
Federal Register

59917

Wednesday, November 3, 1999

Part IV

Department of Health and Human Services
Office of the Secretary

45 CFR Parts 160 Through 164
Standards for Privacy of Individually Identifiable Health Information; Proposed Rule

VerDate 29-OCT-99 18:49 Nov 02, 1999 Jkt 190000 PO 00000 Frm 00001 Fmt 4717 Sfmt 4717 E:\FR\FM\03NOP3.XXX pfrm01 PsN: 03NOP3


59918 Federal Register / Vol. 64, No. 212 / Wednesday, November 3, 1999 / Proposed Rules

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of the Secretary

45 CFR Parts 160 through 164

RIN 0991–AB08

Standards for Privacy of Individually Identifiable Health Information

AGENCY: Office of the Assistant Secretary for Planning and Evaluation, DHHS.

ACTION: Proposed rule.

SUMMARY: This rule proposes standards to protect the privacy of individually identifiable health information maintained or transmitted in connection with certain administrative and financial transactions. The rules proposed below, which would apply to health plans, health care clearinghouses, and certain health care providers, propose standards with respect to the rights individuals who are the subject of this information should have, procedures for the exercise of those rights, and the authorized and required uses and disclosures of this information.

The use of these standards would improve the efficiency and effectiveness of public and private health programs and health care services by providing enhanced protections for individually identifiable health information. These protections would begin to address growing public concerns that advances in electronic technology in the health care industry are resulting, or may result, in a substantial erosion of the privacy surrounding individually identifiable health information maintained by health care providers, health plans and their administrative contractors. This rule would implement the privacy requirements of the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996.

DATES: Comments will be considered if received as provided below, no later than 5 p.m. on January 3, 2000.

ADDRESSES: Submit electronic comments at the following web site: http://aspe.hhs.gov/admnsimp/.

Mail comments (1 original, 3 copies, and, if possible, a floppy disk) to the following address: U.S. Department of Health and Human Services, Assistant Secretary for Planning and Evaluation, Attention: Privacy-P, Room G–322A, Hubert H. Humphrey Building, 200 Independence Avenue SW, Washington, DC 20201.

If you prefer, you may deliver your written comments (1 original, 3 copies, and, if possible, a floppy disk) to the following address: Room 442E, 200 Independence Avenue, SW, Washington, DC 20201.

See the SUPPLEMENTARY INFORMATION section for further information on comment procedures, availability of copies of this document and electronic access to this document.

FOR FURTHER INFORMATION CONTACT: Roxanne Gibson (202) 260–5083.

SUPPLEMENTARY INFORMATION: Comment procedures, availability of copies, and electronic access.

Comment procedures: All comments should include the full name, address and telephone number of the sender or a knowledgeable point of contact. Written comments should include 1 original and 3 copies. If possible, please send an electronic version of the comments on a 3½ inch DOS format floppy disk in Adobe Acrobat Portable Document Format (PDF) (preferred), HTML (preferred), ASCII text, or popular word processor format (Microsoft Word, Corel WordPerfect).

Because of staffing and resource limitations, we cannot accept comments by electronic mail or facsimile (FAX) transmission, and all comments and content are to be limited to the 8.5 wide by 11.0 high vertical (also referred to as “portrait”) page orientation. Additionally, it is requested that if identical/duplicate comment submissions are submitted both electronically and in paper form that each submission clearly indicate that it is a duplicate submission. In each comment, please specify the section of this proposed rule to which the comment applies.

Comments received in a timely fashion will be available for public inspection (by appointment), as they are received, generally beginning approximately three weeks after publication of a document in Room 442E of the Department’s offices at 200 Independence Avenue, SW., Washington, DC 20201 on Monday through Friday of each week from 8:30 a.m. to 5 p.m. (phone: 202–260–5083).

After the close of the comment period, comments submitted electronically and written comments that we are technically able to convert will be posted on the Administrative Simplification web site (http://aspe.hhs.gov/admnsimp/).

Copies: To order copies of the Federal Register containing this document, send your request to: New Orders, Superintendent of Documents, PO Box 371954, Pittsburgh, PA 15250–7954. Specify the date of the issue requested and enclose a check or money order payable to the Superintendent of Documents, or enclose your Visa or Master Card number and expiration date. Credit card orders can also be placed by calling the order desk at (202) 512–1800 or by fax to (202) 512–2250. The cost for each copy is $8.00. As an alternative, you can view and photocopy the Federal Register document at most libraries designated as Federal Depository Libraries and at many other public and academic libraries throughout the country that receive the Federal Register.

Electronic Access: This document is available electronically at http://aspe.hhs.gov/admnsimp/ as well as at the web site of the Government Printing Office at http://www.access.gpo.gov/suldocs/aces/aces140.html.

I. Background
  A. Need for privacy standards.
  B. Statutory background.
  C. Administrative costs.
  D. Consultations.
  E. Summary and purpose of the proposed rule.
    1. Applicability.
    2. General rules.
    3. Scalability.
    4. Uses and disclosures with individual authorization.
    5. Uses and disclosures for treatment, payment and health care operations.
    6. Permissible uses and disclosures for purposes other than treatment, payment and health care operations.
    7. Individual rights.
    8. Administrative requirements and policy development and documentation.
    9. Preemption.
    10. Enforcement.
    11. Conclusion.
II. Provisions of the proposed rule.
  A. Applicability.
    1. Covered entities.
    2. Covered information.
    3. Interaction with other standards.
    4. References to other laws.
  B. Definitions.
    1. Act.
    2. Covered entity.
    3. Health care.
    4. Health care clearinghouse.
    5. Health care provider.
    6. Health information.
    7. Health plan.
    8. Secretary.
    9. Small health plan.
    10. Standard.
    11. State.
    12. Transaction.
    13. Business partner.
    14. Designated record set.
    15. Disclosure.
    16. Health care operations.
    17. Health oversight agency.
    18. Individual.
    19. Individually identifiable health information.
    20. Law enforcement official.
    21. Payment.
    22. Protected health information.
    23. Psychotherapy notes.
    24. Public health authority.
    25. Research.
    26. Research information unrelated to treatment.
    27. Treatment.
    28. Use.
    29. Workforce.
  C. General rules.
    1. Use and disclosure for treatment, payment, and health care operations.
    2. Minimum necessary use and disclosure.
    3. Right to restrict uses and disclosures.
    4. Creation of de-identified information.
    5. Application to business partners.
    6. Application to information about deceased persons.
    7. Adherence to the notice of information practices.
    8. Application to covered entities that are components of organizations that are not covered entities.
  D. Uses and disclosures with individual authorization.
    1. Requirements when the individual has initiated the authorization.
    2. Requirements when the covered entity initiates the authorization.
    3. Model forms.
    4. Plain language requirement.
    5. Prohibition on conditioning treatment or payment.
    6. Inclusion in the accounting for uses and disclosures.
    7. Revocation of an authorization by the individual.
    8. Expired, deficient, or false authorization.
  E. Uses and disclosures permitted without individual authorization.
    1. Uses and disclosures for public health activities.
    2. Use and disclosure for health oversight activities.
    3. Use and disclosure for judicial and administrative proceedings.
    4. Disclosure to coroners and medical examiners.
    5. Disclosure for law enforcement.
    6. Uses and disclosure for governmental health data systems.
    7. Disclosure of directory information.
    8. Disclosure for banking and payment processes.
    9. Uses and disclosures for research.
    10. Uses and disclosures in emergency circumstances.
    11. Disclosure to next-of-kin.
    12. Additional uses and disclosures required by other law.
    13. Application to specialized classes.
  F. Rights of individuals.
    1. Rights and procedures for a written notice of information practices.
    2. Rights and procedures for access for inspection and copying.
    3. Rights and procedures with respect to an accounting of disclosures.
    4. Rights and procedures for amendment and correction.
  G. Administrative requirements.
    1. Designation of a privacy official.
    2. Training.
    3. Safeguards.
    4. Internal complaint process.
    5. Sanctions.
    6. Duty to mitigate.
  H. Development and documentation of policies and procedures.
    1. Uses and disclosures of protected health information.
    2. Individual requests for restricting uses and disclosures.
    3. Notice of information practices.
    4. Inspection and copying.
    5. Amendment or correction.
    6. Accounting for disclosures.
    7. Administrative requirements.
    8. Record keeping requirements.
  I. Relationship to other laws.
    1. Relationship to State laws.
    2. Relationship to other federal laws.
  J. Compliance and Enforcement.
    1. Compliance.
    2. Enforcement.
III. Small Business Assistance
    1. Notice to individuals of information practices.
    2. Access of individuals to protected health information.
    3. Accounting for uses and disclosures.
    4. Amendment and correction.
    5. Designated Privacy official.
    6. Training.
    7. Safeguards.
    8. Complaints.
    9. Sanctions.
    10. Documentation of policies and procedures.
    11. Minimum Necessary.
    12. Business partners.
    13. Special disclosures that do not require authorization—public health, research, etc.
    14. Verification.
IV. Preliminary Regulatory Impact Analysis
  A. Relationship of this Analysis to Analyses in Other HIPAA Regulations.
  B. Summary of Costs and Benefits.
  C. Need for the Proposed Action.
  D. Baseline Privacy Protections.
    1. Professional Codes of Conduct and the Protection of Health Information.
    2. State Laws.
    3. Federal Laws.
  E. Costs.
  F. Benefits.
  G. Examination of Alternative Approaches.
    1. Creation of de-identified information.
    2. General rules.
    3. Use and disclosure for treatment, payment, and health care operations.
    4. Minimum necessary use and disclosure.
    5. Right to restrict uses and disclosures.
    6. Application to business partners.
    7. Application to information about deceased persons.
    8. Uses and disclosures with individual authorization.
    9. Uses and disclosures permitted without individual authorization.
    10. Clearinghouses and the rights of individuals.
    11. Rights and procedures for a written notice of information practices.
    12. Rights and procedures for access for inspection and copying.
    13. Rights and procedures with respect to an accounting of disclosures.
    14. Rights and procedures for amendment and correction.
    15. Administrative requirements.
    16. Development and documentation of policies and procedures.
    17. Compliance and Enforcement.
V. Initial Regulatory Flexibility Analysis
  A. Introduction.
  B. Economic Effects on Small Entities
    1. Number and Types of Small Entities Affected.
    2. Activities and Costs Associated with Compliance.
    3. The burden on a typical small business.
VI. Unfunded Mandates
  A. Future Costs.
  B. Particular regions, communities, or industrial sectors.
  C. National productivity and economic growth.
  D. Full employment and job creation.
  E. Exports.
VII. Environmental Impact
VIII. Collection of Information Requirements
IX. Executive Order 12612: Federalism
X. Executive Order 13086: Consultation and Coordination with Indian Tribal Governments
List of Subjects in 45 CFR Parts 160 and 164
Appendix: Sample Provider Notice of Information Practices

I. Background

A. Need for Privacy Standards.

[Please label comments about this section with the subject: “Need for privacy standards”]

The maintenance and exchange of individually identifiable health information is an integral component of the delivery of quality health care. In order to receive accurate and reliable diagnosis and treatment, patients must provide health care professionals with accurate, detailed information about their personal health, behavior, and other aspects of their lives. Health care providers, health plans and health care clearinghouses also rely on the provision of such information to accurately and promptly process claims for payment and for other administrative functions that directly affect a patient’s ability to receive needed care, the quality of that care, and the efficiency with which it is delivered.

Individuals who provide information to health care providers and health plans increasingly are concerned about how their information is used within the health care system. Patients want to know that their sensitive information will be protected not only during the course of their treatment but also in the future as that information is maintained and/or transmitted within and outside of the health care system. Indeed, a Wall Street Journal/ABC poll on September 16, 1999 asked Americans what concerned them most in the coming century. “Loss of personal privacy” was the first or second concern of 29 percent of respondents. All other issues, such as terrorism, world war, and global warming, had scores of 23 percent or less.

Efforts to provide legal protection against the inappropriate use of individually identifiable health information have been, to date, undertaken primarily by the States. States have adopted a number of laws designed to protect patients against the inappropriate use of health information. A recent survey of these laws indicates, however, that these protections are quite uneven and leave large gaps in their protection. See Health Privacy Project, “The State of Health Privacy: An Uneven Terrain,” Institute for Health Care Research and Policy, Georgetown University (July 1999) (http://www.healthprivacy.org).

A clear and consistent set of privacy standards would improve the effectiveness and the efficiency of the health care system. The number of entities who are maintaining and transmitting individually identifiable health information has increased significantly over the last 10 years. In addition, the rapid growth of integrated health care delivery systems requires greater use of integrated health information systems. The expanded use of electronic information has had clear benefits for patients and the health care system as a whole. Use of electronic information has helped to speed the delivery of effective care and the processing of billions of dollars worth of health care claims. Greater use of electronic data has also increased our ability to identify and treat those who are at risk for disease, conduct vital research, detect fraud and abuse, and measure and improve the quality of care delivered in the U.S.

The absence of national standards for the confidentiality of health information has, however, made the health care industry and the population in general uncomfortable about this primarily financially driven expansion in the use of electronic data. Many plans, providers, and clearinghouses have taken steps to safeguard the privacy of individually-identifiable health information. Yet they must currently rely on a patchwork of State laws and regulations that are incomplete and, at times, inconsistent. The establishment of a consistent foundation of privacy standards would, therefore, encourage the increased and proper use of electronic information while also protecting the very real needs of patients to safeguard their privacy.

The use of these standards will most clearly benefit patients who are, in increasing numbers, indicating that they are apprehensive about the use and potential use of their health information for inappropriate purposes. A national survey released in January 1999 indicated that one-fifth of Americans already believe that their personal health information has been used inappropriately. See California HealthCare Foundation, “National Survey: Confidentiality of Medical Records,” January 1999 (conducted by Princeton Survey Research Associates) (http://www.chcf.org). Of even greater concern, one-sixth of respondents indicated that they had taken some form of action to avoid the misuse of their information, including providing inaccurate information, frequently changing physicians, or avoiding care. The use of these standards will help to restore patient confidence in the health care system, providing benefits to both patients and those who serve them.

In order to administer their plans and provide services, private and public health plans, health care providers, and health care clearinghouses must assure their customers (such as patients, insurers, providers, and health plans) that the health care information they collect, maintain, use, or transmit will remain confidential. The protection of this information is particularly important where it is individually identifiable. Individuals have an important and legitimate interest in the privacy of their health information, and that interest is threatened where there is improper use or disclosure of the information. The risk of improper uses and disclosures has increased as the health care industry has begun to move from primarily paper-based information systems to systems that operate in various electronic forms. The ease of information collection, organization, retention, and exchange made possible by the advances in computer and other electronic technology afford many benefits to the health care industry and patients. At the same time, these advances have reduced or eliminated many of the logistical obstacles that previously served to protect the confidentiality of health information and the privacy interests of individuals.

Congress recognized the need for minimum national health care privacy standards to protect against inappropriate use of individually identifiable health information by passing the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104–191, which called for the enactment of a privacy statute within three years of the date of enactment. The legislation also called for the Secretary of Health and Human Services to develop and send to the Congress recommendations for protecting the confidentiality of health care information, which she did on September 11, 1997. The Congress further recognized the importance of such standards by providing the Secretary of Health and Human Services with authority to promulgate health privacy regulations in lieu of timely action by the Congress. The need for patient privacy protection also was recognized by the President’s Advisory Commission on Consumer Protection and Quality in the Health Care Industry in its recommendations for a Consumer Bill of Rights and Responsibilities (November, 1997).

B. Statutory Background.

[Please label comments about this section with the subject: “Statutory background”]

The Congress addressed the opportunities and challenges presented by the health care industry’s increasing use of and reliance on electronic technology in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104–191, which was enacted on August 21, 1996. Sections 261 through 264 of HIPAA are known as the Administrative Simplification provisions. The major part of these Administrative Simplification provisions are found at section 262 of HIPAA, which enacted a new part C of title XI of the Social Security Act (hereinafter we refer to the Social Security Act as the “Act” and we refer to all other laws cited in this document by their names).

In section 262, Congress recognized and sought to facilitate the efficiencies and cost savings for the health care industry that the increasing use of electronic technology affords. Thus, section 262 directs HHS to issue standards to facilitate the electronic exchange of information with respect to financial and administrative transactions carried out by health plans, health care clearinghouses, and health care providers who transmit electronically in connection with such transactions. HHS proposed such standards in a series of Notices of Proposed Rulemaking (NPRM) published on May 7, 1998 (63 FR 25272 and 25320), and June 16, 1998 (63 FR 32784). At the same time, Congress recognized the challenges to the confidentiality of health information presented by the advances in electronic technology and communication. Section 262 thus also directs HHS to develop standards to protect the security, including the confidentiality and integrity, of such information. HHS issued an NPRM proposing security standards on August 12, 1998 (63 FR 43242).

Congress has recognized that privacy standards must accompany the electronic data interchange standards and that the increased ease of transmitting and sharing individually identifiable health information must be accompanied by an increase in privacy and confidentiality. In fact, a significant portion of the first Administrative Simplification section that was debated on the floor of the Senate in 1994 (as part of the Health Security Act) was made up of privacy provisions. Although the requirement for the issuance of concomitant privacy standards remained as part of the bill passed by the House of Representatives, in conference the requirement for privacy standards was removed from the standard-setting authority of title XI (section 1173 of the Act) and placed in a separate section of HIPAA, section 264. Subsection (b) of section 264 required the Secretary of HHS to develop and submit to the Congress recommendations for:

(1) The rights that an individual who is a subject of individually identifiable health information should have.

(2) The procedures that should be established for the exercise of such rights.

(3) The uses and disclosures of such information that should be authorized or required.

The Secretary’s Recommendations were submitted to the Congress on September 11, 1997, and are summarized below. Section 264(c)(1) provides that:

If legislation governing standards with respect to the privacy of individually identifiable health information transmitted in connection with the transactions described in section 1173(a) of the Social Security Act (as added by section 262) is not enacted by (August 21, 1999), the Secretary of Health and Human Services shall promulgate final regulations containing such standards not later than (February 21, 2000). Such regulations shall address at least the subjects described in subsection (b).

As the Congress did not enact legislation governing standards with respect to the privacy of individually identifiable health information prior to August 21, 1999, HHS has now, in accordance with this statutory mandate, developed proposed rules setting forth standards to protect the privacy of such information.

These privacy standards have been, and continue to be, an integral part of the suite of Administrative Simplification standards intended to simplify and improve the efficiency of the administration of our health care system.

Part C of title XI consists of sections 1171 through 1179 of the Act. These sections define various terms and impose several requirements on HHS, health plans, health care clearinghouses, and health care providers who conduct the identified transactions electronically.

The first section, section 1171 of the Act, establishes definitions for purposes of part C of title XI for the following terms: code set, health care clearinghouse, health care provider, health information, health plan, individually identifiable health information, standard, and standard setting organization.

Section 1172 of the Act makes the standard adopted under part C applicable to: (1) Health plans, (2) health care clearinghouses, and (3) health care providers who transmit health information in electronic form in connection with transactions referred to in section 1173(a)(1) of the Act (hereinafter referred to as the “covered entities”). Section 1172 also contains requirements concerning the adoption of standards, including the role of standard setting organizations and required consultations, summarized below.

Section 1173 of the Act requires the Secretary to adopt standards for transactions, and data elements for such transactions, to enable health information to be exchanged electronically. Section 1173(a)(1) describes the transactions that are covered, which include the nine transactions listed in section 1173(a)(2) and other transactions determined appropriate by the Secretary. The remainder of section 1173 sets out requirements for the specific standards the Secretary is to adopt: unique health identifiers, code sets, security standards, electronic signatures, and transfer of information among health plans. Of particular relevance to this proposed rule is section 1173(d), the security standard provision. The security standard authority applies to both the transmission and the maintenance of health information and requires the entities described in section 1172(a) to maintain reasonable and appropriate safeguards to ensure the integrity and confidentiality of the information, protect against reasonably anticipated threats or hazards to the security or integrity of the information or unauthorized uses or disclosures of the information, and to ensure compliance with part C by the entity’s officers and employees.

In section 1174 of the Act, the Secretary is required to establish standards for all of the above transactions, except claims attachments, by February 21, 1998. A proposed rule for most of the transactions was published in 1998 with the final rule expected by the end of 1999. The delay was caused by the deliberate consensus building process working with industry and the large number of comments received (about 17,000).

Generally, after a standard is established, it may not be changed during the first year after adoption except for changes that are necessary to permit compliance with the standard. Modifications to any of these standards may be made after the first year, but not more frequently than once every 12 months. The Secretary also must ensure that procedures exist for the routine maintenance, testing, enhancement and expansion of code sets and that there are crosswalks from prior versions.

Section 1175 of the Act prohibits health plans from refusing to process, or from delaying processing of, a transaction that is presented in standard format. It also establishes a timetable for compliance: each person to whom a standard or implementation specification applies is required to comply with the standard within 24 months (or 36 months for small health plans) of its adoption. A health plan or other entity may, of course, comply voluntarily before the effective date. The section also provides that compliance with modifications to standards or implementation specifications must be accomplished by a date designated by the Secretary, which date may not be earlier than 180 days from the notice of change.

Section 1176 of the Act establishes civil monetary penalties for violation of the provisions in part C of title XI of the Act, subject to several limitations. Penalties may not be more than $100 per person per violation and not more than $25,000 per person for violations of a single standard for a calendar year. The procedural provisions of section 1128A of the Act apply to actions taken to obtain civil monetary penalties under this section.

Section 1177 establishes penalties for any person that knowingly uses a unique health identifier, or obtains or discloses individually identifiable health information in violation of the part. The penalties include: (1) A fine of not more than $50,000 and/or imprisonment of not more than 1 year; (2) if the offense is “under false pretenses,” a fine of not more than $100,000 and/or imprisonment of not more than 5 years; and (3) if the offense is with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, a fine of not more than $250,000 and/or imprisonment of not more than 10 years. We note that these penalties do not affect any other penalties that may be imposed by other federal programs.


Under section 1178 of the Act, the requirements of part C, as well as any standards or implementation specifications adopted thereunder, preempt contrary State law. There are three exceptions to this general rule of preemption: State laws that the Secretary determines are necessary for certain purposes set forth in the statute; State laws that the Secretary determines address controlled substances; and State laws relating to the privacy of individually identifiable health information that are contrary to and more stringent than the federal requirements. There also are certain areas of State law (generally relating to public health and oversight of health plans) that are explicitly carved out of the general rule of preemption and addressed separately.

Section 1179 of the Act makes the above provisions inapplicable to financial institutions or anyone acting on behalf of a financial institution when “authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments for a financial institution.” Finally, as explained above, section 264 requires the Secretary to issue standards with respect to the privacy of individually identifiable health information transmitted in connection with the transactions described in section 1173(a)(1). Section 264 also contains a preemption provision that provides that contrary provisions of State laws that are more stringent than the federal standards, requirements, or implementation specifications will not be preempted.

C. Administrative Costs

Section 1172(b) of the Act provides that “(a)ny standard adopted under this part (part C of title XI of the Act) shall be consistent with the objective of reducing the administrative costs of providing and paying for health care.” As is more fully discussed in the Regulatory Impact and Regulatory Flexibility analyses below, we recognize that the proposed privacy standards would entail substantial initial and ongoing administrative costs for entities subject to the rules. However, as the analyses also indicate, even if the rules proposed below are considered in isolation, they should produce administrative and other cost savings that should more than offset such costs on a national basis. It is also the case that the privacy standards, like the security standards authorized by section 1173(d) of the Act, are necessitated by the technological advances in information exchange that the remaining Administrative Simplification standards facilitate for the health care industry. The same technological advances that make possible enormous administrative cost savings for the industry as a whole have also made it possible to breach the security and privacy of health information on a scale that was previously inconceivable. The Congress recognized that adequate protection of the security and privacy of health information is a sine qua non of the increased efficiency of information exchange brought about by the electronic revolution, by enacting the security and privacy provisions of the law. Thus, even if the rules proposed below were to impose net costs, which we do not believe they do, they would still be “consistent with” the objective of reducing administrative costs for the health care system as a whole.

D. Consultations

[Please label comments about this section with the subject: “Consultations”]

The Congress explicitly required the Secretary to consult with specified groups in developing the standards under sections 262 and 264. Section 264(d) of HIPAA specifically requires the Secretary to consult with the National Committee on Vital and Health Statistics (NCVHS) and the Attorney General in carrying out her responsibilities under the section. Section 1172(b)(3) of the Act, which was enacted by section 262, requires that, in developing a standard under section 1172 for which no standard setting organization has already developed a standard, the Secretary must, before adopting the standard, consult with the National Uniform Billing Committee (NUBC), the National Uniform Claim Committee (NUCC), the Workgroup for Electronic Data Interchange (WEDI), and the American Dental Association (ADA). Section 1172(f) also requires the Secretary to rely on the recommendations of the NCVHS and consult with other appropriate federal and State agencies and private organizations.

We engaged in the required consultations, including the Attorney General, NUBC, NUCC, WEDI and the ADA. We consulted with the NCVHS in developing the Recommendations, upon which this proposed rule is based. In addition, we are continuing to consult with this committee by requesting the committee to review this proposed rule and provide comments, and its recommendations will be taken into account in developing the final regulation. We consulted with representatives of the National Congress of American Indians, the National Indian Health Board, and the self-governance tribes. We also met with representatives of the National Governors’ Association, the National Conference of State Legislatures, the National Association of Public Health Statistics and Information Systems, and a number of other State organizations to discuss the framework for the proposed rule, issues of special interest to the States, and the process for providing comments on the proposed rule.

In addition to the required consultations, we met with numerous individuals, entities, and agencies regarding the regulation, with the goal of making these standards as compatible as possible with current business practices, while still enhancing privacy protection. Relevant federal agencies participated in an interagency working group, with additional representatives from all operating divisions and many staff offices of HHS. The following federal agencies and offices were represented on the interagency working group: the Department of Justice, the Department of Commerce, the Social Security Administration, the Department of Defense, the Department of Veterans Affairs, the Department of Labor, the Office of Personnel Management, and the Office of Management and Budget. The interagency working group developed the policies of the proposed rules set forth below.

E. Summary and Purpose of the Proposed Rule

[Please label comments about this section with the subject: “Summary and purpose”]

The following outlines the provisions and operations of this proposed rule and is intended to provide a framework for the following preamble. A more detailed discussion of the authority, rationale, and implementation can be found in Section II of the preamble, Provisions of the Proposed Rule.

As described in more detail in preamble section I.B, above, the HIPAA requires the Secretary of HHS to promulgate a series of standards relating to the electronic exchange of health information. Collectively these are known as the Administrative Simplification provisions. In addition to those standards, the Secretary was required to develop and submit to the Congress recommendations for the privacy rights that an individual who is a subject of individually identifiable health information should have, the procedures that should be established for the exercise of such rights, and the uses and disclosures of such information that should be authorized.

On September 11, 1997, the Secretary presented to the Congress her Recommendations for protecting the “Confidentiality of Individually-Identifiable Health Information” (the “Recommendations”), as required by section 264(a) of HIPAA. In those Recommendations, the Secretary called for new federal legislation to create a national floor of standards that provide fundamental privacy rights for patients, and that define responsibilities for those who use and disclose identifiable health information.

The Recommendations elaborated on the components that should be included in privacy legislation. These components included new restrictions on the use and disclosure of health information, the establishment of new consumer rights, penalties for misuse of information, and redress for those harmed by misuse of their information. The Recommendations served, to the extent possible under the HIPAA legislative authority, as a template for the rules proposed below. They are available on the HHS website at http://aspe.hhs.gov/admnsimp/pvcrec.htm.

The Secretary’s Recommendations set forth a framework for federal privacy legislation. Such legislation should:

• Allow for the smooth flow of identifiable health information for treatment, payment, and related operations, and for specified additional purposes related to health care that are in the public interest.

• Prohibit the flow of identifiable information for any additional purposes, unless specifically and voluntarily authorized by the subject of the information.

• Put in place a set of fair information practices that allow individuals to know who is using their health information, and how it is being used.

• Establish fair information practices that allow individuals to obtain access to their records and request amendment of inaccurate information.

• Require persons who hold identifiable health information to safeguard that information from inappropriate use or disclosure.

• Hold those who use individually identifiable health information accountable for their handling of this information, and provide legal recourse to persons harmed by misuse.

We believed then, and still believe, that there is an urgent need for legislation to establish comprehensive privacy standards for all those who pay and provide for health care, and those who receive information from them.

This proposed rule implements many of the policies set forth in the Recommendations. However, the HIPAA legislative authority is more limited in scope than the federal statute we recommend, and does not always permit us to propose the policies that we believe are optimal. Our major concerns with the scope of the HIPAA authority include the limited number of entities to whom the proposed rule would be applicable, and the absence of strong enforcement provisions and a private right of action for individuals whose privacy rights are violated.

The Recommendations call for legislation that applies to health care providers and payers who obtain identifiable health information from individuals and, significantly, to those who receive such information from providers and payers. The Recommendations follow health information from initial creation by a health plan or health care provider, through various uses and disclosures, and would establish protections at each step: “We recommend that everyone in this chain of information handling be covered by the same rules.” However, the HIPAA limits the application of our proposed rule to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with transactions referred to in section 1173(a)(1) of the Act (the “covered entities”). Unfortunately, this leaves many entities that receive, use and disclose protected health information outside of the system of protection that we propose to create.

In particular, the proposed regulation does not directly cover many of the persons who obtain identifiable health information from the covered entities. In this proposed rule we are, therefore, faced with creating new regulatory permissions for covered entities to disclose health information, but cannot directly put in place appropriate restrictions on how many likely recipients of such information may use and re-disclose such information. For example, the Secretary’s Recommendations proposed that protected health information obtained by researchers not be further disclosed except for emergency circumstances, for a research project that meets certain conditions, and for oversight of research. In this proposed rule, however, we cannot impose such restrictions. Additional examples of persons who receive this information include workers’ compensation carriers, researchers, life insurance issuers, employers and marketing firms. We also do not have the authority to directly regulate many of the persons that covered entities hire to perform administrative, legal, accounting, and similar services on their behalf, and who would obtain health information in order to perform their duties. This inability to directly address the information practices of these groups leaves an important gap in the protections provided by the proposed rule.

In addition, only those providers who engage in the electronic administrative simplification transactions can be covered by this rule. Any provider who maintains a solely paper information system would not be subject to these privacy standards, thus leaving another gap in the system of protection we propose to create.

The need to match a regulation limited to a narrow range of covered entities with the reality of information sharing among a wide range of entities leads us to consider limiting the type or scope of the disclosures permitted under this regulation. The disclosures we propose to allow in this rule are, however, necessary for smooth operation of the health care system and for promoting key public goals such as research, public health, and law enforcement. Any limitation on such disclosures could do more harm than good.

Requirements to protect individually identifiable health information must be supported by real and significant penalties for violations. We recommend federal legislation that would include punishment for those who misuse personal health information and redress for people who are harmed by its misuse. We believe there should be criminal penalties (including fines and imprisonment) for obtaining health information under false pretenses, and for knowingly disclosing or using protected health information in violation of the federal privacy law. We also believe that there should be civil monetary penalties for other violations of the law and that any individual whose rights under the law have been violated, whether negligently or knowingly, should be permitted to bring an action for actual damages and equitable relief. Only if we put the force of law behind our rhetoric can we expect people to have confidence that their health information is protected, and ensure that those holding health information will take their responsibilities seriously.

In HIPAA, Congress did not provide such enforcement authority. There is no private right of action for individuals to enforce their rights, and we are concerned that the penalty structure does not reflect the importance of these privacy protections and the need to maintain individuals’ trust in the system. For these and other reasons, we continue to call for federal legislation to ensure that privacy protection for health information will be strong and comprehensive.

1. Applicability

a. Entities covered. Under section 1172(a) of the Act, the provisions of this proposed rule apply to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with transactions referred to in section 1173(a)(1) of the Act (the “covered entities”). The terms health plan, health care provider, and health care clearinghouse are defined in proposed § 160.103.

As noted above, because we do not have the authority to apply these standards directly to any entity that is not a covered entity, the proposed rule does not directly cover many of the persons who obtain identifiable health information from the covered entities. Examples of persons who receive this information include contractors, third-party administrators, researchers, public health officials, life insurance issuers, employers and marketing firms. We would attempt to fill this gap in our legislative authority in part by requiring covered entities to apply many of the provisions of the rule to the entities with whom they contract for administrative and other services. The proposed provision is outlined in more detail below in the discussion of business partners.

b. Protected health information. We propose to apply the requirements of this rule to the subset of individually identifiable health information which is maintained or transmitted by covered entities and which is or has been in electronic form. The provisions of the rule would apply to the information itself, referred to as protected health information in this rule, and not to the particular records in which the information is contained. Once information has been maintained or transmitted electronically by a covered entity, the protections would follow the information in whatever form, including paper records, in which it exists (while it is held by a covered entity).

We understand that our proposal would create a situation in which some health information would be protected while other similar information (e.g., health information contained in paper records that has not been maintained or transmitted electronically) would not be protected. We are concerned about the potential confusion that such a system might entail, but we believe that applying the provisions of the rule to information only in electronic form would result in no real protection for health care consumers. We have requested comment on whether we should extend the scope of the rule to all individually identifiable health information, including purely paper records, maintained by covered entities. Although we are concerned that extending our regulatory coverage to all records might be inconsistent with the intent of the provisions in the HIPAA, we believe that we do have the authority to do so and that there is a sound rationale for providing a consistent level of protection to all individually identifiable health information held by covered entities.

2. General Rules

The purpose of our proposal is to define and limit the circumstances in which an individual’s protected health information may be used or disclosed by others. We are proposing to make the use and exchange of protected health information relatively easy for health care purposes, and more difficult for purposes other than health care.

Covered entities would be prohibited from using or disclosing protected health information except as provided in the proposed rule. Under the rule, covered entities could use or disclose protected health information with individual authorization, as provided in proposed § 164.508. Covered entities could use or disclose protected health information without authorization for treatment, payment and health care operations, as provided in § 164.506(a). (The terms “treatment,” “payment” and “health care operations” are defined in proposed § 164.504.) Covered entities also would be permitted to use or disclose a patient’s protected health information without authorization for specified public and public policy-related purposes, including public health, research, health oversight, law enforcement, and use by coroners, as provided in proposed § 164.510. Covered entities would be permitted to use and disclose protected health information when required to do so by other law, such as mandatory reporting under state law or pursuant to a search warrant.

Covered entities would be required by this rule to disclose protected health information for only two purposes: to permit individuals to inspect and copy protected health information about them, pursuant to proposed § 164.514, and for enforcement of this rule pursuant to proposed § 164.522.

Under our proposal, most uses and disclosures of an individual’s protected health information would not require explicit authorization by the individual, but would be restricted by the provisions of the rule. As discussed in section II.C. of this preamble, we propose to substitute regulatory protections for the pro forma authorizations that are used today. The rules would create a sphere of privacy protection that includes covered entities who engage in treatment or payment, and the business partners they hire to assist them. While written consent for these activities would not be required, new restrictions on both internal uses and external disclosures would be put in place to protect the information.

Our proposal is based on the principle that a combination of strict limits on how plans and providers can use and disclose identifiable health information, adequate notice to patients about how such information will be used, and patients’ rights to inspect, copy and amend protected health information about them, will provide patients with better privacy protection and more effective control over the dissemination of their information than alternative approaches to patient protection and control.

A central aspect of this proposal is the principle of “minimum necessary” disclosure. (See proposed § 164.506(a).) With certain exceptions, permitted uses and disclosures of protected health information would be restricted to the minimum amount of information necessary to accomplish the purpose for which the information is used or disclosed, taking into consideration practical and technological limitations (including the size and nature of the covered entity’s business) and costs. While we recognize that there are legitimate uses of protected health information for which patient authorization should not be required, the privilege of this access carries with it an obligation to safeguard the information. Covered entities would be required to take steps to limit the amount of protected health information used or disclosed to the information necessary to meet the purpose of the use or disclosure. These policies could include limiting access to the information to a subset of employees who need to use the information in the course of their work, and limiting the amount of information disclosed from a record to the information needed by the recipient to fulfill the purpose of the disclosure.

We propose that individuals be able to request that a covered entity restrict the protected health information that results from that encounter (with the exception of encounters for emergency treatment) from further use or disclosure for treatment, payment, and health care operations. (See proposed § 164.506(c).) Covered entities would not be required to agree to restrictions requested by individuals; the rule would only enforce a restriction that has been agreed to by the covered entity and the individual.

Today’s health care system is a complex business involving multiple individuals and organizations engaging in a variety of commercial relationships. An individual’s privacy should not be compromised when a covered entity engages in such normal business relationships. To accomplish this result, the rule would, with narrow exceptions, require covered entities to ensure that the business partners with which they share protected health information understand—through contract requirements—that they are subject to standards regarding use and disclosure of protected health information and agree to abide by such rules. (See proposed § 164.506(e).) Other than for purposes of treatment consultation or referral, we would require a contract to exist between the covered entity and the business partner that would, among other specified provisions, limit the business partner’s uses and disclosures of protected health information to those permitted by the contract and would impose certain security, inspection and reporting requirements on the business partner.

We do not intend to interfere with business relationships in the health care industry, but rather to ensure that the privacy of the information shared in these relationships is protected. Business partners would not be permitted to use or disclose protected health information in ways that would not be permitted by the covered entity itself.

3. Scalability

The privacy standards would need to be implemented by all covered entities, from the smallest provider to the largest, multi-state health plan. For this reason, we propose the privacy principles and standards that covered entities must meet, but leave the detailed policies and procedures for meeting these standards to the discretion of each covered entity. We intend that implementation of these standards be flexible and scalable, to account for the nature of each covered entity’s business, as well as the covered entity’s size and resources. A single approach to implementation of these requirements would be neither economically feasible nor effective in safeguarding health information privacy. Instead, we would require that each covered entity assess its own needs and devise and implement privacy policies appropriate to its size, its information practices, and its business requirements. Examples of how implementation of these standards is scalable are provided in the relevant sections of this preamble. (See, also, the discussion in preamble sections II.C. and III.)

4. Uses and Disclosures With Individual Authorization

The rule would require that covered entities have authorization from individuals before using or disclosing their protected health information for any purpose not otherwise recognized by this rule. In § 164.508, we propose rules for obtaining authorizations. Authorizations are needed in a wide array of circumstances. Entities not covered by this rule often want access to individually identifiable health information. For example, a potential employer may require health information as part of a background check for security purposes, or the patient may request a plan or provider to disclose information to obtain eligibility for disability benefits or to an attorney for use in a lawsuit. Covered entities may also seek such an authorization in order to use protected health information for a purpose not otherwise permitted under this rule. For example, a health plan may wish to use a person’s records for developing a marketing strategy.

The proposed authorization requirements are intended to ensure that an individual’s authorization is truly voluntary. We would prohibit covered entities from conditioning treatment or payment on the individual agreeing to disclose information for other purposes. We also would require authorizations to clearly and specifically describe the information to be disclosed. If an authorization is sought so that a covered entity may sell, barter, or otherwise exchange the information for purposes other than treatment, payment, or health care operations, the covered entity would have to disclose this fact on the authorization form. We would also require authorizations to be revocable. We do not seek to limit the purposes for which authorization of records disclosure may be sought, but rather to ensure that these authorizations are voluntary, fair, and enforceable.

While the provisions of this proposed rule are intended to make authorizations for treatment and payment purposes unnecessary, some States may continue to require them. This rule would not supersede such State requirements generally, but would impose a new requirement that such State-mandated authorizations must be physically separate from an authorization for other purposes described in this rule.

5. Uses and Disclosures for Treatment, Payment and Health Care Operations

Under this rule, covered entities with limited exceptions would be permitted to use and disclose protected health information without individual authorization for treatment and payment purposes, and for related purposes that we have defined as health care operations. (See § 164.506.) We would construe the terms “treatment” and “payment” broadly. In section II.B. of this preamble, we describe the types of activities that would be considered health care operations.

6. Permissible Uses and Disclosures for Purposes Other Than Treatment, Payment and Health Care Operations

Individually identifiable health information is needed to support certain national priority activities, such as reducing health care fraud, improving the quality of treatment through research, protecting the public health, and responding to emergency situations. In many cases, the need to obtain authorization for use of health information would create significant obstacles in efforts to fight crime, understand disease, and protect public health. We examined the many uses that the health professions, related industries, and the government make of health information and we are aware of the concerns of privacy and consumer advocates about these uses.

After balancing privacy and other social values, we are proposing rules that would permit use or disclosure of health information without individual authorization for the following national priority activities and activities that allow the health care system to operate smoothly:

• Oversight of the health care system

• Public health functions

• Research

• Judicial and administrative proceedings

• Law enforcement

• Emergency circumstances

• To provide information to next-of-kin

• For identification of the body of a deceased person, or the cause of death

• For government health data systems

• For facility patient directories

• To banks, to process health care payments and premiums

• For management of active duty military and other special classes of individuals

• Where other law requires such disclosure and no other category of permissible disclosures would allow the disclosure

The rule would specify conditions that would need to be met in order for the use or disclosure of protected health information to be permitted for each of these purposes. (See § 164.514.) We have proposed conditions tailored to the need for each type of use or disclosure, and to the types of organizations involved in each such activity. These uses and disclosures, and the conditions under which they may occur, are discussed in section II.F of this preamble.

The uses and disclosures that would be permitted under the proposed rule would be just that—permissible. Thus, for disclosures that are not compelled by other law, providers and payers would be free to disclose or not, according to their own policies and ethical principles. We propose these rules as a basic set of legal controls, but ethics and professional practice may dictate more guarded disclosure policies. At the same time, nothing in this rule would provide authority for a covered entity to restrict or refuse to make a disclosure mandated by other law.

7. Individual Rights

We are proposing to establish several basic rights for individuals with respect to their protected health information. We propose that individuals be able to obtain access to protected health information about them, which would include a right to inspect and obtain a copy of such information. See proposed § 164.514. The right of access would extend to an accounting of disclosures of the protected health information for purposes other than treatment, payment, and health care operations. See proposed § 164.515.

In § 164.512, we also propose that individuals have a right to receive a written notice of information practices from covered entities. While the primary purpose of this notice would be to inform individuals about the uses and disclosures that a covered entity would intend to make with the information, the notice also would serve to limit the activities of the covered entity—an otherwise lawful use or disclosure that does not appear in the entity’s notice would not be permitted. The covered entity’s uses and disclosures could be stated in broad terms, but an entity would not be able to make a use or disclosure that is not included in its notice. The covered entity could modify its notice at any time and apply revised practices to existing and new information held by the covered entity.

In addition, we propose that individuals have the right to request amendment or correction of protected health information that is inaccurate or incomplete. See proposed § 164.516. We are proposing procedural requirements and deadlines to implement each of these individual rights.

8. Administrative Requirements and Policy Development and Documentation

In our Recommendations, we call for a federal law that requires holders of identifiable health information to implement safeguards to protect it from inappropriate access, use or disclosure. No legislation or rule can effectively specify how to do this for every holder of health information. But federal rules can and should require those who hold identifiable health information to develop and implement basic administrative procedures to protect that information and protect the rights of the individual with respect to that information.

To accomplish this goal, we proposethat covered entities be required todesignate a privacy official, develop aprivacy training program for employees,implement safeguards to protect healthinformation from intentional oraccidental misuse, provide some meansfor individuals to lodge complaintsabout the covered entity’s informationpractices, and develop a system ofsanctions for employees and businesspartners who violate the entity’spolicies or procedures. (See proposed§ 164.518.). We also propose, in§ 164.520, to require covered entities tomaintain documentation of theirpolicies and procedures for complyingwith the requirements of this proposedrule. The purpose of these requirementsis to ensure that covered entities makeexplicit decisions about who wouldhave access to protected healthinformation, how that informationwould be used within the entity, andwhen that information would or wouldnot be disclosed to other entities.

9. Preemption

The HIPAA provides that the rule promulgated by the Secretary may not preempt state laws that are in conflict with the regulatory requirements and that provide greater privacy protections. The HIPAA also provides that standards issued by the Secretary will not supersede certain other State laws, including: State laws relating to reporting of disease or injury, child abuse, birth or death, public health surveillance, or public health investigation or intervention; State regulatory reporting; State laws which the Secretary finds are necessary to prevent fraud and abuse, to ensure appropriate State regulation of insurance, for State reporting on health care delivery or costs, or for other purposes; or, State laws which the Secretary finds address controlled substances. These provisions are discussed in more detail in preamble section II.I.1.

This proposed rule also must be read in conjunction with other federal laws and regulations that address the use and disclosure of health information. These issues are discussed in preamble section II.I.2.

In general, the rule that we are proposing would create a federal floor of privacy protection, but would not supersede other applicable laws that provide greater protection to the confidentiality of health information. In general, our rule would not make entities subject to state laws to which they are not subject today.

10. Enforcement

The HIPAA grants the Secretary the authority to impose civil monetary penalties against covered entities which fail to comply with the requirements of this rule, and also establishes criminal penalties for certain wrongful disclosures of protected health information. The civil fines are capped at $25,000 for each calendar year for each provision that is violated. The criminal penalties are graduated, increasing if the offense is committed under false pretenses, or with intent to sell the information or reap other personal gain. The statute does not provide for a private right of action for individuals.

We propose to create a complaint system to permit individuals to make complaints to the Secretary about potential violations of this rule. We also propose that covered entities develop a process for receiving complaints from individuals about the entities' privacy practices. (See § 164.522.) Our intent would be to work with covered entities to achieve voluntary compliance with the proposed standards.

11. Conclusion

Although the promise of these proposed standards cannot become reality for many patients because of the gaps in our authority, we believe they would provide important new protections. By placing strict boundaries around the ways covered entities could use and disclose information, these rules would protect health information at its primary sources: health plans and health care providers. By requiring covered entities to inform patients about how their information is being used and shared, by requiring covered entities to provide access to that information, and by ensuring that authorizations would be truly voluntary, these rules would provide patients with important new tools for understanding and controlling information about them. By requiring covered entities to document their privacy practices, this rule would focus attention on the importance of privacy, and reduce the ways in which privacy is compromised through inattention or misuse.

With the Secretary's recommendations and these proposed rules, we are attempting to further two important goals: to allow the free flow of health information needed to provide and promote high quality health care, while assuring that individuals' health information is properly protected. We seek a balance that permits important uses of information while protecting the privacy of people who seek care and healing. We believe our Recommendations find that balance, and have attempted to craft this proposed rule to strike that balance as well.

We continue to believe, however, that federal legislation is the best way to guarantee these protections. The HIPAA legislative authority does not allow full implementation of our recommended policies in this proposed rule. The legislation limits the entities that can be held responsible for their use of protected health information, and the ways in which the covered entities can be held accountable. For these and other reasons, we continue to call upon Congress to pass comprehensive federal privacy legislation. Publication of this proposed rule does not diminish our firm conviction that such legislation should be enacted as soon as possible.

II. Provisions of the Proposed Rule

We propose to establish a new subchapter C to title 45 of the Code of Federal Regulations. Although the rules proposed below would only establish two new parts (parts 160 and 164), we anticipate the new subchapter C will eventually contain three parts, parts 160, 162, and 164, with parts 161 and 163 being reserved for future expansion, if needed. Part 160 will contain general requirements and provisions applicable to all of the regulations issued under sections 262 and 264 of Public Law 104–191 (the Administrative Simplification provisions of HIPAA). We anticipate that Part 162 will contain the Administrative Simplification regulations relating to transactions, code sets and identifiers. The new part 164 will encompass the rules relating to the security standards authorized by section 1173(d), the electronic signature standard authorized by section 1173(e), and the privacy rules proposed below.

The new part 164 will be composed of two subparts: subparts A and E, with B, C, and D being reserved. Subpart A will consist of general provisions and subpart E will consist of the final privacy rules. Because the new part 160 will apply to the privacy rules, as well as the other Administrative Simplification rules, it is set out below.

A. Applicability

[Please label comments about this section with the subject: "Applicability"]

The discussion below describes the entities and the information that would be subject to the proposed regulation.

1. Covered Entities

The standards in this proposed regulation would apply to all health plans, all health care clearinghouses, and all health care providers that transmit health information in an electronic form in connection with a standard transaction. In this proposed rule, these entities are referred to as "covered entities." See definition at proposed § 160.103.

A health plan is defined by section 1171 to be an individual or group plan that provides for, or pays the cost of, medical care. The statute expressly includes a significant group of employee welfare benefit plans, state-regulated insurance plans, managed care plans, and essentially all government health plans, including Medicare, Medicaid, the veterans health care program, and plans participating in the Federal Employees Health Benefits Program. See discussion of the definition in section II.B.

A health care provider would be a provider of services as defined in section 1861(u) of the Act, 42 U.S.C. 1395x, a provider of medical or other health services as defined in section 1861(s) of the Act, and any other person who furnishes, bills or is paid for health care services or supplies in the normal course of business. See discussion of the definition in section II.B. Health care providers would be subject to the provisions of the rule if they transmit health information in electronic form in connection with a standard transaction. Standard transactions include claims and equivalent encounter information, eligibility and enrollment transactions, premium payments, claims attachments, and others. See proposed § 160.103. Health care providers who themselves do not directly conduct electronic transactions would become subject to the provisions of the proposed rule if another entity, such as a billing agent or hospital, transmits health information in electronic form in connection with a standard transaction on their behalf.

A health care clearinghouse would be a public or private entity that processes or facilitates the processing of nonstandard data elements of health information into standard data elements. See section 1171(2) of the Act. For purposes of this rule, we would consider billing services, repricing companies, community health management information systems or community health information systems, "value-added" networks, switches and similar organizations to be health care clearinghouses for purposes of this part only if they actually perform the same functions as a health care clearinghouse. See discussion of the definition in section II.B.

2. Covered Information

We propose to apply the standards in this proposed regulation to individually identifiable health information that is or has been electronically transmitted or maintained by a covered entity, including such information when it is in non-electronic form (e.g., printed on paper) or discussed orally. In this proposed regulation, such information is referred to as "protected health information." See discussion of the definition in section II.B. Under HIPAA, our authority to promulgate privacy standards extends to all individually identifiable health information, in any form, maintained or transmitted by a covered entity. For reasons discussed below, we are proposing to limit the application of the proposed standards to protected health information. Below we invite comment on whether we should apply the standards to a broader set of individually identifiable health information in the future.

Under the proposal, the standards apply to information, not to specific records. Thus, once protected health information is transmitted or maintained electronically, the protections afforded by this regulation would apply to the information in any form and continue to apply as the information is printed, discussed orally or otherwise changed in form. It would also apply to the original paper version of information that is at some point transmitted electronically. The authority for, and implications of, this scope are discussed in detail in this section, below.

This proposed regulation would not apply to information that has never been electronically maintained or transmitted by a covered entity.

a. Legislative authority. Under HIPAA, we have authority to promulgate a privacy standard that applies to all individually identifiable health information transmitted or maintained by a covered entity, including information in a non-electronic form. We recognize that there may be an expectation that we would apply privacy standards only to information that is electronically maintained and transmitted. Our prior proposals under HIPAA have addressed only electronically maintained and transmitted information. See Notices of Proposed Rulemaking (NPRM) published on May 7, 1998 (63 FR 25272 and 25320), June 16, 1998 (63 FR 32784), and the proposed security standards published on August 12, 1998 (63 FR 43242).

In considering the appropriate reach of the proposed privacy standards, however, we determined that limiting the standards to electronic information would not be consistent with the requirement in HIPAA for the Secretary to address privacy, confidentiality and security concerns relating to individually identifiable health information.

The HIPAA statute, taken as a whole, contemplates an information protection system that assures the privacy, confidentiality and integrity of health information. Two provisions in subtitle F of HIPAA address privacy and confidentiality concerns: section 264, titled "Recommendations with Respect to Privacy of Certain Health Information" and section 1173(d), titled "Security Standards for Health Information." See 42 U.S.C. 1320d–1320d–8, enacted as sections 262 and 264 of HIPAA.

In enacting HIPAA, Congress recognized that the increased accessibility of health information made possible by the widespread and growing use of electronic media and the new federal mandate for increased standardization of data, requires enhanced privacy and confidentiality protections. The House Report links privacy and security concerns stating: "The standards adopted would protect the privacy and confidentiality of health information. Health information is considered relatively 'safe' today, not because it is secure, but because it is difficult to access. These standards improve access and establish strict privacy protections." House Report No. 496, 104th Cong., 2d. Sess., at 99.

Section 264(c) authorizes the Secretary to protect the privacy of individually identifiable health information transmitted in connection with the standard transactions. Section 1173(d) authorizes the Secretary to prescribe requirements that address the security, integrity, and confidentiality of health information maintained or transmitted, in any form or medium, by the covered entities.

Neither the privacy authority in section 264(c) nor the security authority in 1173(d) exclusively limit the scope of protection to electronic information. Section 264(c) of HIPAA requires the Secretary to issue a regulation setting privacy standards for individually identifiable health information "transmitted in connection with the transactions described in section 1173(a)." This statutory language is not on its face limited to electronic transmissions of individually identifiable health information, although electronic transmissions of such information are clearly within its scope. Moreover, the section requires the regulations to address "at least" the subjects of the Secretary's Recommendations, which focus on individually identifiable health information, without reference to whether the information is electronic or not.

The security provision also is not limited by its terms to electronically maintained information. Rather, section 1173(d) applies throughout to "health information," a statutorily defined term that clearly covers information in both its electronic and non-electronic forms.

In HIPAA, when Congress intended to limit health information to its electronic form, it did so explicitly. Section 1172(a)(3) of the statute says that the standards apply to health plans and to health care providers who transmit health information in electronic form in connection with the standard transactions (emphasis added); by contrast, the section 1173(d) requirements for information maintained or transmitted are not similarly qualified.

Further support for the premise that the standards may reach information that is maintained or transmitted non-electronically is found within section 1173(d) itself. That section explicitly distinguishes within one subsection (§ 1173(d)(1)(A)) between "record systems used to maintain health information" and "computerized record systems." Thus, the conclusion may be drawn that the record systems covered by the § 1173(d) security standards are intended to include record systems other than those that are exclusively electronic or "computerized."

Finally, the section that generally defines the HIPAA standard transactions, section 1173(a), is not limited by its terms to transactions that are electronic. Rather, although all of the transactions described can be performed electronically, all take paper and some take oral forms as well. Indeed, the purpose of the standards, including the security and privacy standards, is stated as "to enable electronic exchange." This purpose would not preclude (and in fact would support) requirements that relate to non-electronic media where they support the overall goal of enabling electronic information exchange. Thus, we believe that the statute authorizes a privacy regulation covering health information in any form or medium maintained or transmitted by the covered entities.

Although we believe that HIPAA authorizes the Secretary to issue regulations covering individually identifiable health information in any form, the proposed privacy standards in this NPRM are directed to protecting only individually identifiable health information that is or at some point has been electronically maintained or transmitted by a covered entity. Those standards do not cover health information that has never been in electronic form.

We are proposing this approach because we believe that it focuses most directly on the primary concern raised by HIPAA: the fact that growing use of computerization in health care, including the rapid growth of electronic transfers of health information, gives rise to a substantial concern about the confidentiality of the health care information that is part of this growing electronic commerce. At the same time, we could not adequately address the confidentiality concerns associated with electronic transfers of health information unless we address the resulting uses and disclosures of such information, in whatever form. Indeed, the protection offered by this standard would be devoid of meaning if all non-electronic records and transmissions were excluded. In that event, access to "protected" health information would become merely a matter of obtaining the information in a paper or oral form. Such a narrow reading of the statute would lead to a system in which individually identifiable health information transmitted as part of a claim would be protected only until the information was printed or read aloud, at which point protection would disappear. Previously protected information could be freely printed and redistributed, regardless of limits on further electronic redistribution. The statutory language does not compel such an anomalous result.

In developing our proposal, we considered other approaches for determining the information that would be subject to the privacy standards. We considered but rejected limiting the scope of the proposal to information in electronic form. For the reasons discussed above, such a narrow interpretation would render the standards nearly meaningless. We also considered applying the privacy standards to all individually identifiable health information in any form maintained or transmitted by a covered entity. There are clear advantages to this approach, including permitting covered entities to treat all individually identifiable health information under the same standards. We rejected that approach in favor of our proposed approach which we believe is more focused at the public concerns over health information confidentiality in an electronic communications age. We also were concerned about imposing additional burden with respect to health information that was less likely to present privacy concerns: paper records that are never reduced to electronic form are less likely to become disseminated broadly throughout the health care system. We invite comment on the approach that we are proposing and on whether alternate approaches to determining the health information that would be subject to this regulation would be more appropriate.

We also considered making use of other statutory authorities under which we impose general operating or management conditions for programs (e.g., Medicare, grant programs) to enhance these proposed privacy protections. Doing so could enable us to apply these privacy standards to a wider range of entities than are currently affected, such as health care providers who do not transmit standard transactions electronically. We use many other authorities now to impose confidentiality and privacy requirements, although the current rules lack consistency. It is not clear whether using these other authorities would create more uniform protections or expanded enforcement options. Therefore we request comment on the concept of drawing on other authorities to amplify the protections of these privacy standards.

b. Application to records containing protected and unprotected health information. Once transmitted or maintained electronically, protected health information is often mixed with unprotected health information in the same record. For example, under the proposed rules, information from a medical record that is electronically transmitted by a provider to a health plan and then returned to the original record would become protected health information, even though the rest of the information contained in the paper record may not be subject to these privacy rules.

We reiterate that under the proposed rule, the protections would apply to the information itself, not to the particular record in which it is contained or transmitted. Therefore, an entity could not maintain duplicate records and only apply the protections to the information contained in the record that is electronically maintained or transmitted. For example, once an individual's name and diagnostic code is transmitted electronically between covered entities (or business partners), that information must be protected by both the transmitting and receiving entities in every record, written, electronic or other, in which it appears.

We recognize that this approach may require some additional administrative attention to mixed records (records containing protected and unprotected health information) to ensure that the handling of protected health information conforms with these regulations. We considered ways to limit application of these protections to avoid such potential administrative concerns. However, these regulations would have little effect if not applicable to otherwise protected health information simply because it was combined with unprotected health information—any information could be lawfully disclosed simply by including some additional information. Likewise, these regulations would have no meaning if entities could then avoid applying the protections merely by maintaining separate duplicate records. A way to limit these rules to avoid application to mixed information without sacrificing basic protections is not apparent.

Unlike the potential issues inherent in the protection of oral information, there may be relatively simple ways to reduce possible confusion in protecting mixed records. The risk of inappropriate use or disclosure of protected health information in a mixed record can be eliminated simply by handling all information in mixed records as if it were protected. It also may be possible to develop a "watermark" analogous to a copyright label, designating which written information is protected. We welcome comments on how best to protect information in mixed records, without creating unnecessary administrative burdens.

Finally, we recognize that these rules may create awkward boundaries and enforcement ambiguities, and seek comment on how best to reduce these ambiguities while maintaining the basic protections mandated by the statute.

3. Interaction With Other Standards

The privacy standards in this proposed regulation would be closely integrated with other standards that have been proposed under the HIPAA Administrative Simplification title. This is particularly true with respect to the proposed security standards published on August 12, 1998 (63 FR 43242).

We understand that we are proposing a broader scope of applicability with respect to covered information under these privacy standards than we have previously proposed under the security standard. We intend to solicit additional comments regarding the scope of information that should be addressed under the security standard in the near future.

We also recognize that in this NPRM we are publishing slightly different definitions for some of the concepts that were defined in previously published NPRMs for the other standards. The differences resulted from the comments received on the previous NPRMs as well as the conceptual work done in the development of this NPRM. As we publish the final rules, we will bring all the definitions into conformance.

4. References to Other Laws

The provisions we propose in this rule would interact with numerous other laws. For example, proposed § 164.510 provides standards for certain uses or disclosures that are permitted in this rule, and in some cases references activities that are authorized by other applicable law, such as federal, State, tribal or territorial laws. In cases where this rule references "law" or "applicable law" we intend to encompass all applicable laws, decisions, rules, regulations, administrative procedures or other actions having the effect of law. We do not intend to exclude any applicable legal requirements imposed by a governmental body authorized to regulate in a given area. Where particular types of law are at issue, such as in the proposed provisions for preemption of State laws in subpart B of part 160, or permitted disclosures related to the Armed Forces in § 164.510(m), we so indicate by referring to the particular type of law in question (e.g., "State law" or "federal law").

When we describe an action as "authorized by law," we mean that a legal basis exists for the activity. The phrase "authorized by law" is a term of art that includes both actions that are permitted and actions that are required by law. When we specifically discuss an action that is "required" or "mandated," we mean that a law compels (or conversely, prohibits) the performance of the activity in question. For example, in the health oversight context, disclosure of health information pursuant to a valid Inspector General subpoena, grand jury subpoena, civil investigative demand, or a statute or regulation requiring production of information justifying a claim would constitute a disclosure required by law.

B. Definitions. (§§ 160.103 and 164.504)

[Please label comments about this section with the subject: "Definitions"]

Section 1171 of the Act defines several terms and our proposed rules would, for the most part, simply restate the law or adopt definitions previously defined in the other HIPAA proposed rules. In some instances, we propose definitions from the Secretary's Recommendations. We also propose some new definitions for convenience and efficiency of exposition, and others to clarify the application and operation of this rule. We describe the proposed definitions and discuss the rationale behind them, below.

Most of the definitions would be defined in proposed §§ 160.103 and 164.504. The definitions at proposed § 160.103 apply to all Administrative Simplification standards, including this privacy rule and the security standard. The definitions proposed in § 164.504 would apply only to this privacy rule. Certain other definitions are specific to particular sections of the proposed rule and are provided in those sections. The terms that are defined at proposed § 160.103 follow:

1. Act. We would define "Act" to mean the Social Security Act, as amended. This definition would be added for convenience.

2. Covered entity. This definition would be provided for convenience of reference and would mean the entities to which part C of title XI of the Act applies. These are the entities described in section 1172(a)(1): Health plans, health care clearinghouses, and health care providers who transmit any health information in electronic form in connection with a transaction referred to in section 1173(a)(1) of the Act (a "standard transaction"). In the preamble we occasionally refer to health plans and the health care providers described above as "covered plans," "covered providers," or "covered plans and providers."

We note that health care providers who do not submit HIPAA transactions in standard form become covered by this rule when other entities, such as a billing service or a hospital, transmit standard electronic transactions on their behalf. The provider could not circumvent these requirements by assigning the task to its agent, since the agent would be deemed to be acting as the provider.

3. Health care. We would define theterm ‘‘health care’’ as it is defined in theSecretary’s Recommendations. Healthcare means the provision of care,services, or supplies to a patient andincludes any: (1) Preventive, diagnostic,therapeutic, rehabilitative, maintenance,or palliative care, counseling, service, orprocedure with respect to the physicalor mental condition, or functionalstatus, of a patient or affecting thestructure or function of the body; (2)sale or dispensing of a drug, device,equipment, or other item pursuant to aprescription; or (3) procurement orbanking of blood, sperm, organs, or anyother tissue for administration topatients.

4. Health care clearinghouse. Wewould define ‘‘health careclearinghouse’’ as defined by section1171(2) of the Act. The Act defines a‘‘health care clearinghouse’’ as a ‘‘publicor private entity that processes orfacilitates the processing of nonstandarddata elements of health information intostandard data elements.’’ In practice,clearinghouses receive transactions fromhealth care providers, health plans,other health care clearinghouses, orbusiness partners of such entities, andother entities, translate the data from agiven format into one acceptable to theentity receiving the transaction, andforward the processed transaction tothat entity. There are currently anumber of private clearinghouses thatcontract or perform this function forhealth care providers. For purposes ofthis rule, we would consider billingservices, repricing companies,community health managementinformation systems or communityhealth information systems, ‘‘value-added’’ networks, switches and similarorganizations to be health careclearinghouses for purposes of this partonly if they actually perform the samefunctions as a health care clearinghouse.

We would note that we are proposing to exempt clearinghouses from a number of the provisions of this rule that would apply to other covered entities (see §§ 164.512, 164.514 and 164.516 below), because in most cases we do not believe that clearinghouses would be dealing directly with individuals. In many instances, clearinghouses would be considered business partners under this rule and would be bound by their contracts with covered plans and providers. See proposed § 164.506(e). We would adopt this position with the caveat that the exemptions would be void for any clearinghouse that had direct contact with individuals in a capacity other than that of a business partner.

5. Health care provider. Section 1171(3) of the Act defines “health care provider” as a “provider of medical services as defined in section 1861(u) of the Act, a provider of medical or other health services as defined in section 1861(s) of the Act, and any other person who furnishes health care services or supplies.” We are proposing to define “health care provider” as the Act does, and clarify that a health care provider is limited to any person or organization that furnishes, bills, or is paid for, health care services or supplies in the normal course of business. This definition would include a researcher who provides health care to the subjects of research, free clinics, and a health clinic or licensed health care professional located at a school or business.

Section 1861(u) of the Act contains the Medicare definition of a provider, which encompasses institutional providers, such as hospitals, skilled nursing facilities, home health agencies, and comprehensive outpatient rehabilitation facilities. Section 1861(s) of the Act defines other Medicare facilities and practitioners, including assorted clinics and centers, physicians, clinical laboratories, various licensed/certified health care practitioners, and suppliers of durable medical equipment. The last portion of the proposed definition encompasses appropriately licensed or certified health care practitioners or organizations, including pharmacies and nursing homes and many types of therapists, technicians, and aides. It also would include any other individual or organization that furnishes health care services or supplies in the normal course of business. An individual or organization that bills and/or is paid for health care services or supplies in the normal course of business, such as a group practice or an “on-line” pharmacy accessible on the Internet, is also a health care provider for purposes of this statute.

For a more detailed discussion of the definition of health care provider, we refer the reader to our proposed rule (Standard Health Care Provider Identifier) published on May 7, 1998, in the Federal Register (63 FR 25320).

6. Health information. We would define “health information” as it is defined in section 1171(4) of the Act. “Health information” would mean any information, whether oral or recorded in any form or medium, that is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and that relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.

In this paragraph we attempt to clarify the relationship between the defined terms “health information,” “individually identifiable health information” and “protected health information.” The term “health information” encompasses the universe of information governed by the administrative simplification requirements of the Act. For example, under section 1173 of the Act, the Secretary is to adopt standards to enable the electronic exchange of all health information. However, protection of personal privacy is primarily a concern for the subset of health information that is “individually identifiable health information,” as defined by the Act (see below). For example, a tabulation of the number of students with asthma by school district would be health information, but since it normally could not be used to identify any individuals, it would not usually create privacy concerns. The definition of individually identifiable health information omits some of the persons or organizations that are described as creating or receiving “health information.” Some sections of the Act refer specifically to individually identifiable health information, such as section 1177 in setting criminal penalties for wrongful use or disclosure, and section 264 in requesting recommendations for privacy standards. Finally, we propose the phrase “protected health information” (§ 164.504) to refer to the subset of individually identifiable health information that is used or disclosed by the entities that are subject to this rule.

7. Health plan. We would define “health plan” essentially as section 1171(5) of the Act defines it. Section 1171 of the Act refers to several definitions in section 2791 of the Public Health Service Act, 42 U.S.C. 300gg–91, as added by Public Law 104–191. For clarity, we would incorporate the referenced definitions as currently stated into our proposed definitions.

As defined in section 1171(5), a “health plan” is an individual plan or group health plan that provides, or pays the cost of, medical care (see section 2791(a) of the Public Health Service Act (PHS Act)). This definition would include, but is not limited to, the 15 types of plans listed in the statute, as well as any combination of them. The term would include, when applied to public benefit programs, the component of the government agency that administers the program. Church plans and government plans are included to the extent that they fall into one or more of the listed categories.

“Health plan” includes the following singly or in combination:

a. “Group health plan” (as currently defined by section 2791(a) of the PHS Act). A group health plan is a plan that has 50 or more participants (as the term “participant” is currently defined by section 3(7) of ERISA) or is administered by an entity other than the employer that established and maintains the plan. This definition includes both insured and self-insured plans.

Section 2791(a)(1) of the PHS Act defines “group health plan” as an employee welfare benefit plan (as defined in current section 3(1) of ERISA) to the extent that the plan provides medical care, including items and services paid for as medical care, to employees or their dependents directly or through insurance, or otherwise.

b. “Health insurance issuer” (as currently defined by section 2791(b) of the PHS Act).

Section 2971(b) of the PHS Act defines a “health insurance issuer” as an insurance company, insurance service, or insurance organization that is licensed to engage in the business of insurance in a State and is subject to State law that regulates insurance.

c. “Health maintenance organization” (as currently defined by section 2791(b) of the PHS Act). Section 2791(b) of the PHS Act currently defines a “health maintenance organization” as a federally qualified health maintenance organization, an organization recognized as such under State law, or a similar organization regulated for solvency under State law in the same manner and to the same extent as such a health maintenance organization. These organizations may include preferred provider organizations, provider sponsored organizations, independent practice associations, competitive medical plans, exclusive provider organizations, and foundations for medical care.

d. Part A or Part B of the Medicare program (title XVIII of the Act).

e. The Medicaid program (title XIX of the Act).

f. A “Medicare supplemental policy” as defined under section 1882(g)(1) of the Act. Section 1882(g)(1) of the Act defines a “Medicare supplemental policy” as a health insurance policy that a private entity offers a Medicare beneficiary to provide payment for expenses incurred for services and items that are not reimbursed by Medicare because of deductible, coinsurance, or other limitations under Medicare. The statutory definition of a Medicare supplemental policy excludes a number of plans that are similar to Medicare supplemental plans, such as health plans for employees and former employers and for members and former members of trade associations and unions. A number of these health plans may be included under the definitions of “group health plan” or “health insurance issuer,” as defined in paragraphs “a” and “b” above.

g. A “long-term care policy,” including a nursing-home fixed indemnity policy. A “long-term care policy” is considered to be a health plan regardless of how comprehensive it is.

h. An employee welfare benefit plan or any other arrangement that is established or maintained for the purpose of offering or providing health benefits to the employees of two or more employers. This includes plans that are referred to as multiple employer welfare arrangements (“MEWAs”).

i. The health care program for active military personnel under title 10 of the United States Code. See paragraph “k”, below, for further discussion.

j. The veterans health care program under chapter 17 of title 38 of the United States Code. This health plan primarily furnishes medical care through hospitals and clinics administered by the Department of Veterans Affairs (VA) for veterans enrolled in the VA health care system.

k. The Civilian Health and Medical Program of the Uniformed Services (CHAMPUS) as defined in 10 U.S.C. 1072(4). We note that the Act’s definition of “health plan” omits several types of health care provided by the Department of Defense (DOD). Sections 1171(5)(I) and 1171(5)(K) cover only the health care program for active duty personnel (see 10 U.S.C. 1074(a)) and the CHAMPUS program (see 10 U.S.C. 1079, 1086). What is omitted is health care provided in military treatment facilities to military retirees (see 10 U.S.C. 1074(b)), to dependents of active duty personnel and to dependents of retirees (see 10 U.S.C. 1076), to Secretarial designees such as members of Congress, Justices of the Supreme Court, and to foreign military personnel under NATO status of forces agreements. Health care provided by the DOD in military facilities to the aforementioned persons is not included as a “health plan” under HIPAA. However, these facilities would still be considered to be health care providers.

l. The Indian Health Service program under the Indian Health Care Improvement Act (25 U.S.C. 1601, et. seq.). This program furnishes services, generally through its own health care providers, primarily to persons who are eligible to receive services because they are of American Indian or Alaskan Native descent.

m. The Federal Employees Health Benefits Program under 5 U.S.C. chapter 89. This program consists of health insurance plans offered to active and retired federal employees and their dependents. Although section 1171(5)(M) of the Act refers to the “Federal Employees Health Benefit Plan,” this and any other rules adopting administrative simplification standards will use the correct name, the Federal Employees Health Benefits Program. One health plan does not cover all federal employees; over 350 health plans provide health benefits coverage to federal employees, retirees, and their eligible family members. Therefore, we will use the correct name, The Federal Employees Health Benefits Program, to make clear that the administrative simplification standards apply to all health plans that participate in the Program.

n. An approved State child health plan for child health assistance that meets the requirements of section 2103 of the Act, which established the Children’s Health Insurance Program (CHIP).

o. A Medicare Plus Choice organization as defined in 42 CFR 422.2, with a contract under 42 CFR part 422, subpart K.

p. Any other individual plan or group health plan, or combination thereof, that provides or pays for the cost of medical care. This category implements the language at the beginning of the statutory definition of the term “health plan”: “The term ‘health plan’ means an individual or group plan that provides, or pays the cost of, medical care * * * Such term includes the following, and any combination thereof * * *” This statutory language is general, not specific. Moreover, the statement that the term “health plan” “includes” the specified plans implies that the term also covers other plans that meet the stated criteria. One approach to interpreting this introductory language in the statute would be to make coverage decisions about plans that may meet these criteria on a case-by-case basis. Instead we propose to clarify its coverage by adding this category to the proposed definition of “health plan”; we seek public comment on its application. The Secretary would determine which plans that meet the criteria in the preceding paragraph are health plans for purposes of title II of HIPAA.

Consistent with the other parts of HIPAA, the provisions of this rule generally would not apply to certain types of insurance entities, such as workers’ compensation and automobile insurance carriers, other property and casualty insurers, and certain forms of limited benefits coverage, even when such arrangements provide coverage for health care services. 29 U.S.C. 1186(c). We note that health care providers would be subject to the provisions of this rule with respect to the health care they provide to individuals, even if such providers seek or receive reimbursement from an insurance entity that is not a covered entity under these rules. However, nothing in this rule would be intended to prevent a health care provider from disclosing protected health information to a non-covered insurance entity for the purpose of obtaining payment for services. Further, under proposed § 164.510(n), this rule would permit disclosures by health care providers of protected health information to such insurance entities and to other persons when mandated by applicable law for the purposes of determining eligibility for coverage or benefits under such insurance arrangements. For example, a State workers’ compensation law that requires disclosure of protected health information to an insurer or employer for the purposes of determining an individual’s eligibility for medical or other benefits, or for the purpose of determining fitness for duty, would not be disturbed by this rule.

8. Secretary. This term means the Secretary of Health and Human Services and any other officer or employee of the Department of Health and Human Services to whom the authority involved has been delegated. It is provided for ease of reference.

9. Small health plan. The HIPAA does not define a “small health plan,” but instead explicitly leaves the definition to be determined by the Secretary. We propose to adopt the size classification used by the Small Business Administration. We would therefore define a “small health plan” as a health plan with annual receipts of $5 million or less. 31 CFR 121.201. This differs from the definition of “small health plan” in prior proposed Administrative Simplification rules. We will conform the definitions in the final Administrative Simplification rules.

10. Standard. The term “standard” would mean a prescribed set of rules, conditions, or requirements concerning classification of components, specification of materials, performance or operations, or delineation of procedures in describing products, systems, services, or practices. This definition is a general one, to accommodate the varying functions of the specific standards proposed in the other HIPAA regulations, as well as the rules proposed below.

11. State. This term would include the 50 States, the District of Columbia, the Commonwealth of Puerto Rico, the Virgin Islands, and Guam. This definition follows the statutory definition of “State” in section 1101(a) of the Act.

12. Transaction. We would define “transaction,” as we have done in other Administrative Simplification regulations, to mean the exchange of information between two parties to carry out financial or administrative activities related to health care. A transaction would be (1) any of the transactions listed in section 1173(a)(2) of the Act, and (2) any transaction determined appropriate by the Secretary in accordance with Section 1173(a)(1) of the Act.

A “transaction” would mean any of the following:

a. Health claims or equivalent encounter information. This transaction could be used to submit health care claim billing information, encounter information, or both, from health care providers to payers, either directly or via intermediary billers and claims clearinghouses.

b. Health care payment and remittance advice. This transaction could be used by a health plan to make a payment to a financial institution for a health care provider (sending payment only), to send an explanation of benefits remittance advice directly to a health care provider (sending data only), or to make payment and send an explanation of benefits remittance advice to a health care provider via a financial institution (sending both payment and data).

c. Coordination of benefits. This transaction could be used to transmit health care claims and billing payment information between payers with different payment responsibilities where coordination of benefits is required or between payers and regulatory agencies to monitor the furnishing, billing, and/or payment of health care services within a specific health care/insurance industry segment.

d. Health claims status. This transaction could be used by health care providers and recipients of health care products or services (or their authorized agents) to request the status of a health care claim or encounter from a health plan.

e. Enrollment and disenrollment in a health plan. This transaction could be used to establish communication between the sponsor of a health benefit and the payer. It provides enrollment data, such as subscriber and dependents, employer information, and primary care health care provider information. A sponsor would be the backer of the coverage, benefit, or product. A sponsor could be an employer, union, government agency, association, or insurance company. The health plan would refer to an entity that pays claims, administers the insurance product or benefit, or both.

f. Eligibility for a health plan. This transaction could be used to inquire about the eligibility, coverage, or benefits associated with a benefit plan, employer, plan sponsor, subscriber, or a dependent under the subscriber’s policy. It also could be used to communicate information about or changes to eligibility, coverage, or benefits from information sources (such as insurers, sponsors, and payers) to information receivers (such as physicians, hospitals, third party administrators, and government agencies).

g. Health plan premium payments. This transaction could be used by, for example, employers, employees, unions, and associations to make and keep track of payments of health plan premiums to their health insurers. This transaction could also be used by a health care provider, acting as liaison for the beneficiary, to make payment to a health insurer for coinsurance, copayments, and deductibles.

h. Referral certification and authorization. This transaction could be used to transmit health care service referral information between health care providers, health care providers furnishing services, and payers. It could also be used to obtain authorization for certain health care services from a health plan.

i. First report of injury. This transaction could be used to report information pertaining to an injury, illness, or incident to entities interested in the information for statistical, legal, claims, and risk management processing requirements.

j. Health claims attachments. This transaction could be used to transmit health care service information, such as subscriber, patient, demographic, diagnosis, or treatment data for the purpose of a request for review, certification, notification, or reporting the outcome of a health care services review.

k. Other transactions as the Secretary may prescribe by regulation. Under section 1173(a)(1)(B) of the Act, the Secretary may adopt standards, and data elements for those standards, for other financial and administrative transactions deemed appropriate by the Secretary. These transactions would be consistent with the goals of improving the operation of the health care system and reducing administrative costs.

In addition to the above terms, a number of terms are defined in proposed § 164.504, and are specific to the proposed privacy rules. They are as follows:

13. Business partner. This term would mean a person to whom a covered entity discloses protected health information so that the person can carry out, assist with the performance of, or perform on behalf of, a function or activity for the covered entity. Such term includes any agent, contractor or other person who receives protected health information from the covered entity (or from another business partner of the covered entity) for the purposes described in the previous sentence. It would not include a person who is an employee, a volunteer or other person associated with the covered entity on a paid or unpaid basis.

14. Designated record set. This term would be defined as a group of records under the control of a covered entity from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual, and which is used by the covered entity to make decisions about the individual. The concept of a “designated record set” is derived from the Privacy Act’s concept of a “system of records.” Under the Privacy Act, federal agencies must provide an individual with access to “information pertaining to him which is contained in [a system of records].” 5 U.S.C. 552a(d)(1). A “system of records” is defined as “a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.” 5 U.S.C. 552a(a)(5). Under this rule, we would substitute the term “covered entity” for “agency” and limit the information to that used by the covered entity to make decisions about the individual.

We would define a “record” as “any item, collection, or grouping of protected health information maintained, collected, used, or disseminated by a covered entity.” Under the Privacy Act, “the term ‘record’ means any item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to, his education, financial transactions, medical history, and criminal or employment history and that contains his name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or a photograph.” 5 U.S.C. 552a(a)(4). For purposes of this rule we propose to limit the information to protected health information, as defined in this rule. “Protected health information” already incorporates the concept of identifiability, and therefore our definition of “record” is much simpler.

For health plans, designated record sets would include, at a minimum, the claims adjudication, enrollment, and patient accounting systems. For health care providers, designated record sets would include, at a minimum, the medical records and billing records. Designated record set would also include a correspondence system, a complaint system, or an event tracking system if decisions about individuals are made based, in whole or in part, on information in those systems. Files used to backup a primary data system or the sequential files created to transmit a batch of claims to a clearinghouse are clear examples of data files which would not fall under this definition.

We note that a designated record set would only exist for types of records that a covered entity actually “retrieves” by an identifier, and not records that are only “retrievable” by an identifier. In many cases, technology will permit sorting and retrieving by a variety of fields and therefore the “retrievable” standard would be relatively meaningless.

15. Disclosure. This term would be defined as the release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information.

16. Health care operations. We propose the term “health care operations” to clarify the activities we consider to be “compatible with and directly related to” treatment and payment and therefore would not require authorization from the individual for use or disclosure of protected health information.

Under our proposal, “health care operations” means the following services or activities if provided by or on behalf of a covered health plan or health care provider for the purposes of carrying out the management functions of such plan or provider necessary for the support of treatment or payment:

• Conducting quality assessment and improvement activities, including evaluating outcomes, and developing clinical guidelines;


• Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which undergraduate and graduate students and trainees in all areas of health care learn under supervision to practice as health care providers (e.g., residency programs, grand rounds, nursing practicums), accreditation, certification, licensing or credentialing activities;

• Insurance rating and other insurance activities relating to the renewal of a contract for insurance, including underwriting, experience rating, and reinsurance, but only when the individuals are already enrolled in the health plan conducting such activities and only when the use or disclosure of such protected health information relates to an existing contract of insurance (including the renewal of such a contract);

• Conducting or arranging for auditing services, including fraud and abuse detection and compliance programs; and

• Compiling and analyzing information in anticipation of, or for use in, civil or criminal legal proceedings.

Our definition proposes to limit health care operations to functions and activities performed by a health plan or provider or by a business partner on behalf of a health plan or a provider. Our definition anticipates that in order for treatment and payment to occur, protected health information would be used within entities, would be shared with business partners, and in some cases would be shared between covered entities (or their business partners). However, a health care operation should not result in protected health information being disclosed to an entity that is not the covered entity (or a business partner of such entity) on whose behalf the operation is being performed. For example, a health plan may request a health care provider to provide protected health information to the health plan, or to a business partner of the health plan, as part of an outcomes evaluation effort relating to providers affiliated with that plan. This would be a health care operation.

We are aware that the health care industry is changing and that these categories, though broad, may need to be modified to reflect different conditions in the future.

17. Health oversight agency. We would define the term “health oversight agency” as it is defined in the Secretary’s Recommendations. See section II.E. below for further discussion.

18. Individual. We would define “individual” to mean the person who is the subject of protected health information. We would define the term to include, with respect to the signing of authorizations and other rights (such as access, copying, and correction), various types of legal representatives. The term would include court-appointed guardians or persons with a power of attorney, including persons making health care decisions for incapacitated persons, persons acting on behalf of a decedent’s estate, where State or other applicable law authorizes such legal representatives to exercise the person’s rights in such contexts, and parents subject to certain restrictions explained below. We would define this term to exclude foreign military and foreign diplomatic personnel and their dependents who receive health care provided or paid for by the DOD or other federal agency or entity acting on its behalf, and overseas foreign national beneficiaries of health care provided by the DOD or other federal agency, or non-governmental organization acting on its behalf.

a. Disclosures pursuant to a power of attorney. The definition of an individual would include legal representatives, to the extent permitted under State or other applicable law. We considered several issues in making this determination.

A “power of attorney” is a legal agreement through which a person formally grants authority to another person to make decisions on the person’s behalf about financial, health care, legal, and/or other matters. In granting power of attorney, a person does not give up his or her own right to make decisions regarding the health care, financial, legal, or other issues involved in the legal agreement. Rather, he or she authorizes the other person to make these decisions as well.

In some cases, an individual gives another person power of attorney over issues not directly related to health care (e.g., financial matters) while informally relying on a third person (either implicitly or through verbal agreement) to make health care decisions on his or her behalf. In such situations, the person with power of attorney could seek health information from a health plan or provider in order to complete a task related to his or her power of attorney. For example, a person with financial power of attorney may request health information from a health plan or provider in order to apply for disability benefits on the individual’s behalf.

In developing proposed rules to address these situations, we considered two options: (1) Allowing health plans and health care providers to disclose health information without authorization directly to the person with power of attorney over issues not directly related to health care; and (2) prohibiting health plans or health care providers from disclosing health information without authorization directly to such persons and stating that disclosure without authorization is permitted only to persons designated formally (through power of attorney for health care) or informally as the patient’s health care decision-maker. We believe that both options have merit.

The first option recognizes that the responsibilities of persons with power of attorney often are broad, and that even when the power of attorney agreement does not relate directly to health care, the person with power of attorney at times has a legitimate need for health information in order to carry out his or her legal responsibility. The second option recognizes that when an individual is competent to make health care decisions, it is appropriate for him or her (or, if the individual wishes, for the informally designated health care decision maker) to decide whether the covered entity should disclose health information to someone with power of attorney over issues not directly related to health care.

In light of the fact that laws vary by State regarding power of attorney and that implementation of either option could be in the individual’s interest, we would allow health plans and health care providers to disclose protected health information without authorization directly to persons with power of attorney to handle any issue on the individual’s behalf, in accordance with State or other applicable laws regarding this issue.

This definition also accounts for situations in which a competent individual has granted one person power of attorney over health care issues yet, in practice, relies on another person to make health care decisions. We recognize that, by giving power of attorney for health care issues to one person and involving another person informally in making treatment decisions, the individual is, in the first instance, formally granting consent to release his or her health information and, in practice, granting consent to release medical information to the second person. Therefore, we would allow a health plan or provider, pursuant to State or other applicable law, to disclose protected health information without authorization to a person with power of attorney for the patient’s health care and to a person informally designated as the patient’s health care decision maker.

1 Sweeney, L. Guaranteeing Anonymity when Sharing Medical Data, the Datafly System. Masys, D., Ed. Proceedings, American Medical Informatics Association, Nashville, TN: Hanley & Belfus, Inc., 1997:51–55.

b. Disclosures pertaining to incapacitated individuals. Covered entities would be permitted to disclose protected health information to any person making health care decisions for an incapacitated person under State or other applicable law. This definition defers to current laws regarding health care decision-making when a patient is not a minor and is incapable of making his or her own decisions. We propose to permit information to follow such decision-making authority. It is our intent not to disturb existing practices regarding incapacitated patients.

Applicable laws vary significantly regarding the categories of persons who can make health care decisions when a patient is incapable of making them. For example, some State laws establish a hierarchy of persons who may make medical decisions for the incapacitated person (e.g., first a person with power of attorney, if not then next-of-kin, if none then close friend, etc.). In other States, health care providers may exercise professional judgment about which person would make health care decisions in the patient’s best interest. We also recognize that federal agencies have, in some cases, established rules regarding such patients. For example, the DOD has established requirements regarding military personnel who are based overseas and who have become incapable of making their own decisions.

Because laws vary regarding patients unable to make their own decisions and because these patients’ interests could be served through a variety of arrangements, we would allow health plans and health care providers to disclose information in accordance with applicable laws regarding incapacitated patients.

c. Disclosures pertaining to minors. In general, because the definition of individual would include parents, a parent, guardian, or person acting in loco parentis could exercise the rights established under this regulation on behalf of their minor (as established by applicable law) children. However, in cases where a minor lawfully obtains a health care service without the consent of or notification to a parent, the minor would be treated as the individual for purposes of exercising any rights established under this regulation with respect to protected health information relating to such health services. Laws regarding access to health care for minors and confidentiality of their medical records vary widely; this proposed regulation recognizes and respects the current diversity of the law in this area. It would not affect applicable regulation of the delivery of health care services to minors, and would not preempt any law authorizing or prohibiting disclosure of individually identifiable health information of minor individuals to their parents. The disclosure of individually identifiable health information from substance abuse records is also addressed by additional requirements established under 42 CFR part 2.

d. Foreign recipients of defense related health care. We would define the term ‘‘individual’’ to exclude foreign military and foreign diplomatic personnel and their dependents who receive health care provided by or paid for by the DOD or other federal agency, or by an entity acting on its behalf, pursuant to a country-to-country agreement or federal statute. We would also exclude from this term overseas foreign national beneficiaries of health care provided by the DOD or other federal agency or by a non-governmental organization acting on behalf of DOD or such agency. This exclusion is discussed in section II.E.13.

e. Disclosures pertaining to deceased persons. This provision is discussed in Section II.C.6.

19. Individually identifiable health information. We would define ‘‘individually identifiable health information’’ as it is defined in section 1171(6) of the Act. While the definition of individually identifiable health information does not expand on the statutory definition, we recognize that the issue of how the identifying characteristics can be removed from such information (referred to in this rule as de-identification) presents difficult operational issues. Accordingly, we propose in § 164.506(d) an approach for de-identifying identifiable information, along with restrictions designed to ensure that de-identified information is not used inappropriately.

The privacy standards would apply to ‘‘individually identifiable health information,’’ and not to information that does not identify the individual. We are aware that, even after removing obvious identifiers, there is always some probability or risk, however remote, that any information about an individual can be attributed. A 1997 MIT study showed that, because of the public availability of the Cambridge, Massachusetts voting list, 97 percent of the individuals in Cambridge whose data appeared in a data base which contained only their nine digit zip code and birth date could be identified with certainty.1 Their information had been ‘‘de-identified’’ (some obvious identifiers had been removed) but it was not anonymous (it was still possible to identify the individual).

It is not always obvious when information identifies the subject. If the name and identifying numbers (e.g., SSN, insurance number, etc.) are removed, a person could still be identified by the address. With the address removed, the subject of a medical record could be identified based on health and demographic characteristics (e.g., age, race, diagnosis). ‘‘Identifiability’’ varies with the location of the subject; there could be hundreds of people in Manhattan who have the same age, race, gender, and diagnosis, but only one such person in a small town or rural county. Gauging the risk of identification of information requires statistical experience and expertise that most covered entities will not possess.

Obvious identifiers on health information could be replaced with random numbers or encrypted codes, which can prevent the person using the record from identifying the subject, but which allow the person holding the code to re-identify the information. Information with coded or encrypted identifiers would be considered ‘‘de-identified’’ but not ‘‘anonymous,’’ because it is still possible for someone to identify the subject.

We considered defining ‘‘individually identifiable health information’’ as any information that is not anonymous, that is, for which there is any possibility of identifying the subject. We rejected this option, for several reasons. First, the statute suggests a different approach. The term ‘‘individually identifiable health information’’ is defined in HIPAA as health information that ‘‘* * * identifies the individual, or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.’’ By including the modifier ‘‘reasonable basis,’’ Congress appears to reject the absolute approach to defining ‘‘identifiable.’’

Second, covered entities may not have the statistical sophistication to know with certainty when sufficient identifying information has been removed so that the record is no longer identifiable. We believe that covered entities need more concrete guidance as to when information will and will not be ‘‘identifiable’’ for purposes of this regulation.


Finally, defining non-identifiable to mean anonymous would require covered entities to comply with the terms of this regulation with respect to information for which the probability of identification of the subject is very low. We want to encourage covered entities and others to remove obvious identifiers or encrypt them whenever possible; use of the absolute definition of ‘‘identifiable’’ would not promote this salutary result.

For these reasons, we propose at § 164.506(d)(2)(ii) that there be a presumption that, if specified identifying information is removed and if the holder has no reason to believe that the remaining information can be used by the reasonably anticipated recipients alone or in combination with other information to identify an individual, then the covered entity is presumed to have created de-identified information.

At the same time, in proposed § 164.506(d)(2)(iii), we would leave leeway for more sophisticated data users to take a different approach. We would include a ‘‘reasonableness’’ standard so that entities with sufficient statistical experience and expertise could remove or code a different combination of information, so long as the result is still a low probability of identification. With this approach, our intent is to provide certainty for most covered entities, while not limiting the options of more sophisticated data users.

In § 164.504, we propose to define ‘‘individually identifiable health information’’ to mean health information created or received by a health care provider, health plan, employer or health care clearinghouse, that could be used directly or indirectly to identify the individual who is the subject of the information. Under proposed § 164.506(d)(2)(ii), information would be presumed not to be ‘‘identifiable’’ if:

• All of the following data elements have been removed or otherwise concealed: Name; address, including street address, city, county, zip code, or equivalent geocodes; names of relatives and employers; birth date; telephone and fax numbers; e-mail addresses; social security number; medical record number; health plan beneficiary number; account number; certificate/license number; any vehicle or other device serial number; web URL; Internet Protocol (IP) address; finger or voice prints; photographic images; and any other unique identifying number, characteristic, or code (whether generally available in the public realm or not) that the covered entity has reason to believe may be available to an anticipated recipient of the information, and

• The covered entity has no reason to believe that any reasonably anticipated recipient of such information could use the information alone, or in combination with other information, to identify an individual. Thus, to create de-identified information, entities that had removed the listed identifiers would still have to remove additional data elements if they had reason to believe that a recipient could use the remaining information, alone or in combination with other information, to identify an individual. For example, if the ‘‘occupation’’ field is left intact and the entity knows that a person’s occupation is sufficiently unique to allow identification, that field would have to be removed from the relevant record. The presumption does not allow use or disclosure if the covered entity has reason to believe the subject of the information can be re-identified. Our concern with the potential for re-identification is heightened by our limited jurisdiction under HIPAA. Because we can only regulate health care providers, health plans and health care clearinghouses, we cannot prohibit other recipients of de-identified information from attempting to re-identify it.

To assist covered entities in ascertaining whether their attempts to create de-identified information would be successful, the Secretary would from time to time issue guidance establishing methods that covered entities could use to determine the identifiability of information. This guidance would include information on statistical and other tests that could be performed by covered entities in assessing whether they have created de-identified information. The manner in which such guidance would be published and distributed will be addressed in the final regulation. We solicit comment on the best ways in which to inform covered entities of appropriate and useful information on methods that they can use to determine whether information is de-identified.

In enforcing this regulation, the Secretary would consider the sophistication of covered entities when determining whether a covered entity had reason to believe that information that it had attempted to de-identify continued to identify the subject. Covered entities that routinely create and distribute de-identified data would be expected to be aware of and to use advanced statistical techniques, including the guidance issued by the Secretary, to ensure that they are not improperly disclosing individually identifiable health information. Covered entities that rarely create de-identified information would not be expected to have the same level of knowledge of these statistical methods, and generally could rely on the presumption that information from which they have removed the listed identifiers (and provided that they do not know that the information remains identifiable) is de-identified. We solicit comment on whether the enforcement approach that we are suggesting here and our overall approach relating to the creation of de-identified information would provide sufficient guidance to covered entities to permit them to create, use and disclose de-identified information.

In addition, we propose to permit entities with appropriate statistical experience and expertise (obtained through a statistical consultant or staff with statistical expertise) to decide that some of the above named data elements could be retained in the de-identified data set if: (1) The entity determines that the probability of identifying an individual with the remaining information is very low, or (2) the entity has converted the ‘‘identifiable’’ data elements into data elements that, in combination with the remaining information, have a very low probability of being used to identify an individual. An example of such a conversion would be the translation of birth date into age expressed in years or, if still determined to convey ‘‘identifiability,’’ age expressed in categories of years (e.g., age 18 to 24). In making these determinations, the entity must consider the data elements taken together as well as any additional information that might reasonably be available to a recipient. Examples of the types of entities that would have the statistical experience and expertise to make this type of judgment include large health research institutions such as medical schools with epidemiologists and statisticians on the faculty; federal agencies such as the National Center for Health Statistics, the Agency for Health Care Policy and Research, FDA, the Bureau of the Census, and NIH; and large corporations that do health research such as pharmaceutical manufacturers with epidemiologists and statisticians on staff.
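As an added illustration, not part of the proposed rule or of any HHS code, the Python below applies the two-part presumption and the birth-date-to-age-band conversion described above to a few constructed records: it strips the listed elements, checks whether the remaining fields still single out any record (the ‘‘occupation’’ example), and keeps the code-to-identity map with the originating holder, the coded-identifier arrangement discussed earlier. The column names, the age bands other than 18 to 24, and the sample records are this example's assumptions.

```python
from collections import Counter
from datetime import date
import secrets

# Data elements the proposal lists for removal. The column names are this
# example's assumptions; the rule names categories of data, not columns.
LISTED_IDENTIFIERS = frozenset({
    "name", "street_address", "city", "county", "zip", "relatives",
    "employer", "birth_date", "phone", "fax", "email", "ssn",
    "medical_record_number", "beneficiary_number", "account_number",
    "license_number", "device_serial", "url", "ip_address",
    "fingerprint", "voiceprint", "photo",
})

# Age bands for the birth-date conversion the text describes. '18 to 24'
# is the text's own example; the other bands are constructed.
AGE_BANDS = ((0, 17), (18, 24), (25, 34), (35, 44), (45, 64), (65, None))


def age_category(birth_date, as_of):
    """Translate a birth date into an age band such as '18-24' or '65+'."""
    age = as_of.year - birth_date.year
    if (as_of.month, as_of.day) < (birth_date.month, birth_date.day):
        age -= 1  # birthday not yet reached in the as_of year
    for low, high in AGE_BANDS:
        if high is None:
            return f"{low}+"
        if age <= high:
            return f"{low}-{high}"


def strip_listed_identifiers(record, as_of):
    """Part one of the presumption: drop every listed element, keeping an
    age band in place of the birth date."""
    kept = {k: v for k, v in record.items() if k not in LISTED_IDENTIFIERS}
    if "birth_date" in record:
        kept["age_band"] = age_category(record["birth_date"], as_of)
    return kept


def singled_out(records, fields):
    """Indices of records whose combination of values in `fields` occurs
    only once. A recipient who knows those values about a person could pick
    the record out, which is the 'reason to believe' that defeats part two.
    Run on raw records with ('zip', 'birth_date') it shows the kind of
    uniqueness the 1997 study relied on."""
    key = lambda r: tuple(r.get(f) for f in fields)
    counts = Counter(key(r) for r in records)
    return [i for i, r in enumerate(records) if counts[key(r)] == 1]


def create_deidentified_release(records, quasi_fields, as_of):
    """Return (release, code_map, dropped_fields).

    Each released record carries a random code in place of its identifiers;
    the code-to-identifier map stays with the originating entity, so the
    release is 'de-identified' but not 'anonymous' in the text's terms, and
    re-identification for a legitimate reason stays possible. quasi_fields
    lists the remaining elements from most to least specific; a field is
    removed from the whole set while any record is still singled out."""
    stripped = [strip_listed_identifiers(r, as_of) for r in records]
    remaining, dropped = list(quasi_fields), []
    while remaining and singled_out(stripped, remaining):
        field = remaining.pop(0)
        dropped.append(field)
        for rec in stripped:
            rec.pop(field, None)
    release, code_map = [], {}
    for original, rec in zip(records, stripped):
        code = secrets.token_hex(8)  # random, unrelated to the identifiers
        code_map[code] = {k: v for k, v in original.items()
                          if k in LISTED_IDENTIFIERS}
        release.append({"code": code, **rec})
    return release, code_map, dropped


# Constructed sample records: fictional people sharing one small zip code.
AS_OF = date(1999, 11, 3)
SAMPLE_RECORDS = [
    {"name": "Ann Ames", "zip": "02139", "birth_date": date(1965, 3, 2),
     "gender": "F", "occupation": "nurse", "diagnosis": "asthma"},
    {"name": "Bob Bell", "zip": "02139", "birth_date": date(1972, 7, 19),
     "gender": "M", "occupation": "teacher", "diagnosis": "asthma"},
    {"name": "Cara Cole", "zip": "02139", "birth_date": date(1968, 11, 30),
     "gender": "F", "occupation": "nurse", "diagnosis": "asthma"},
    {"name": "Dan Dean", "zip": "02139", "birth_date": date(1974, 1, 5),
     "gender": "M", "occupation": "teacher", "diagnosis": "asthma"},
    {"name": "Eve Ellis", "zip": "02139", "birth_date": date(1969, 5, 15),
     "gender": "F", "occupation": "lighthouse keeper", "diagnosis": "asthma"},
]
QUASI_FIELDS = ("occupation", "age_band", "gender", "diagnosis")

if __name__ == "__main__":
    release, code_map, dropped = create_deidentified_release(
        SAMPLE_RECORDS, QUASI_FIELDS, AS_OF)
    print("fields removed beyond the listed elements:", dropped)
    for rec in release:
        print(rec)
```

On the sample set every record is unique on zip plus birth date alone, while after the listed elements are stripped only the one unusual occupation singles a record out, so that field is removed and the age band is retained.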

An important component of this approach to defining ‘‘identifiable’’ would be the prohibition on re-identification of health information. We propose that a covered entity that is a recipient of de-identified information who attempts to re-identify such de-identified information for a purpose for which protected health information could not be used or disclosed under this rule be deemed to be in violation of the law. See proposed § 164.506(d) and section II.C. below. There may be circumstances, however, when recipients of de-identified information will have a legitimate reason to request that the de-identified information be re-identified by the originating covered entity. For example, if a researcher received de-identified information from a covered entity and the research revealed that a particular patient was misdiagnosed, the covered entity should be permitted to re-identify the patient’s health information so that the patient could be informed of the error and seek appropriate care. One of the principal reasons entities retain information in coded form, rather than rendering it anonymous, is to enable re-identification of the information for appropriate reasons. Although we would anticipate that the need for re-identification would be rare, entities that expect to have to perform this function should establish a process for determining when re-identification is appropriate. Once covered entities re-identify information, it becomes protected information and may, therefore, be used and disclosed only as permitted by this regulation.

The phrase ‘‘individually identifiable’’ information is already in use by many HHS agencies and others. In particular, the Common Rule regulation includes ‘‘identifiable private information’’ in its definition of ‘‘human subject.’’ Because of this, medical records research on ‘‘identifiable private information’’ is subject to Common Rule consent and IRB review requirements. It would not be our intent to suggest changes to this practice. Researchers and others can and are encouraged to continue to use more stringent approaches to protecting information.

We invite comment on the approach that we are proposing and on alternative approaches to standards for covered entities to determine when health information can reasonably be considered no longer individually identifiable.

20. Law enforcement official. We propose a new definition of ‘‘law enforcement official,’’ to mean an officer of the United States or a political subdivision thereof, who is empowered by law to conduct an investigation or official proceeding inquiring into a violation of, or failure to comply with, any law; or a criminal, civil, or administrative proceeding arising from a violation of, or failure to comply with, any law.

21. Payment. We offer a new definition of payment. The term ‘‘payment’’ would mean activities undertaken by a health plan (or by a business partner on behalf of a health plan) to determine its responsibilities for coverage under the health plan policy or contract including the actual payment under the policy or contract, or by a health care provider (or by a business partner on behalf of a provider) to obtain reimbursement for the provision of health care, including:

• Determinations of coverage, improving payment methodologies or coverage policies, or adjudication or subrogation of claims;

• Risk adjusting payments based on enrollee health status and demographic characteristics;

• Billing, claims management, medical review, medical data processing;

• Review of health care services with respect to medical necessity, coverage under a health plan policy or contract, appropriateness of care, or justification of charges; and,

• Utilization review activities, including pre-certification and preauthorization of services.

Our proposed definition is intended to capture the necessary sharing of protected health information among health care providers who provide care, health plans and other insurers who pay for care, their business partners, as well as sponsors of group health plans, such as employers, who pay for care and sometimes provide administrative services in conjunction with health plan payment activities. For example, employers sometimes maintain the eligibility file with respect to a group health plan.

Our proposed definition anticipates that protected health information would be used for payment purposes within entities, would be shared with business partners, and in most cases would be shared between health care providers and health plans (and their business partners). In some cases, a payment activity could result in the disclosure of protected health information by a plan to an employer or to another payer of health care, or to an insurer that is not a covered entity, such as for coordination of benefits or to a workers compensation carrier. For example, a health plan could disclose protected health information to an employer in connection with determining the experience rate for group coverage.

We are concerned that disclosures for payments may routinely result in disclosures of protected health information to non-covered entities, such as employers, which are not subject to the use and disclosure requirements of this rule. We considered prohibiting disclosures to employers without individual authorization, or alternatively, requiring a contractual relationship, similar to the contracts required for business partners, before such disclosures could occur. We note that the National Committee on Quality Assurance has adopted a standard for the year 2000 that would require health plans to ‘‘have policies that prohibit sending identifiable personal health information to fully insured or self-insured employers and provide safeguards against the use of information in any action relating to an individual’’ (Standard R.R.6, National Committee for Quality Assurance 2000 Standards).

We did not adopt either of these approaches, however, because we were concerned that we might disrupt some beneficial activities if we were to prohibit or place significant conditions on disclosures by health plans to employers. We also recognize that employers are paying for health care in many cases, and it has been suggested to us that they may need access to claims and other information for the purposes of negotiating rates, quality improvement and auditing their plans and claims administrators. We invite comment on the extent to which employers currently receive protected health information about their employees, for what types of activities protected health information is received, and whether any or all of these activities could be accomplished with de-identified health information. We also invite other comments on how disclosures to employers should be treated under this rule.

22. Protected health information. We would create a new definition of ‘‘protected health information’’ to mean individually identifiable health information that is or has been electronically maintained or electronically transmitted by a covered entity, as well as such information when it takes any other form. For example, protected health information would remain protected after it is read from a computer screen and discussed orally, printed onto paper or other media, photographed, or otherwise duplicated. We note that individually identifiable health information created or received by an employer as such would not be considered protected health information, although such information created or received by an employer in its role as a health plan or provider would be protected health information.

Under this definition, information that is ‘‘electronically transmitted’’ would include information exchanged with a computer using electronic media, even when the information is physically moved from one location to another using magnetic or optical media (e.g., copying information from one computer to another using a floppy disc). Transmissions over the Internet (i.e., open network), Extranet (i.e., using Internet technology to link a business with information only accessible to collaborating parties), leased lines, dial-up lines, and private networks would all be included. Telephone voice response and ‘‘faxback’’ (i.e., a request for information from a computer made via voice or telephone keypad input with the requested information returned as a fax) systems would be included because these are computer output devices similar in function to a printer or video screen. This definition would not include ‘‘paper-to-paper’’ faxes, or person-to-person telephone calls, video teleconferencing, or messages left on voice-mail. The key concept that determines if a transmission meets the definition is whether the source or target of the transmission is a computer. The medium or the machine through which the information is transmitted or rendered is irrelevant.

Also, information that is ‘‘electronically maintained’’ would be information stored by a computer or on any electronic medium from which the information may be retrieved by a computer. These media include, but are not limited to, electronic memory chips, magnetic tape, magnetic disk, or compact disc (CD) optical media.

Individually identifiable health information that is part of an ‘‘education record’’ governed by the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. 1232g, would not be considered protected health information. Congress specifically addressed such information when it enacted FERPA to protect the privacy rights of students and parents in educational settings. FERPA applies to educational records that are maintained by educational agencies and institutions that are recipients of federal funds from the Department of Education. FERPA requires written consent of the parent or student prior to disclosure of education records except in statutorily specified circumstances. We do not believe that Congress intended to amend or preempt FERPA in enacting HIPAA.

Individually identifiable health information of inmates of correctional facilities and detainees in detention facilities would be excluded from this definition because unimpeded sharing of inmate identifiable health information is crucial for correctional and detention facility operations. In a correctional or detention setting, prison officials are required by law to safely house and provide health care to inmates. These activities require the use and disclosure of identifiable health information. Therefore, correctional and detention facilities must routinely share inmate health information among their health care and other components, as well as with community health care facilities. In order to maintain good order and protect the well-being of prisoners, the relationship between such facilities and inmates or detainees involves a highly regulated, specialized area of the law which has evolved as a carefully balanced compromise with due deference to institutional needs and obligations.

Federal and other prison facilities routinely share health information with community health care facilities in order to provide medical treatment to persons in their custody. It is not uncommon for inmates and detainees to be transported from one facility to another, for example, for the purpose of making a court appearance in another jurisdiction, or to obtain specialized medical care. In these and other circumstances, law enforcement agencies such as the Federal Bureau of Prisons (the Bureau), the United States Marshals Service (USMS), the Immigration and Naturalization Service, State prisons, county jails, and U.S. Probation Offices, share identifiable health information about inmates and detainees to ensure that appropriate health care and supervision of the inmate or detainee is maintained. Likewise, these agencies must, in turn, share health information with the facility that resumes custody of the inmate or detainee.

Requiring an inmate’s or detainee’s authorization for disclosure of identifiable health information for day-to-day operations would represent a significant shift in correctional and detention management philosophy. If correctional and detention facilities were covered by this rule, the proposed provisions for individual authorizations could potentially be used by an inmate or detainee to override the safety and security concerns of the correctional/custodial authority; for example, an inmate being sent out on a federal writ could refuse to permit the Bureau to disclose a suicide history to the USMS. Additionally, by seeking an authorization to disclose the information, staff may give the inmate or detainee advance notice of an impending transfer, which in turn may create security risks.

Therefore we propose to exclude the individually identifiable health information of inmates of correctional facilities and detainees in detention facilities from the definition of protected health information. We note that existing federal laws limiting the disclosure and release of information (e.g., FOIA/Privacy Act) protect the privacy of identifiable federal inmate health information. Subject to certain limitations, these laws permit inmates and detainees to obtain and review a copy of their medical records and to correct inaccurate information.

Under this approach, the identifiable health information held by correctional and detention facilities of persons who have been released would not be protected. The facilities require continued access to such information for security, protection and health care purposes because inmates and detainees are frequently readmitted to correctional and detention facilities. However, concern has been expressed about the possibility that absent coverage by this proposed rule, correctional and detention facilities may disclose information about former inmates and detainees without restriction. We therefore request comments on whether identifiable health information held by correctional and detention facilities about former inmates and detainees should be subject to this rule, and the potential security concerns and burden such a requirement might place on these facilities.

23. Psychotherapy notes. We would define ‘‘psychotherapy notes’’ to mean detailed notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session. Such notes are used only by the therapist who wrote them, maintained separately from the medical record, and not involved in the documentation necessary for health care treatment, payment, or operations. Such term would not include medication prescription and monitoring, counseling session start and stop times or the modalities and frequencies of treatment furnished, results of clinical tests, or a brief summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis and progress to date.

24. Public health authority. We would define ‘‘public health authority’’ as an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe that is responsible for public health matters as part of its official mandate.

59939 Federal Register / Vol. 64, No. 212 / Wednesday, November 3, 1999 / Proposed Rules

25. Research. We would define ‘‘research’’ as a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge. We further explain that ‘‘generalizable knowledge’’ is knowledge related to health that can be applied to populations outside of the population served by the covered entity.

This is the definition of ‘‘research’’ in the federal regulation that protects human subjects, entitled The Federal Policy for the Protection of Human Subjects (often referred to as the ‘‘Common Rule,’’ at 45 CFR part 46). This definition is well understood in the research community and elsewhere, and we propose to use it here to maintain consistency with other federal regulations that affect research.

26. Research information unrelated to treatment. We would define ‘‘research information unrelated to treatment’’ as information that is received or created by a covered entity in the course of conducting research for which there is insufficient scientific and medical evidence regarding the validity or utility of the information such that it should not be used for the purpose of providing health care,[2] and with respect to which the covered entity has not requested payment from a health plan.

[2] For example, validity is an indicator of how well a test measures the property or characteristic it is intended to measure and the reliability of a test, i.e., whether the same result is obtained each time the test is used. Validity is also a measurement of the accuracy with which a test predicts a clinical condition. Utility refers to the degree to which the results of a test can be used to make decisions about the subsequent delivery of health care.

27. Treatment. We would define ‘‘treatment’’ to mean the provision of health care by, or the coordination of health care (including health care management of the individual through risk assessment, case management, and disease management) among, health care providers, or the referral of an individual from one provider to another, or coordination of health care or other services among health care providers and third parties authorized by the health plan or the individual. Our definition is intended to relate only to services provided to an individual and not to an entire enrolled population.

28. Use. We would propose a new definition of the term ‘‘use’’ to mean the employment, application, utilization, examination or analysis of health information within an entity that holds the information.

29. Workforce. We would define ‘‘workforce’’ to mean employees, volunteers, trainees and other persons under the direct control of a covered entity, including persons providing labor on an unpaid basis.

C. General Rules. (§ 164.506)

[Please label comments about this section with the subject: ‘‘Introduction to general rules’’]

The purpose of our proposal is to define and limit the circumstances in which an individual’s protected health information could be used or disclosed by covered entities. As discussed above, we are proposing to make the use and exchange of protected health information relatively easy for health care purposes and more difficult for purposes other than health care.

As a general rule, we are proposing that protected health information not be used or disclosed by covered entities except as authorized by the individual who is the subject of such information or as explicitly provided by this rule. Under this proposal, most uses and disclosures of an individual’s protected health information would not require explicit authorization by the individual, but would be restricted by the provisions of the rule. Covered entities would be able to use or disclose an individual’s protected health information without authorization for treatment, payment and health care operations. See proposed § 164.506(a)(1)(i). Covered entities also would be permitted to use or disclose an individual’s protected health information for specified public and public policy-related purposes, including public health, research, health oversight, law enforcement, and use by coroners. Covered entities would be permitted by this rule to use and disclose protected health information when required to do so by other law, such as a mandatory reporting requirement under State law or pursuant to a search warrant. See proposed § 164.510. Covered entities would be required by this rule to disclose protected health information for only two purposes: To permit individuals to inspect and copy protected health information about them (see proposed § 164.514) and for enforcement of this rule (see proposed § 164.522(e)).

The proposed rule generally would not require covered entities to vary the level of protection of protected health information based on the sensitivity of such information. We believe that all protected health information should have effective protection from inappropriate use and disclosure by covered entities, and except for limited classes of information that are not needed for treatment and payment purposes, we have not provided additional protection to protected health information that might be considered particularly sensitive. We would note that the proposed rule would not preempt provisions of other applicable laws that provide additional privacy protection to certain classes of protected health information. We understand, however, that there are medical conditions and treatments that individuals may believe are particularly sensitive, or which could be the basis of stigma or discrimination. We invite comment on whether this rule should provide for additional protection for such information. We would appreciate comment that discusses how such information should be identified and the types of steps that covered entities could take to provide such additional protection. We also invite comment on how such provisions could be enforced.

Covered entities of all types and sizes would be required to comply with the proposed privacy standards outlined below. The proposed standards would not impose particular mechanisms or procedures that covered entities must adopt to implement the standards. Instead, we would require that each affected entity assess its own needs and devise, implement, and maintain appropriate privacy policies, procedures, and documentation to address its business requirements. How each privacy standard would be satisfied would be business decisions that each entity would have to make. This allows the privacy standards to establish a stable baseline, yet remain flexible enough to take advantage of developments and methods for protecting privacy that will evolve over time.

Because the privacy standards would need to be implemented by all covered entities, from the smallest provider to the largest, multi-state health plan, a single approach to implementing these standards would be neither economically feasible nor effective in safeguarding health information privacy. For example, in a small physician practice, the office manager might be designated to serve as the privacy official as one of many duties (see proposed § 164.518(a)) whereas at a large health plan, the privacy official may constitute a full time position and have the regular support and advice of a privacy staff or board.

Similarly, a large enterprise may make frequent electronic disclosures of similar data. In such a case, the enterprise would be expected to remove identifiers or to limit the data fields that are disclosed to fit the purpose of the disclosure. The process would be documented and perhaps even automated. A solo physician’s office, however, would not be expected to have the same capabilities to limit the amount of information disclosed, although, in the cases of disclosures involving a small number of records, such an office could be expected to hide identifiers or to limit disclosures to certain pages of the medical record that are relevant to the purpose of the disclosure.

In taking this approach, we intend to strike a balance between the need to maintain the confidentiality of protected health information and the economic cost of doing so. Health care entities must consider both aspects in devising their solutions. This approach is similar to the approach we proposed in the Notice of Proposed Rulemaking for the administrative simplification security and electronic signature standards.

1. Use and Disclosure for Treatment, Payment, and Health Care Operations. (§ 164.506(a))

[Please label comments about this section with the subject: ‘‘Treatment, payment, and health care operations’’]

We are proposing that, subject to limited exceptions for psychotherapy notes and research information unrelated to treatment discussed below, a covered entity be permitted to use or disclose protected health information without individual authorization for treatment, payment or health care operations.

The Secretary’s Recommendations proposed that covered entities be able to use individually identifiable health information without authorization of the identified individual for treatment and payment and for purposes that are ‘‘compatible with and directly related to’’ treatment and payment. The Recommendations further explained that the terms ‘‘treatment’’ and ‘‘payment’’ were to be construed broadly, encompassing treatment and payment for all patients. They also noted that the test of ‘‘compatible with and directly related to’’ is meant to be more restrictive than the test currently used in the Privacy Act, 5 U.S.C. 552a, for determining whether a proposed ‘‘routine use’’ is sufficiently related to the primary purpose for which the information would be collected to permit its release under the proposed ‘‘routine use.’’ The Privacy Act permits release of such information if the proposed routine use is ‘‘compatible with’’ the purpose for which the information is collected. Our proposal is intended to be consistent with this discussion from the Secretary’s Recommendations.

a. General rule for treatment, payment, and health care operations. We are not proposing to require individual authorizations of uses and disclosures for health care and related purposes, although such authorizations are routinely gathered today as a condition of obtaining health care or enrolling in a health plan. Although many current disclosures of health information are made pursuant to individual authorizations, these authorizations provide individuals with little actual control over their health information. When an individual is required to sign a blanket authorization at the point of receiving care or enrolling for coverage, that consent is often not voluntary because the individual must sign the form as a condition of treatment or payment for treatment. Individuals are also often asked to sign broad authorizations but are provided little or no information about how their health information may be or will in fact be used. Individuals cannot make a truly informed decision without knowing all the possible uses, disclosures and re-disclosures to which their information will be subject. In addition, since the authorization usually precedes creation of the record, the individual cannot predict all the information the record may contain and therefore cannot make an informed decision as to what would be released.

Our proposal is intended to make the exchange of protected health information relatively easy for health care purposes and more difficult for purposes other than health care. For individuals, health care treatment and payment are the core functions of the health care system. This is what they expect their health information will be used for when they seek medical care and present their proof of insurance to the provider. Consistent with this expectation, we considered requiring a separate individual authorization for every use or disclosure of information but rejected such an approach because it would not be realistic in an increasingly integrated health care system. For example, a requirement for separate patient authorization for each routine referral could impair care, by delaying consultation and referral, as well as payment.

We therefore propose that covered entities be permitted to use and disclose protected health information without individual authorization for treatment and payment purposes, and for related purposes that we have defined as health care operations. For example, health care providers could maintain and refer to a medical record, disclose information to other providers or persons as necessary for consultation about diagnosis or treatment, and disclose information as part of referrals to other providers. Health care providers also could use a patient’s protected health information for payment purposes such as submitting a claim to a payer. In addition, they could use a patient’s protected health information for health care operations, such as use for an internal quality oversight review. We would note that, in the case of an individual where the provider has agreed to restrictions on use or disclosure of the patient’s protected health information, the provider is bound by such restrictions as provided in § 164.506(c).

Similarly, health plans could use an enrollee’s protected health information for payment purposes, such as reviewing and paying health claims that have been submitted to it, pre-admission screening of a request for hospitalization, or post-claim audits of health care providers. Health plans also could use an enrollee’s protected health information for health care operations, such as reviewing the utilization patterns or outcome performance of providers participating in their network.

Further, as described in more detail below, health care providers and health plans would not need individual authorization to provide protected health information to a business partner for treatment, payment or health care operations functions if the other requirements for disclosing to business partners are met. See proposed § 164.506(e).

We intend that the right to use and disclose protected health information be interpreted to apply for treatment and payment of all individuals. For example, in the course of providing care to a patient, a physician could wish to examine the records of other patients with similar conditions. Likewise, a physician could consult the records of several people in the same family or living in the same household to assist in diagnosis of conditions that could be contagious or that could arise from a common environmental factor. A health plan or a provider could use the protected health information of a number of enrollees to develop treatment protocols, practice guidelines, or to assess quality of care. All of these uses would be permitted under this proposed rule.

Our proposal would not restrict to whom disclosures could be made for treatment, payment or operations. For example, covered entities could make disclosures to non-covered entities for payment purposes, such as a disclosure to a workers compensation carrier for coordination of benefits purposes. We note, however, that when disclosures are made to non-covered entities, the ability of this proposed rule to protect the confidentiality of the information ends. This points to the need for passage of more comprehensive privacy legislation that would permit the restrictions on use and disclosure to follow the information beyond covered entities.

We also propose to prohibit covered entities from seeking individual authorization for uses and disclosures for treatment, payment and health care operations unless required by State or other applicable law. As discussed above in this section, such authorizations could not provide meaningful privacy protections or individual control and could in fact cultivate in individuals erroneous understandings of their rights and protections.

The general approach that we are proposing is not new. Some existing State health confidentiality laws permit disclosures without individual authorization to other health care providers treating the individual, and the Uniform Health-Care Information Act permits disclosure ‘‘to a person who is providing health-care to the patient’’ (9 part I, U.L.A. 475, 2–104 (1988 and Supp. 1998)). We believe that this approach would be the most realistic way to protect individual confidentiality in an increasingly data-driven, electronic and integrated health care system. We recognize, however, that, particularly given the limited scope of the authority that we have under this proposed rule to reach some significant actors in the health care system, other approaches could be of interest. We invite comments on whether other approaches to protecting individuals’ health information would be more effective.

b. Health care operations. We considered the extent to which the covered entities might benefit from further guidance on the types of activities that appropriately would be considered health care operations. The term is defined in proposed § 164.504. In the debates that have surrounded privacy legislation before the Congress, there has been substantial discussion of the definition of health care operations, with some parties advocating for a very broad definition and others advocating a more restrictive approach.

Given the lack of consensus over the extent of the activities that could be encompassed within the term health care operations, we determined that it would be helpful to identify activities that, in our opinion, are sufficiently unrelated to the treatment and payment functions to require an individual to authorize use of his or her information.

We want to make clear that these activities would not be prohibited, and do not dispute that many of these activities are indeed beneficial to both individuals and the institutions involved. Nonetheless, they are not necessary for the key functions of treatment and payment and therefore would require the authorization of the individual before his/her information could be used. These activities would include but would not be limited to:

• The use of protected health information for marketing of health and non-health items and services;

• The disclosure of protected health information for sale, rent or barter;

• The use of protected health information by a non-health related division of the same corporation, e.g., for use in marketing or underwriting life or casualty insurance, or in banking services;

• The disclosure, by sale or otherwise, of protected health information to a plan or provider for making eligibility or enrollment determinations, or for underwriting or risk rating determinations, prior to the individual’s enrollment in the plan;

• The disclosure of information to an employer for use in employment determinations; and

• The use or disclosure of information for fund raising purposes.

We invite comments on the activities within the proposed definitions of ‘‘treatment,’’ ‘‘payment,’’ and ‘‘health care operations,’’ as well as the activities proposed to be excluded from these definitions.

c. Exception for psychotherapy notes. We propose that a covered health care provider not be permitted to disclose psychotherapy notes, as defined by this proposed rule, for treatment, payment, or health care operations unless a specific authorization is obtained from the individual. In addition, a covered entity would not be permitted to condition treatment of an individual, enrollment of an individual in a health plan, or payment of a claim for benefits made by or on behalf of an individual on a requirement that the individual provide a specific authorization for the disclosure of psychotherapy notes.

We would define ‘‘psychotherapy notes’’ to mean detailed notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session. Such notes could be used only by the therapist who wrote them, would have to be maintained separately from the medical record, and could not be involved in the documentation necessary for health care treatment, payment, or operations (as defined in § 164.504). Such term would not include medication prescription and monitoring, counseling session start and stop times or the modalities and frequencies of treatment furnished, results of clinical tests, or summaries of the following items: diagnoses, functional status, the treatment plan, symptoms, prognosis and progress to date.

Psychotherapy notes are of primary value to the specific provider and the promise of strict confidentiality helps to ensure that the patient will feel comfortable freely and completely disclosing very personal information essential to successful treatment. Unlike information shared with other health care providers for the purposes of treatment, psychotherapy notes are more detailed and subjective and are subject to unique rules of disclosure. In Jaffee v. Redmond, 518 U.S. 1 (1996), the Supreme Court ruled that conversations and notes between a patient and psychotherapist are confidential and protected from compulsory disclosure. The language in the Supreme Court opinion makes the rationale clear:

Like the spousal and attorney-client privileges, the psychotherapist-patient privilege is ‘‘rooted in the imperative need for confidence and trust.’’ * * * Treatment by a physician for physical ailments can often proceed successfully on the basis of a physical examination, objective information supplied by the patient, and the results of diagnostic tests. Effective psychotherapy, by contrast, depends upon an atmosphere of confidence and trust in which the patient is willing to make a frank and complete disclosure of facts, emotions, memories, and fears. Because of the sensitive nature of the problems for which individuals consult psychotherapists, disclosure of confidential communications made during counseling sessions may cause embarrassment or disgrace. For this reason, the mere possibility of disclosure may impede development of the confidential relationship necessary for successful treatment. As the Judicial Conference Advisory Committee observed in 1972 when it recommended that Congress recognize a psychotherapist privilege as part of the Proposed Federal Rules of Evidence, a psychiatrist’s ability to help her patients ‘‘is completely dependent upon (the patients’) willingness and ability to talk freely. This makes it difficult if not impossible for (a psychiatrist) to function without being able to assure * * * patients of confidentiality and, indeed, privileged communication. Where there may be exceptions to this general rule * * *, there is wide agreement that confidentiality is a sine qua non for successful psychiatric treatment. * * *’’

By protecting confidential communications between a psychotherapist and her patient from involuntary disclosure, the proposed privilege thus serves important private interests. * * * The psychotherapist privilege serves the public interest by facilitating the provision of appropriate treatment for individuals suffering the effects of a mental or emotional problem. The mental health of our citizenry, no less than its physical health, is a public good of transcendent importance.

That it is appropriate for the federal courts to recognize a psychotherapist privilege under Rule 501 is confirmed by the fact that all 50 States and the District of Columbia have enacted into law some form of psychotherapist privilege. * * * Because state legislatures are fully aware of the need to protect the integrity of the fact finding functions of their courts, the existence of a consensus among the States indicates that ‘‘reason and experience’’ support recognition of the privilege. In addition, given the importance of the patient’s understanding that her communications with her therapist will not be publicly disclosed, any State’s promise of confidentiality would have little value if the patient were aware that the privilege would not be honored in a federal court. * * * Jaffee, 518 U.S. 7–9.

The special status of the psychotherapist privilege in our society as well as the physical and conceptual segregation of the psychotherapy notes makes this prohibition on disclosures for treatment, payment and health care operations without a specific authorization from the individual reasonable and practical.

We note that the policy being applied to psychotherapy notes differs from the policy being applied to most other types of protected health information. For most protected health information, a covered entity would be prohibited from soliciting an authorization from an individual for treatment, payment and health operations unless such an authorization is required by other applicable law. In this case, because of the special status of psychotherapy notes as described above, we propose that a specific authorization be required before such notes can be disclosed within the treatment and payment systems. We propose this special treatment because there are few reasons why other health care entities should need the psychotherapy notes about an individual, and in those cases, the individual is in the best position to determine if the notes should be disclosed. For example, an individual could authorize disclosure if they are changing health care providers. Since we have defined psychotherapy notes in such a way that they do not include information that health plans would need to process a claim for services, special authorizations for payment purposes should be rare. We would note that the provisions governing authorizations under § 164.508 would apply to the special authorizations under this provision.

We also propose that covered entities not be permitted to condition treatment or payment decisions on a requirement that an individual provide a specific authorization for the use or disclosure of psychotherapy notes. The special protections that are being proposed would not be meaningful if covered entities could coerce individuals by conditioning treatment or payment decisions on a requirement that the individual authorize use or disclosures of such notes. This requirement would not prohibit the provider that creates the psychotherapy notes information from using the notes for treatment of the individual. The provider could not, however, condition the provision of treatment on a requirement that the individual authorize the use of the psychotherapy notes by the covered entity for other purposes or the disclosure of the notes by the provider to others.

We considered including other disclosures permitted under proposed § 164.510 within the prohibition described in this provision, but were unsure if psychotherapy notes were ever relevant to the public policy purposes underlying those disclosures. For example, we would assume that such notes are rarely disclosed for public health purposes or to next of kin. We solicit comment on whether there are additional categories of disclosures permitted under proposed § 164.510 for which the disclosure of psychotherapy notes by covered entities without specific individual authorization would be appropriate.

d. Exception for research information unrelated to treatment. Given the voluntary, often altruistic, nature of research participation, and the experimental character of data generated from many research studies, research participants should have assurances that the confidentiality of their individually identifiable information will be maintained in a manner that respects these unique characteristics. In the process of conducting health research, some information that is collected could be related to the delivery of health care to the individual and some could be unrelated to the care of the individual. Some information that is generated in the course of a research study could have unknown analytic validity, clinical validity, or clinical utility. In general, unknown analytic or clinical validity means that the sensitivity, specificity, and predictive value of the research information is not known. Specifically, analytic validity refers to how well a test performs in measuring the property or characteristic it is intended to measure. Another element of the test’s analytical validity is its reliability—that is, it must give the same result each time. Clinical validity is the accuracy with which a test predicts a clinical condition. Unknown clinical utility means that there is an absence of scientific and medical agreement regarding the applicability of the information for the diagnosis, prevention, or treatment of any malady, or the assessment of the health of the individual.

We would define ‘‘research information unrelated to treatment’’ as information that is received or created by a covered entity in the course of conducting research for which there is insufficient scientific and medical evidence regarding the validity or utility of the information such that it should not be used for the purpose of providing health care, and with respect to which the covered entity has not requested payment from a health plan.

Such information should never be used in a clinical treatment protocol but could result as a byproduct of such a protocol. For example, consider a study which involves the evaluation of a new drug, as well as an assessment of a genetic marker. The drug trial includes physical and radiographic examinations, as well as blood tests to monitor potential toxicity of the new drug on the liver; all of these procedures are part of the provision of health care, and therefore, would constitute ‘‘protected health information,’’ but not ‘‘research information unrelated to treatment.’’ In the same study, the investigators are searching for a genetic marker for this particular disease. To date, no marker has been identified and it is uncertain whether or not the preliminary results from this research study would prove to be a marker for this disease. The genetic information generated from this study would constitute ‘‘research information unrelated to treatment’’.

We solicit comment on this definition of ‘‘research information unrelated to treatment’’ and how it would work in practice.

Because the meaning of this information is currently unknown, we would prohibit its use and disclosure for treatment, payment and health care operations unless a specific authorization is obtained from the subject of the information. Failing to limit the uses and disclosures of this information within the health payment system would place research participants at increased risk of discrimination, which could result in individuals refusing to volunteer to participate in this type of research. Without the special protections that we are proposing, we are concerned that much potentially life-saving research could be halted. Moreover, because this information lacks analytical or clinical validity and clinical utility, and because we have defined it in terms that preclude researchers from seeking third-party reimbursement for its creation, there would not be a reason for this information to be further used or disclosed within the treatment and payment system without individual authorization.

We also propose that covered entities not be permitted to condition treatment or payment decisions on a requirement that an individual provide a specific authorization for the use or disclosure of research information unrelated to treatment. The special protections that are being proposed would not be meaningful if covered entities could coerce individuals into authorizing disclosure by conditioning treatment or payment decisions on a requirement that the individual authorize disclosures of such information. This requirement would not prohibit the covered entity that creates the information from using the information for the research purposes for which it was collected. The entity could not, however, condition the provision of treatment on a requirement that the individual authorize use of research information unrelated to treatment by the covered entity for other purposes or the disclosure of the information by the covered entity to others.

We considered including other uses and disclosures that would be permitted under § 164.510 within the prohibition described in this provision, but were unsure if research information unrelated to treatment would ever be relevant to the public policy purposes underlying those disclosures. We solicit comment on whether there are additional categories of uses or disclosures that would be permitted under proposed § 164.510 for which the use or disclosure of such information by covered entities without specific individual authorization would be appropriate.

2. Minimum Necessary Use and Disclosure. (§ 164.506(b))

[Please label comments about this section with the subject: “Minimum necessary”]

We propose that, except as discussed below, a covered entity must make all reasonable efforts not to use or disclose more than the minimum amount of protected health information necessary to accomplish the intended purpose of the use or disclosure, taking into consideration practical and technological limitations.

In certain circumstances, the assessment of what is minimally necessary is appropriately made by a person other than the covered entity; in those cases, discussed in this paragraph, and reflected in proposed § 164.506(b)(1)(i), the requirements of this section would not apply. First, the covered entity would not be required to make a “minimum necessary” analysis for the standardized content of the various HIPAA transactions, since that content has been determined through regulation. Second, with one exception, when an individual authorizes a use or disclosure the covered entity would not be required to make a “minimum necessary” determination. In such cases, the covered entity would be unlikely to know enough about the information needs of the third party to make a “minimum necessary” determination. The exception, when the “minimum necessary” principle would apply to an authorization, is for authorizations for use of protected health information by the covered entity itself. See proposed § 164.508(a)(2). Third, with respect to disclosures that are mandatory under this or other law, and which would be permitted under the rules proposed below, public officials, rather than the covered entity, would determine what information is required (e.g., coroners and medical examiners, State reporting requirements, judicial warrants). See proposed §§ 164.510 and 164.506(b)(1)(ii). Fourth, disclosure made pursuant to a request by the individual for access to his or her protected health information presents no possible privacy threat and therefore lies outside this requirement. See proposed § 164.506(b)(1)(i).

Under this proposal, covered entities generally would be required to establish policies and procedures to limit the amount of protected health care information used or disclosed to the minimum amount necessary to meet the purpose of the use or disclosure, and to limit access to protected health information only to those people who need access to the information to accomplish the use or disclosure. With respect to use, if an entity consists of several different components, the entity would be required to create barriers between components so that information is not used inappropriately. For example, a health plan that offers other insurance products would have policies and procedures to prevent protected health information from crossing over from one product line to another. The same principle applies to disclosures. For example, if a covered entity opts to disclose protected health information to a researcher pursuant to proposed § 164.510(j), it would need to ensure that only the information necessary for the particular research protocol is disclosed.

It should be noted that, under section 1173(d) of the Act, covered entities would also be required to satisfy the requirements of the Security standards, by establishing policies and procedures to provide access to health information systems only to persons who require access, and implement procedures to eliminate all other access. Thus, the privacy and security requirements would work together to minimize the amount of information shared, thereby lessening the possibility of misuse or inadvertent release.

A “minimum necessary” determination would need to be consistent with and directly related to the purpose of the use or disclosure and take into consideration the ability of a covered entity to delimit the amount of information used or disclosed and the relative burden imposed on the entity. The proposed minimum necessary requirement is based on a reasonableness standard: covered entities would be required to make reasonable efforts and to incur reasonable expense to limit the use and disclosure of protected health information as provided in this section.

In determining what a reasonable effort is under this section, covered entities should take into consideration the amount of information that would be used or disclosed, the extent to which the use or disclosure would extend the number of individuals or entities with access to the protected health information, the importance of the use or disclosure, the likelihood that further uses or disclosures of the protected health information could occur, the potential to achieve substantially the same purpose with de-identified information, the technology available to limit the amount of protected health information that is used or disclosed, the cost of limiting the use or disclosure, and any other factors that the covered entity believes are relevant to the determination. We would expect that in most cases where covered entities have more information than is necessary to accomplish the purpose of a use or disclosure, some method of limiting the information that is used or disclosed could be found.

We note that all of the uses and disclosures subject to the requirements of this provision are permissive; the minimum necessary provision does not apply to uses or disclosures mandated by law. Covered entities should not make uses or disclosures of protected health information where they are unable to make any efforts to reasonably limit the amount of protected health information used or disclosed for a permissive purpose. Where there is ambiguity regarding the particular information to be used or disclosed, this provision should be interpreted to require the covered entity to make some effort to limit the amount of information used or disclosed.

We note that procedures for implementing the minimum necessary requirement for uses would often focus on limiting the physical access that employees, business partners and others would have to the protected health information. Procedures which limit the specific employees or business partners, or the types of employees or business partners, who would be qualified to gain access to particular records would often be appropriate. Covered entities with advanced technological capabilities should also consider limiting access to appropriate portions of protected health information when it would be practical to do so.

The “minimum necessary” determination would include a determination that the purpose of the use or disclosure could not be reasonably accomplished with information that is not identifiable. Each covered entity would be required to have policies for determining when information must be stripped of identifiers before disclosure. If identifiers are not removed simply because of inconvenience to the covered entity, the “minimum necessary” rule would be violated.

Similarly, disclosure of an entire medical record, in response to a request for something other than the entire medical record, would presumptively violate the “minimum necessary” rule. Except where the individual has specifically authorized use or disclosure of the full medical record, when a covered entity receives a request for an entire medical record, the covered entity could not, under these proposed rules, disclose the entire record unless the request included an explanation of why the purpose of the disclosure could not reasonably be accomplished without the entire medical record.

The decisions called for in determining what would be the minimum necessary information to accomplish an allowable purpose should include both a respect for the privacy rights of the subjects of the medical record and the reasonable ability of covered entities to delimit the amount of individually identifiable health information in otherwise permitted uses and disclosures. For example, a large enterprise that makes frequent electronic disclosures of similar data would be expected to remove identifiers or to limit the data fields that are disclosed to fit the purpose of the disclosure. An individual physician’s office would not be expected to have the same capabilities to limit the amount of information disclosed, although, in the cases of disclosures involving a small number of records, such an office could be expected to hide identifiers or to limit disclosures to certain pages of the medical record that are relevant to the purpose of the disclosure.

Even where it might not be reasonable for a covered entity to limit the amount of information disclosed, there could be opportunities, when the use or disclosure does not require authorization by the individual, to reduce the scope of the disclosure in ways that substantially protect the privacy interests of the subject. For example, if a health researcher wants access to relatively discrete parts of medical records that are presently maintained in paper form for a large number of patients with a certain condition, it could be financially prohibitive for the covered entity to isolate the desired information. However, it could be reasonable for the covered entity to allow the researcher to review the records on-site and to abstract only the information relevant to the research. Much records research is done today through such abstracting, and this could be a good way to meet the “minimum necessary” principle. By limiting the physical distribution of the record, the covered entity would have effectively limited the scope of the disclosure to the information necessary for the purpose.

Proposed § 164.506(b) generally would place the responsibility for determining what disclosure is the “minimum necessary” on the covered entity making the disclosure. The exception would be for health plan requests for information from health care providers for auditing and related purposes. In this instance, since the provider is not in a position to negotiate with the payer, the duty would be shifted to the payer to request the “minimum necessary” information for the purpose. See proposed § 164.506(b)(1)(iv). Whenever a health plan requests a disclosure, it would be required to limit its requests to the information necessary to achieve the purpose of the request. For example, a health plan seeking protected health information from a provider or other health plan to process a payment should not request the entire health record unless it is actually necessary.

In addition, the proposal would permit covered entities to reasonably rely on requests by certain public agencies in determining the minimum necessary information for certain disclosures. For example, a covered entity that reasonably relies on the requests of public health agencies, oversight agencies, law enforcement agencies, coroners or medical examiners would be in compliance with this requirement. See proposed § 164.506(b)(3).

As discussed in prior HIPAA proposed rulemakings, it is likely to be easier to limit disclosure when disclosing computerized records than when providing access to paper records. Technological mechanisms to limit the amount of information available for a particular purpose, and make information available without identifiers, are an important contribution of technology to personal privacy. For example, the fields of information that are disclosed can be limited, identifiers (including names, addresses and other data) can be removed, and encryption can restrict to authorized personnel the ability to link identifiers back to the record.

For electronic information covered by the proposed rules, the “minimum necessary” requirement would mean reviewing, forwarding, or printing out only those fields and records relevant to the user’s need for information. Where reasonable (based on the size, sophistication and volume of the covered entity’s electronic information systems), covered entities would configure their record systems to allow selective access to different portions of the record, so that, for example, administrative personnel get access to only certain fields, and medical personnel get access to other fields. This selective access to information would be implemented using the access control technology discussed in the electronic security regulation.
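
The selective field access described above, as an added illustration that is not part of the proposed rule and not code from HHS: a per-role, per-purpose allow-list is applied to a constructed patient record, an unknown role or purpose receives nothing rather than the whole record, and a request for the entire record is refused unless it carries the explanation that the discussion of entire-record requests calls for. The role names, purpose names, field names and the sample record are all assumptions made for this example.

```python
"""Field-level "minimum necessary" filtering for a patient record (added example)."""
from dataclasses import dataclass
from typing import Optional

# Allow-lists keyed by (role, purpose). The default is deny: a field that no
# entry names is withheld from everyone, so a field added to the record later
# never reaches a role until someone decides that role needs it.
# Role, purpose and field names are constructed for this example.
ALLOW_LISTS = {
    ("billing", "payment"): frozenset({
        "patient_id", "encounter_date", "procedure_codes", "diagnosis_codes", "payer_id"}),
    ("clinician", "treatment"): frozenset({
        "patient_id", "name", "date_of_birth", "encounter_date", "diagnosis_codes",
        "procedure_codes", "medications", "allergies", "lab_results", "clinical_notes"}),
    ("front_desk", "scheduling"): frozenset({"patient_id", "name", "phone"}),
}

# Constructed sample record; not real data.
SAMPLE_RECORD = {
    "patient_id": "P-0001",
    "name": "Example Patient",
    "date_of_birth": "1970-01-01",
    "phone": "555-0100",
    "encounter_date": "1999-11-03",
    "payer_id": "PLAN-42",
    "diagnosis_codes": ["E11.9"],
    "procedure_codes": ["99213"],
    "medications": ["metformin"],
    "allergies": ["penicillin"],
    "lab_results": {"HbA1c": 7.1},
    "clinical_notes": "Follow-up visit; adjust dosage.",
}


@dataclass(frozen=True)
class Disclosure:
    """What was released and what was withheld, so the decision can be audited."""
    role: str
    purpose: str
    released: dict
    withheld: tuple


def minimum_necessary_view(record: dict, role: str, purpose: str) -> Disclosure:
    """Return only the fields the (role, purpose) allow-list names.

    An unknown pairing releases nothing: the failure mode of an access table
    should be "too little", never a fallback to the full record.
    """
    allowed = ALLOW_LISTS.get((role, purpose), frozenset())
    released = {name: value for name, value in record.items() if name in allowed}
    withheld = tuple(sorted(name for name in record if name not in allowed))
    return Disclosure(role, purpose, released, withheld)


def full_record_or_refuse(record: dict, justification: str) -> Optional[dict]:
    """A request for the entire record is refused unless it explains why a
    narrower disclosure would not serve the purpose."""
    if not justification.strip():
        return None
    return dict(record)


if __name__ == "__main__":
    for role, purpose in (("billing", "payment"), ("clinician", "treatment"),
                          ("intern", "curiosity")):
        view = minimum_necessary_view(SAMPLE_RECORD, role, purpose)
        print(f"{role}/{purpose}: released {sorted(view.released)}; withheld {view.withheld}")
    print("entire record without explanation:", full_record_or_refuse(SAMPLE_RECORD, ""))
```

Keeping the withheld field names in the `Disclosure` object is what makes the later periodic review of routine uses practical: the record of each decision shows what was held back, not just what went out.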

For non-electronic information covered by the proposed rules, “minimum necessary” would mean the selective copying of relevant parts of protected health information or the use of “order forms” to convey the relevant information. These techniques are already in use in the health care environment today, not because of privacy considerations, but because of the risk of losing access to the full medical record when needed for clinic or emergency visits.


This rule would require, in proposed § 164.520, that each covered entity document the administrative policies and procedures that it will use to meet the requirements of this section. With respect to the “minimum necessary” compliance standard, such procedures would have to describe the process or processes by which the covered entity will make minimum necessary determinations, the person or persons who will be responsible for making such determinations, and the process in place to periodically review routine uses and disclosures in light of new technologies or other relevant changes. Proposed uses or disclosures would have to be reviewed by persons who have an understanding of the entity’s privacy policies and practices, and who have sufficient expertise to understand and weigh the factors described above. See proposed § 164.506(b)(2). The policies that would be reasonable would vary depending on the nature and size of the covered entity. For large enterprises, the documentation of policies and procedures might identify the general job descriptions of the people that would make such decisions throughout the organization.

In addition, the procedures would provide that the covered entity will review each request for disclosure individually on its own merits (and, for research, the documentation of required IRB or other approval). Covered entities should not have general policies of approving all requests (or all requests of a particular type) for disclosures or uses without carefully considering the factors identified above as well as other information specific to the request that the entity finds important to the decision.

We understand that the requirements outlined in this section do not create a bright line test for determining the minimum necessary amount of protected health information appropriate for most uses or disclosures. Because of this lack of precision, we considered eliminating the requirement altogether. We also considered merely requiring covered entities to address the concept within their internal privacy procedures, with no further guidance as to how each covered entity would address the issue. These approaches were rejected because minimizing both the amount of protected health information used and disclosed within the health care system and the number of persons who have access to such information is vital if we are to successfully enhance the confidentiality of people’s personal health information. We invite comments on the approach that we have adopted and on alternative methods of implementing the minimum necessary principle.

3. Right to Restrict Uses and Disclosures. (§ 164.506(c))

[Please label comments about this section with the subject: “Right to restrict”]

We propose to permit in § 164.506(c) that individuals be able to request that a covered entity restrict further uses and disclosures of protected health information for treatment, payment, or health care operations, and if the covered entity agrees to the requested restrictions, the covered entity could not make uses or disclosures for treatment, payment or health care operations that are inconsistent with such restrictions, unless such uses or disclosures are mandated by law. This provision would not apply to health care provided to an individual on an emergency basis.

This proposal would not restrict the right of a provider to make an otherwise permissible disclosure under § 164.510, such as a disclosure for public health or emergency purposes. While there is nothing in this proposed rule that would prohibit a provider and an individual from agreeing in advance not to make such disclosures, such an agreement would not be enforceable through this proposed rule.

We should note that there is nothing in this proposed rule that requires a covered entity to agree to a request to restrict, or to treat or provide coverage to an individual requesting a restriction under this provision. Covered entities who do not wish to, or due to contractual obligations cannot, restrict further use or disclosure would not be obligated to treat an individual making a request under this provision. For example, some health care providers could feel that it is medically inappropriate to honor patient requests under this provision. The medical history and records of a patient, particularly information about current medications and other therapies, are often very much relevant when new treatment is sought, and the patient cannot seek to withhold this information from subsequent providers without risk.

Under this proposal, individuals could request broad restrictions on further uses and disclosures for treatment, payment or health care operations, or could request more limited restrictions relating to further uses or disclosures of particular portions of the protected health information or to further disclosures to particular persons. Covered entities could choose to honor the individual’s request, could decline to treat or provide coverage to the individual, or could propose an alternative restriction of further use or disclosure. The covered entity would not be bound by an individual’s request for restriction until its scope has been agreed to by the individual and the provider. Once an agreement has been reached, however, a covered entity that uses or discloses the protected health information resulting from the encounter in any manner that violates such agreement would be in violation of this provision.

We are not proposing to extend this right to individuals receiving emergency medical care, because emergency situations may not afford sufficient opportunity for the provider and patient to discuss the potential implications of restricting further use and disclosure of the resulting medical information. Additionally, a health care provider may not be free to refuse treatment to an emergency patient if the provider does not wish to honor a request to restrict further use or disclosure of health information, leaving the provider in an unfair position where she or he must choose between permitting medical harm to come to the patient or honoring a request that she or he feels may be inappropriate or which may violate the provider’s business practices or contractual obligations. Some health care providers are legally required to treat emergency patients (e.g., hospital emergency rooms), and would have no opportunity to refuse treatment as a result of a request to restrict further use and disclosure under this provision. Under the pressure of an emergency, a provider should not be expected to adhere to the restrictions associated with a particular individual’s information.

Under this proposal, covered entities would not be responsible for ensuring that agreed-upon restrictions are honored when the protected health information leaves the control of the covered entity or its business partners. For example, a provider would not be out of compliance if information she or he disclosed to another provider (consistent with the agreed upon restrictions and with notice of the applicable restrictions on uses and disclosures) is subsequently used or disclosed in violation of the restrictions.

The agreement to restrict use and disclosure under this provision would have to be documented to be binding on the covered entity. In proposed § 164.520, we would require covered entities to develop and document policies and procedures reasonably designed to ensure that the requests are followed, i.e., that unauthorized uses and disclosures are not made.


We note that this proposed rule would not permit covered entities to require individuals to invoke their right to restrict uses and disclosures; only the patient could make a request and invoke this right to restrict.

We considered providing individuals substantially more control over their protected health information by requiring all covered entities to attempt to accommodate any restrictions on use and disclosure requested by patients. We rejected this option as unworkable. While industry groups have developed principles for requiring patient authorizations, we have not found widely accepted standards for implementing patient restrictions on uses or disclosures. Restrictions on information use or disclosure contained in patient consent forms are sometimes ignored because they may not be read or are lost in files. Thus, it seems unlikely that a requested restriction could successfully follow a patient’s information through the health care system—from treatment to payment, through numerous operations, and potentially through certain permissible disclosures. Instead we would limit the provision to restrictions that have been agreed to by the covered entity.

We recognize that the approach that we are proposing could be difficult because of the systems limitations described above. However, we believe that the limited right for patients included in this proposed rule can be implemented because it only applies in instances in which the covered entity agrees to the restrictions. We assume that covered entities would not agree to restrictions that they are unable to implement.

We considered limiting the rights under this provision to patients who pay for their own health care (or for whom no payment was made by a health plan). Individuals and health care providers that engage in self-pay transactions have minimal effect on the rights or responsibilities of payers or other providers, and so there would be few instances when a restriction agreed to in such a situation would have negative implications for the interests of other health care actors. Limiting the right to restrict to self-pay patients also would reduce the number of requests that would be made under this provision. We rejected this approach, however, because the desire to restrict further uses and disclosures arises in many instances other than self-pay situations. For example, a patient could request that his or her records not be shared with a particular physician because that physician is a family friend. Or an individual could be seeking a second opinion and might not want his or her treating physician consulted. Individuals have a legitimate interest in restricting disclosures in these situations. We solicit comment on the appropriateness of limiting this provision to instances in which no health plan payment is made on behalf of the individual.

In making this proposal, we recognize that it could be difficult in some instances for patients to have a real opportunity to make agreements with covered entities, because it would not be clear in all cases which representatives of a covered entity could make an agreement on behalf of the covered entity. There also are concerns about the extent to which covered entities could ensure that agreed-upon restrictions would be followed. As mentioned above, current restrictions contained in patient consent forms are sometimes ignored because the person handling the information is unaware of the restrictions. We solicit comments on the administrative burdens this provision creates for covered entities, such as the burdens of administering a system in which some information is protected by federal law and other information is not.

We would note that we expect that systems for handling patient requests to restrict use and disclosure of information will become more responsive as technology develops. Therefore, we will revisit this provision as what is practicable changes over time. Proposed requirements for documenting internal procedures to implement this proposed provision are included in proposed § 164.520. We request comments on whether the final rule should provide examples of appropriate, scalable systems that would be in compliance with this standard.

4. Creation of De-identified Information (164.506(d))

[Please label comments about this section with the subject: “Creation of de-identified information”]

In this rule we are proposing that covered entities and their business partners be permitted to use protected health information to create de-identified health information. Covered entities would be permitted to further use and disclose such de-identified information in any way, provided that they do not disclose the key or other mechanism that would enable the information to be re-identified, and provided that they reasonably believe that such use or disclosure of de-identified information will not result in the use or disclosure of protected health information. See proposed § 164.506(d)(1). This means that a covered entity could not disclose de-identified information to a person if the covered entity reasonably believes that the person would be able to re-identify some or all of that information, unless disclosure of protected health information to such person would be permitted under this proposed rule. In addition, a covered entity could not use or disclose the key to coded identifiers if this rule would not permit the use or disclosure of the identified information to which the key pertains. If a covered entity re-identifies the de-identified information, it may only use or disclose the re-identified information consistent with these proposed rules, as if it were the original protected health information.

In some instances, covered entities creating de-identified health information could want to use codes or identifiers to permit data attributable to the same person to be accumulated over time or across different sources of data. For example, a covered entity could automatically code all billing information as it enters the system, substituting personal identifiers with anonymous codes that permit tracking and matching of data but do not permit people handling the data to create protected health information. Such a mechanism would be permissible as long as the key to unlocking the codes is not available to the people working with the de-identified information, and the entity otherwise makes no attempt to create protected health information from the de-identified information.
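
The coded-identifier mechanism described in this paragraph, as an added example that is not part of the proposed rule and not code from HHS: direct identifiers are dropped and replaced by a keyed code, so rows from two constructed sources can still be matched on the code, while the people working with the output hold no key with which to reverse it. The code is an HMAC-SHA256 of the medical record number under a key held by one component; that choice is an assumption for this example, since the rule prescribes no particular mechanism. Re-identification is confined to the key holder and logged. The identifier list, field names and sample rows are all constructed.

```python
"""Coded identifiers with the key held separately (added example)."""
import hashlib
import hmac
import secrets
from typing import Iterable, List, Optional

# Fields treated as directly identifying. Address is included because the
# rule's discussion says data that includes an address is identifiable by
# definition. The exact list is an assumption for this example.
DIRECT_IDENTIFIERS = frozenset({"mrn", "name", "address", "phone", "date_of_birth", "ssn"})

# Constructed sample rows from two sources; not real data.
BILLING_SOURCE = [
    {"mrn": "MRN-1001", "name": "Example One", "address": "1 Main St",
     "claim_amount": 120.0, "month": "1999-10"},
    {"mrn": "MRN-1002", "name": "Example Two", "address": "2 Main St",
     "claim_amount": 80.0, "month": "1999-10"},
]
LAB_SOURCE = [
    {"mrn": "MRN-1001", "name": "Example One", "phone": "555-0100",
     "hba1c": 7.1, "month": "1999-10"},
]


def subject_code(key: bytes, mrn: str) -> str:
    """Deterministic code for one person: the same MRN under the same key
    always yields the same code, so sources match; without the key the
    code cannot be turned back into the MRN."""
    return hmac.new(key, mrn.encode("utf-8"), hashlib.sha256).hexdigest()


def deidentify(records: Iterable[dict], key: bytes) -> List[dict]:
    """Strip direct identifiers and attach the subject code. This runs where
    the key lives (the coding step at data entry), never on the analysts' side."""
    out = []
    for rec in records:
        coded = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        coded["subject_code"] = subject_code(key, rec["mrn"])
        out.append(coded)
    return out


def link_by_code(a: List[dict], b: List[dict]) -> List[dict]:
    """Join two de-identified sets on subject_code; no identifier is needed."""
    by_code = {r["subject_code"]: r for r in b}
    return [{**ra, **by_code[ra["subject_code"]]} for ra in a if ra["subject_code"] in by_code]


class KeyHolder:
    """The one party that holds the key. Re-identification is a separate,
    logged act, and its result is protected health information again."""

    def __init__(self, key: Optional[bytes] = None):
        self._key = key if key is not None else secrets.token_bytes(32)
        self.reidentifications = []  # audit log of (code, purpose)

    @property
    def key(self) -> bytes:
        return self._key

    def reidentify(self, code: str, known_mrns: Iterable[str], purpose: str) -> Optional[str]:
        """Recompute codes for the MRNs on file and return the one that matches."""
        self.reidentifications.append((code, purpose))
        for mrn in known_mrns:
            if hmac.compare_digest(subject_code(self._key, mrn), code):
                return mrn
        return None


if __name__ == "__main__":
    holder = KeyHolder()
    billing = deidentify(BILLING_SOURCE, holder.key)
    labs = deidentify(LAB_SOURCE, holder.key)
    print("analysts see:", link_by_code(billing, labs))
    print("key holder resolves:", holder.reidentify(
        billing[0]["subject_code"], ["MRN-1001", "MRN-1002"], purpose="audit"))
```

The analysts' copy carries only `subject_code` and the non-identifying fields; a different key produces unrelated codes for the same people, which is why the key, and not the code list, is what the rule says must be kept from the people working with the data.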

There are many instances in which such individually identifiable health information is stripped of the information that could identify individual subjects and is used for analytical, statistical and other related purposes. Large data sets of de-identified information can be used for innumerable purposes that are vital to improving the efficiency and effectiveness of health care delivery, such as epidemiological studies, comparisons of cost, quality or specific outcomes across providers or payers, studies of incidence or prevalence of disease across populations, areas or time, and studies of access to care or differing use patterns across populations, areas or time. Researchers and others often obtain large data sets with de-identified information from providers and payers (including from public payers) to engage in these types of studies. This information is valuable for public health activities (e.g., to identify cost-effective interventions for a particular disease) as well as for commercial purposes (e.g., to identify areas for marketing new health care services).

We intend that this proposed provision will permit the important health care research that is being conducted today to continue under this rule. Indeed, it would be our hope that covered entities, their business partners, and others would make greater use of de-identified health information than they do today, when it is sufficient for the research purpose. Such practice would reduce the confidentiality concerns that result from the use of individually identifiable health information for some of these purposes. The selective transfer of health information without identifiers into an analytic database would significantly reduce the potential for privacy violations while allowing broader access to information for analytic purposes, without the overhead of audit trails and IRB review. For example, providing de-identified information to a pharmaceutical manufacturer to use in determining patterns of use of a particular pharmaceutical by general geographic location would be appropriate, even if the information were sold to the manufacturer. Such analysis using protected health information would be research and therefore would require individual authorization or approval by an IRB or similar board. We note that data that includes an individual’s address is “identifiable” by definition and could not be used in such databases.

We invite comment on the approach that we are proposing and on whether there are alternative approaches to standards for entities determining when health information can reasonably be considered no longer individually identifiable.

5. Application to business partners. (§ 164.506(e))

[Please label comments about this section with the subject: “Business partners”]

In § 164.506(e), we propose to require covered entities to take specific steps to ensure that protected health information disclosed to a business partner remains protected. We intend these provisions to allow customary business relationships in the health care industry to continue while providing privacy protections to the information shared in these relationships. Business partners would not be permitted to use or disclose protected health information in ways that would not be permitted of the covered entity itself under these rules.

Other than for purposes of consultation or referral for treatment, we would allow covered entities to disclose protected health information to business partners only pursuant to a written contract that would, among other specified provisions, limit the business partner’s uses and disclosures of protected health information to those permitted by the contract, and would impose certain security, inspection and reporting requirements on the business partner. We would hold the covered entity responsible for certain violations of this proposed rule made by their business partners, and require assignment of responsibilities when a covered entity acts as a business partner of another covered entity.

a. Who is a business partner? Under this proposed rule, a business partner would be a person to whom the covered entity discloses protected health information so that the person can carry out, assist with the performance of, or perform on behalf of, a function or activity for the covered entity. This would include contractors or other persons who receive protected health information from the covered entity (or from another business partner of the covered entity) for the purposes described in the previous sentence, including lawyers, auditors, consultants, third-party administrators, health care clearinghouses, data processing firms, billing firms, and other covered entities. This would not include persons who would be members of the covered entity’s workforce. The key features of the relationship would be that the business partner is performing an activity or function for or on behalf of the covered entity and that the business partner receives protected health information from the covered entity as part of providing such activity or function.

Many critical functions are performed every day by individuals and organizations that we would define as business partners. Under the proposal, billing agents, auditors, third-party administrators, attorneys, private accreditation organizations, clearinghouses, accountants, data warehouses, consultants and many other actors would be considered business partners of a covered entity. Most covered entities will use one or more business partners, to assist with functions such as claims filing, claims administration, utilization review, data storage, or analysis. For example, if a covered entity seeks accreditation from a private accreditation organization and provides such organization with protected health information as part of the accreditation process, the private accreditation organization would be a business partner of the covered entity. This would be true even if a third party, such as an employer or a public agency, required accreditation as a condition of doing business with it. The accreditation is being performed for the covered entity, not the third party, in such cases.

The covered entity may have business relationships with organizations that would not be considered to be business partners because protected health information is not shared or because services are not provided to the covered entity. For example, a covered entity could contract with another organization for facility management or food services; if these organizations do not receive protected health information for these functions or activities, they would not be considered business partners. In the case where a covered entity provides management services to another organization, the other organization would not be a business partner because it would be receiving, not providing, a service or function.

Under the proposal, a covered entity could become a business partner of another covered entity, such as when a health plan acts as a third-party administrator to an insurance arrangement or a self-funded employee benefit plan. In such cases, we propose that the authority of the covered entity acting as a business partner to use and disclose protected health information be constrained to the authority that any business partner in the same situation would have. Thus, the authority of a covered entity acting as a business partner to use and disclose protected health information obtained as a business partner would be limited by the contract or arrangement that created the business partner relationship.

In most cases, health care clearinghouses would fall under our definition of “business partner” because they receive protected health information in order to provide payment processing and other services to health plans, health care providers and their business partners, a case that would fall under our definition of “business partner.” Therefore, although health care clearinghouses would be covered entities, in many instances under this proposed rule they would also be treated as business partners of the health care providers or health plans for whom they are performing a service. We would note that because health care clearinghouses would generally be operating as business partners, we are proposing not to apply several requirements to health care clearinghouses that we otherwise would apply to covered plans and providers, such as requiring a notice of information practices, access for inspection and copying, and accommodation of requests for amendment or correction. See proposed §§ 164.512, 164.514 and 164.516.

b. Limitations on use or disclosure.

i. Scope of the covered entity’s authority.

Under this proposed rule, a business partner would be acting on behalf of a covered entity, and we propose that its use or disclosure of protected health information be limited to the same extent that the covered entity for whom they are acting would be limited. Thus, a business partner could have no more authority to use or disclose protected health information than that possessed by the covered entity from which the business partner received the information. For example, a business partner could not sell protected health information to a financial services firm without individual authorization because the covered entity would not be permitted to do so under these proposed rules. We would note that a business partner’s authority to use and disclose protected health information could be further restricted by its contract with a covered entity, as described below.

We are not proposing to require the business partners of covered entities to develop and distribute a notice of information practices, as provided in proposed § 164.512. A business partner would, however, be bound by the terms of the notice of the covered entity from which it obtains protected health information. For example, if a covered entity provided notice to its subscribers that it would not engage in certain permissible disclosures of protected health information, we are proposing that such a limitation would apply to all of the business partners of the covered entity that made the commitment. See proposed § 164.506(e). We are proposing this approach so that individuals could rely on the notices that they receive from the covered entities to which they disclose protected health information. If the business partners of a covered entity were able to make wider use or make more disclosures than the covered entity, the patients or enrollees of the covered entity would have difficulty knowing how their information was being used and to whom it was being disclosed.

ii. Scope of the contractual agreement.

We are also proposing that a business partner’s use and disclosure of protected health information be limited by the terms of the business partner’s contractual agreement with the covered entity. We propose that a contract between a covered entity and a business partner could not grant the business partner authority to make uses or disclosures of protected health information that the covered entity itself would not have the authority to make. The contract between a covered entity and a business partner could further limit the business partner’s authority to use or disclose protected health information as agreed to by the parties. Further, the business partner would have to apply the same limitations to its subcontractors (or persons with similar arrangements) who assist with or carry out the business partner’s activities.

To help ensure that the uses and disclosures of business partners would be limited to those recognized as appropriate by the covered entities from whom they receive protected health information, subject to the exception discussed below, we are proposing that covered entities be prohibited from disclosing protected health information to a business partner unless the covered entity has entered into a written contract with the business partner that meets the requirements of this subsection. See proposed § 164.506(e)(2)(i). The written contract between a covered entity and a business partner would be required to:

• Prohibit the business partner from further using or disclosing the protected health information for any purpose other than the purpose stated in the contract.

• Prohibit the business partner from further using or disclosing the protected health information in a manner that would violate the requirements of this proposed rule if it were done by the covered entity. As discussed above, the covered entity could not permit the business partner to make uses or disclosures that the covered entity could not make.

• Require the business partner to maintain safeguards as necessary to ensure that the protected health information is not used or disclosed except as provided by the contract. We are only proposing a general requirement; the details can be negotiated to meet the particular needs of each arrangement. For example, if the business partner is a two-person firm the contractual provisions regarding safeguards may focus on controlling physical access to a computer or file drawers, while a contract with a business partner with 500 employees would address use of electronic technologies to provide security of electronic and paper records.

• Require the business partner to report to the covered entity any use or disclosure of the protected health information of which the business partner becomes aware that is not provided for in the contract.

• Require the business partner to ensure that any subcontractors or agents to whom it provides protected health information received from the covered entity will agree to the same restrictions and conditions that apply to the business partner with respect to such information.

• Establish how the covered entity would provide access to protected health information to the subject of that information, as would be required under § 164.514, when the business partner has made any material alteration in the information. The covered entity and the business partner would determine in advance how the covered entity would know or could readily ascertain when a particular individual’s protected health information has been materially altered by the business partner, and how the covered entity could provide access to such information.

• Require the business partner to make available its internal practices, books and records relating to the use and disclosure of protected health information received from the covered entity to HHS or its agents for the purposes of enforcing the provisions of this rule.

• Establish how the covered entity would provide access to protected health information to the subject of that information, as would be required under § 164.514, in circumstances where the business partner will hold the protected health information and the covered entity will not.

• Require the business partner to incorporate any amendments or corrections to protected health information when notified by the covered entity that the information is inaccurate or incomplete.

• At termination of the contract, require the business partner to return to the covered entity or destroy all protected health information received from the covered entity that the business partner still maintains in any form, and prohibit the business partner from retaining such protected health information in any form.

• State that individuals who are the subject of the protected health information disclosed are intended to be third party beneficiaries of the contract.

• Authorize the covered entity to terminate the contract, if the covered entity determines that the business partner has repeatedly violated a term of the contract required by this paragraph.

Each specified contract term above would be considered a separate implementation specification under this proposal for situations in which a contract is required, and, as discussed below, a covered entity would be responsible for assuring that each such implementation standard is met by the business partner. See proposed § 164.506(e)(2). The contract could include any additional arrangements that do not violate the provisions of this regulation.

The contract requirement that we are proposing would permit covered entities to exercise control over their business partners’ activities and provide documentation of the relationship between the parties, particularly the scope of the uses and disclosures of protected health information that business partners could make. The presence of a contract also would formalize the relationship, better ensuring that key questions such as security, scope of use and disclosure, and access by individuals are adequately addressed and that the roles of the respective parties are clarified. Finally, a contract can bind the business partner to return any protected health information from the covered entity when the relationship is terminated.

In lieu of a contracting requirement, we considered imposing only affirmative duties on covered entities to ensure that their relationships with business partners conformed to the standards discussed in the previous paragraph. Such an approach could be considered less burdensome and restrictive, because we would be leaving it to the parties to determine how to make the standards effective. We rejected this approach primarily because we believe that in the vast majority of cases, the only way that the parties could establish a relationship with these terms would be through contract. We also determined that the value of making the terms explicit through a written contract would better enable the parties to know their roles and responsibilities, as well as better enable the Secretary to exercise her oversight role. In addition, we understand that most covered entities already enter into contracts in these situations and therefore this proposal would not disturb general business practice. We invite comment on whether there are other contractual or non-contractual approaches that would afford an adequate level of protection to individuals’ protected health information. We also invite comment on the specific provisions and terms of the proposed approach.

We are proposing one exception to the contracting requirement: when a covered entity consults with or makes a referral to another covered entity for the treatment of an individual, we would propose that the sharing of protected health information pursuant to that consultation or referral not be subject to the contracting requirement described above. See proposed § 164.506(e)(1)(i). Unlike most business partner relationships, which involve the systematic sharing of protected health information under a business relationship, consultation and referrals for treatment occur on a more informal basis among peers, and are specific to a particular individual. Such exchanges of information for treatment also appear to be less likely to raise concerns about further impermissible use or disclosure, because health care providers receiving such information are unlikely to have a commercial or other interest in using or disclosing the information. We invite comment on the appropriateness of this exception, and whether there are additional exceptions that should be included in the final regulation.

We note that covered health care providers receiving protected health information for consultation or referral purposes would still be subject to this rule, and could not use or disclose such protected health information for a purpose other than the purpose for which it was received (i.e., the consultation or referral). Further, we note that providers making disclosures for consultations or referrals should be careful to inform the receiving provider of any special limitations or conditions that the disclosing provider has agreed to impose (e.g., the disclosing provider has provided notice to its patients that it will not make disclosures for research).

Under the system that we are proposing, business partners (including business partners that are covered entities) that have contracts with more than one covered entity would have no authority to combine, aggregate or otherwise use for a single purpose protected health information obtained from more than one covered entity unless doing so would have been a lawful use or disclosure for each of the covered entities that supplied the protected health information that is being combined, aggregated or used. In addition, the business partner must be authorized through the contract or arrangement with each covered entity that supplied the protected health information to combine or aggregate the information. For example, a business partner of a health plan would be permitted to disclose information to another health plan for coordination of benefits purposes, if such a disclosure were authorized by the business partner’s contract with the covered entity that provided the protected health information. However, a business partner that is performing an audit of a group medical practice on behalf of several health plans could not combine protected health information that it had received from each of the plans, even if the business partner’s contracts with the plans attempted to allow such activity, because the plans themselves would not be permitted to exchange protected health information for such a purpose. A covered entity would not be permitted to obtain protected health information through a business partner that it could not otherwise obtain itself.

We further note that, as discussed above in section II.C.4, under our proposal a business partner generally could create a database of de-identified health information drawn from the protected health information of more than one covered entity with which it does business, and could use and disclose information and analyses from the database as they see fit, as long as there was no attempt to re-identify the data to create protected health information. In the example from the preceding paragraph, the business partner could review the utilization patterns of a group medical practice on behalf of several groups of plans by establishing a database of de-identified health information drawn from all of its contracts with covered entities and review the use patterns of all of the individuals in the database who had been treated by the medical group. The results of the analyses could be used by or distributed to any person, subject to the limitation that the data could not be identified. We would caution that business partners releasing such information and analyses would need to ensure that they do not inadvertently disclose protected health information by releasing examples or discussing specific cases in such a way that the information could be identified by people receiving the analysis or report.

c. Accountability. We are proposing that covered entities be accountable for the uses and disclosures of protected health information by their business partners. A covered entity would be in violation of this rule if the covered entity knew or reasonably should have known of a material breach of the contract by a business partner and it failed to take reasonable steps to cure the breach or terminate the contract. See proposed § 164.506(e)(2)(iii). A covered entity that is aware of impermissible uses and disclosures by a business partner would be responsible for taking such steps as are necessary to prevent further improper use or disclosures and, to the extent practicable, for mitigating any harm caused by such violations. This could include, for example, requiring the business partner to retrieve inappropriately disclosed information (even if the business partner must pay for it) as a condition of continuing to do business with the covered entity. A covered entity that knows or should know of impermissible use of protected health information by its business partner and fails to take reasonable steps to end the breach would be in violation of this rule.

Where a covered entity acts as a business partner to another covered entity, the covered entity that is acting as business partner would also be responsible for any violations of the regulation.

We considered requiring covered entities to terminate relationships with business partners if the business partner committed a serious breach of contract terms required by this subsection or if the business partner exhibited a pattern or practice of behavior that resulted in repeated breaches of such terms. We rejected that approach because of the substantial disruptions in business relationships and customer service when terminations occur. We instead require the covered entity to take reasonable steps to end the breach and mitigate its effects. We would expect covered entities to terminate the arrangement if it becomes clear that a business partner cannot be relied upon to maintain the privacy of protected health information provided to it. We invite comments on our approach here and whether requiring automatic termination of business partner contracts would be warranted in any circumstances.

We also considered imposing more strict liability on covered entities for the actions of their business partners, just as principals are strictly liable for the actions of their agents under common law. We decided, however, that this could impose too great a burden on covered entities, particularly small providers. We are aware that, in some cases, the business partner will be larger and more sophisticated with respect to information handling than the covered entity. Therefore we instead opted to propose that covered entities monitor use of protected health information by business partners, and be held responsible only when they knew or reasonably should have known of improper use of protected health information.

Our intention in this subsection is to recognize the myriad business relationships that currently exist and to ensure that when they involve the exchange of protected health information, the roles and responsibilities of the different parties with respect to the protected health information are clear. We do not propose to fundamentally alter the types of business relationships that exist in the health care industry or the manner in which they function. We request comments on the extent to which our proposal would disturb existing contractual or other arrangements among covered entities and business partners.

6. Application to Information About Deceased Persons (§ 164.506(f))

[Please label comments about this section with the subject: “Deceased persons”]

We are proposing that information otherwise protected by these regulations retain that protection for two years after the death of the subject of the information. The only exception that we are proposing is for uses and disclosures for research purposes.

HIPAA includes no temporal limitations on the application of the privacy protections. Although we have the authority to protect individually identifiable health information maintained by a covered entity indefinitely, we are proposing that the requirements of this rule generally apply for only a limited period, as discussed below. In traditional privacy law, privacy interests, in the sense of the right to control use or disclosure of information about oneself, cease at death. However, good arguments exist in favor both of protecting and not protecting information about the deceased. Considering that one of the underlying purposes of health information confidentiality is to encourage a person seeking treatment to be frank in the interest of obtaining care, there is good reason for protecting information even after death. Federal agencies and others sometimes withhold sensitive information, such as health information, to protect the privacy of surviving family members. At the same time, perpetual confidentiality has serious drawbacks. If information is needed for legitimate purposes, the consent of a living person legally authorized to grant such consent must be obtained, and the further from the date of death, the more difficult it may be to identify the person. The administrative burden of perpetual protection may eventually outweigh the privacy interests served.

The proposed two-year period of confidentiality, with an exception for uses and disclosures for research purposes, would preserve dignity and respect by preventing uncontrolled disclosure of information immediately after death while allowing access to the information for proper purposes during this period and for any purpose thereafter. We would not subject the use or disclosure of protected health information of deceased individuals to the requirements in proposed § 164.510(j) governing most uses and disclosures for research because we believe that it is important to remain as consistent as possible with the Common Rule. The Common Rule does not consider deceased persons to be “human subjects” and therefore they have never been covered in the standard research protocol assessments conducted under the Common Rule. The Department of Health and Human Services will examine this issue in the context of an overall assessment of the Common Rule. Pending the outcome of this examination, we concluded that this exception was warranted so as not to interfere with standard research practice. We invite comments on whether the exception that we are proposing is necessary, or whether existing research using the protected health information of deceased individuals could proceed under the requirements of proposed § 164.510(j).

Under our proposal, and subject to the exceptions discussed above, the right to control the individual’s health information within that two-year time period would be held by an executor or administrator, or in the absence of such an officer, by next-of-kin, as determined under applicable law, or in absence of both, by the holder of the health information. This is reflected in the proposed definition of “individual” discussed above. The legally authorized representative would make decisions for the individual with regard to uses or disclosures of the information for purposes not related to treatment, payment or health care operations. Likewise, an authorized representative could exercise the individual rights of inspection, copying, amendment or correction under proposed §§ 164.514 and 164.516.

Under our proposal, information holders could choose to keep information confidential for a longer period. These proposed rules also would not override any legally required prohibitions on disclosure for longer periods.

One area of concern regarding the proposed two-year period of protection relates to information on individual genetic make-up or individual diseases and conditions that may be hereditary. Under the proposed rules, covered entities would be legally allowed to use such information or to disclose records to others, such as commercial collectors of information, two years after the death of the individual. Since genetic information about one family member may reveal health information about other members of that family, the health data confidentiality of living relatives could be compromised by such uses or disclosures. Likewise, information regarding the hereditary diseases or conditions of the deceased person may reveal health information about living relatives. In the past, information that may not have been legally protected was de facto protected for most people because of the difficulty of its collection and aggregation. With the dramatic proliferation of large electronic databases of information about individuals, growing software-based intelligence, and the declining cost of linking information from disparate sources, such information could now be more readily and cost-effectively accessed.

While various State laws have been passed specifically addressing privacy of genetic information, there is currently no federal legislation that deals with these issues. We considered extending the two-year period for genetic and hereditary information, but were unable to construct criteria for protecting the possible privacy interests of living children without creating extensive burden for information holders and hampering health research. We invite comments on whether further action is needed in this area and what types of practical provisions may be appropriate to protect genetic and hereditary health information.

7. Adherence to the Notice of Information Practices (§ 164.506(g))

[Please label comments about this section with the subject: “Adherence to notice”]

In § 164.506(g), we are proposing that covered plans and providers be required to adhere to the statements reflected in the notice of information practices that would be required under proposed § 164.512. In binding covered plans and providers to their notices, we intend to create a system where open and accurate communication between entities and individuals would become necessary and routine. The corollary to this general rule is that the covered plan or provider would be permitted to modify its notice at any time.

The information practices reflected in the most recent notice would apply to all protected health information regardless of when the information was collected. For example, if information was collected during a period when the notice stated that no disclosures would be made to researchers, and the covered plan or provider later decided that it wanted to disclose information to researchers, the entity would then need to revise its notice. The entity would be permitted to disclose all of the information in its custody to researchers as long as the notice is revised and re-distributed as provided below in § 164.512. We considered permitting a covered entity to change its information practices only with respect to protected health information obtained after it revised its notice. Such a requirement would assure individuals that the notice they received when they disclosed information to the covered entity would continue to apply to that information. We rejected that approach because compliance with such a standard would require covered entities to segregate or otherwise mark information based on the information practices that were in effect at different times. Such an approach would make covered entities extremely reluctant to revise their information practices, and otherwise would be extremely burdensome to administer.

We are concerned that by requiring covered plans and providers to adhere to the practices reflected in their notice, we would encourage entities to create broad, general notices so that all possible uses, disclosures and other practices would be included. Such broad notices would not achieve the goals of open and accurate communication between entities and individuals. We welcome comments on this requirement and alternative proposals to achieve the same goals.

8. Application to Covered Entities That Are Components of Organizations That Are Not Covered Entities

[Please label comments about this section with the subject: "Component entities"]

In this section we describe how the provisions of this proposed rule apply to persons or organizations that provide health care or have created health plans but are primarily engaged in other unrelated activities. Examples of such organizations include schools that operate on-site clinics, employers who operate self-funded health plans, and information processing companies that include a health care services component. The health care component (whether or not separately incorporated) of the organization would be the covered entity. Therefore, any movement of protected health information into another component of the organization would be a "disclosure," and would be lawful only if such disclosure would be authorized by this regulation. In addition, we propose to require such entities to create barriers to prevent protected health information from being used or disclosed for other activities not authorized or permitted under these proposed rules.

For example, schools frequently employ school nurses or operate on-site clinics. In doing so, the nurse or clinic component of the school would be acting as a provider, and must conform to this proposed rule. School clinics would be able to use protected health information obtained in an on-site clinic for treatment and payment purposes, but could not disclose it to the school for disciplinary purposes except as permitted by this rule. Similarly, an employee assistance program of an employer could meet the definition of "provider," particularly if health care services are offered directly by the program. Protected health information obtained by the employee assistance program could be used for treatment and payment purposes, but not for other purposes such as hiring and firing, placement and promotions, except as may be permitted by this rule.

D. Uses and Disclosures With Individual Authorization (§ 164.508)

[Please label comments about this section with the subject: "Individual authorization"]

This section addresses the requirements that we are proposing when protected health information is disclosed pursuant to the individual's explicit authorization. The regulation would require that covered entities have authorization from individuals before using or disclosing their protected health information for any purpose not otherwise recognized by this regulation. Circumstances where an individual's protected health information may be used or disclosed without authorization are discussed in connection with proposed §§ 164.510 and 164.522 below.

This section proposes different conditions governing such authorizations in two situations in which individuals commonly authorize covered entities to disclose information:

• Where the individual initiates the authorization because he or she wants a covered entity to disclose his or her record, and

• Where a covered entity asks an individual to authorize it to disclose or use information for purposes other than treatment, payment or health care operations.

In addition, this section proposes conditions where a covered entity or the individual initiates an authorization for use or disclosure of psychotherapy notes or research information unrelated to treatment. See discussion above in section II.C.1.c.

Individually identifiable health information is used for a vast array of purposes not directly related to providing or paying for an individual's health care. Examples of such uses include targeted marketing of new products and assessing the eligibility of an individual for certain public benefits or for commercial products based on their health status. Under these rules, these types of uses and disclosures could only be made by a covered entity with the specific authorization of the subject of the information. The requirements proposed in this section are not intended to interfere with normal uses and disclosures of information in the health care delivery or payment process, but only to permit control of uses extraneous to health care. The restrictions on disclosure that the regulation would apply to covered entities may mean that some existing uses and disclosures of information could take place only if the individual explicitly authorized them under this section.

Authorization would be required for these uses and disclosures because individuals probably do not envision that the information they provide when getting health care would be disclosed for such unrelated purposes. Further, once a patient's protected health information is disclosed outside of the treatment and payment arena, it could be very difficult for the individual to determine what additional entities have seen, used and further disclosed the information. Requiring an authorization from the patient for such uses and disclosures would enhance individuals' control over their protected health information.

We considered requiring a uniform set of requirements for all authorizations, but concluded that it would be appropriate to treat authorizations initiated by the individual differently from authorizations sought by covered entities. There are fundamental differences in the uses of information and in the relationships and understandings among the parties in these two situations. When individuals initiate authorizations, they are more likely to understand the purpose of the release and to benefit themselves from the use or disclosure. When a covered entity asks the individual to authorize disclosure, we believe the entity should make clear what the information will be used for, what the individual's rights are, and how the covered entity would benefit from the requested disclosure.

Individuals seek disclosure of their health information to others in many circumstances, such as when applying for life or disability insurance, when government agencies conduct suitability investigations, and in seeking certain job assignments where health is relevant. Another common instance is tort litigation, where an individual's attorney needs individually identifiable health information to evaluate an injury claim and asks the individual to authorize disclosure of records relating to the injury to the attorney.

There could also be circumstances where the covered entity asks an individual to authorize use or disclosure of information, for example to disclose it to a subsidiary to market life insurance to the individual. Similarly, the covered entity might ask that the individual authorize it to send information to a person outside that covered entity—possibly another covered entity or class of covered entity—for purposes outside of treatment, payment, or health care operations. See proposed § 164.508(a)(2)(ii).

1. Requirements When the Individual Has Initiated the Authorization

We are proposing several requirements that would have to be met in the authorization process when the individual has initiated the authorization.

The authorization would have to include a description of the information to be used or disclosed with sufficient specificity to allow the covered entity to know which information the authorization refers to. For example, the authorization could include a description of "laboratory results from July 1998" or "all laboratory results" or "results of MRI performed in July 1998." The covered entity would then use or disclose that information and only that information. If the covered entity does not understand what information is covered by the authorization, the use or disclosure would not be permitted unless the covered entity were able to clarify the request.

We are proposing no limitations on the information to be disclosed. If an individual wishes to authorize a covered entity to disclose his or her entire medical record, the authorization could so specify. But in order for the covered entity to disclose the entire medical record, the authorization would have to be specific enough to ensure that individuals have a clear understanding of what information is to be disclosed under the circumstances. For example, if the Social Security Administration seeks authorization for release of all health information to facilitate the processing of benefit applications, then the description would need to specify "all health information."

We would note that our proposal does not require a covered entity to disclose information pursuant to an individual's authorization. Therefore individuals may face reluctance on the part of covered entities that receive authorizations requiring them to classify and selectively disclose information when they do not benefit from the activity. Individuals would need to consider this when specifying the information in the authorization. Covered entities may respond to requests to analyze and separate information for selective disclosure by providing the entire record to the individual, who may then redact and release the information to others.

We do not propose to require an authorization initiated by an individual to state a purpose. When the individual has initiated the authorization, the entity would not need to know why he or she wants the information disclosed. Ideally, anyone asking an individual to authorize release of individually identifiable health information would indicate the purpose and the intended uses. We are unable to impose requirements on the many entities that make such requests, and it would not be feasible to ask covered entities to make judgments about intended uses of records that are disclosed. In the absence of legal controls in this situation, the prudent individual would obtain a clear understanding of why the requester needs the information and how it would be used.

We are proposing that the authorization would be required to identify sufficiently the covered entity or covered entities that would be authorized to use or disclose the protected health information by the authorization. Additionally, the authorization would be required to identify the person or persons that would be authorized to use or receive the protected health information with sufficient specificity to reasonably permit a covered entity responding to the authorization to identify the authorized user or recipient. When an authorization permits a class of covered entities to disclose information to an authorized person, each covered entity would need to know with reasonable certainty that the individual intended for it to release protected health information under the authorization.

Often, individuals provide authorizations to third parties, who present them to one or more covered entities. For example, an authorization could be completed by an individual and provided to a government agency, authorizing the agency to receive medical information from any health care provider that has treated the individual within a defined period. Such an authorization would be permissible (subject to the other requirements of this part) if it sufficiently identifies the government entity as the recipient of the disclosures and it sufficiently identifies the health care providers who would be authorized to release the individual's protected health information under the authorization.

We are proposing that the authorization must state a specific expiration date. We considered providing an alternative way of describing the termination of the authorization, such as "the conclusion of the clinical trial," or "upon acceptance or denial of this application for life insurance" (an "event"), but we are concerned that covered entities could have difficulty implementing such an approach. We also considered proposing that if an expiration date were indicated on the authorization, it be no more than two or three years after the date of the signature. We are soliciting comment on whether an event can be a termination specification, and whether this proposed rule should permit covered entities to honor authorizations with "unlimited" or extremely lengthy expiration dates or limit it to a set term of years, such as two or three years.

We are proposing that the authorization include a signature or other authentication (e.g., electronic signature) and the date of the signature. If the authorization is signed by an individual other than the subject of the information to be disclosed, that individual would have to indicate his or her authority or relationship with the subject.

The authorization would also be required to include a statement that the individual understands that he or she may revoke an authorization except to the extent that action has been taken in reliance on the authorization.

When an individual authorizes disclosure of health information to other than a covered entity, the information would no longer be protected under this regulation once it leaves the covered entity. Therefore, we propose that the authorization must clearly state that the individual understands that when the information is disclosed to anyone except a covered entity, it would no longer be protected under this regulation.

We understand that the requirements that we are imposing here would make it quite unlikely that an individual could actually initiate a completed authorization, because few individuals would know to include all of these elements in a request for information. We understand that in most instances, individuals accomplish authorizations for release of health records by completing a form provided by another party, either the ultimate recipient of the records (who may have a form authorizing them to request the records from the record holders) or a health care provider or health plan holding the records (who may have a form that documents a request for the release of records to a third party). For this reason, we do not believe that our proposal would create substantial new burdens on individuals or covered entities in cases when an individual is initiating an authorized release of information. We invite comment on whether we are placing new burdens on individuals or covered entities. We also invite comment on whether the approach that we have proposed provides sufficient protection to individuals who seek to have their protected health information used or disclosed.

2. Requirements When the Covered Entity Initiates the Authorization

We are proposing that when covered entities initiate the authorization by asking individuals to authorize disclosure, the authorization be required to include all of the items required above as well as several additional items. We are proposing additional requirements when covered entities initiate the request for authorization because in many cases it could be the covered entity, and not the individual, that achieves the primary benefit of the disclosure. We considered permitting covered entities to request authorizations with only the basic features proposed for authorizations initiated by the individual, for the sake of simplicity and consistency. However, we believe that additional protections would be merited when the entity that provides or pays for health care requests an authorization, in order to avert possible coercion.

When a covered entity asks an individual to sign an authorization, we propose to require that it provide on the authorization a statement that identifies the purposes for which the information is sought as well as the proposed uses and disclosures of that information. The required statements of purpose would provide individuals with the facts they need to make an informed decision as to whether to allow release of the information. Covered entities and their business partners would be bound by the statements provided on the authorization, and use or disclosure by the covered entity inconsistent with the statement would constitute a violation of this regulation. We recognize that the covered entities cannot know or control uses and disclosures that will be made by persons who are not business partners to whom the information is properly disclosed. As discussed above, authorizations would need to notify individuals that when the information is disclosed to anyone except a covered entity, it would no longer be protected under this regulation.

We propose to require that authorizations requested by covered entities be narrowly tailored to authorize use or disclosure of only the protected health information necessary to accomplish the purpose specified in the authorization. The request would be subject to the minimum necessary requirement as discussed in section II.C.2. We would prohibit the use of broad or blanket authorizations requesting the use or disclosure of protected health information for a wide range of purposes. Both the information that would be used or disclosed and the specific purposes for such uses or disclosures would need to be specified in the notice.

We are proposing that when covered entities ask individuals to authorize use or disclosure for purposes other than for treatment, payment, or health care operations, they be required to advise individuals that they may inspect or copy the information to be used or disclosed as provided in proposed § 164.514, that they may refuse to sign the authorization, and that treatment and payment could not be conditioned on the patient's authorization. For example, a request for authorization to use or disclose protected health information for marketing purposes would need to clearly state that the individual's decision would have no influence on his or her health care treatment or payment. In addition, we are proposing that when a covered entity requests an authorization, it must provide the individual with a copy of the signed authorization form.

Finally, we are proposing that when the covered entity initiates the authorization and the covered entity would be receiving financial or in-kind compensation in exchange for using or disclosing the health information, the authorization would include a statement that the disclosure would result in commercial gain to the covered entity. For example, a health plan may wish to sell or rent its enrollee mailing list. A pharmaceutical company may offer a provider a discount on its products if the provider can obtain authorization to disclose the demographic information of patients with certain diagnoses so that the company can market new drugs to them directly. A pharmaceutical company could pay a pharmacy to send marketing information to individuals on its behalf. Each such case would require a statement that the requesting entity will gain financially from the disclosure.

We considered requiring a contract between the provider and the pharmaceutical company in this type of arrangement, because such a contract could enhance protections and enforcement options against entities who violate these rules. A contract also would provide covered entities a basis to enforce any limits on further use or disclosures by authorized recipients. Although we are not proposing this approach now, we are soliciting comment on how best to protect the interests of the patient when the authorization for use or disclosure would result in commercial gain to the covered entity.

3. Model Forms

Covered entities and third parties that wish to have information disclosed to them would need to prepare forms for individuals to use to authorize use or disclosure. A model authorization form is displayed in the Appendix to this proposed rule. We considered presenting separate model forms for the two different types of authorizations (initiated by the individual and not initiated by the individual). However, this approach could be subject to misuse and be confusing to covered entities and individuals, who may be unclear as to which form is appropriate in specific situations. The model in the appendix accordingly is a unitary model, which includes all of the requirements for both types of authorization.

4. Plain Language Requirement

We are proposing that all authorizations must be written in plain language. If individuals cannot understand the authorization they may not understand the results of signing the authorization or their right to refuse to sign. See section II.F.1 for more discussion of the plain language requirement.

5. Prohibition on Conditioning Treatment or Payment

We propose that covered entities be prohibited, except in the case of a clinical trial as described below, from conditioning treatment or payment for health care on obtaining an authorization for purposes other than treatment, payment or health care operations. This is intended to prevent covered plans and providers from coercing individuals into signing an authorization for a disclosure that is not necessary for treatment, payment or health care operations. For example, a provider could not refuse to treat an individual because the individual refused to authorize a disclosure to a pharmaceutical manufacturer for the purpose of marketing a new product.

We propose one exception to this provision: health care providers would be permitted to condition treatment provided as part of a clinical trial on obtaining an authorization from the individual that his or her protected health information could be used or disclosed for research associated with such clinical trial. Permitting use of protected health information is part of the decision to receive care through a clinical trial, and health care providers conducting such trials should be able to condition participation in the trial on the individual's willingness to authorize that his or her protected health information be used or disclosed for research associated with the trial. We note that the uses and disclosures would be subject to the requirements of § 164.510(j) below.

Under the proposal, a covered entity would not be permitted to obtain an authorization for use or disclosure of information for treatment, payment or health care operations unless required by applicable law. Where such an authorization is required by law, however, it could not be combined in the same document with an individual authorization to use or disclose protected health information for any purpose other than treatment, payment or health care operations (e.g., research). We would require that a separate document be used to obtain any other individual authorizations to make it clear to the individual that providing an authorization for such other purpose is not a condition of receiving treatment or payment.

6. Inclusion in the Accounting and Disclosures

As discussed in section II.H.6, we propose that covered entities be required to keep a record of all disclosures for purposes other than treatment, payment or health care operations, including those made pursuant to authorization. In addition, we propose that when an individual requests such an accounting or requests a copy of a signed authorization form, the covered entity must give a copy to the individual. See proposed § 164.515.

7. Revocation of an Authorization by the Individual

We are proposing that an individual be permitted to revoke an authorization at any time except to the extent that action has been taken in reliance on the authorization. See proposed § 164.508(e). That is, an individual could change her or his mind about an authorization and cancel it, except that she or he could not thereby prevent the use or disclosure of information if the recipient has already acted in reliance on the authorization. For example, an individual might cancel her or his authorization to receive future advertisements, but the entity may be unable to prevent mailing of the advertisements that the covered entity or third party has already prepared but not yet mailed.

An individual would revoke the old authorization and sign a new authorization when she or he wishes to change any of the information in the original authorization. Upon receipt of the revocation, the covered entity would need to stop processing the information for use or disclosure to the greatest extent practicable.

8. Expired, Deficient, or False Authorization

The model authorization form or a document that includes the elements set out at proposed § 164.508 would meet the requirements of this proposed rule and would have to be accepted by the covered entity. Under § 164.508(b), there would be no "authorization" within the meaning of the rules proposed below if the submitted document has any of the following defects:

• The date has expired;

• On its face it substantially fails to conform to any of the requirements set out in proposed § 164.508, because it lacks an element;

• It has not been filled out completely. Covered entities may not rely on a blank or incomplete authorization;

• The authorization is known to have been revoked; or

• The information on the form is known by the person holding the records to be materially false.

We understand that it would be difficult for a covered entity to confirm the identity of the person who signed the authorization. We invite comment on reasonable steps that a covered entity could take to be assured that the individual who requests the disclosure is who she or he purports to be.
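The defect list in this subsection, together with the elements subsections 1 and 2 require of an authorization, can be expressed as a validation routine that a record holder runs before honoring a submitted document. The Python below is an added example, not text or code from HHS or the proposed rule; the Authorization fields, the two constructed sample documents and the AS_OF date are this example's own assumptions, and it treats a required field that is left blank the same way as a missing element, since the preamble says neither may be relied on.

```python
"""Authorization-document check modelled on the elements and defects the
preamble lists for proposed section 164.508. Added illustration, not HHS code;
field names, sample documents and AS_OF are assumptions of this example."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Constructed "today" for the samples: the NPRM's publication date.
AS_OF = date(1999, 11, 3)


@dataclass
class Authorization:
    """One submitted authorization, carrying the elements the preamble requires."""
    description: str = ""                                      # information to be used or disclosed
    covered_entities: List[str] = field(default_factory=list)  # who is authorized to disclose
    recipients: List[str] = field(default_factory=list)        # who is authorized to receive
    expiration: Optional[date] = None                          # a specific expiration date
    signature: str = ""                                        # signature or other authentication
    signed_on: Optional[date] = None
    signer_is_subject: bool = True
    signer_authority: str = ""            # authority/relationship when signer is not the subject
    revocation_statement: bool = False    # "may revoke, except where action taken in reliance"
    unprotected_statement: bool = False   # "no longer protected once outside a covered entity"
    # elements required only when the covered entity initiated the request
    initiated_by_covered_entity: bool = False
    purpose: str = ""
    proposed_uses: str = ""
    inspect_copy_notice: bool = False     # individual may inspect or copy the information
    refusal_notice: bool = False          # individual may refuse to sign
    no_conditioning_notice: bool = False  # treatment/payment not conditioned on signing
    copy_given_to_individual: bool = False
    entity_compensated: bool = False      # financial or in-kind compensation expected
    commercial_gain_statement: bool = False
    # facts known to the record holder rather than printed on the form
    known_revoked: bool = False
    known_materially_false: bool = False


def missing_elements(a: Authorization) -> List[str]:
    """Required elements that are absent or blank; either makes the form deficient."""
    checks = [
        (not a.description.strip(), "description of information"),
        (not a.covered_entities, "covered entity identification"),
        (not a.recipients, "recipient identification"),
        (a.expiration is None, "expiration date"),
        (not a.signature.strip() or a.signed_on is None, "signature and date"),
        (not a.signer_is_subject and not a.signer_authority.strip(),
         "signer authority or relationship"),
        (not a.revocation_statement, "revocation statement"),
        (not a.unprotected_statement, "no-longer-protected statement"),
    ]
    if a.initiated_by_covered_entity:  # additional items when the entity asked for it
        checks += [
            (not a.purpose.strip() or not a.proposed_uses.strip(),
             "statement of purpose and proposed uses"),
            (not (a.inspect_copy_notice and a.refusal_notice and a.no_conditioning_notice),
             "inspect/copy, refusal and no-conditioning notices"),
            (not a.copy_given_to_individual, "copy of signed form for the individual"),
            (a.entity_compensated and not a.commercial_gain_statement,
             "commercial gain statement"),
        ]
    return [label for failed, label in checks if failed]


def defects(a: Authorization, today: date) -> List[str]:
    """Reasons the document is not an 'authorization'; an empty list means it may be honored."""
    reasons = []
    if a.expiration is not None and today > a.expiration:
        reasons.append("expired")
    reasons.extend("lacks element: " + m for m in missing_elements(a))
    if a.known_revoked:
        reasons.append("revoked")
    if a.known_materially_false:
        reasons.append("materially false")
    return reasons


def sample_individual_request() -> Authorization:
    """Constructed sample: individual-initiated release of all records to an agency."""
    return Authorization(
        description="all health information",
        covered_entities=["any provider that treated me between 1997-01-01 and 1999-10-31"],
        recipients=["Social Security Administration"],
        expiration=date(2000, 11, 3),
        signature="J. Example (constructed)",
        signed_on=AS_OF,
        revocation_statement=True,
        unprotected_statement=True,
    )


def sample_marketing_request() -> Authorization:
    """Constructed sample: plan-initiated marketing request that will be paid for
    but omits the commercial gain statement, so it must be refused."""
    a = sample_individual_request()
    a.description = "enrollee name and mailing address"
    a.covered_entities = ["Example Health Plan (constructed)"]
    a.recipients = ["Example Life Insurance subsidiary (constructed)"]
    a.initiated_by_covered_entity = True
    a.purpose = "marketing life insurance to enrollees"
    a.proposed_uses = "one mailing by the subsidiary"
    a.inspect_copy_notice = a.refusal_notice = a.no_conditioning_notice = True
    a.copy_given_to_individual = True
    a.entity_compensated = True
    return a
```

`defects()` reports every reason at once rather than stopping at the first, which is what a records clerk needs in order to tell the requester what to fix. The check deliberately says nothing about the signer's identity: as the preamble notes just above, confirming who actually signed is a separate problem that the form itself cannot settle.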


E. Uses and Disclosures Permitted Without Individual Authorization (§ 164.510)

[Please label comments about this section with the subject: "Introduction to uses and disclosures without individual authorization"]

This section describes uses and disclosures of protected health information that covered entities could make for purposes other than treatment, payment, and health care operations without individual authorization, and the conditions under which such uses and disclosures could be made. We propose to allow covered entities to use or disclose protected health information without individual authorization for such purposes if the use or disclosure would comply with the applicable requirements of this section.

These categories of allowable uses and disclosures are designed to permit and promote key national health care priorities, and to ensure that the health care system operates smoothly. For each of these categories, this rule would permit—but not require—the covered entity to use or disclose protected health information without the individual's authorization. Some covered entities could conclude that the records they hold, or portions of them, should not be used or disclosed for one or more of these permitted purposes without individuals' authorization (absent a law mandating such disclosure), even under the conditions imposed here. The proposed regulation is intended to reflect the importance of safeguarding individuals' confidentiality, while also enabling important national priority activities that require protected health information.

We considered permitting uses and disclosures only where law affirmatively requires the covered entity to use or disclose protected health information. However, because the activities described below are so important to the population as a whole, we decided to permit a covered entity to use or disclose information to promote those activities even when such activities are not legally mandated. In some cases, however, we would permit a use or disclosure only when such use or disclosure is authorized by other law. The requirements for verification of legal authority are discussed in each relevant section.

Where another law forbids the use or disclosure of protected health information without the individual's authorization, nothing in this section would permit such use or disclosure.

Other law may require use or disclosure of protected health information. If such a use or disclosure is not otherwise addressed in proposed § 164.510(b) through (m), we would in proposed § 164.510(n) permit covered entities to use or disclose protected health information without individual authorization pursuant to any law that mandates such use or disclosure. To be in compliance with this rule, the covered entity must meet the requirements of such other law requiring the use or disclosure. Similarly, nothing in this rule would provide authority for a covered entity to restrict or refuse to make a use or disclosure mandated by other law.

The HIPAA legislative authority generally does not bring the entities that receive disclosures pursuant to this section, including public health authorities, oversight and law enforcement agencies, researchers, and attorneys, under the jurisdiction of this proposed rule. We therefore generally cannot propose restrictions on the further use and disclosure of protected health information obtained by the recipients of these disclosures (unless the recipient is also a covered entity). We believe, however, that in most instances it is sound policy to restrict further uses and disclosures of such protected health information. For example, the Secretary's Recommendations proposed that protected health information obtained by researchers not be further disclosed except for emergency circumstances, for a research project that meets certain conditions, and for oversight of research. We believe that federal legislation should include appropriate restrictions on further use and disclosure of protected health information received by entities for purposes such as those described in this section. We note that, under S.578 (introduced by Senator Jeffords), protected health information disclosed for oversight could not be used against the subject of the protected health information unless the action arises out of and is directly related to a health care fraud or a fraudulent claim for benefits, unless such use is judicially authorized. We believe such safeguards strike the right balance between encouraging national priority oversight activities and protecting individuals' privacy.

The provisions of this section contain requirements related to use and requirements related to disclosure, as appropriate to each of the purposes discussed. For many of these purposes, only requirements relating to disclosure are proposed because there are no appropriate internal uses for such a purpose. Examples include disclosures for next-of-kin and disclosures for banking and financial purposes.

For many of these permitted disclosures, we would require the covered entity to verify the identity of the requestor and his or her legal authority to make the request. Requirements for verifying the identity and authority of requests for information are further discussed in II.G, "Administrative Requirements." As discussed in more detail in section II.G.3 of this preamble, the verification requirement would apply where the identity of the person making the request is not already known to the covered entity (e.g., where the disclosure is not part of a routine business transaction). We would ask health plans and health care providers to take reasonable steps to verify the identity of persons requesting protected health information, such as asking to see a badge or other proof of the identity of government officials, and would allow covered entities to rely on the statement of government officials and others regarding the legal authority for the activity. We would not require covered entities to make an independent inquiry into the legal authority behind requests for protected health information.

The provisions below would permit covered entities to use or disclose protected health information without individual authorization, pursuant to certain requirements. Although health care clearinghouses would be defined as covered entities under this rule, in most instances clearinghouses will be receiving and maintaining protected health information as the business partner of a covered health plan or provider. In such cases, proposed § 164.510(a)(2) provides that the clearinghouses that hold protected health information as business partners would not be permitted to make uses or disclosures otherwise permitted by this section unless such uses or disclosures also were permitted under the terms of the contract between the clearinghouse and the business partner.

1. Uses and Disclosures for Public Health Activities (§ 164.510(b))

[Please label comments about this section with the subject: “Public health”]

We propose to permit covered entities to disclose protected health information without individual authorization to public health authorities carrying out public health activities authorized by law, to non-governmental entities authorized by law to carry out public health activities, and to persons who may be at risk of contracting or spreading a disease (when other law authorizes notification). Where the covered entity also is a public health agency, such as a public hospital or local health department, it would be permitted to use protected health information in all cases in which it would be permitted to disclose such information for public health activities under this section.

a. Importance of public health and need for protected health information. Public health authorities are responsible for promoting health and quality of life by preventing and controlling disease, injury, and disability. Inherent in the collection of information for public health activities is a balancing of individual versus communal interests. While the individual has an interest in maintaining the privacy of his or her health information, public health authorities have an interest in the overall health and well-being of the entire population of their jurisdictions. To accomplish this, public health authorities engage in a number of activities, including: traditional public health surveillance; investigations and interventions with respect to communicable diseases; registries (such as immunization or cancer registries); programs to combat diseases that involve contacting infected persons and providing treatment; and actions to prevent transmission of serious communicable diseases.

Public health activities also include regulatory investigations and interventions such as pre-market review of medical products, and evaluations of the risk-benefit profile of a drug or medical product before and after approval (relying on critical epidemiological techniques and resources such as HMO claims databases and medical records). Public health agencies use the results of analyses to make important labeling changes and take other actions, such as the removal of non-compliant products from the market.

We considered requiring individual authorization for certain public health disclosures, but rejected this approach because many important public health activities would not be possible if individual authorization were required. In the case of contagious diseases, for example, if individual authorization were required before individually identifiable information could be provided to public health workers, many other people who may be harboring contagious diseases may be missed by efforts to halt the spread of disease because they failed to provide the appropriate individual authorization. Their failure to authorize could place the general population at risk for contracting an infectious disease. Furthermore, always requiring individual authorization to disclose protected health information to public health authorities would be impractical due to the number of reports and the variety of sources from which they are made. If individuals were permitted to opt out from having their information included in these public health systems, the number of persons with a particular condition would be undercounted. Furthermore, the persons who did authorize the inclusion of their information in the system might not be representative of all persons with the disease or condition.

We also considered limiting certain public health disclosures to de-identified health information. However, identifiable information could be required in order to track trends in a disease over time, and to assess the safety of medical treatments. While de-identified information could be appropriate for many public health activities, there are also many public health activities that require individual identifiers. We decided not to attempt to define specific public health activities for which only de-identified information could be disclosed, in part because public health data collection requirements would be better addressed in public health laws, and in part to reflect the variation in information technologies available to public health authorities. Instead, we rely on the judgment of public health authorities as to what information would be necessary for a public health activity. See discussion in section II.C.2.

b. Public health activities. We intend a broad reading of the term “public health activities” to include the prevention or control of disease, injury, or disability. We considered whether to propose a narrow or broad scope of public health activities for which disclosure without individual authorization would be permitted. For the reasons described above, we believe that both the general public and individual interests are best served by a broad approach to public health disclosures.

We therefore propose that covered entities be permitted to disclose protected health information to public health authorities for the full range of public health activities described above, including reporting of diseases, injuries, and conditions, reporting of vital events such as birth and death to vital statistics agencies, and a variety of activities broadly covered by the terms public health surveillance, public health investigation, and public health intervention. These would include public health activities undertaken by the FDA to evaluate and monitor the safety of food, drugs, medical devices, and other products. These terms would be intended to cover the spectrum of public health activities carried out by federal, State, and local public health authorities. The actual authorities and terminology used for public health activities will vary under different jurisdictions. We do not intend to disturb or limit current public health activities.

c. Permitted recipients of disclosures for public health activities. Disclosures without individual authorization for public health activities would be permitted to be made to only three types of persons: public health authorities, non-governmental entities authorized by law to carry out public health activities, and persons who may be at risk of contracting or spreading a disease, if other law authorizes notification.

i. Public health authorities.

We propose to define “public health authority” broadly, based on the function being carried out, not the title of the public entity. Therefore, disclosures under this proposed rule would not be limited to traditional public health entities such as State health departments. Other government agencies and entities carry out public health activities in the course of their missions. For example, the Occupational Safety and Health Administration, the Mine Safety and Health Administration, and the National Institute for Occupational Safety and Health conduct public health investigations related to occupational health and safety. The National Transportation Safety Board investigates airplane and train crashes in an effort to reduce mortality and injury by making recommendations for safety improvements. Similar inquiries are conducted by the military services. The Food and Drug Administration reviews product performance prior to marketing, and investigates adverse events reported after marketing by industries, health professionals, consumers, and others. The Environmental Protection Agency investigates the effects of environmental factors on health. The definition of public health authority reflects the need for access to data and information including protected health information by these other agencies and authorities consistent with their official mandates under applicable law.

ii. Non-governmental entities carrying out public health activities.

The proposed rule would further provide that disclosures may be made not only to government agencies, but also to other public and private entities as otherwise required or authorized by law. For example, this would include tracking medical devices, where the initial disclosure is not to a government agency, but to a device manufacturer that collects information under explicit legal authority, or at the direction of the Food and Drug Administration. Also, the cancer registries mentioned above could be operated by non-profit organizations such as universities funded by public health authorities which receive reports from physicians and laboratories pursuant to State statutory requirements to report.

We considered limiting public health disclosures to only government entities, but the reality of current public health practice is that a variety of activities are conducted by public health authorities in collaboration with non-governmental entities. Federal agencies also use a variety of mechanisms including contracts, grants, cooperative agreements, and other agreements such as memoranda of understanding to carry out and support public health activities. These relationships could be based on specific or general legal authorities. It is not our intent to disturb these relationships. Limiting the ability to collaborate with other entities and designate them to receive protected health information could potentially have an adverse impact on public health practice.

iii. Persons who may be at risk of contracting or spreading a disease.

The proposed rule would allow disclosure to a person who could have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition and is authorized by law to be notified as necessary in the conduct of a public health intervention or investigation. Physicians, in carrying out public health interventions authorized by law, can notify persons who have been exposed to a communicable disease, or who otherwise may be at risk of contracting or spreading a disease or condition. That notification may implicitly or explicitly reveal the identity of the individual with the disease to which the person could have been exposed, but should be permitted as a disclosure in the course of a legally authorized public health intervention or investigation. The proposed rule would not (and, under the HIPAA legislative authority, cannot) impose a confidentiality obligation on the person notified.

d. Additional requirements. Under proposed § 164.518(c), covered entities would have to verify the identity of the person requesting protected health information and the legal authority supporting that request, before the disclosure would be permitted under this subsection. Preamble section II.G.3 describes these requirements in more detail.

We note that to the extent that the public health authority is providing treatment as defined in proposed § 164.504, the public health authority would be a covered health care provider for purposes of that treatment, and would be required to comply with this regulation.

We also note that the preemption provision of the HIPAA statute creates a special rule for a subset of public health disclosures: this regulation cannot preempt State law regarding “public health surveillance, or public health investigation or intervention * * *”.

2. Use and Disclosure for Health Oversight Activities (§ 164.510(c))

[Please label comments about this section with the subject: “Health oversight”]

In section § 164.510(c), we propose to allow covered entities to disclose protected health information to public oversight agencies (and to private entities acting on behalf of such agencies) without individual authorization, for health oversight activities authorized by law. In cases in which a covered entity is also an oversight agency, it would be permitted to use protected health information in all cases in which it would be permitted to disclose such information for health oversight activities under this section.

a. Importance of oversight and need for protected health information. Oversight activities are critical to support national priorities, including combating fraud in the health care industry, ensuring nondiscrimination, and improving the quality of care. The goals of public agencies’ oversight activities are: to monitor the fiscal and programmatic integrity of health programs and of government benefit programs; to ensure that payments or other benefits of these programs are being provided properly; to safeguard health care quality; to monitor the safety and efficacy of medical products; and to ensure compliance with statutes, regulations, and other administrative requirements applicable to public programs and to health care delivery.

Oversight activities are a national priority in part because of the losses in the health care system due to error and abuse. For example, the HHS Office of Inspector General recently estimated losses due to improper Medicare benefit payments to be about seven percent. See “Improper Fiscal Year 1998 Medicare Fee-For-Service Payments,” transmittal from Inspector General June Gibbs Brown to HCFA Administrator Nancy-Ann Min DeParle (February 9, 1999). Similarly, the final report of the President’s Advisory Commission on Consumer Protection and Quality in the Health Care Industry concluded that “employing the extensive knowledge and expertise of organizations that oversee health care quality * * * is essential to quality improvement.” (http://www.hcqualitycommission.gov/final/chap09.html)

There are certain oversight activities done as statistical inquiries that can be conducted without direct access to individually identifiable health information. However, many instances exist in which government oversight agencies, and private entities under contract to act on their behalf, need to examine individually identifiable health information to conduct their investigations effectively. For example, to determine whether a hospital has engaged in fraudulent billing practices, it could be necessary to examine billing records for a set of individual cases. Billing abuses are detected by cross-checking the records of specific patients to see the medical documentation in support of a service. To determine whether a health plan is complying with federal or State health care quality standards, it may be necessary to examine individually identifiable health information. Other inquiries require review of individually identifiable health information to identify specific instances of the anomalies in treatment or billing patterns detected in statistical analysis. Even in most statistical inquiries of the type just described, in a paper environment particular patient charts must be examined, and the patient’s name would be disclosed because it would be on each page of the chart.

b. Proposed requirements. Specifically, we would permit covered entities to disclose protected health information without individual authorization to a health oversight agency to conduct oversight activities authorized by law. Disclosures also could be made to private entities working under a contract with or grant of authority from one or more of the government oversight agencies described above. As discussed below, private entities conducting oversight activities pursuant to contracts with covered entities, such as accreditation organizations, would not be permitted to receive information under this provision, even if accreditation by such an organization is recognized by law as fulfilling a government requirement or condition of participation in a government program (often referred to as “deemed status”).

Under our rule, oversight activities would include conducting or supervising the following activities: audits; investigations; inspections; civil, criminal or administrative proceedings or actions; and other activities necessary for appropriate oversight of the health care system, of government benefit programs for which health information is relevant to beneficiary eligibility, and of government regulatory programs for which health information is necessary for determining compliance with program standards. This regulation does not create any new right of access to health records by oversight agencies, and could not be used as authority to obtain records not otherwise legally available to the oversight agency.

Under our rule, a health oversight agency would be defined as a public agency authorized by law to conduct oversight activities relating to the health care system, a government program for which health information is relevant to determining beneficiary eligibility or a government regulatory program for which health information is necessary for determining compliance with program standards. Examples of agencies in the first category would include State insurance commissions, State health professional licensure agencies, Offices of Inspectors General of federal agencies, the Department of Justice, State Medicaid fraud control units, Defense Criminal Investigative Services, the Pension and Welfare Benefit Administration, the HHS Office for Civil Rights, and the FDA. Examples of agencies in the second category include the Social Security Administration and the Department of Education. Examples of agencies in the third category include the workplace safety programs such as the Occupational Health and Safety Administration and the Environmental Protection Agency. Agencies that conduct both oversight and law enforcement activities would be subject to this provision when conducting oversight activities.

In cases where health oversight agencies are working in tandem with other agencies overseeing public benefit programs to address compliance, fraud, or other integrity issues that could span across programs, the oversight activities of the team would be considered health oversight and disclosure to and among team members would be permitted under the proposed rule to the extent permitted under other law. For example, a fraud investigation could attempt to find a pattern of abuse across related programs, such as Medicaid and the supplemental security income program. Protected health information could be disclosed to the team of oversight agencies and could be shared among such agencies for oversight activities.

Public oversight agencies sometimes contract with private entities to conduct program integrity activities on a public agency’s behalf. Such audits or investigations may include, for example, program integrity reviews of fraud and abuse in billing Federal and State health care programs; investigations conducted in response to consumer complaints regarding the quality or accessibility of a particular provider, health plan, or facility; and investigations related to disciplinary action against a health care provider, health plan, or health care facility. Covered entities may disclose protected health information to these agents to the extent such disclosure would be permitted to the public oversight body.

In many cases today, public agencies’ contracts with private entities conducting investigations on their behalf require the private oversight organization to implement safeguards to protect individual privacy. HIPAA does not provide statutory authority to regulate the contracts between public oversight entities and their agents. However, we encourage public oversight entities to include privacy safeguards in all such contracts, and believe it would be appropriate for federal legislation to impose such safeguards.

In developing our proposal, we considered but rejected the option of providing an exemption from the general rules for situations in which a covered entity has a contract with a private accreditation organization to conduct an accreditation inspection. In such instances, the accreditation organization is performing a service for the covered entity much like any other contractor. The situation is not materially different in instances where accreditation from a private organization would have the effect of “deeming” the covered entity to be in compliance with a government standard or condition of participation in a government program. In both cases, the accreditation organization is performing a service for the covered entity, not for the government. In our considerations, we were unable to identify a reason that covered entities should hold these contractors to lesser standards than their other contractors. Individuals’ privacy interests would not be diminished in this situation, nor is there any reason why such accreditation organizations should not be held to the requirements described above for business partners. Proposed rules for disclosure to these entities are discussed in section II.C.5., “Application to business partners.” We invite comment on our proposed approach.

c. Additional considerations. We do not propose any new administrative or judicial process prior to disclosure. This regulation would permit disclosure of protected health information without compulsory process where such disclosure is otherwise allowed. However, this regulation also would not abrogate or modify other statutory requirements for administrative or judicial determinations or for other procedural safeguards, nor would it permit disclosures forbidden by other law.

Under § 164.518(c), covered entities would have an obligation to verify the identity of the person requesting protected health information and the legal authority behind the request before the disclosure would be permitted under this subsection. Preamble section II.G.3. describes these requirements in more detail.

3. Use and Disclosure for Judicial and Administrative Proceedings (§ 164.510(d))

[Please label comments about this section with the subject: “Judicial and administrative proceedings”]

In § 164.510(d), we propose to permit covered entities to disclose protected health information in a judicial or administrative proceeding if the request for such protected health information is made through or pursuant to an order by a court or administrative tribunal. A court order would not be required if the protected health information being requested relates to a party to the proceeding whose health condition is at issue, or if the disclosure would otherwise be permitted under this rule. A covered entity that also is a government entity would be permitted to use protected health information in a judicial or administrative proceeding under the same conditions that it could make a disclosure of protected health information under this paragraph.

a. Importance of judicial and administrative process and the need for protected health information. Protected health information is often needed as part of an administrative or judicial proceeding. Examples of such proceedings would include personal injury or medical malpractice cases or other lawsuits in which the medical condition of a person is at issue, and judicial or administrative proceedings to determine whether an illness or injury was caused by workplace conditions or exposure to environmental toxins. The information may be sought well before a trial or hearing, to permit the party to discover the existence or nature of testimony or physical evidence, or in conjunction with the trial or hearing, in order to obtain the presentation of testimony or other evidence. These uses of health information are clearly necessary to allow the smooth functioning of the legal system. Requiring the authorization of the subject prior to disclosure could mean that crucial information would not be available, and could be unfair to persons who have been wronged.

b. Proposed requirements. We propose to permit covered entities to disclose protected health information in a judicial or administrative proceeding if the request for such protected health information is made through or pursuant to a court order or an order by an administrative law judge specifically authorizing the disclosure of protected health information. The exception to this requirement is where the protected health information being requested relates to a party to the proceeding whose health condition is at issue, and where the disclosure is made pursuant to lawful process (e.g., a discovery order) or is otherwise authorized by law. We note that this would not apply where the disclosure would otherwise be permitted under this rule.

The proposed provisions of this section are intended to apply to the broad spectrum of judicial and administrative procedures by which litigants, government agencies, and others request information for judicial or administrative proceedings, including judicial subpoenas, subpoenas duces tecum, notices of deposition, interrogatories, administrative subpoenas, and any disclosure pursuant to the Federal Rules of Civil Procedure, the Federal Rules of Criminal Procedure, comparable rules of other courts (including State, tribal, or territorial courts) and comparable rules of administrative agencies. Under the rule, a covered entity could not respond to such requests unless it determined that the request is pursuant to a court order authorizing disclosure of protected health information or that the individual who is the subject of the protected health information is a party to the proceeding and his or her medical condition or history is at issue.

Covered entities generally would not be required to conduct any independent investigation of the legality of the process under which the protected health information is being sought, but would need to review the request for protected health information to ensure that the disclosure would meet the terms of this provision. Where the request is accompanied by an order from a court, the covered entity could rely on a statement in the order authorizing disclosure of protected health information. The statement could be a general one, indicating that protected health information is relevant to the matter, or it could identify specifically what protected health information may be disclosed. The covered entity could rely on either type of statement, but it could not disclose more information than was authorized by the court where the scope of the authorized disclosure is clear.

Where the request is not accompanied by a court order or order from an administrative law judge, the covered entity would be required to determine whether the request relates to the protected health information of a litigant whose health is at issue, based on a written statement from the requester certifying that the protected health information being requested is about a litigant to the proceeding and that the health condition of such litigant is at issue at such proceeding. Such a certification could be from the agency requesting the information (e.g., in an administrative proceeding) or from legal counsel representing a party to litigation. We invite comments on whether this requirement is overly burdensome and on whether it is sufficient to protect protected health information from unwarranted disclosures.

We are not proposing to preclude a covered entity from contesting the nature or scope of the process when the procedural rules governing the proceeding so allow, and covered entities could well choose to assert privileges against disclosure on behalf of individuals.

In developing our proposal, we considered permitting covered entities to disclose protected health information pursuant to any request made in conjunction with a judicial or administrative proceeding. We rejected this option because we believe that current procedures for document production could result in unwarranted disclosure of protected health information. Under current practice, requests for documents are developed by the parties to a proceeding, with little review or oversight unless the request is challenged by the opposing party. In many instances, the parties make very broad discovery requests that result in the production of large numbers of documents for review. Recipients of broad motions for document production often provide the requester with a substantial quantity of material, expecting the requester to page through the documents to identify the ones that are relevant to the proceeding. While such a process may be appropriate for many types of records, we are concerned that it could lead to substantial breaches of privacy where the material being requested is protected health information. We are unsure if it is appropriate for private attorneys, government officials and others who develop such requests to be able to circumvent the protections provided by this rule with simple motions for document production that have not been subject to third-party review.

Under our proposal, therefore, a party to a proceeding that wishes production of information that includes protected health information would generally need to seek judicial review of the request. If a court determines that a request for protected health information is appropriate to the proceeding, a covered entity can produce the protected health information pursuant to an otherwise lawful request.

We propose an exception to the general requirement for judicial review for protected health information for instances in which the protected health information of a party to the proceeding is relevant to the proceeding. In such instances, the party will have counsel who can object to an overly broad or unwarranted discovery of the party’s protected health information or will receive the discovery request directly and, again, will have an opportunity to object prior to disclosure.

We note that there are other existing legal requirements governing the disclosure of protected health information, and which govern the procedures in federal, State and other judicial and administrative proceedings. For example, 42 U.S.C. 290dd–2 and the implementing regulations, 42 CFR part 2, will continue to govern the disclosure of substance abuse patient records. There may also be provisions of a particular State’s law governing State judicial or administrative proceedings, including State medical record privacy statutes, as well as precedential court opinions, which apply to the circumstances described in the section, that will not be preempted by this part. Also, the discovery of psychiatric counseling records in federal proceedings governed by section 501 of the Federal Rules of Evidence, has been restricted in certain circumstances, by Jaffee v. Redmond, 116 S. Ct. 1923 (1996). These more stringent rules would remain in place.


4. Disclosure to Coroners and Medical Examiners (§ 164.510(e))

[Please label comments about this section with the subject: “Coroners and medical examiners”]

In § 164.510(e), we propose to allow covered entities to disclose protected health information without individual authorization to coroners and medical examiners, as authorized by law, for identification of a deceased person or to determine cause of death.

a. Importance of disclosure to coroners and medical examiners and the need for protected health information. Coroners and medical examiners, who under State or other law typically are public officials, have a legitimate need to obtain protected health information in an expeditious manner in order to carry out their legal responsibility to identify deceased persons and determine cause of death. Such disclosure would be clearly in the public interest, and should be included among the types of disclosures for which the public interest in efficient sharing of medical information outweighs any individual privacy interests that may be compromised.

b. Proposed requirements. Proposed § 164.510(e) would allow covered entities to disclose protected health information about a deceased person without individual authorization to coroners and medical examiners, consistent with other law, for the purpose of a post-mortem investigation.

We recognize that a deceased person's medical record could include information that potentially could reveal health information about others, for example, relatives who have the same genetically linked disease as the deceased individual. In developing this section of the proposed rule, we considered requiring covered entities to redact any protected health information about persons other than the deceased before giving the record to coroners or medical examiners.

We rejected this option for two reasons. First, coroners and medical examiners typically need significant portions of a deceased person's medical record, and, in some cases, all medical records that are available, to conduct a post-mortem investigation, which may also include an autopsy. Second, they need to obtain the record quickly, because there is a limited time period after death within which an autopsy can be conducted. Requiring covered entities to take the time to review and redact portions of the health information before providing it to a coroner or medical examiner would create delays that could make it impossible to conduct an autopsy appropriately. Nothing in this rule would prohibit a covered entity from undertaking such redaction on its own initiative so long as the information provided would meet the needs of the coroner or medical examiner.

In addition to these two reasons, it is our understanding that health care providers, as a standard record keeping practice, rarely identify specific persons other than the patient in the record. We are soliciting comment on whether health care providers routinely identify other persons specifically in an individual's record and, if so, whether we should require the provider to redact the information about the other person before providing it to a coroner or medical examiner.

Under § 164.518(c), covered entities would have an obligation to verify the identity of the coroner or medical examiner making the request for protected health information and the legal authority supporting the request, before the disclosure would be permitted under this subsection. Preamble section II.G.3. describes these requirements in more detail.

We intend to allow only those disclosures that are authorized by other applicable law. Laws vary widely regarding release of health information to coroners and medical examiners for the purposes of identifying deceased persons or determining cause of death, and we do not intend to disturb those practices.

5. Disclosure for Law Enforcement (§ 164.510(f))

[Please label comments about this section with the subject: “Law enforcement”]

In § 164.510(f), we propose to permit covered entities to disclose protected health information without individual authorization to a law enforcement official conducting a law enforcement inquiry authorized by law if the request for protected health information is made pursuant to a judicial or administrative process, as described below. Similarly, we propose to permit covered entities to disclose protected health information to a law enforcement official without individual authorization for the conduct of lawful intelligence activities. We also propose to permit covered entities to disclose protected health information to a law enforcement official about the victim of a crime, abuse or other harm, if the information is needed to determine both whether a violation of law by a person other than the victim has occurred and whether an immediate law enforcement activity might be necessary. We would further permit such disclosure for the purpose of identifying a suspect, fugitive, material witness, or missing person, if the covered entity discloses only limited identifying information. Finally, we would permit disclosure of protected health information by a health plan or a health care provider without individual authorization to law enforcement officials if the plan or provider believed in good faith that the disclosed protected health information would constitute evidence of criminal conduct that constitutes health care fraud, occurred on the premises of the covered entity, or was witnessed by an employee of the covered entity.

i. Law enforcement need for protected health information. Law enforcement officials need protected health information for their investigations in a variety of circumstances. Health information about a victim of a crime may be needed to investigate the crime, or to allow prosecutors to determine the proper charge. For some crimes, the severity of the victim's injuries will determine what charge should be brought against a suspect. The medical condition of a defendant could also be relevant to whether a crime was committed, or to the seriousness of a crime. The medical condition of a witness could be relevant to the reliability of that witness. Medical, billing, accounting or other documentary records in the possession of a covered entity can be important evidence relevant to criminal fraud or conspiracy investigations. Nor is this list of important uses by law enforcement exhaustive.

In many cases, the law enforcement official will obtain such evidence through legal process, such as a judicially executed warrant, an administrative subpoena, or a grand jury subpoena. In other circumstances, time constraints preclude use of such process. For example, health information may be needed when a law enforcement official is attempting to apprehend an armed suspect who is rapidly fleeing. Health information may be needed from emergency rooms to locate a fleeing prison escapee or criminal suspect who was injured and is believed to have stopped to seek medical care.

Protected health information could be sought as part of a law enforcement investigation, to determine whether a crime was committed and by whom, or it could be sought in conjunction with the trial to be presented as evidence. These uses of medical information are clearly in the public interest. Requiring the authorization of the subject prior to disclosure could impede important law enforcement activities by making apprehension and conviction of some criminals difficult or impossible.

As described above, this proposed rule seeks to respond appropriately to new risks to privacy that could emerge as the form of medical records changes in coming years. The administrative simplification mandated by HIPAA will lead to far greater exchanges of individually identifiable health information among covered entities in the future, increasingly in electronic form. If a misperception were to develop that law enforcement had instant and pervasive access to medical records, the goals of this proposed regulation could be undermined. For instance, individuals might become reluctant to seek needed care or might report inaccurately to providers to avoid revealing potentially embarrassing or incriminating information. In addition, popular concerns about government access to sensitive medical records might impede otherwise achievable progress toward administrative simplification. We believe that the proposed prophylactic and administrative rules governing disclosure to law enforcement officials, as described below, are justified in order to avoid these harms in the future.

ii. Proposed requirements. In § 164.510(f), we propose to permit covered entities to disclose protected health information to law enforcement officials conducting or supervising a law enforcement inquiry or proceeding authorized by law if the request for protected health information is made:

• Pursuant to a warrant, subpoena, or order issued by a judicial officer;

• Pursuant to a grand jury subpoena;

• Pursuant to an administrative subpoena or summons, civil investigative demand, or similar certification or written order issued pursuant to federal or state law where (i) the records sought are relevant and material to a legitimate law enforcement inquiry; (ii) the request is as specific and narrowly drawn as is reasonably practicable to meet the purposes of the inquiry; and (iii) de-identified information could not reasonably be used to meet the purposes of the inquiry;

• For limited identifying information where necessary to identify a suspect, fugitive, witness, or missing person;

• By a law enforcement official requesting protected health information about an individual who is, or who is suspected to be, the victim of a crime, abuse or other harm, if such law enforcement official represents that (i) such information is needed to determine whether a violation of law by a person other than the victim has occurred and (ii) immediate law enforcement activity which depends on the official obtaining such information may be necessary;

• For the conduct of lawful intelligence activities conducted pursuant to the National Security Act of 1947 (50 U.S.C. 401 et seq.) or in connection with providing protective services to the President or other individuals pursuant to section 3056 of title 18, United States Code, and the disclosure is otherwise authorized under Federal or state law; or

• To law enforcement officials when a covered entity believes in good faith that the disclosed protected health information constitutes evidence of criminal conduct that: (i) Arises out of and is directly related to the receipt of health care or payment for health care (including a fraudulent claim for health care) or qualification for or receipt of benefits, payments or services based on a fraudulent statement or material misrepresentation of the health of a patient; (ii) occurred on the premises of the covered entity; or (iii) was witnessed by an employee or other workforce member of the covered entity.

In drafting the proposed rule, we have attempted to match the level of procedural protection for privacy with the nature of the law enforcement need for access. Therefore, access for law enforcement under this rule would be easier where other rules would impose procedural protections, such as where access is granted after review by an independent judicial officer. Access would also be easier in an emergency situation or where only limited identifying information would be provided. By contrast, this rule proposes stricter standards for administrative requests, where other rules could not impose appropriate procedural protections.

Under the first part of this proposal, we would authorize disclosure of protected health information pursuant to a request that has been reviewed by a judicial officer. Examples of such requests include State or federal warrants, subpoenas, or other orders signed by a judicial officer. Review by a judicial officer is a significant procedural protection for the proper handling of individually identifiable health information. Where such review exists, we believe that it would be appropriate for covered entities to disclose individually identifiable health information pursuant to the order.

Under the second part of this proposal, we would authorize disclosure of protected health information pursuant to a State or federal grand jury subpoena. Information disclosed to a grand jury is covered by significant secrecy protections, such as under Federal Rule of Criminal Procedure 6(e) and similar State laws. Our understanding is that State grand juries have secrecy protections substantially as protective as the federal rule. We solicit comment on whether there are any State grand jury secrecy provisions that are not substantially as protective.

Under the third part of this proposal, we would set somewhat stricter standards than exist today for disclosure pursuant to administrative requests, such as an administrative subpoena or summons, civil investigative demand, or similar process authorized under law. These administrative actions do not have the same procedural protections as review by an independent judicial officer. They also do not have the grand jury secrecy protections that exist under federal and State law. For administrative requests, an individual law enforcement official can define the scope of the request, sometimes without any review by a superior, and present it to the covered entity. We propose, therefore, that a greater showing should be made for an administrative request before the covered entity would be permitted to release protected health information. We also believe that the somewhat stricter test for administrative requests would provide some reason for officials to choose to obtain protected health information through process that includes the protections offered by judicial review or grand jury secrecy.

We therefore propose that a covered entity could disclose protected health information pursuant to an administrative request, issued pursuant to a determination that: (i) The records sought are relevant and material to a legitimate law enforcement inquiry; (ii) the request is as specific and narrowly drawn as is reasonably practicable; and (iii) de-identified information could not reasonably be used to meet the purpose of the request.

Because our regulatory authority does not extend to law enforcement officials, we are seeking comment on how to create an administrable system for implementing this three-part test. We do not intend that this provision require a covered entity to second guess representations by an appropriate law enforcement official that the three-part test has been met.

To verify that the three-part test has been met, we propose that a covered entity be permitted to disclose protected health information to an appropriate law enforcement official pursuant to a subpoena or other covered administrative request that on its face indicates that the three-part test has been met. In the alternative, where the face of the request does not indicate that the test has been met, a covered entity could disclose the information upon production of a separate document, signed by a law enforcement official, indicating that the three-part test has been met. Under either of these alternatives, disclosure of the information can also be made if the document applies any other standard that is as strict or stricter than the three-part test.

This approach would parallel the research provisions of proposed § 164.510(j). Under that section, disclosure would be authorized by a covered entity where the party seeking the records produces a document that states it has met the standards for the institutional review board process. We solicit comments on additional, administrable ways that a law enforcement official could demonstrate that the appropriate issuing authority has determined that the three-part test has been met.

We solicit comment on the burdens and benefits of the proposed three-part test for administrative requests. For covered entities, we are interested in comments on how burdensome it would be to determine whether the three-part test has been met, and we would explore suggestions for approaches that would be more easily administered. For law enforcement, we are interested in the potential impact that this approach might have on current law enforcement practices, and the extent to which law enforcement officials believe that their access to information critical to law enforcement investigations could be impaired. We solicit comment on the burden on law enforcement officials, compared to current practice, of writing the administrative requests. We would also like comments on whether there are any federal, State, or local laws that would create an impediment to application of this section, including the proposed three-part test. If there are such impediments, we would solicit comment on whether extending the effective date of this section could help to prevent difficulties. On the benefit side, we are interested in comments on the specific gains for privacy that would result from requiring law enforcement to comply with greater procedures than currently exist for gaining access to protected health information.

As the fourth part of this proposal, we address limited circumstances where the disclosure of health information by covered entities would not be made pursuant to lawful process such as judicial order, grand jury subpoena, or administrative request. In some cases law enforcement officials could seek limited but focused information needed to obtain a warrant. For example, a witness to a shooting may know the time of the incident and the fact that the perpetrator was shot in the left arm, but not the identity of the perpetrator. Law enforcement would then have a legitimate need to ask local emergency rooms whether anyone had presented with a bullet wound to the left arm near the time of the incident. Law enforcement may not have sufficient information to obtain a warrant, but instead would be seeking such information. In such cases, when only limited identifying information is disclosed and the purpose is solely to ascertain the identity of a person, the invasion of privacy would be outweighed by the public interest.

In such instances, we propose to permit covered entities to disclose “limited identifying information” for purposes of identifying a suspect, fugitive, material witness, or missing person. We would define “limited identifying information” as the name, address, social security number, date of birth, place of birth, type of injury, date and time of treatment, and date of death. Disclosure of any additional information would cause the covered entity to be out of compliance with this provision, and subject to sanction. The request for such information could be made orally or in writing. Requiring the request to be in writing could defeat the purposes of this provision. We solicit comment on whether the list of “limited identifying information” is appropriate, or whether additional identifiers, such as blood type, also should be permitted disclosures under this section. Alternatively, we solicit comment on whether any of the proposed items on the list are sufficiently sensitive to warrant a legal process requirement before they should be disclosed.

Under the fifth part of the proposal, we would clarify that the protected health information of the victim of a crime, abuse or other harm could be disclosed to a law enforcement official if the information is needed to determine both whether a violation of law by a person other than the victim has occurred and whether an immediate law enforcement activity might be necessary. There could be important public safety reasons for obtaining medical records or other protected health information quickly, perhaps before there would be time to get a judicial order, grand jury subpoena, or administrative order. In particular, where the crime was violent, information about the victim's condition could be needed to present to a judge in a bond hearing in order to keep the suspect in custody while further evidence is sought. Information about the victim also could be important in making an appropriate charging decision. Rapid access to victims' medical records could reduce the risk of additional violent crimes, such as in cases of spousal or child abuse or in situations where the protected health information could reveal evidence of the identity of someone who is engaged in ongoing criminal activities.

In some of these instances, release of protected health information would be authorized under other sections of this proposed regulation, pursuant to provisions for patient consent, health oversight, emergency circumstances, or disclosure pursuant to mandatory reporting laws for gunshot wounds or abuse cases. (As discussed later in section II.I, our rule would not be construed to invalidate or limit the authority, powers or procedures established under any law that provides for reporting of injury, child abuse or death.) In addition, § 164.510(k), addressing emergency circumstances, would permit covered entities to disclose protected health information in instances where the disclosure could prevent imminent harm to individuals or to the public. However, we propose to include this fifth provision for law enforcement access to ensure that this rule permits law enforcement access to information about a victim where the need for that information is immediate.

Under the sixth part of this proposal, we seek to assure that this rule would not interfere with the conduct of lawful security functions in protection of the public interest, as defined by the Congress. Therefore, we would allow disclosure of protected health information for the conduct of lawful intelligence activities conducted pursuant to the National Security Act of 1947. Similarly, we would allow disclosure of protected health information for providing protective services to the President or other individuals pursuant to section 3056 of title 18, United States Code. Where such disclosures are authorized by Federal or state law, we would not interfere with these important national security activities.

Under the final part of this proposal, we would permit covered entities that uncover evidence of health care fraud to disclose the protected health information that evidences such fraud to law enforcement officials without receiving a request from such officials. This provision would permit covered entities to make certain disclosures to law enforcement officials on their own initiative if the information disclosed constitutes evidence of criminal conduct that arises out of and is directly related to (i) the receipt of health care or payment for health care (including a fraudulent claim for health care) or (ii) qualification for or receipt of benefits, payments or services based on a fraudulent statement or material misrepresentation of the health of a patient. Similarly, we would permit covered entities on their own initiative to disclose to law enforcement officials protected health information that the covered entity believes in good faith constitutes evidence of criminal conduct that either occurred on the covered entity's premises or was witnessed by an employee (or other workforce member) of the covered entity. In such situations, covered entities should be permitted to take appropriate steps to protect the integrity and safety of their operations or to assure that such criminal conduct is properly prosecuted.

To be protected by this provision, the covered entity would have to have a good faith belief that the disclosed protected health information was evidence of such conduct. If the covered entity disclosed protected health information in good faith but was wrong in its belief that the information evidenced a legal violation, the covered entity would not be subject to sanction under this regulation. We would not require the covered entity to accurately predict the outcome of a criminal investigation.

There also are situations where law enforcement officials would need access to information for emergency circumstances. In those cases, the disclosure could be made under § 164.510(k), “Disclosure in emergency circumstances.”

Pursuant to § 164.518(c), covered entities would have an obligation to verify the identity of the person seeking disclosure of protected health information and the legal authority behind the request. As described in section II.H.3. of this preamble, we would permit covered entities to rely on a badge or similar identification to confirm that the request for protected health information is being made by a law enforcement official. If the request is not made in person, we would permit the covered entity to rely on official letterhead or similar proof.

Where the covered entity must verify that lawful process has been obtained, § 164.518(c) would require the covered entity to review the document evidencing the order. The covered entity could not disclose more information than was authorized in the document.

Because the regulation applies to covered entities, and not to the law enforcement officials seeking the protected health information, the covered entity would not be in a position to determine with any certainty whether the underlying requirements for the process have been met. For instance, it may be difficult for the covered entity to determine whether the three-part test has been met for an administrative request. In light of this difficulty facing covered entities, the proposed rule would include a good faith provision. Under that provision, covered entities would not be liable under the rule for disclosure of protected health information to a law enforcement official where the covered entity or its business partners acted in a good faith belief that the disclosure was permitted under this title. We solicit comment on the extent to which this good faith provision would make the proposed rule less burdensome on covered entities and law enforcement officials. We also solicit comment on the extent to which the good faith provision could undermine the effectiveness of the standards for disclosure to law enforcement described above.

For requests for the conduct of intelligence activities or for protective services, covered entities would be required to verify the identity of the person or entity requesting the information, through a badge or other identification, or official letterhead, as just described. If such verification of identity is obtained, covered entities would be permitted to reasonably rely on the representations of such persons that the request is for lawful national security or protective service activities and is authorized by law. Similarly, to disclose limited identifying information, covered entities would be required to obtain verification that the request comes from a law enforcement official, and would be permitted to reasonably rely on such official's representation that the information is needed for the purpose of identifying a suspect, fugitive, material witness, or missing person and is authorized by law.

iii. Additional considerations. This section is not intended to limit or preclude a covered entity from asserting any lawful defense or otherwise contesting the nature or scope of the process when the procedural rules governing the proceeding so allow, although it is not intended to create a basis for appealing to federal court concerning a request by state law enforcement officials. Each covered entity would continue to have available legal procedures applicable in the appropriate jurisdiction to contest such requests where warranted. This proposed rule would not create any new affirmative requirement for disclosure of protected health information. Similarly, this section is not intended to limit a covered entity from disclosing protected health information for law enforcement purposes where other sections of the rule permit such disclosure, e.g., as permitted by § 164.510 under emergency circumstances, for oversight or public health activities, to coroners or medical examiners, and in other circumstances permitted by the rule.

In obtaining protected health information, law enforcement officials would have to comply with whatever other law was applicable. In certain circumstances, while this subsection could authorize a covered entity to disclose protected health information to law enforcement officials, there could be additional applicable statutes that further govern the specific disclosure. If the preemption provisions of this regulation do not apply, the covered entity must comply with the requirements or limitations established by such other law, regulation or judicial precedent. See proposed §§ 160.201 through 160.204. For example, if State law would permit disclosure only after compulsory process with court review, a provider or payer would not be allowed to disclose information to state law enforcement officials unless the officials had complied with that requirement. Similarly, disclosure of substance abuse patient records subject to 42 U.S.C. 290dd–2, and the implementing regulations, 42 CFR part 2, would continue to be governed by those provisions.

In some instances, disclosure of protected health information to law enforcement officials would be compelled by other law, for example, by compulsory judicial process or compulsory reporting laws (such as laws requiring reporting of wounds from violent crimes, suspected child abuse, or suspected theft of prescription controlled substances). Disclosure of protected health information under such other mandatory law would be permitted under proposed § 164.510(n).

In developing our proposal, we considered permitting covered entities to disclose protected health information pursuant to any request made by a law enforcement official, rather than requiring some form of legal process or narrowly defined other circumstances. We rejected this option because we believe that in most instances some form of review should be required. Individuals' expectation of privacy with respect to their health information is sufficiently strong to require some form of process prior to disclosure to the government. At the same time, we recognize that the public interest would not be served by requiring such formal process in every instance. Under our proposal, therefore, law enforcement could obtain certain identifying information in order to identify suspects and witnesses, and could obtain information for national security or protective services activities or in emergency circumstances. Similarly, we would not require process before a law enforcement official could obtain information about the victim of a crime, where the information is necessary as the basis for immediate action. In addition, in seeking an appropriate balance between public safety and individuals' expectation of privacy, we are proposing that covered entities not be subject to enforcement under this regulation if they disclose protected health information to law enforcement officials in a good faith belief that the disclosure was permitted under this title.

We solicit comment on what additional steps, if any, are appropriate for allowing law enforcement access to protected health information.

In some of these instances, release of protected health information would be authorized under the proposed regulation pursuant to provisions for patient consent, health oversight, emergency circumstances, or under mandatory reporting laws for gunshot wounds or abuse cases. We are interested in comments concerning situations where needed access to protected health information would not be available under these or other provisions of this proposed rule. We also seek comment on specific privacy or other concerns that would apply if the final regulation included provision for law enforcement access to protected health information without requiring a judicial order, grand jury subpoena, or administrative request, under such additional defined circumstances.

Our proposal with respect to law enforcement has been shaped by the limited scope of our regulatory authority under HIPAA, which applies only to the covered entities and not to law enforcement officials. We believe the proposed rule sets the correct standards for when an exception to the rule of non-disclosure is appropriate for law enforcement purposes. There may be advantages, however, to legislation that applies the appropriate standards directly to judicial officers, prosecutors in grand juries, and to those making administrative or other requests for protected health information, rather than to covered entities as in the proposed regulation. These advantages could include measures to hold officials accountable if they seek or receive protected health information contrary to the legal standard. In Congressional consideration of law enforcement access, there have also been useful discussions of other topics, such as limits on re-use of protected health information gathered in the course of oversight activities. These limitations on our regulatory authority provide additional reason to support comprehensive medical privacy legislation.

6. Uses and Disclosures for Governmental Health Data Systems (§ 164.510(g))

[Please label comments about this section with the subject: ‘‘Governmental health data systems’’]

In § 164.510(g), we propose to permit covered entities to disclose protected health information for inclusion in State or other governmental health data systems without individual authorization when such disclosures are authorized by State or other law in support of policy, planning, regulatory or management functions.

a. Importance of Governmental health data systems and the need for protected health information. Governmental agencies collect and analyze individually identifiable health information as part of their efforts to improve public policies and program management, improve health care and reduce costs, and improve information available for consumer choices. Governments use the information to analyze health care outcomes, quality, costs and patterns of utilization, effects of public policies, changes in the health care delivery system, and related trends. These important purposes are related to public health, research and oversight (although the information in State or other governmental data systems usually is not collected specifically to audit or evaluate health care providers or for public health surveillance). The data are an important resource that can be used for multiple public policy evaluations.

The collection of health information by governmental health data systems often occurs without specification of the particular analyses that could be conducted with the information. These governmental data collection programs frequently call for reporting of information for all individuals treated or released by specified classes of providers. For example, many States request and receive from hospitals records containing individual diagnosis and treatment data for all discharges from their facilities. State hospital discharge data have been used to compare treatment practices and costs between hospitals, to evaluate implications for funding of health care, as well as to provide hospital ‘‘report cards’’ to consumers. As part of its general evaluation activities, the DOD maintains a very large database, called the Comprehensive Clinical Evaluation Program, involving military personnel who have reported illnesses possibly arising from service during the Gulf War.

b. Proposed requirements. We propose to permit covered entities to disclose protected health information for inclusion in State or other governmental health data systems when such disclosure is authorized by law for analysis in support of policy, planning, regulatory, and management functions. The recipient of the information must be a government agency (or private entity acting on behalf of a government agency). Where the covered entity is itself a government agency that collects health data for analysis in support of policy, planning, regulatory, or management functions, it would be permitted to use protected health information in all cases in which it is permitted to disclose such information for government health data systems under this section.

We believe that Congress intended to permit States, Tribes, territories, and other governmental agencies to operate health data collection systems for analyzing and improving the health care system. In section 1178(c), ‘‘State regulatory reporting,’’ HIPAA provides that it is not limiting the ability of a State to require a health plan to report, or to provide access to, information for a variety of oversight activities, as well as for ‘‘program monitoring and evaluation.’’ We also believe that the considerations Congress applied to State capacities to collect data would apply to similar data collection efforts by other levels of government, such as those undertaken by Tribes, territories and federal agencies. Therefore, we considered two questions regarding governmental health data systems; first, which entities could make such disclosures; and second, what type of legal authority would be necessary for the disclosure to be permitted.

We considered whether to allow disclosure by all covered entities to governmental data collection systems or to limit permitted disclosures to those made by health plans, as specified in the regulatory reporting provision of HIPAA. While this provision only mentions data collected from health plans, the conference agreement notes that laws regarding ‘‘State reporting on health care delivery or costs, or for other purposes’’ should not be preempted by this rule. States would be likely to require sources of information other than health plans, such as health care providers or clearinghouses, in order to examine health care delivery or costs. Therefore, we do not believe it is appropriate to restrict States’ or other governmental agencies’ ability to obtain such data. This viewpoint is consistent with the Recommendations, which would permit this disclosure of protected health information by all covered entities.

We also asked what type of law would be required to permit disclosure without individual authorization to governmental health data systems. We considered requiring a specific statute or regulation that requires the collection of protected health information for a specified purpose. A law that explicitly addresses the conditions under which protected health information is collected would provide individuals and covered entities with a better understanding of how and why the information is to be collected and used.

We understand, however, that explicit authority to collect information is not always included in relevant law. Governmental agencies may collect health data using a broad public health or regulatory authority in statute or regulation. For example, a law may call on a State agency to report on health care costs, without providing specific authority for the agency to collect the health care cost data they need to do so. Consequently, the agency may use its general operating authority to request health care providers to release the information. We recognize that many governmental agencies rely on broad legal authority for their activities and do not intend this proposed rule to hamper those efforts.

Under § 164.518(c), covered entities would have an obligation to verify the identity of the person requesting protected health information, and the legal authority behind the request before the disclosure would be permitted under this subsection. Preamble section II.G.3. describes these requirements in more detail.

7. Disclosure of Directory Information (§ 164.510(h))

[Please label comments about this section with the subject: ‘‘Directory information’’]

In § 164.510(h), we propose to permit covered entities to disclose information that could reveal protected health information about an individual for purposes of a facility patient directory, if the individual has indicated consent to such disclosures, or if the individual who is incapacitated had not previously expressed a preference in this regard and a covered entity determines that including such information in the directory would be consistent with good medical practice. Directory information could include only the person’s name, location in the institution, and general condition.

a. Importance of directory information and need for protected health information. When individuals enter inpatient facilities, they are not always able to contact people who may need to know their whereabouts, want to visit them, or want to send them flowers or some other expression of concern. Today, facilities typically operate patient directories, allowing confirmation of a person’s presence in a facility, providing the room number for visits and deliveries, and sometimes providing general information on the patient’s condition. These services cannot be performed without disclosing protected health information. Since most patients find this a welcome convenience, we believe it would be important to allow these practices to continue. However, not everyone may appreciate this service. We are proposing to accommodate the wishes of such people, where possible.

b. Proposed requirements. In § 164.510(h), we would require covered entities to ask individuals whether they wish to be included in the entity’s directory. For individuals who are incapacitated or otherwise unable to communicate their wishes and who have not previously expressed a preference, the decision would be left to the discretion of the covered entity, consistent with good medical practice. We note that legal representatives could make such decisions on behalf of persons who are incapacitated or otherwise unable to communicate their wishes, consistent with State or other law, since they would stand as the ‘‘individual.’’ In the absence of a legal representative or prior expression of a preference by the individual, the decision would be left to the discretion of the covered entity, consistent with good medical practice.

i. Individuals capable of making decisions.

For individuals who are not incapacitated, this rule would require the covered entity to ask whether information about the individual’s presence in the facility, room number and general condition can be included in the general patient directory. When individuals are capable of making such a determination, their wishes should be respected.

We considered whether also to require covered entities to allow an individual to specify that information can be provided to specific persons but not others. For example, someone may feel that it is acceptable to release information to family members but not to friends. While we would like to respect individuals’ wishes to the greatest extent possible, we are concerned about placing on covered entities the burden of verifying the identity of a person requesting directory information. We are therefore not including this additional requirement, but are requesting comments on current practices and how such requests might be accommodated.

We would not require a formal individual authorization pursuant to § 164.508. A verbal or other informal inquiry and agreement would be sufficient. We require only that individuals be given the choice.

ii. Incapacitated individuals.

If an individual is not able to make determinations as to whether location or status information should be released to family and friends, and had not in the past expressed a preference in this regard, we would leave the decision as to whether to include the individual in a directory to the discretion of the covered entity. Often individuals are unconscious or otherwise unable due to a medical condition to communicate their wishes to the entity and no representative is available to act for them. In these cases, we encourage the covered entity to take into consideration a number of factors when deciding whether or not to include such an individual in the directory:

• Could disclosing that an individual is in the facility reasonably cause danger of harm to the individual? For example, if a person is unconscious and receiving treatment for injuries resulting from physical abuse from an unknown source, an entity may determine that revealing that the individual is in the facility could give the attacker enough information to seek out the individual and repeat the abuse.


• Could disclosing the location within the facility of the patient give information about the condition of the patient? If a patient’s room number would reveal the nature of the medical condition, the entity may decide that it is inappropriate to give that information. For example, if one floor of a hospital has been specifically designated as the psychiatric floor, simply saying that a patient is located on that floor discloses some information about the condition of the individual.

• Is it necessary or appropriate to give the status of a patient to family or friends? Covered entities often need information from family or friends for the treatment of an incapacitated individual. For example, if a patient is unconscious, family or friends may be able to give valuable information that will assist the care giver in making urgent decisions. Family members or friends may be able to give information on drugs or medications that the individual has been taking. On the other hand, it may be that revealing the status of an individual gives more information than the individual would have disclosed if they could make the determination themselves.

• If an individual had, prior to becoming incapacitated, expressed a desire not to be included in such a directory and the covered entity learns of that statement of preference, the covered entity would be required to act in accordance with the stated preference.

Individuals who enter a facility incapacitated and then improve to the point of being able to make their own determinations should be asked within a reasonable time period for permission to include information in the facility’s directory.

When the condition of an individual who has opted not to allow protected health information to be included in the facility’s directory deteriorates, and the individual is no longer capable of making disclosure decisions, the covered entity would be required to abide by the individual’s initial decision. However, such a decision should not prevent a provider from contacting the family if such contact is required for good medical practice. A provider could need information from the family to treat a newly incapacitated person. If good medical practice would include contacting family or friends, the individual’s initial request should not prohibit such contact. But the covered entity would still be prohibited from including information about the individual in its directory.

8. Disclosure for Banking and Payment Processes (§ 164.510(i))

[Please label comments about this section with the subject: ‘‘Banking and payment processes’’]

In § 164.510(i), we propose to allow covered entities to disclose protected health information to financial institutions, or entities acting for financial institutions, if necessary for processing payments for health care and health care premiums.

a. Importance of financial transactions and the need for protected health information. Checks that individuals use to pay for health care typically include the names of providers or provider groups that could implicitly identify the medical condition for which treatment was rendered. Similarly, a credit card transaction will also reveal the identity of the provider and thus potentially the nature of the medical condition involved. While such information would constitute protected health information under this rule, there is no practical way of concealing this information when the provider deposits the check or claims credit card payment. Failure to allow this kind of disclosure of protected health information would impede the efficient operations of the health care system.

b. Proposed requirements. We propose that covered entities be permitted to disclose protected health information to financial institutions for the specific purposes listed in the section. The permissible purposes are those identified in the statute, and the regulatory text would copy the statutory list of allowable uses.

Under section 1179 of the Act, activities of financial institutions are exempt from HIPAA’s Administrative Simplification requirements to the extent that those activities constitute ‘‘authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments’’ for health care or health plan premiums. This section of the statute states that financial institutions can use or disclose protected health information for these purposes. We read this part of the statute as indicating that Congress intended that this regulation not impede the efficient processing of these transactions, and accordingly are allowing covered entities to disclose protected health information to financial institutions for the purposes listed in section 1179 of the statute.

Proposed § 164.510(i) would not allow covered entities to include any diagnostic or treatment information in the data transmitted to financial institutions. Such information is never necessary to process a payment transaction. We believe that, in most cases, the permitted disclosure would include only: (1) The name and address of the account holder; (2) the name and address of the payer or provider; (3) the amount of the charge for health services; (4) the date on which health services were rendered; (5) the expiration date for the payment mechanism, if applicable (i.e., credit card expiration date); and (6) the individual’s signature. At this time, we are not proposing to include in the regulation an exclusive list of information that could be lawfully disclosed for this purpose. We are, however, soliciting comment on whether more elements would be necessary for these banking and payment transactions and on whether including a specific list of the protected health information that could be disclosed is an appropriate approach.

We understand that financial institutions may also provide covered entities that accept payment via credit card with software that, in addition to fields for information required to process the transaction, includes blank fields in which health plans or health care providers may enter any type of information regarding their patients, such as diagnostic and treatment information, or other information that the covered entity wished to track and analyze. Other financial institutions could provide services to covered entities that constitute ‘‘health care operations’’ as defined in proposed § 164.504.

We do not know whether and to what extent health plans and health care providers are using such software to record and track diagnostic and treatment and similar information. However, we recognize that the capability exists and that if a plan or provider engages in this practice, information not necessary for processing the payment transaction could be forwarded to financial institutions along with other information used to process payments. Disclosing such information to a financial institution (absent a business partner relationship) would violate the provisions of this rule.

We also understand that banks, in addition to offering traditional banking services, may be interested in offering additional services to covered entities such as claims management and billing support. Nothing in this regulation would prohibit banks from becoming the business partners of covered entities in accordance with and subject to the conditions of § 164.506(e). If a bank offers an integrated package of traditional banking services and health claims and billing services, it could do so through a business partner arrangement that meets the requirements of proposed § 164.506(e). Any services offered by the bank that are not on the list of exempt services in 1179 would be subject to the terms of this rule.

We recognize that financial institutions’ role in providing information management systems to customers is evolving and that in the future, banks and credit card companies could develop and market to health plans and health care providers software designed specifically to record and track diagnostic and treatment information along with payment information. In light of the rapid evolution of information management technology available to plans and providers, we seek comment on the types of services that financial institutions are performing or may soon perform for covered entities, and how these services could be best addressed by this proposed rule.

Finally, we note that we would impose no verification requirements for most routine banking and payment activities. However, if a bank or financial institution seeks information outside payment processing transactions (e.g., during a special audit), we would require the covered entity to take reasonable steps to verify the identity of the person requesting the disclosure.

9. Uses and Disclosures for Research (§ 164.510(j))

[Please label comments about this section with the subject: ‘‘Research’’]

In § 164.510(j), we propose to permit covered entities to use and disclose protected health information for research without individual authorization, provided that the covered entity receives documentation that the research protocol has been reviewed by an Institutional Review Board or equivalent body—a privacy board—and that the board found that the research protocol meets specified criteria (regarding protected health information) designed to protect the subject. Absent such documentation, the subject’s protected health information could be disclosed for research only with the individual’s authorization, pursuant to the authorization requirements in proposed § 164.508.

Our proposed requirements for this disclosure build on the requirements for such disclosure under the Federal regulation that protects human subjects in research conducted or funded by the Federal government, the Federal Policy for the Protection of Human Subjects (often referred to as the ‘‘Common Rule’’), first published for several agencies at 56 FR 28,002–28,032 (1991), and codified for the Department of Health and Human Services at 45 CFR part 46.

a. Importance of research and the need for protected health information. Much important and sometimes lifesaving knowledge has come from studies that used individually identifiable health information, including biomedical and behavioral research, epidemiological studies, health services research, and statistical activities. This type of research has led to dramatic improvements in the nation’s health. For example, the results of such research include the association of a reduction in the risk of heart disease with dietary and exercise habits, the association between the use of diethylstilbestrol (DES) by pregnant women and vaginal cancer in their daughters, and the value of beta-blocker therapy in reducing re-hospitalizations and in improving survival among elderly survivors of acute myocardial infarction.

Likewise, research on behavioral, social, and economic factors that affect health, and the effect of health on other aspects of life may require individually identifiable health information. Studies of this kind can yield important information about treatment outcomes and patterns of care, disease surveillance and trends, health care costs, risk factors for disease, functional ability, and service utilization—which may ultimately lead to improvements in the quality of patient care, the identification and eradication of public health threats, and the development of new devices and pharmaceutical products. For example, such research uncovered the fact that disease screening and treatment patterns vary with the race of the person, which in turn has led to focused outreach programs to improve health. Such research showed that the results of certain highly invasive surgical treatments are better when the care is provided in hospitals that performed a high volume of these procedures.

It is not always possible for researchers to obtain the consent of every subject that a researcher may wish to include within a study. Thousands of records may be involved. Tracking down the subjects may entail costs that make the research impracticable. The requirement to obtain consent also may lead to biased study results, because those who refuse consent may be more or less likely than average to have a particular health problem or condition. This may be a particular concern where the research topic involves sensitive or potentially embarrassing information.

At the same time, the privilege of using individually identifiable health information for research purposes without individual authorization requires that the information be used and disclosed under strict conditions that safeguard individuals’ confidentiality.

b. Definition of research. In proposed § 164.504, we would define ‘‘research’’ as a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge. This is the definition of ‘‘research’’ in the Common Rule. This definition is well understood in the research community and elsewhere, and we propose to use it here to maintain consistency with other federal regulations that affect research.

For purposes of determining whether an activity is research under this proposed rule, it would not be relevant whether the information is given gratis, sold, bartered, rented, or otherwise provided for commercial gain. The purpose of this proposed rule regarding disclosure of protected health information for research is to protect the subjects of the information. Where the activity meets the definition of research and involves use or disclosure of protected health information, the rules in this section would apply. We request comments on any aspect of our proposed definition of research.

We understand that research and health care operations often look alike, and may overlap. We have provided definitions for these terms in § 164.504. We solicit comments on ways to further distinguish between research and operations, or otherwise clarify the application of this rule to such activities.

c. Privacy board review requirement. In § 154.510(j), we would require covered entities that wish to use or disclose protected health information for research without individual authorization to obtain documentation that a privacy board has reviewed the research protocol and has determined that specified criteria (described below) for waiver of authorization for use or disclosure of the information have been met. The board could be an IRB constituted under the Common Rule, or an equivalent privacy board that meets the requirements in this proposed rule. We propose to apply these requirements to uses and disclosures of protected health information by all covered entities, regardless of the source of funding of the research.

We propose no requirements for the location or sponsorship of the IRB or privacy board. The covered entity could create such a board, and could rely on it to review proposals for uses and disclosure of records. An outside researcher could come to the covered entity with the necessary documentation from his or her own university IRB. A covered entity could engage the services of an outside IRB or privacy board to obtain the necessary documentation. The documentation would have to be reviewed by the covered entity prior to a use or disclosure subject to this provision.

3 The following 17 Departments and Agencies have adopted the Common Rule: (1) Department of Agriculture; (2) Department of Commerce; (3) Department of Defense; (4) Department of Education; (5) Department of Energy; (6) Department of Health and Human Services; (7) Department of Housing and Urban Development; (8) Department of Justice; (9) Department of Transportation; (10) Department of Veterans Affairs; (11) International Development Cooperative Agency: Agency for International Development; (12) Consumer Product Safety Commission; (13) Environmental Protection Agency; (14) National Aeronautics and Space Administration; (15) National Science Foundation; (16) Social Security Administration; (17) Central Intelligence Agency. In addition, the White House Office of Science and Technology Policy is a signatory to the Common Rule, but its policy is not codified in the Code of Federal Regulations.

Under our proposal, we would require that the documentation provided by the IRB or privacy board state: (1) That the waiver of authorization has been approved by the IRB or privacy board; (2) that the board either is an IRB established in accordance with the HHS regulations (45 CFR 46.107) or equivalent regulations of another federal agency, or is a privacy board whose members (i) have appropriate expertise for review of records research protocols, (ii) do not have a conflict of interest with respect to the research protocol, and (iii) include at least one person not affiliated with the institution conducting the research; (3) that the eight criteria for waiver of authorization (described below) are met by the protocol; and (4) the date of board approval of the waiver of authorization. We would also require that the documentation be signed by the chair of the IRB or privacy board.

i. Application to disclosures and uses regardless of funding source.

The Common Rule describes conditions under which research may be conducted when obtaining authorization is not possible. Those conditions are intended to ensure that research on human subjects, including research using their health records, is conducted in a manner that minimizes or eliminates the risk of harm to individuals. The Common Rule has been adopted by seventeen Federal agencies,3 representing most of the federal agencies sponsoring human subjects research.

However, a significant amount of research involving protected health information is currently conducted in the absence of these federal protections. Pharmaceutical companies, health plans, and colleges and universities conduct research supported by private funds. Identifiable information currently is being disclosed and used by these entities without individual authorization without any assessment of risk or of whether individual privacy interests are being adequately protected.

The Secretary’s Recommendations call for the extension of the Common Rule principles for waiver of authorization for research uses and disclosures of identifiable health information to all research. The Recommendations also propose additional principles that directly address waiver of authorization for research use of such information. The Recommendations would require an external board to review proposals for research on health information under criteria designed to ensure that the need for waiver of authorization is real, that the public interest in the research outweighs the individual’s privacy interest, and that privacy will be protected as much as possible. In addition, the Secretary’s Recommendations proposed important restrictions on use and re-disclosure of information by researchers, and requirements for safeguarding protected information, that are not currently applied under the Common Rule.

Under the Secretary’s Recommendations, these requirements would apply to researchers who want to use or obtain identifiable information without first obtaining the authorization of the individual who is the subject of the information. However, under HIPAA, we do not have the authority to regulate researchers unless the researcher is also acting as a provider, as in a clinical trial. We can only directly regulate health care providers, health plans, and health care clearinghouses. This means that for most research-related disclosures of health information, we can directly regulate the entities that disclose the information, but not the recipients of the information. Therefore, in order to implement the principles in the Secretary’s Recommendations, we must impose any protections on the health plans and health care providers that use and disclose the information, rather than on the researcher seeking the information.

We understand that this approach involves imposing burdens on covered entities rather than on researchers. However, our jurisdiction under this statute leaves us the choice of taking this approach, or failing to provide any protection for individuals whose information is made the subject of research, or requiring individual authorization whenever a covered entity wants to disclose protected health information for research. The second approach would provide no protection for individuals, and the third approach would make much important research impossible. Therefore, we are proposing a mechanism that we believe imposes as little burden as possible on the covered entity while providing enhanced protection for individuals. This is not the approach we advocate for new federal privacy legislation, where we would propose that standards be applied directly to researchers, but it would be a useful and appropriate approach under the HIPAA legislative authority.

We considered a number of other approaches for protecting information from research subjects, particularly when covered entities use protected health information internally for research. We considered approaches that would apply fewer requirements for internal research uses of protected health information; for example, we considered permitting covered entities to use protected health information for research without any additional review. We also considered options for a more limited review, including requiring that internal uses for research using protected health information be reviewed by a designated privacy official or by an internal privacy committee. Another option that we considered would require covered entities to have an IRB or privacy board review their administrative procedures, either for research or more generally, but not to require such review for each research project. See the preamble section II.E.9.

We are not recommending these approaches because we are concerned about applying fewer protections to subjects of private sector research than are applied to subjects of federally-funded research subject to Common Rule protections, where IRB review is required for internal research uses of protected health information. At the same time, we recognize that the proposed rule would place new requirements on research uses and disclosures for research projects not federally-funded. We solicit comment on the approach that we are proposing, including on whether the benefits of the IRB or privacy board reviews would outweigh the burdens associated with the proposed requirements. We also solicit comment on whether alternative approaches could adequately protect the privacy interests of research subjects. We are interested in the extent to which the proposed rule could affect the amount and quality of research undertaken by covered entities or by researchers receiving information from covered entities. People commenting on the proposed rule also may wish to address the appropriateness of applying different procedures or different levels of protection to federally and nonfederally-funded research. We would note that, as discussed below, privacy boards or IRBs could adopt procedures for "expedited review" similar to those provided in the Common Rule (Common Rule § ___.110) for review of records research that involves no more than minimal risk. The availability of expedited review may affect the burden associated with the proposed approach.

4 It should be noted that for the Department of Defense, 10 U.S.C. 980 prohibits the waiver of informed consent. Only those studies that qualify for exemption per 45 CFR 46.101(b), or studies that do not meet the 45 CFR part 46 definition of human subjects research can be performed in the absence

Continued

ii. Documentation of privacy board approval. We considered several options for applying Common Rule principles to research not reviewed by Common Rule IRBs through imposing requirements on covered entities. We chose the use of the privacy board because it gives covered entities the maximum flexibility consistent with protecting research subjects. Under this approach, each covered entity that wants to use or disclose protected health information for research without individual authorization could obtain the required documentation directly from an existing privacy board, an internal privacy board created by the covered entity, or from a privacy board used by the researcher.

We considered prohibiting disclosure of protected health information for research unless covered entities enter into contracts, enforceable under law, which would require the researcher to meet the review criteria. Under this approach, the covered entity would be required to enter into a contract with the researcher in order to be permitted to disclose protected health information without individual authorization. In the contract, the researcher would agree to meet the criteria described below, as well as the additional restrictions on reuse and disclosure and the physical safeguards (also described below), in exchange for obtaining the information from the covered entity.

We did not adopt this approach because of the potentially burdensome administrative costs that could stem from the need to negotiate the contracts and ensure that they are legally enforceable under law. In addition, the covered entity may have little incentive to enforce these contracts. However, we seek comments on whether the benefits of this approach outweigh the burdens, whether we could expect the burdens to be eased by the development of model contracts by local universities or professional societies, and whether covered entities could be expected to enforce these contracts. We also seek comments on whether covered entities could be given a choice between the documentation approach proposed in this NPRM and a contract approach. We are particularly interested in comments on this approach, because it appears to be the only mechanism for including restrictions on reuse and disclosure by researchers in this proposed rule.

iii. Use of boards that are not IRBs. The Secretary’s Recommendations state that privacy protections for private sector records research should be modeled on the existing Common Rule principles. The cornerstone of the Common Rule approach to waiver of authorization is IRB approval. At the same time, we understand that Common Rule IRBs are not the only bodies capable of performing an appropriate review of records research protocols. In working with the Congress to develop comprehensive privacy legislation, we have explored the use of limited purpose privacy boards to review research involving use or disclosure of health information. If the review criteria and operating rules of the privacy board are sufficiently consistent with the principles stated in the Secretary’s Recommendations to afford the same level of protection, there would be no need to insist that the review board be a formal Common Rule IRB.

Among the Common Rule requirements for IRB membership, as stated in 45 CFR 46.107, are the following:

• Each IRB must have members with varying backgrounds and appropriate professional competence as necessary to review research protocols.

• Each IRB must include at least one member who is not affiliated with the institution or related to a person who is affiliated with the institution.

• No IRB member may participate in review of any project in which the member has a conflict of interest.

We propose to require that a covered entity could not use or disclose protected health information for research without individual authorization if the board that approved the waiver of authorization does not meet these three criteria.

We considered applying the additional criteria for IRB membership stated in the Common Rule. However, many of the additional criteria are relevant to research generally, but less relevant for a board whose sole function is to review uses or disclosures of health information. In addition, the Common Rule IRB membership criteria are more detailed than the criteria for privacy board membership we propose here. Since our legislative authority reaches to covered entities, but not to the privacy board directly, we decided that imposing additional or more detailed requirements on privacy boards would impose added burdens on covered entities that did not clearly bring concomitant increases in patient protections. We continue to support more complete application of Common Rule criteria directly to these privacy boards through federal legislation. We believe the approach we propose here strikes the appropriate balance between protecting individuals’ privacy interests and keeping burdens on covered entities to a minimum.

d. Criteria. In § 164.510(j)(2)(iii), we propose to prohibit the use or disclosure of protected health information for research without individual authorization unless the covered entity has documentation indicating that the following criteria are met:

• The use or disclosure of protected health information involves no more than minimal risk to the subjects;

• The waiver or alteration will not adversely affect the rights and welfare of the subjects;

• The research could not practicably be carried out without the waiver or alteration;

• Whenever appropriate, the subjects will be provided with additional pertinent information after participation;

• The research would be impracticable to conduct without the protected health information;

• The research project is of sufficient importance to outweigh the intrusion into the privacy of the individual whose information would be disclosed;

• There is an adequate plan to protect the identifiers from improper use and disclosure; and

• There is an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers.

The first four criteria are in the Common Rule. (The Common Rule § ___.116(d)).4 These criteria were designed for research generally, and not specifically to protect individuals’ privacy interests regarding medical records research. For this reason, the Secretary’s Recommendations include the last four criteria, which were developed specifically for research on medical records.

4 (continued) of a process to provide informed consent to prospective subjects. This proposed rule would not affect DOD’s implementation of 10 U.S.C. 980.

As part of the IRB or privacy board’s review of the use of protected health information under the research protocol, we assume that in case of a clinical trial, it would also review whether any waiver of authorization could also include waiver of the subject’s right of access to such information during the course of the trial. See § 164.514(b)(iv).

We recognize that the fourth criterion may create awkward situations for some researchers. Where authorization has been waived, it may be difficult to later approach individuals to give them information about the research project. However, in some cases the research could uncover information that would be important to provide to the individual (e.g., the possibility that they are ill and should seek further examination or treatment). For this reason, we are including this criterion in the proposed rule.

We also recognize that the fifth criterion, which would ask the board to weigh the importance of the research against the intrusion of privacy, would require the board to make a more subjective judgment than that required by the other criteria. This balancing, we feel, goes to the heart of the privacy interest of the individual. We understand, however, that some may view this criterion as a potential impediment to certain types of research. We solicit comment on the appropriateness of the criterion, the burden it would place on privacy boards and IRBs, and its potential effects on the ability of researchers to obtain information for research.

The Secretary’s Recommendations propose that a researcher who obtains protected health information this way should be prohibited from further using or disclosing it except when necessary to lessen a serious and imminent threat to the health or safety of an individual or to the public health, or for oversight of the research project, or for a new research project approved by an IRB or similar board. In addition the Recommendations propose an obligation on researchers to destroy the identifiers unless an IRB or similar board determines that there is a research or health justification for retaining them and an adequate plan to protect them from improper disclosure.

We do not have the authority under HIPAA to place such requirements directly on researchers. While criteria to be met in advance can be certified in documentation through board review of a research protocol, a board would have no way to assess or certify a researcher’s behavior after completion of the protocol (e.g., whether the researcher was engaging in improper reuse or disclosure of the information, or whether the researcher had actually destroyed identifiers). We instead propose to require the researcher to show a plan for safeguarding the information and destroying the identifiers, which the privacy board or IRB can review and evaluate in determining whether the requested disclosure is proper. We solicit comment on how to include ongoing protections for information so disclosed under this legislative authority without placing excessive burdens on covered entities.

We note that privacy boards or IRBs could adopt procedures for "expedited review" similar to those provided in the Common Rule (Common Rule § ___.110). Under the Common Rule’s expedited review procedure, review of research that involves no more than minimal risk, and involves only individuals’ medical records, may be carried out by the IRB chairperson or by one or more reviewers designated by the chairperson from among the members of the IRB. The principle of expedited review could be extended to other privacy boards for disclosures for records-based research. Like expedited review under the Common Rule, a privacy board could choose to have one or more members review the proposed research.

e. Additional provisions of this proposed rule affecting research.

i. Research including health care. To the extent that the researcher studying protected health information is also providing treatment as defined in proposed § 164.504, such as in a clinical trial, the researcher would be a covered health care provider for purposes of that treatment, and would be required to comply with all the provisions of this rule applicable to health care providers.

ii. Individual access to research information.

The provisions of § 164.514 of this proposed rule, regarding individual access to records, would also apply where the research includes the delivery of health care. We are proposing an exception for clinical trials where the information was obtained by a covered provider in the course of a clinical trial, the individual has agreed to the denial of access when consenting to participate in the trial (if the individual’s consent to participate was obtained), and the trial is still in progress.

iii. Research on records of deceased persons.

In § 164.506(f), we propose that, unlike the protections provided by the remainder of this rule, the protections of this proposed rule will end at the death of the subject for the purpose of disclosure of the subject’s information for research purposes. In general, this proposed rule would apply to the protected health information of an individual for two years after the individual’s death. However, requiring IRB or privacy board review of research studies that use only health information from deceased persons would be a significant change from the requirements of the Common Rule, which apply to individually identifiable information about living individuals only. In addition, some of the Common Rule criteria for waiver of authorization are not readily applicable to deceased persons. To avoid a conflict between Common Rule requirements and the requirements of this proposed rule, we are proposing that the protections of this proposed rule end at the death of the subject for the purpose of disclosure of the subject’s information for research purposes.

iv. Verification. In § 164.518(c), we propose to require covered entities to verify the identity of most persons making requests for protected health information and, in some cases, the legal authority behind that request. For disclosures of protected health information for research purposes under this subsection, the required documentation of IRB or privacy board approval would constitute sufficient verification. No additional verification would be necessary under § 164.518(c).

f. Application to research covered by the Common Rule. Some research projects would be covered by both the Common Rule and the HIPAA regulation. This proposed rule would not override the Common Rule. Thus, where both the HIPAA regulation and the Common Rule would apply to research conducted by a covered entity, both sets of regulations would need to be followed. Because only half of the substantive criteria for board approval proposed in this rule are applied by IRBs today, this would entail new responsibilities for IRBs in these situations. However, we believe that the additional burden would be minimal, since the IRBs will already be reviewing the research protocol, and will be asked only to assess the protocol against some additional criteria. This burden is justified by the enhancement of privacy protections gained by applying rules specifically designed to protect the subjects of medical records research.

We considered excluding research covered by the Common Rule from the provisions of this proposed rule. We rejected this approach for two reasons. First, the additional proposed requirements applied through HIPAA are specifically designed to protect the privacy interests of the research subjects, and the small additional burden on IRBs would be outweighed by the improved protections for individuals. Second, such an approach would allow federally-funded research to proceed under fewer restrictions than privately funded research. We believe that the source of funding of the research should not determine the level of protection afforded to the individual.

We note that the definition of "identifiable" information proposed in § 164.504 of this rule differs from the interpretation of the term under the Common Rule. In particular, if a covered entity encodes identifiers as required under § 164.506(d) before undertaking a disclosure of health information for research purposes, the requirements of this section would not apply. However, the encoded information would still be considered "identifiable" under the Common Rule and therefore may fall under the human subjects regulations.

g. Obtaining the individual’s authorization for research use or disclosure of protected health information. If a covered entity chooses to obtain individual authorization for use or disclosure of information for research, the requirements applicable to individual authorizations for release of protected health information would apply. These protections are described in § 164.508.

For research projects to which both the Common Rule and this proposed rule would apply, both sets of requirements for obtaining the authorization of the subject for research would apply. As with criteria for waiver of authorization, this proposed rule would impose requirements for obtaining authorization that are different from Common Rule requirements for obtaining consent. In particular, the regulation would require more information to be given to individuals regarding who could see their information and how it would be used. For the reasons explained above, we are proposing that both sets of requirements apply, rather than allow federally-funded research to operate with fewer privacy protections than privately-funded research.

h. Need to assess the Common Rule. In general, the Common Rule was designed to protect human subjects participating in research projects from physical harm. It was not specifically designed to protect an individual’s medical records when used for research. For research in which only the medical information of the human subject is used, i.e., records research, there are several ways in which the Common Rule protections could be enhanced.

In developing these proposed regulations, and in reviewing the comprehensive medical privacy legislation pending before Congress, it has become clear that the Department’s human subject regulations (45 CFR part 46, 21 CFR part 50, and 21 CFR part 56) may not contain all of the safeguards necessary to protect the privacy of research participants. Because the source of research funding should not dictate the level of privacy protection afforded to a research subject, the Secretary of HHS will immediately initiate plans to review the confidentiality provisions of the Common Rule.

To further that process, we solicit comments here on how Common Rule protections for the subjects of records review should be enhanced. For example, we will consider the adequacy of the Common Rule’s provisions regarding conflict of interest, expedited review, exemptions (such as the exemption for certain research on federal benefits programs), deceased subjects, and whether IRBs should place greater emphasis on confidentiality issues when reviewing research protocols. We also seek comment on whether the Common Rule requirements for obtaining consent for records research should be modified to reflect the specific risks entailed in such research.

In addition, because seventeen other Departments and Agencies are signatories to the Common Rule and each has its own human subject regulations, the Secretary of HHS will consult with these Departments and Agencies regarding potential changes to the Common Rule.

10. Uses and Disclosures in Emergency Circumstances (§ 164.510(k))

[Please label comments about this section with the subject: "Emergency circumstances"]

In § 164.510(k), we propose to permit covered entities to use or disclose protected health information in emergencies, consistent with applicable law and standards of ethical conduct, based on a reasonable belief that the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of any person or the public.

a. Importance of emergency response and the need for protected health information. Circumstances could arise that are not otherwise covered in the rules proposed in §§ 164.510(b) and 164.510(f) for law enforcement and public health, where covered entities may need to disclose protected health information to prevent or lessen a serious and imminent threat of harm to persons or the public. Persons at risk include the individual who is the subject of the protected health information as well as others. Through their professional activities, covered entities, particularly health care providers, may obtain information that leads them to believe that an individual is at risk of harm to him or herself, or poses a threat to others. This information could be needed by emergency and first responders (including law enforcement officials) to deal with or prevent an emergency situation posing a serious and imminent threat of harm to such persons or the public.

b. Proposed requirements. We would permit covered entities, consistent with applicable law and standards of ethical conduct, to disclose protected health information based on a reasonable belief that the disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public. Covered entities would only be permitted to make such disclosures to persons who are reasonably able to prevent or lessen the threat, including to the target of the threat.

Anticipating all circumstances under which emergency disclosure could be necessary is not possible. This section must be stated in somewhat general terms. We intend to permit covered entities to respond to emergency requests for protected health information, where it is reasonable for the covered entity to believe that such disclosure would prevent or reduce a serious emergency situation. Such emergencies may threaten a single person or the general public. We do not intend to permit disclosure of protected health information in response to hypothetical scenarios or potential emergencies that are not imminent and serious. This permitted disclosure would be narrow; it should not become a loophole for disclosures not permitted by the other provisions of the proposed rule.


This provision would permit disclosure of relevant information in response to credible requests from law enforcement, public health, or other government officials. The covered entity would be permitted to reasonably rely on credible representations that an emergency exists and that protected health information could lessen the threat. If the disclosure was made in a good faith belief that these circumstances exist, it would be lawful under this section. A covered entity could also disclose protected health information on its own initiative if it determined that the disclosure were necessary, consistent with other applicable legal or ethical standards. Our proposed rule is intended to permit such disclosures where they are otherwise permitted by law or ethical standards. We do not intend to permit disclosures by health care providers or others that are currently prohibited by other law or ethical standards.

Disclosure for emergency circumstances could be authorized by statute or common law and could also be addressed in medical professional ethics and standards. For example, the American Medical Association Principles of Medical Ethics on Confidentiality provides that:

[T]he obligation to safeguard patient confidences is subject to certain exceptions that are ethically and legally justified because of overriding social consideration. Where a patient threatens to inflict serious bodily harm to another person or to him or herself and there is a reasonable probability that the patient may carry out the threat, the physician should take reasonable precautions for the protection of the intended victim, including notification of law enforcement authorities.

The duty to warn third persons at risk has been addressed in court cases, and the provision proposed permits disclosures in accord with such legal duties. The leading case on this issue is Tarasoff v. Regents of the University of California, 17 Cal. 3d 425 (1976). In that case, a therapist’s patient made credible threats against the physical safety of a specific person. The Supreme Court of California found that the therapist involved in the case had an obligation to use reasonable care to protect the intended victim of his patient against danger, including warning the victim of the peril. Many States have adopted (judicially or legislatively) versions of the Tarasoff duty to warn, but not all States have done so. This proposed rule is not intended to create a duty to warn or disclose but would simply permit the disclosure under the emergency circumstances consistent with other applicable legal or ethical standards.

An emergency disclosure provision does present some risks of improper disclosure. There will be pressures and uncertainties when disclosures are requested under emergency circumstances, and decisions must often be made instantaneously and without the ability to seek individual authorization or to perform complete verification of the request. We believe that this risk would be warranted when balancing the individual’s interest in confidentiality against the societal interests to preserve life and protect public safety in those rare emergency circumstances where disclosure is necessary. A covered entity that makes a reasonable judgement under such pressure and discloses protected health information in good faith would not be held liable for wrongful disclosure if circumstances later prove not to have warranted the disclosure.

We would also exempt emergency disclosures from provisions that allow individuals to request restrictions on uses and disclosures of their protected health information for treatment, payment and health care operations. In emergency situations, health care professionals need to have any information that will allow them to respond to the emergency circumstance, and cannot be expected to take the time to remind themselves of restrictions on particular information. See proposed § 164.506(c).

11. Disclosure to Next-of-Kin (§ 164.510(l))

[Please label comments about this section with the subject: "Next-of-kin"]

In § 164.510(l), we propose to requirehealth care providers to obtain a verbalagreement from the individual beforedisclosing protected health informationto next-of-kin, to other family members,or to others with whom the individualhas a close personal relationship. Whereit is not practical or feasible to requestand obtain such verbal agreement,providers could disclose to next-of-kin,to other family members, or to otherswith whom an individual has a closepersonal relationship, protected healthinformation that is directly relevant tothe person’s involvement in theindividual’s care, consistent with goodprofessional health practice and ethics.

a. Importance of disclosures to next-of-kin and the need for protected healthinformation. In some cases, disclosureof protected health information to next-of-kin, to other relatives, or to personswith whom the individual has a closepersonal relationship and who areinvolved in caring for or helping theindividual, can facilitate effective healthcare delivery. We do not intend to

impede the disclosure of protectedhealth information to relatives or friendswhen expeditious disclosure of suchinformation clearly would be in theindividual’s best interest.

b. Proposed requirements. Wepropose that when an individual has thecapacity to make his or her own healthdecisions, providers could discloseprotected health information to theindividual’s next-of-kin, to otherrelatives, or to persons with whom theindividual has a close personalrelationship, if the individual hasverbally agreed to such disclosure.Verbal agreement could be indicatedinformally, for example, from the factthat the individual brought a familymember or friend to the physicianappointment and is actively includingthe family member or friend in thediscussion with the physician. If,however, the situation is less clear andthe provider is not certain that theindividual intends for the familymember or friend to be privy toprotected health information about theindividual, the provider would berequired to ask the individual. In thesecases, when verbal agreement can beobtained, that agreement would besufficient verification of the identity ofthe person to meet the requirements of§ 164.518(c).

We would also permit health careproviders to disclose protected healthinformation without verbal agreement tonext-of-kin, to other relatives, or topersons with whom the individual hasa close personal relationship, if suchagreement cannot practicably orreasonably be obtained and thedisclosure is consistent with goodhealth professional practice and ethics.When verbal agreement cannot beobtained, the provider would berequired to take reasonable steps toverify the identity of the family memberor friend in order to meet theverification requirement under§ 164.518(c). Verbal inquiry wouldsuffice; we would not require anyspecific type of identity check.

We considered requiring a written authorization for each disclosure in these situations, but rejected that option because it is not practicable and does not provide sufficient additional privacy protection to justify the burden it would place on health care providers and individuals. Many of these conversations are unscheduled and of short duration, and requiring a written authorization may impede treatment and detain the individual. Therefore we would allow a one-time verbal agreement and (where required) verification to suffice for disclosure of protected health information relevant to the individual’s care. For example, a health care provider could disclose protected health information about an individual’s treatment plan to the individual’s adult child who is taking the individual home from the hospital, if the provider has verbally requested and the individual has agreed to providing the adult child with relevant information about aspects of the individual’s health care. Disclosure also could be appropriate in cases where a verbal agreement cannot practicably be obtained. For example, a pharmacist could be guided by his or her professional judgment in dispensing a filled prescription to someone who claims to be picking it up on behalf of the individual for whom the prescription was filled.

In such cases, disclosures would have to follow the ‘‘minimum necessary’’ provisions of proposed § 164.506(b). For example, health care providers could not disclose without individual authorization extensive information about the individual’s surgery or past medical history to the neighbor who is simply driving the individual home and has no need for this information. We request comment on this approach.

The proposed definition of ‘‘individual’’ addresses related disclosures regarding minors and incapacitated individuals.

12. Additional Uses and Disclosures Required by Other Law (§ 164.510(n))

[Please label comments about this section with the subject: ‘‘Additional uses and disclosures required by other law’’]

In § 164.510(n) we propose to allow covered entities to use or disclose protected health information if such use or disclosure is not addressed elsewhere in § 164.510, is required by other law, and the disclosure meets all the relevant requirements of such law.

Other laws may require uses or disclosures of protected health information for purposes not captured by the other provisions of proposed § 164.510. An example is State workers’ compensation laws, which could require health care providers to disclose protected health information to a workers’ compensation insurer or to an employer. Covered entities generally could make uses and disclosures required by such other laws.

Where such a use or disclosure would also be addressed by other provisions of this regulation, the covered entity would also have to follow the requirements of this regulation. Where the provisions of the other law requirements are contrary to the provisions in this proposed rule and more protective of the individual’s privacy, the provisions of the other law would generally control. See discussion in section II.I below.

We have included this section because it is not our intention to obstruct access to information deemed important enough by other authorities to require it by law. We considered omitting this provision because we are concerned that we do not know enough about the required disclosures it would encompass, but decided to retain it in order to raise the issue of permitting disclosures for other, undetermined purposes. We solicit comment on the possible effects of omitting or narrowing this provision.

Under this section, health care providers could make reports of abuse of any person that are required by State law. All States require reports of abuse. All States require reporting to child protective agencies of instances of child abuse or neglect that they identify, and most States require similar reports of abuse or neglect of elderly persons. These are valuable requirements which we support and encourage. The Act (in section 1178(b)) specifically requires that this regulation not interfere with State requirements for reporting of abuse. Additionally, all States require health care providers to report gunshot wounds and certain other health conditions related to violence; this provision would permit such reports.

Section 164.518(c), requiring verification of the identity and legal authority of persons requesting disclosure of protected health information, would apply to disclosures under § 164.510(n). As noted above, we are not familiar with all of the disclosures of protected health information that are mandated by State law, so we cannot be certain that the verification requirements in § 164.518(c) would always be appropriate. We solicit comments on whether those requirements would be appropriate for all disclosures that would be permitted here.

13. Application to Specialized Classes (§ 164.510(m))

In the following categories we propose use and disclosure provisions that respond to the unique circumstances of certain federal programs. We request comment on whether additional provisions are necessary to comply with the suitability and national security determination requirements of Executive Order 10450, as amended, and other national security laws.

a. Application to military services.

[Please label comments about this section with the subject: ‘‘Military services’’]

To address the special circumstances of the Armed Forces and their health care systems, we propose to permit military and other federal providers and health plans to use and disclose protected health information about active duty members of the Armed Forces for certain purposes, and to exclude from coverage under this rule health information about certain persons who receive care from military providers.

i. Members of the Armed Forces.

The primary purpose of the health care system of the military services differs in its basic character from that of the health care system of society in general. The special nature of military service is acknowledged by the Constitutional provision for separate lawmaking for them (U.S. Constitution, article I, section 8, clause 14) and in their separate criminal justice system under the Uniform Code of Military Justice (10 U.S.C. 801, et seq.).

The military health care system, like other federal and civilian health care systems, provides medical care and treatment to its beneficiary population. However, it also serves a critical national defense purpose, ensuring that the Armed Forces are in a state of medical readiness to permit the discharge of those responsibilities as directed by the National Command Authority.

The health and well-being of military members is key and essential. This is true whether such personnel are serving in the continental United States or overseas or whether such service is combat-related or not. In all environments, operational or otherwise, the Armed Forces must be assured that its personnel are medically qualified to perform their responsibilities. This is critical as each and every person performs a vital service upon which others must rely in executing a specified defense requirement. Unqualified personnel not only jeopardize the possible success of an assignment or operation, but they pose an undue risk and danger to others.

To assure that such persons are medically fit, health information is provided to proper command authorities regarding military members performing certain critical functions for medical screening and other purposes so that determinations can be made regarding the ability of such personnel to perform assigned duties. For example, health information is provided regarding:

• A pilot receiving medication that may affect alertness;

• An Armed Forces member with an intolerance for a vaccine necessary for deployment to certain geographical areas;

• Any significant medical or psychological changes in a military member who is a member of the Nuclear Weapons Personnel Reliability Program;

• A military recruit or member with an illness or injury which disqualifies him or her from military service;

• Compliance with controlled substances policies.

The military and the Coast Guard obtain such information from their own health care systems, as well as from other agencies that provide health care to service members, such as the Department of Transportation (DOT), which is responsible for the United States Coast Guard and other federal agencies which provide medical care to members of the Armed Forces (e.g., the Department of State (DOS) provides such care to military attaches and Marine security personnel assigned to embassies and consulates overseas, the Department of Veterans Affairs provides care in certain areas of the country or in cases involving specialized services). Other health care providers could also provide information, for example, when a private sector physician treats a member injured in an accident.

The special needs of the DOD and DOT for accessing information for purposes other than treatment, payment or health care operations were recognized in the Secretary’s Recommendations. We considered several options for accommodating the unique circumstances of a military health care environment. We considered providing special rule-making authority to the DOD and other federal agencies which provide care to members of the military, but HIPAA does not allow for such delegation by the Secretary of HHS. Therefore, we propose that health care providers and health plans of the DOD, the DOT, the DOS, the Department of Veterans Affairs as well as any other person or entity providing health care to Armed Forces personnel, could use or disclose protected health information without individual authorization for activities deemed necessary by appropriate military command authorities to assure the proper execution of the military mission.

The appropriate military command authorities, the circumstances in which use or disclosure without individual authorization would be required, and the activities for which such use or disclosure would occur in order to assure proper execution of the military mission, would be identified through Federal Register notices promulgated by the DOD or the DOT (for the Coast Guard). The verification requirements in § 164.518(c) would apply to disclosures permitted without authorization.

This proposal would not confer authority on the DOD or the DOT to enact rules which would permit use or disclosure of health information that is restricted or controlled by other statutory authority.

ii. Foreign diplomatic and military personnel.

The Department of Defense, as well as other federal agencies, provide medical care to foreign military and diplomatic personnel, as well as their dependents. Such care is provided pursuant to either statutory authority (e.g., 10 U.S.C. 2549) or international agreement. The care may be delivered either in the United States or overseas. Also, where health care is provided in the United States, it may be furnished by non-government providers when government delivered care is not available or the beneficiary elects to obtain private as opposed to government health care. Examples include:

• Foreign military personnel being trained, or assigned to U.S. military organizations, in the United States who receive care from either government or private health care providers;

• The DOD operated medical clinic which provides care to all allied military and diplomatic personnel assigned to NATO SHAPE Headquarters in Brussels, Belgium;

• The DOS, which also is engaged in arranging health care for foreign diplomatic and military personnel and their families, could also have legitimate needs for information concerning the health services involved.

We believe that the statute was not intended to cover this unique class of beneficiaries. These persons are receiving U.S., either private or governmental, furnished health care, either in the United States or overseas, because of the beneficiary’s military or diplomatic status. For such personnel, we believe that the country-to-country agreements or federal statutes which call for, or authorize, such care in furtherance of a national defense or foreign policy purpose should apply. We propose to exclude foreign military and diplomatic personnel and their dependents who receive health care provided by or paid for by the DOD or other federal agency, or by an entity acting on its behalf pursuant to a country-to-country agreement or federal statute, from the definition of an ‘‘individual’’ in § 164.504. Therefore, the health information created about such persons by a DOD or other federal agency health care provider would not be protected under this rule. However, information created about such persons by covered health care providers whose services are not paid for by or provided on behalf of a federal agency would be protected health information.

iii. Overseas foreign national beneficiaries.

The Department of Defense, as well as other federal agencies and U.S.-based non-governmental organizations, provide health care to foreign nationals overseas incident to U.S. sponsored missions or operations. Such care is provided pursuant to federal statute, international agreement, international organization sponsorship, or incident to military operations (including humanitarian and peacekeeping operations). Examples include:

• The DOD provides general health care to an indigenous population incident to military deployment;

• The DOD provides health care to captured and detained personnel as a consequence of overseas combat operations. Such care is mandated by international agreement, i.e., the Geneva Conventions. The most recent example involves the surrender or capture of Iraqi soldiers during the conduct of Operation Desert Storm;

• A number of federal agencies and non-governmental organizations provide health care services as part of organized disaster relief or other humanitarian programs and activities around the world.

We believe that the statute did not contemplate these unique beneficiary populations. Under circumstances where healthcare is being furnished to foreign nationals incident to sanctioned U.S. activities overseas, application of these proposed rules could have the unintended effect of impeding or frustrating the conduct of such activities, and producing incongruous results. Examples include:

• Requiring preparation of a notice advising the local population of the information practices of the DOD incident to receiving free medical care as part of disaster relief.

• Medical information involving a prisoner of war could not be disclosed, without the prisoner’s consent, to U.S. military authorities who have responsibility for operating the POW camps.

Therefore, we propose to exclude overseas foreign national beneficiaries of health care provided by the DOD or other federal agency, or by non-governmental organizations acting on behalf of a federal agency, from the definition of an individual. This exclusion would mean that any health information created when providing health care to this population would not be protected health information and therefore not covered by these rules.

iv. Disclosure to the Department of Veterans Affairs.

Upon completion of an individual’s military service, the DOD routinely transfers that person’s entire military service record, including protected health information, to the Department of Veterans Affairs so the file can be retrieved quickly if the individual or his/her dependents apply for veterans benefits. This practice was initiated in an effort to expedite veterans benefits eligibility determinations by ensuring timely access to complete, accurate information on the veteran’s military service. Under the proposed rule, the transfer of these files would require individual authorization if protected health information is included. While this change could increase the time necessary for benefits processing in some cases, we believe the privacy interests outweigh the related administrative challenges. We invite comment on whether our assessment of costs and benefits is accurate. We also invite comment on alternative methods for ensuring privacy while expediting benefits processing.

b. Application to the Department of Veterans Affairs.

[Please label comments about this section with the subject: ‘‘Department of Veterans Affairs’’]

We propose to permit protected health information to be used without individual authorization by and among components of the Department of Veterans Affairs that determine eligibility for or entitlement to, or that provide, benefits under laws administered by the Secretary of Veterans Affairs.

This exemption recognizes that the Veterans Administration is two separate components: The Veterans Health Administration (which operates health care facilities) and the Veterans Benefits Administration (which operates the Veterans disability program). The close integration of the operations of the two components may make requiring individual authorizations before transferring protected health information particularly disruptive. Further, the Veterans Health Administration transfers medical information on a much larger scale than most other covered entities, and requiring individual authorization for transfers among components could compromise the Department of Veterans Affairs’ ability to fulfill its statutory mandates.

Nonetheless, we invite comments on this approach. In particular, we are interested in whether the requirement for individual authorization for disclosure of medical records for use in benefits calculations would increase privacy protections for veterans, or whether it would be of questionable value since most veterans would authorize disclosure if it were tied to their benefits. We also are interested in comments on whether the proposed approach would unreasonably hamper the Department of Veterans Affairs in its ability to make accurate benefits determinations in cases in which individuals chose not to authorize disclosure.

c. Application to the Department of State.

[Please label comments about this section with the subject: ‘‘Department of State’’]

We propose to permit the Department of State to use and disclose protected health information for certain purposes unrelated to its role as a health care provider but necessary for the achievement of its mission.

i. Importance of Foreign Service determinations and the need for protected health information.

The Secretary of State administers and directs the Foreign Service. As contemplated in the Foreign Service Act, the Foreign Service is ‘‘to serve effectively the interests of the United States’’ and ‘‘provide the highest caliber of representation in the conduct of foreign affairs;’’ members of the Foreign Service are to be available to serve in assignments throughout the world. As called for under the Foreign Service Act, the DOS has established a health care program to promote and maintain the physical and mental health of members of the Service and that of other Government employees serving abroad under chief of mission authority, as well as accompanying family members. The DOS provides health care services to thousands of Foreign Service officers, other government employees and their families serving abroad, many of whom are frequently changing posts or assignments.

Worldwide availability for service is a criterion for entrance into the Foreign Service, so that applicants with conditional offers of employment must undergo medical clearance examinations to establish their physical fitness to serve in the Foreign Service on a worldwide basis prior to entrance into the Foreign Service. Employees and accompanying family members also must be medically cleared before assignments overseas, to preclude assignment to posts where existing medical conditions would be exacerbated or where resources to support an existing medical condition are inadequate.

The DOS uses protected health information gained through its role as a health care provider to fulfill its other responsibilities. The information is used to make medical clearance and fitness decisions as well as other types of determinations requiring medical information (such as fitness for duty or eligibility for disability retirement of Foreign Service members). Such information is also used to determine whether to immediately evacuate an individual for evaluation or treatment, or to determine whether to allow an employee or family member to remain in a position or at post abroad. An individual’s record can include medical information provided to the DOS with the individual’s authorization by outside health care providers, protected health information about treatment provided or paid for by the DOS, and medical information collected from non-treatment processes such as the clearance process.

ii. Proposed requirements.

We are proposing to exempt the DOS from the requirement to obtain individual authorization (§ 164.508) in order to use or disclose protected health information maintained by its health care program in certain cases. Specifically, the exemption would apply to the disclosure or use of protected health information of the following individuals for the following purposes: (1) Of applicants to the Foreign Service for medical clearance determinations of physical fitness to serve in the Foreign Service on a worldwide basis, including: medical and mental conditions limiting assignability abroad; conformance to occupational physical standards, where applicable; and suitability;

(2) of members of the Foreign Service and other United States Government employees assigned to serve abroad under Chief of Mission authority, for (a) medical clearance determinations for assignment to posts abroad, including: medical and mental conditions limiting such assignment; conformance to occupational physical standards, where applicable; continued fitness for duty, suitability, and continuation of service at post (including decisions on curtailment); (b) separation medical examinations; and (c) determinations of eligibility of members of the Foreign Service for disability retirement (whether on application of the employee or the Secretary);


(3) of eligible family members of Foreign Service or other United States Government employees, for medical clearance determinations like those described in (2) above to permit such family members to accompany employees to posts abroad on Government orders, as well as determinations regarding family members remaining at post and separation medical examinations.

The proposed exemption is intended to maintain the DOS’s procedures regarding internal of medical information in conformance with the Privacy Act of 1974, as amended, and 42 CFR Part 2, which would continue to apply to the DOS. The verification requirements of § 164.518(c) would apply to these disclosures.

The DOS is considering the need to add national security determinations under Executive Order 10450, as amended, and other suitability determinations to the exempted purposes listed above. We therefore request comment as to the purposes for which use or disclosure of protected health information without individual authorization by the DOS would be appropriate.

d. Application to employees of the intelligence community.

[Please label comments about this section with the subject: ‘‘Intelligence community’’]

We propose to permit covered entities to disclose protected health information about individuals who are employees of the intelligence community (as defined in Section 4 of the National Security Act, 50 U.S.C. 401a), and their dependents, to intelligence community agencies without individual authorization when authorized by law.

This provision addresses the special circumstances of the national intelligence community. The preservation of national security depends to a large degree on the health and well-being of intelligence personnel. To determine fitness for duty, including eligibility for a security clearance, these agencies must have continued access to the complete health records of their employees. To ensure continued fitness for duty, it is critical that these agencies have access to the entire medical record on a continuing basis. An incomplete medical file that excluded mental health information, for instance, could result in an improper job placement and a potential breach in security.

The term ‘‘intelligence community’’ is defined in section 4 of the National Security Act, 50 U.S.C. 401a, to include: the Office of the Director of Central Intelligence, which shall include the Office of the Deputy Director of Central Intelligence, the National Intelligence Council (as provided for in 50 U.S.C. 403–5(b)(3) [1]), and such other offices as the Director may designate; the Central Intelligence Agency; the National Security Agency; the Defense Intelligence Agency; the National Imagery and Mapping Agency; the National Reconnaissance Office; other offices within the DOD for the collection of specialized national intelligence through reconnaissance programs; the intelligence elements of the Army, the Navy, the Air Force, the Marine Corps, the Federal Bureau of Investigation, the Department of the Treasury, and the Department of Energy; the Bureau of Intelligence and Research of the Department of State; and such other elements of any other department or agency as may be designated by the President, or designated jointly by the Director of Central Intelligence and the head of the department or agency concerned, as an element of the intelligence community.

We would permit covered entities to disclose protected health information concerning employees of the intelligence community and their dependents where authorized by law. The verification requirements of § 164.518(c) would apply to these disclosures.

F. Rights of individuals.[Please label comments about this

section with the subject: ‘‘Introductionto rights of individuals’’]

The following proposed sections areintended to facilitate individualunderstanding of and involvement inthe handling of their protected healthinformation. Four basic individualrights would be created under thissection: the right to a notice ofinformation practices; the right to obtainaccess to protected health informationabout them; the right to obtain access toan accounting of how their protectedhealth information has been disclosed;and the right to request amendment andcorrection of protected healthinformation.

The rights described below wouldapply with respect to protected healthinformation held by health careproviders and health plans. We areproposing that clearinghouses not besubject to all of these requirements. Webelieve that as business partners ofcovered plans and providers,clearinghouses would not usuallyinitiate or maintain direct relationshipswith individuals. The contractualrelationship between a clearinghouse (asa business partner) and a covered planor provider would bind the

clearinghouse to the notice ofinformation practices developed by theplan or provider and it will includespecific provisions regarding inspection,copying, amendment and correction.Therefore, we do not believe theclearinghouses should be required toprovide a notice or provide access forinspection, copying, amendment orcorrection. We would requireclearinghouses to provide an accountingof any disclosures for purposes otherthan treatment, payment and health careoperations to individuals upon request.See proposed § 164.515. It is ourunderstanding that the vast majority ofthe clearinghouse function falls withinthe scope of treatment, payment, andhealth care operations and therefore wedo not believe providing this importantright to individuals will impose asignificant burden on the industry. Weinvite comment on whether or not weshould require clearinghouses tocomply with all of the provisions of theindividual rights section.

1. Rights and Procedures for a WrittenNotice of Information Practices.(§ 164.512)

[Please label comments about thissection with the subject: ‘‘Notice ofinformation practices’’]

a. Right to a written notice of information procedures. We are proposing that individuals have a right to an adequate notice of the information practices of covered plans and providers. The notice would be intended to inform individuals about what is done with their protected health information and about any rights they may have with respect to that information. Federal agencies must adhere to a similar notice requirement pursuant to the Privacy Act of 1974 (5 U.S.C. 552a(e)(3)).

We are not proposing that business partners (including health care clearinghouses) be required to develop a notice of information practices because, under this proposed rule, they would be bound by the information practices of the health plan or health care provider with whom they are contracting.

We considered requiring covered plans or providers to obtain a signed copy of the notice form (or some other signed indication of receipt) when they give the form to individuals. There are advantages to including such a requirement. A signed acknowledgment would provide evidence that the notice form has been provided to the individual. Further, the request to the individual to formally acknowledge receipt would highlight the importance of the notice, providing additional encouragement for the individual to read it and ask questions about its content.

We are concerned, however, that requiring a signed acknowledgment would significantly increase the administrative and paperwork burden of this provision. We also are unsure of the best way for health plans to obtain a signed acknowledgment because plans often do not have face-to-face contact with enrollees. It may be possible to collect an acknowledgment at initial enrollment, for example by adding an additional acknowledgment to the enrollment form, but it is less clear how to obtain it when the form is revised. We solicit comment on whether we should require a signed acknowledgment. Comments that address the relative advantages and burdens of such a provision would be most useful. We also solicit comment on the best way to obtain signed acknowledgments from health plans if such a provision is included in the final rule. We also solicit comments on other strategies, not involving signed acknowledgments, to ensure that individuals are effectively informed about the information practices of covered plans or providers.

b. Revising the notice. We are proposing that covered plans and providers be permitted to change their policies and procedures at any time. Before implementing a change in policies and procedures, the covered plan or provider must revise its notice accordingly. However, where the covered plan or provider determines that a compelling reason exists to take an action that violates its notice, it may do so only if it documents the reason supporting the action and revises its notice within 30 days of taking such action. The distribution requirements that would apply when the notice has been materially revised are discussed in detail below.

c. Content of the notice. In § 164.512, we propose the categories of information that would be required in each notice of information practices, the specific types of information that would have to be included in each category, and general guidance as to the presentation of written materials. A sample notice is provided in the Appendix to this preamble. This sample notice is provided as an example of how the policies of a specific covered health care provider could be presented in a notice. Each covered health plan and health care provider would be required to create a notice that complies with the requirements of this proposed rule and reflects its own unique information practices. The sample notice does not indicate all possible information practices or all issues that could be addressed in the notice. Covered plans and providers may want to include significantly more detail, such as the business hours during which an individual could review their records or the entity’s standard time frame for responding to requests to review records; entities could choose to list all types of mandatory disclosures.

In a separate section of this proposed rule, we would require covered plans or providers to develop and document policies and procedures relating to use, disclosure, and access to protected health information. See proposed § 164.520. We intend for the documentation of policies and procedures to be a tool for educating the entity’s personnel about its policies and procedures. In addition, the documentation would be the primary source of information for the notice of information practices. We intend for the notice to be a tool for educating individuals served by the covered plan or provider about the information practices of that entity. The information contained in the notice would not be as comprehensive as the documentation, but rather would provide a clear and concise summary of relevant policies and procedures.

We considered prescribing specific language that each covered plan or provider would include in its notice. The advantages of this approach would be that the recipient would get exactly the same information from each covered plan or provider in the same format, and that it would be convenient for covered plans or providers to use a uniform model notice.

There are, however, several disadvantages to this approach. First, and most important, no model notice could fully capture the information practices of every covered plan or provider. Large entities will have different information practices than small entities. Some health care providers, for example academic teaching hospitals, may routinely disclose identifiable health information for research purposes. Other health care providers may rarely or never make such disclosures. To be useful to individuals, each entity’s notice of information practices should reflect its unique privacy practices.

Another disadvantage of prescribing specific language is that it would limit each covered plan or provider’s ability to distinguish itself in the area of privacy protections. We believe that if information on privacy protections were readily available, individuals might compare and select plans or providers based on their information practices. In addition, a uniform model notice could easily become outdated. As new communication methods or technologies are introduced, the content of the notices might need to reflect those changes.

For a covered plan or provider that adopts and follows the notice content and distribution requirements described below, we would presume, for the purposes of compliance, that the plan or provider has provided adequate notice. However, the proposed requirements for the content of the notice are not intended to be exclusive. Covered plans or providers could include additional information and additional detail, beyond that required. In particular, all federal agencies must still comply with the Privacy Act of 1974. For federal agencies that are covered plans or providers, this would mean that the notice must comply with the notice requirements provided in the Privacy Act as well as those included in this proposed rule.

i. Uses and disclosures of protected health information.

In proposed § 164.512, we would require each covered plan and provider to include in the notice an explanation of how it uses and discloses protected health information. The explanation must be provided in sufficient detail to put the individual on notice of the uses and disclosures expected to be made of his or her protected health information. As explained above in section II.C.5, covered plans and providers may only use and disclose protected health information for purposes stated in this notice.

This section of the notice might be as simple as a statement that information will be used and disclosed for treatment, payment, administrative purposes, and quality assurance. If the entity will be using or disclosing the information for other purposes, the notice must include a brief explanation. For example, some entities might include a statement that protected health information will be used for clinician education and disclosed for research purposes. We are soliciting comment on the level of detail that should be required in describing the uses and disclosures, specifically with respect to uses and disclosures for health care operations.

In addition, we would require that notices distinguish between those uses and disclosures the entity makes that are required by law and those that are permitted but not required by law. By distinguishing between uses and disclosures that an entity is required to make and those that the entity is choosing to make, the notice would provide the individual with a clearer understanding of the entity’s privacy practices.

For uses and disclosures required by law, the notice need only list the categories of disclosures that are authorized by law, and note that it complies with such requirements. This language could be the same for every covered entity within a State, territory or other locale. We encourage states, state professional associations, and other organizations to develop model language to assist covered plans or providers in preparing this section of the notice.

For each type of permissible use or disclosure that the entity makes (e.g., research, public health, and next-of-kin), the notice would include a brief statement explaining the entity’s policy with respect to that type of disclosure. For example, if all relevant laws permit health care providers to disclose protected health information to public health without individual authorization, the entity would need to develop policies and procedures regarding when and how it will make such disclosures. The entity would then document those policies and procedures as required by § 164.520 and the notice would include a statement of these policies. For example, the notice might state “we will disclose your protected health information to public health authorities upon request.”

We considered requiring the notice to include not only a discussion of the actual disclosure practices of the covered entity, but also a listing or discussion of all additional disclosures that are authorized by law. We considered this approach because, under this proposed rule, covered plans or providers would be permitted to change their information practices at any time, and therefore individuals would not be able to rely on the entity’s current policies alone to understand how their protected health information may be used in the future. We recognize that in order to be fully informed, individuals need to understand when their information could be disclosed.

We rejected this approach because we were concerned that a notice with such a large amount of information could be burdensome to both the individuals receiving the notices and the entities required to prepare and distribute them. There are a substantial number of required and permitted disclosures under State or other applicable law, and this rule generally would permit them to be made.

Alternatively, we considered requiring that the notice include all of the types of permissible disclosures under this rule (e.g., public health, research, next-of-kin). We rejected that approach for two reasons. First, we felt that providing people with notice of the intended or likely disclosures of their protected health information was more useful than describing all of the potential types of disclosures. Second, in many States and localities, different laws may affect the permissible disclosures that an entity may make, in which case a notice only discussing permissible disclosures under the federal rule would be misleading. While it would be possible to require covered plans or providers to develop notices that discuss or list disclosures that would be permissible under this rule and other law, we were concerned that such a notice may be very complicated because of the need to discuss the interplay of federal, State or other law for each type of permissible disclosure. We invite comments on the best approach to provide the most useful information to the individuals without overburdening either covered plans or providers or the recipients of the notices.

In § 164.520, we are proposing to require all covered entities to develop and document policies and procedures for the use of protected health information. The notice would simply summarize those documented policies and procedures and therefore would entail little additional burden.

ii. Required statements.

We are proposing that the notice include several basic statements to inform the individual of their rights and interests with respect to protected health information. First, we propose to require the notice to inform individuals that the covered plan or provider will not use or disclose their protected health information for purposes not listed in the notice without the individual’s authorization. Individuals need to understand that they can authorize a disclosure of their protected health information and that the covered entity may request the individual to authorize a disclosure, and that such disclosures are subject to their control. The notice should also inform individuals that such authorizations can be revoked.

Second, we propose that the notice inform individuals that they have the right to request that the covered plan or provider restrict certain uses and disclosures of protected health information about them. The notice would also inform individuals that the covered plan or provider is not required to agree to such a request.

Third, we propose that the notice also inform individuals about their right of access to protected health information for inspection and copying and to an accounting of disclosures as provided in proposed §§ 164.514 and 164.515. In addition, the notice would inform individuals about their right to request an amendment or correction of protected health information as proposed in § 164.516. The notice would include brief descriptions of the procedures for submitting requests to the covered plan or provider.

Fourth, the notice would be required to include a statement that there are legal requirements that require the covered plan or provider to protect the privacy of its information, provide a notice of information practices, and abide by the terms of that notice. Individuals should be aware that there are government requirements in place to protect their privacy. Without this statement, individuals may not realize that covered plans or providers are required to take measures to protect their privacy, and may therefore be less interested in pursuing their rights or finding out more information.

Fifth, the notice would be required to include a statement that the entity may revise its policies and procedures with respect to uses or disclosures of protected health information at any time and that such a revision could result in additional uses or disclosures without the individual’s authorization. The notice also should inform the individual how a revised notice would be made available when material revisions in policies and procedures are made. For example, when a provider makes a material change to its notice, proposed § 164.512(e) would require the provider to post a new notice.

Finally, we propose that the notice inform individuals that they have the right to complain to the covered entity and to the Secretary if they believe that their privacy rights have been violated.

iii. Identification of a contact person for complaints and additional information.

We propose that the notice be required to identify a contact person or office within the covered plan or provider to receive complaints, as provided in proposed § 164.518(a)(2), and to help the individual obtain further information on any of the issues identified in the notice. A specific person would not need to be named in the notice. It could be an office or general number where someone who can answer privacy questions or concerns can be reached.

In § 164.518(d), we are proposing that covered plans and providers permit individuals to submit complaints to the covered entity. We are proposing that the contact person identified in the notice be responsible for initially receiving such complaints. The contact person might or might not be responsible for processing and resolving complaints, but, if not, he or she would forward the complaints to the appropriate personnel or office. See discussion of the complaint process in section II.G.4, below.

In addition to receiving complaints, the contact person would be able to help the individual obtain further information on any of the issues identified in the notice. The contact person would be able to refer to the documented policies and procedures required by proposed § 164.520. We would not prescribe a formal method for responding to questions.

The administrative requirements section below, proposed § 164.518(a), would also require the entity to designate an official to develop policies for the use and disclosure of protected health information and to supervise personnel with respect to use and disclosure of protected health information. We would not require this official to also be the contact person. Depending on the size and structure of the entity, it might be appropriate to require one person to fill both roles.

iv. Date the notice was produced.

We are proposing that covered plans and providers include the date that the notice was produced on the face of the notice. We would also encourage the provider to highlight or otherwise emphasize any changes to help the individual recognize such changes.

d. Requirements for distribution of the notice. It is critical to the effectiveness of this proposed rule that individuals be given the notice often enough to remind them of their rights, but without overburdening covered plans or providers. We propose that all covered plans and providers would be required to make their notice available to any individual upon request, regardless of whether the requestor is already a patient or enrollee. We believe that broad availability would encourage individuals or organizations to compare the privacy practices of plans or providers to assist in making enrollment or treatment choices. We also propose additional distribution requirements for updating notices, which would be different for health plans and health care providers. The requirements for health plans and health care providers are different because we recognize that they have contact with individuals at different points in time in the health care system.

i. Health plans.

We considered a variety of combinations of distribution practices for health plans and are proposing what we believe is the most reasonable approach. We would require health plans to distribute the notice by the effective date of the final rule, at enrollment, within 60 days of a material change to the plan’s information practices, and at least once every three years.

We considered requiring health plans to post the notice either in addition to or instead of distribution. Because most individuals rarely visit the office of their health plan, we do not believe that this would be an effective means of communication. We also considered requiring distribution of the notice either more or less frequently than every three years. As compared to most health care providers, we believe that health plans often are larger and have existing administrative systems to cost effectively provide notification to individuals. Three years was chosen as a compromise between the importance of reminding individuals of their plans’ information practices and the need to keep the burden on health plans to the minimum necessary to achieve this objective. We are soliciting comment on whether requiring a notice every three years is reasonable for health plans.

ii. Health care providers.

We are proposing to require that covered health care providers provide a copy of the notice to every individual served at the time of first service delivery, that they post the notice in a clear and prominent location where it is reasonable to expect individuals seeking service from the provider to be able to read the notice, and that copies be available on-site for individuals to take with them. In addition, we are proposing to require that covered health care providers provide a copy of the notice to individuals they are currently serving at their first instances of service delivery within a year of the effective date of the final rule.

We would not require health care providers to mail or otherwise disseminate their notices after giving the notice to individuals at the time of the first service delivery. Health care providers’ patient lists may include individuals they have not served in decades. It would be difficult for providers to distinguish between “active” patients, those who are seen rarely, and those who have moved to different providers. While some individuals will continue to be concerned with the information practices of providers who treated them in the distant past, overall the burden of an active distribution requirement would not be outweighed by improved individual control and privacy protection.

We recognize that some health care providers, such as clinical laboratories, pathologists and mail order pharmacies, do not have face-to-face contact with individuals during service delivery. Such providers would be required to provide the required notice in a reasonable period of time following first service delivery, through mail, electronic notice (i.e., e-mail), or other appropriate medium. For example, a web-based pharmacy could meet this distribution requirement by providing a prominent and conspicuous link to its notice on its home page and by requiring review of that notice before processing an order.

If a provider wishes to make a material change in the information practices addressed in the notice, it would be required to revise its notice in advance. After making the revision, the provider would be required to post the new notice promptly. We believe that this approach creates the minimum burden for health care providers consistent with giving individuals a clear source of accurate information.

e. Plain language requirement. We are proposing to apply a plain language requirement to notices developed by covered plans or providers under these proposed rules. A covered plan or provider could satisfy the plain language requirement if it made a reasonable effort to: organize material to serve the needs of the reader; write sentences in the active voice, using “you” and other pronouns; use common, everyday words in sentences; write in short sentences; and divide material into short sections.

We also considered proposing formatting specifications such as requiring the covered plan or provider to use easy-to-read design features (e.g., lists, tables, graphics, contrasting colors, and white space), type face, and font size in the notice. We are soliciting comment on whether these additional format specifications should be required.

The purpose of the notice proposed in the rules below is to tell the recipient how protected health information collected about them will be used. Recipients who cannot understand the entity’s notice would miss important information about their privacy rights and how the entity is protecting health information about them. One of the goals of this proposed rule is to create an environment of open communication and transparency with respect to the use and disclosure of protected health information. A lack of clarity in the notice could undermine this goal and create misunderstandings. Covered plans or providers have an incentive to make their notice statements clear and concise. We believe that the more understandable notices are, the more confidence the public will have in the entity’s commitment to protecting the privacy of health information.

It is important that the content of the notice be communicated to all recipients and therefore we would encourage the covered plan or provider to consider alternative means of communicating with certain populations. We note that any covered entity that is a recipient of federal financial assistance is generally obligated under title VI of the Civil Rights Act of 1964 to provide material ordinarily distributed to the public in the primary languages of persons with limited English proficiency in the recipients’ service areas. Specifically, this title VI obligation provides that, where a significant number or proportion of the population eligible to be served or likely to be directly affected by a federally assisted program need service or information in a language other than English in order to be effectively informed of or participate in the program, the recipient shall take reasonable steps, considering the scope of the program and the size and concentration of such population, to provide information in language appropriate to such persons. For entities not subject to title VI, the title VI standards provide helpful guidance for effectively communicating the content of their notices to non-English speaking populations.

We also would encourage covered plans or providers to be attentive to the needs of individuals who cannot read. For example, an employee of the entity could read the notice to individuals upon request or the notice could be incorporated into a video presentation that is played in the waiting area.

The requirement of a printed notice should not be interpreted as a limitation. For example, if an individual who is requesting a notice from a covered plan or provider were to ask to receive the notice via e-mail, the requirements of this proposed rule could be met by providing the notice via e-mail. The proposed rule would not preclude the use of alternative forms of providing the notice and we would encourage covered plans or providers to use other forms of distribution, such as posting their privacy notices on their web sites. While this will not substitute for paper distribution when that is requested by an individual, it may reduce the number of requests for paper copies.

2. Rights and Procedures for Access for Inspection and Copying (§ 164.514)

a. Right of access for inspection or copying. (§ 164.514(a))

[Please label comments about this section with the subject: “Access for inspection or copying”]

In § 164.514, we are proposing that, with very limited exceptions, individuals have a right to inspect and copy protected health information about them maintained by a covered health plan or health care provider in a designated record set. Individuals would also have a right of access to protected health information in a designated record set that is maintained by a business partner of a covered plan or provider when such information is not a duplicate of the information held by the plan or provider, including when the business partner is the only holder of the information or when the business partner has materially altered the protected health information that has been provided to it.

This right of access means that an individual would be able to either inspect or obtain copies of his or her health information maintained in a designated record set by covered plans and providers and, in limited circumstances, by their business partners. Inspection and copying is a fundamental aspect of protecting privacy; this right empowers individuals by helping them to understand the nature of the health information about them that is held by their providers and plans and to correct errors. In order to facilitate an open and cooperative relationship with providers and allow the individual a fair opportunity to know what information is held by an entity, inspection and copying should be permitted in almost every case.

While the right to have access to one’s information may appear somewhat different from the right to keep information private, these two policy goals have always been closely tied. For example, individuals are given an almost absolute right of access to information in federal health record systems under the Privacy Act of 1974 (5 U.S.C. 552a(d)). The Privacy Protection Study Commission recommended that this right be available. (Personal Privacy in an Information Society 299 (1977)). The right of access was a key component of the President’s Advisory Commission on Consumer Protection and Quality in the Health Care Industry recommendations in the Consumer Bill of Rights and Responsibilities. The Commission’s report stated that consumers should “have the right to review and copy their own medical records and request amendments to their records.” (Consumer Bill of Rights and Responsibilities, Chapter Six: Confidentiality of Health Information, November 1997). Most recently, the Health Privacy Project issued a statement of “Best Principles for Health Privacy” that included the same recommendation. Health Privacy Project, Institute for Health Policy Solutions, Georgetown University (June 1999) (http://www.healthprivacy.org).

Open access to health information can benefit both the individuals and the covered entities. It allows individuals to better understand their own diagnosis and treatment, and to become more active participants in their health care. It can increase communication, thereby enhancing individuals’ trust in their health care providers and increasing compliance with the providers’ instructions. If individuals have access to and understand their health information, changing providers may not disrupt health care or create risks based on lack of information (e.g., drug allergies or unnecessary duplication of tests).

i. Information available for inspection and copying.

In § 164.514(a), we are proposing to give the individual a right of access to information that is maintained in a designated record set. We intend to provide a means for individuals to have access to any protected health information that is used to affect their rights and interests. This would include, for example, information that would be used to make health care decisions or information that would be used in determining whether an insurance claim would be paid. Covered plans or providers often incorporate the same protected health information that is used to make these types of decisions into a variety of different data systems. Not all of those data systems will be utilized to make determinations about specific individuals. For example, information systems that are used for quality control analyses are not usually used to make determinations about a specific patient. We would not require access to these other systems.

In order to ensure that individuals have access to the protected health information that is used, we are introducing the concept of a “designated record set.” In using the term “designated record set,” we are drawing on the concept of a “system of records” that is used in the Privacy Act. Under the Privacy Act, federal agencies must provide an individual with access to “information pertaining to him which is contained in (a system of records).” 5 U.S.C. 552a(d)(1). A “system of records” is defined as “a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.” 5 U.S.C. 552a(a)(5). Under this rule, a “designated record set” would be “a group of any records under the control of any covered entity from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.” See discussion in section II.B.

Files used to back up a primary data system or the sequential files created to transmit a batch of claims to a clearinghouse are clear examples of data files which do not fall under this definition. We rejected requiring individual access to all records in which she or he was identifiable because of the extreme burden it would place on covered plans or providers without providing additional information or protection for the individual. We also rejected using the subset of such records which were accessed directly by individual identifiers because of the redundancy of information involved and the increasing use of database management systems to replace legacy systems that do sequential processing. These would be accessed by individual identifier but would contain redundant data and be used for routine processing that did not directly affect the individual. We concluded that access to only such record sets that were actually accessed by individual identifier and that were used to make substantive decisions that affect individuals would provide the desired information with a minimum of burden for the covered plans or providers.

We note that the standard would apply to records that are “retrieved” by an identifier and not records that are only “retrievable” by an identifier. In many cases, technology will permit sorting and retrieving by a variety of fields and therefore the “retrievable” standard would be relatively meaningless. We intend to limit access to those sets of records actually used to affect the interests of the individual.

We believe that by providing access to protected health information maintained in a designated record set, we would be ensuring that individuals will be able to inspect or copy relevant and appropriate information without placing too significant a burden on covered plans or providers. We are soliciting comment on whether limiting access to information maintained in a designated record set is an appropriate standard when applied to covered plans and providers and their business partners.

ii. Right of access to information maintained by business partners.

In § 164.506(e), we are proposing that covered plans and providers include specific terms in their contract with each business partner. One of the required terms would be that the business partner must provide for inspection and copying of protected health information as provided in this section. Because our authority is limited by HIPAA to the covered entities, we must rely upon covered plans and providers to ensure that all of the necessary protected health information provided by the individual to the plan or provider is available for inspection and copying. We would require covered plans and providers to provide access to information held in the custody of a business partner when it is different from information maintained by the covered plan or provider. We identified two instances where this seemed appropriate: when the protected health information is only in the custody of a business partner and not in the custody of the covered plan or provider; and when protected health information has been materially altered by a business partner. We are soliciting comment on whether there are other instances where access should be provided to protected health information in the custody of a business partner.

Other than in their capacity as business partners, we are not proposing to require clearinghouses to provