuss the scope of therequest for access with the individual tofacilitate the timely provision of access.For example, if the individual agrees,the covered entity could supply only theinformation created or received sincethe date access was last granted.

DisclosureComment: A number of commenters

asked that the definition of ‘‘disclosure’’be modified so that it is clear that it doesnot include the release, transfer,provision of access to, or divulging inany other manner of protected healthinformation to the individual who is thesubject of that information. It wassuggested that we revise the definitionin this way to clarify that a health careprovider may release protected healthinformation to the subject of theinformation without first requiring thatthe patient complete an authorizationform.

Response: We agree with thecommenters’ concern, but accomplishthis result through a different provisionin the regulation. In § 164.502 of thisfinal rule, we specify that disclosures ofprotected health information to theindividual are not subject to thelimitations on disclosure of protectedhealth information otherwise imposedby this rule.

Comment: A number of commentersstated that the regulation should notapply to disclosures occurring within oramong different subsidiaries orcomponents of the same entity. Onecommenter interpreted ‘‘disclosure’’ tomean outside the agency or, in the caseof a state Department of Health, outsidesister agencies and offices that directlyassist the Secretary in performingMedicaid functions and are listed in thestate plan as entitled to receiveMedicaid data.

Response: We agree that there arecircumstances under which relatedorganizations may be treated as a singlecovered entity for purposes of protectingthe privacy of health information, andmodify the rule to accommodate suchcircumstances. In § 164.504 of the finalrule, we specify the conditions under

which affiliated companies maycombine into a single covered entity andsimilarly describe which components ofa larger organization must comply withthe requirements of this rule. Forexample, transfers of information withinthe designated component or affiliatedentity are uses while transfers ofinformation outside the designatedcomponent or affiliated entity aredisclosures. See the discussion of§ 164.504 for further information andrationale. It is not clear from thesecomments whether the particularorganizational arrangements describedcould constitute a single covered entity.

Comment: A commenter noted thatthe definition of ‘‘disclosure’’ shouldreflect that health plan correspondencecontaining protected health information,such as Explanation of Benefits (EOBs),is frequently sent to the policyholder.Therefore, it was suggested that thewords ‘‘provision of access to’’ bedeleted from the definition and that a‘‘disclosure’’ be clarified to include theconveyance of protected healthinformation to a third party.

Response: The definition is, on itsface, broad enough to cover the transfersof information described and so is notchanged. We agree that health plansmust be able to send EOBs topolicyholders. Sending EOBcorrespondence to a policyholder by acovered entity is a disclosure forpurposes of this rule, but it is adisclosure for purposes of payment.Therefore, subject to the provisions of§ 164.522(b) regarding ConfidentialCommunications, it is permitted even ifit discloses to the policyholderprotected health information aboutanother individual (see below).

Health care operationsComment: Several commenters stated

that the list of activities within thedefinition of health care operations wastoo broad and should be narrowed. Theyasserted that the definition should belimited to exclude activities that havelittle or no connection to the care of aparticular patient or to only includeemergency treatment situations orsituations constituting a clear andpresent danger to oneself or others.

Response: We disagree. We believethat narrowing the definition in themanner requested will place seriousburdens on covered entities and impairtheir ability to conduct legitimatebusiness and management functions.

Comment: Many commenters,including physician groups, consumergroups, and privacy advocates, arguedthat we should limit the informationthat can be used for health careoperations to de-identified data. They



argued that if an activity could be donewith de-identified data, it should not beincorporated in the definition of healthcare operations.

Response: We disagree. We believethat many activities necessary for thebusiness and administrative operationsof health plans and health careproviders are not possible with de-identified information or are possibleonly under unduly burdensomecircumstances. For example, identifiedinformation may be used or disclosedduring an audit of claims, for a plan tocontact a provider about alternativetreatments for specific patients, and inreviewing the competence of health careprofessionals. Further, not all coveredentities have the same ability to de-identify protected health information.Covered entities with highly automatedinformation systems will be able to usede-identified data for many purposes.Other covered entities maintain most oftheir records on paper, so a requirementto de-identify information would placetoo great a burden on the legitimate androutine business functions included inthe definition of health care operations.Small business, which are most likely tohave largely paper records, would findsuch a blanket requirement particularlyburdensome.

Protected health information that isde-identified pursuant to § 164.514(a) isnot subject to this rule. We hope thisprovides covered entities capable of de-identifying information with theincentive to do so.

Comment: Some commentersrequested that we permit the use ofdemographic data (geographic, location,age, gender, and race) separate from allother data for health care operations.They argued that demographic data wasneeded to establish provider networksand monitor providers to ensure that theneeds of ethnic and minoritypopulations were being addressed.

Response: The use of demographicdata for the stated purposes is withinthe definition of health care operations;a special rule is not necessary.

Comment: Some commenters pointedout that the definition of health careoperations is similar to, and at timesoverlaps with, the definition of research.In addition, a number of commentersquestioned whether or not researchconducted by the covered entity or itsbusiness partner must only beapplicable to and used within thecovered entity to be considered healthcare operations. Others questionedwhether such studies or researchperformed internal to a covered entityare ‘‘health care operations’’ even ifgeneralizable results may be produced.

Response: We agree that some healthcare operations have many of thecharacteristics of research studies and inthe NPRM asked for comments on howto make this distinction. While a clearanswer was not suggested in any of thecomments, the comments generallytogether with our fact finding lead to theprovisions in the final rule. Thedistinction between health careoperations and research rests onwhether the primary purpose of thestudy is to produce ‘‘generalizableknowledge.’’ We have modified thedefinition of health care operations toinclude ‘‘quality assessment andimprovement activities, includingoutcomes evaluation and developmentof clinical guidelines, provided that theobtaining of generalizable knowledge isnot the primary purpose of any studiesresulting from such activities.’’ If theprimary purpose of the activity is toproduce generalizable knowledge, theactivity fits within this rule’s definitionof ‘‘research’’ and the covered entitymust comply with §§ 164.508 or164.512, including obtaining anauthorization or the approval of aninstitutional review board or privacyboard. If not and the activity otherwisemeets the definition of health careoperations, the activity is not researchand may be conducted under the healthcare operations provisions of this rule.

In some instances, the primarypurpose of the activity may change aspreliminary results are analyzed. Anactivity that was initiated as an internaloutcomes evaluation may produceinformation that the covered entitywants to generalize. If the purpose of astudy changes and the covered entitydoes intend to generalize the results, thecovered entity should document thechange in status of the activity toestablish that they did not violate therequirements of this rule. (See definitionof ‘‘research,’’ below, for furtherinformation on the distinction between‘‘research’’ and ‘‘health careoperations.’’)

We note that the difficulty indetermining when an activity is for theinternal operations of an entity andwhen it is a research activity is a long-standing issue in the industry. Thevariation among commenters’ views isone of many indications that, today,there is not consensus on how to drawthis line. We do not resolve the largerissue here, but instead providerequirements specific to the informationcovered by this rule.

Comment: Several commenters askedthat disease management and disabilitymanagement activities be explicitlyincluded in the definition of health careoperations. Many health plans asserted

that they would not be able to providedisease management, wellness, andhealth promotion activities if theactivity were solely captured in therule’s definition of ‘‘treatment.’’ Theyalso expressed concern that ‘‘treatment’’usually applies to an individual, not toa population, as is the practice fordisease management.

Response: We were unable to findgenerally accepted definitions of theterms ‘‘disease management’’ and‘‘disability management.’’ Rather thanrely on this label, we include many ofthe functions often included indiscussions of disease management inthis definition or in the definition oftreatment, and modify both definitionsto address the commenters’ concerns.For example, we have revised thedefinition of health care operations toinclude population-based activitiesrelated to improving health or reducinghealth care costs. This topic is discussedfurther in the comment responsesregarding the definition of ‘‘treatment,’’below.

Comment: Several commenters urgedthat the definition of health careoperations be illustrative and flexible,rather than structured in the form of alist as in the proposed rule. Theybelieved it would be impossible toidentify all the activities that constitutehealth care operations. Commentersrepresenting health plans wereconcerned that the ‘‘static’’ nature of thedefinition would stifle innovation andcould not reflect the new functions thathealth plans may develop in the futurethat benefit consumers, improve quality,and reduce costs. Other commenters,expressed support for the approachtaken in the proposed rule, but felt thelist was too broad.

Response: In the final rule, we revisethe proposed definition of health careoperations to broaden the list ofactivities included, but we do not agreewith the comments asking for anillustrative definition rather than aninclusive list. Instead, we describe theactivities that constitute health careoperations in broad terms andcategories, such as ‘‘quality assessment’’and ‘‘business planning anddevelopment.’’ We believe the use ofbroadly stated categories will allowindustry innovation, but without theprivacy risks entailed in an illustrativeapproach.

Comment: Several commenters notedthat utilization review and internalquality review should be included inthe definition. They pointed out thatboth of these activities were discussedin the preamble to the proposed rule butwere not incorporated into theregulation text.



Response: We agree and havemodified the regulation text toincorporate quality assessment andimprovement activities, including thedevelopment of clinical guidelines andprotocol development.

Comment: Several commenters statedthat the proposal did not providesufficient guidance regarding compilingand analyzing information inanticipation of or for use in legalproceedings. In particular, they raisedconcerns about the lack of specificity asto when ‘‘anticipation’’ would betriggered.

Response: We agree that thisprovision was confusing and havereplaced it with a broader reference toconducting or arranging for legalservices generally.

Comment: Hospital representativespointed out the pressure on health carefacilities to improve cost efficiencies,make cost-effectiveness studies, andbenchmark essential health careoperations. They emphasized that suchactivities often use identifiable patientinformation, although the products ofthe analyses usually do not containidentifiable health information.Commenters representing state hospitalassociations pointed out that theyroutinely receive protected healthinformation from hospitals for analysesthat are used by member hospitals forsuch things as quality of carebenchmark comparisons, market shareanalysis, determining physicianutilization of hospital resources, andcharge comparisons.

Response: We have expanded thedefinition of health care operations toinclude use and disclosure of protectedhealth information for the importantfunctions noted by these commenters.We also allow a covered entity to engagea business associate to provide dataaggregation services. See § 164.504(e).

Comment: Several commenters arguedthat many activities that are integral tothe day-to-day operations of a healthplan have not been included in thedefinition. Examples provided by thecommenters include: issuing planidentification cards, customer service,computer maintenance, storage andback-up of radiologic images, and theinstallation and servicing of medicalequipment or computer systems.

Response: We agree with thecommenters that there are activities notdirectly part of treatment or paymentthat are more closely associated with theadministrative or clerical functions ofthe plan or provider that need to beincluded in the definition. To includesuch activities in the definition ofhealth care operations, we eliminate therequirement that health care operations

be directly related to treatment andpayment, and we add to this definitionthe new categories of businessmanagement (including generaladministrative activities) and businessplanning activities.

Comment: One commenter asked forclarification on whether cost-relatedanalyses could also be done byproviders as well as health plans.

Response: Health care operations,including business managementfunctions, are not limited to healthplans. Any covered entity can performhealth care operations.

Comment: One commenter stated thatthe proposed rule did not address whathappens to records when a coveredentity is sold or merged with anotherentity.

Response: We agree and add to thedefinition of health care operationsdisclosures of protected healthinformation for due diligence to acovered entity that is a potentialsuccessor in interest. This provisionincludes disclosures pursuant to thesale of a covered entity’s business as agoing concern, mergers, acquisitions,consolidations, and other similar typesof corporate restructuring betweencovered entities, including a division ofa covered entity, and to an entity that isnot a covered entity but will become acovered entity if the reorganization orsale is completed. Other types of salesof assets, or disclosures to organizationsthat are not and would not becomecovered entities, are not included in thedefinition of health care operations andcould only occur if the covered entityobtained valid authorization for suchdisclosure in accordance with § 164.508or if the disclosure is otherwisepermitted under this rule.

Once a covered entity is sold ormerged with another covered entity, thesuccessor in interest becomesresponsible for complying with thisregulation with respect to thetransferred information.

Comment: Several commentersexpressed concern that the definition ofhealth care operations failed to includethe use of protected health informationfor the underwriting of new health carepolicies and took issue with theexclusion of uses and disclosures ofprotected health information ofprospective enrollees. They expressedthe concern that limiting health careoperations to the underwriting andrating of existing members places ahealth plan in the position of not beingable to evaluate prudently andunderwrite a consumer’s health carerisk.

Response: We agree that coveredentities should be able to use the

protected health information ofprospective enrollees to underwrite andrate new business and change thedefinition of health care operationsaccordingly. The definition of healthcare operations below includesunderwriting, premium rating, andother activities related to the creation ofa contract of health insurance.

Comment: Several commenters statedthat group health plans needed to beable to use and disclose protected healthinformation for purposes of soliciting acontract with a new carrier and ratesetting.

Response: We agree and add‘‘activities relating to the * * *replacement of a contract of insurance’’to cover such disclosures. See § 164.504for the rules for plan sponsors of grouphealth plans to obtain such information.

Comment: Commenters from thebusiness community supported ourrecognition of the importance offinancial risk transfer mechanisms inthe health care marketplace byincluding ‘‘reinsurance’’ in thedefinition of health care operations.However, they stated that the term‘‘reinsurance’’ alone was not adequate tocapture ‘‘stop-loss insurance’’ (alsoreferred to as excess of loss insurance),another type of risk transfer insurance.

Response: We agree with thecommenters that stop-loss and excess ofloss insurance are functionallyequivalent to reinsurance and add theseto the definition of health careoperations.

Comment: Commenters from theemployer community explained thatthere is a trend among employers tocontract with a single insurer for alltheir insurance needs (health, disability,workers’ compensation). They statedthat in these integrated systems,employee health information is sharedamong the various programs in thesystem. The commenters believed theexisting definition poses obstacles forthose employers utilizing an integratedhealth system because of the need toobtain authorizations before beingpermitted to use protected healthinformation from the health plan toadminister or audit their disability orworkers’ compensation plan.

Other commenters representingemployers stated that some employerswanted to combine health informationfrom different insurers and health plansproviding employee benefits to theirworkforces, including its group healthplan, workers’ compensation insurers,and disability insurers, so that theycould have more information in order tobetter manage the occurrences ofdisability and illness among theirworkforces. They expressed concern



that the proposed rule would not permitsuch sharing of information.

Response: While we agree thatintegrating health information fromdifferent benefit programs may produceefficiencies as well as benefits forindividuals, the integration also raisessignificant privacy concerns,particularly if there are no safeguards onuses and disclosures from the integrateddata. Under HIPAA, we do not havejurisdiction over many types of insurersthat use health information, such asworkers’ compensation insurers orinsurers providing disability incomebenefits, and we cannot address theextent to which they provideindividually identifiable healthinformation to a health plan, nor do weprohibit a health plan from receivingsuch information. Once a health planreceives identifiable health information,however, the information becomesprotected and may only be used anddisclosed as otherwise permitted by thisrule.

We clarify, however, that a coveredentity may provide data and statisticalanalyses for its customers as a healthcare operation, provided that it does notdisclose protected health information ina way that would otherwise violate thisrule. A group health plan or healthinsurance issuer or HMO, or theirbusiness associate on their behalf, mayperform such analyses for an employercustomer and provide the results in de-identified form to the customer, usingintegrated data received from otherinsurers, as long as protected healthinformation is not disclosed in violationof this rule. See the definition of ‘‘healthcare operations,’’ § 164.501. If theemployer sponsors more than one grouphealth plan, or if its group health planprovides coverage through more thanone health insurance issuer or HMO, thedifferent covered entities may be anorganized health care arrangement andbe able to jointly participate in such ananalysis as part of the health careoperations of such organized health carearrangement. See the definitions of‘‘health care operations’’ and ‘‘organizedhealth care arrangement,’’ § 164.501. Wefurther clarify that a plan sponsorproviding plan administration to agroup health plan may participate insuch an analysis, provided that therequirements of § 164.504(f) and otherparts of this rule are met.

The results described above are thesame whether the health informationthat is being combined is from separateinsurers or from one entity that has ahealth component and also providesexcepted benefits. See the discussionrelating to health care components,§ 164.504.

We note that under the arrangementsdescribed above, the final rule providessubstantial flexibility to covered entitiesto provide general data and statisticalanalyses, resulting in the disclosure ofde-identified information, to employersand other customers. An employer alsomay receive protected healthinformation from a covered entity forany purpose, including those describedin comment above, with theauthorization of the individual. See§ 164.508.

Comment: A number of commentersasserted that the proposed definitionappeared to limit training andeducational activities to that of healthcare professionals, students, andtrainees. They asked that we expand thedefinition to include other education-related activities, such as continuingeducation for providers and training ofnon-health care professionals as neededfor supporting treatment or payment.

Response: We agree with thecommenters that the definition of healthcare operations was unnecessarilylimiting with respect to educationalactivities and expand the definition ofhealth care operations to include‘‘conducting training programs in whichstudents, trainees, or practitioners inareas of health care learn undersupervision to practice or improve theirskills as health care providers.’’ Weclarify that medical rounds areconsidered treatment, not health careoperations.

Comment: A few commentersoutlined the need to include the trainingof non-health care professionals, such ashealth data analysts, administrators, andcomputer programmers within thedefinition of health care operations. Itwas argued that, in many cases, theseprofessionals perform functions whichsupport treatment and payment and willneed access to protected healthinformation in order to carry out theirresponsibilities.

Response: We agree and expand thedefinition of health care operations toinclude training of non-health careprofessionals.

Comment: One commenter stated thatthe definition did not explicitly includephysician credentialing and peerreview.

Response: We have revised thedefinition to specifically include‘‘licensing or credentialing activities.’’In addition, peer review activities arecaptured in the definition as reviewingthe competence or qualifications ofhealth care professionals and evaluatingpractitioner and provider performance.

Health Oversight Agency

Comment: Some commenters soughtto have specific organizations defined ashealth oversight agencies. For example,some commenters asked that theregulation text, rather than thepreamble, explicitly list state insurancedepartments as an example of healthoversight agencies. Medical devicemanufacturers recommended expandingthe definition to include governmentcontractors such as coding committees,which provide data to HCFA to help theagency make reimbursement decisions.

One federal agency soughtclarification that several of its sub-agencies were oversight agencies; it wasconcerned about its status in partbecause the agency fits into more thanone of the categories of health oversightagency listed in the proposed rule.

Other commenters recommendedexpanding the definition of oversightagency to include private-sectoraccreditation organizations. Onecommenter recommended stating in thefinal rule that private companiesproviding information to insurers andemployers are not included in thedefinition of health oversight agency.

Response: Because the range of healthoversight agencies is so broad, we donot include specific examples in thedefinition. We include many examplesin the preamble above and providefurther clarity here.

As under the NPRM, state insurancedepartments are an example of a healthoversight agency. A commenterconcerned about state trauma registriesdid not describe the registries’ activitiesor legal charters, so we cannot clarifywhether such registries may be healthoversight agencies. Governmentcontractors such as coding committees,which provide data to HCFA to supportpayment processes, are not therebyhealth oversight agencies under thisrule. We clarify that public agenciesmay fit into more than one category ofhealth oversight agency.

The definition of health oversightagency does not include private-sectoraccreditation organizations. While theirwork can promote quality in the healthcare delivery system, privateaccreditation organizations are notauthorized by law to oversee the healthcare system or government programs inwhich health information is necessaryto determine eligibility or compliance,or to enforce civil rights laws for whichhealth information is relevant. Underthe final rule, we consider privateaccrediting groups to be performing ahealth care operations function forcovered entities. Thus, disclosures toprivate accrediting organizations are


Documents

Federal Register /Vol. 65, No. 250/Thursday, December 28 ... · 82562 Federal Register/Vol. 65, No. 250/Thursday, December 28, 2000/Rules and Regulations and to protect against the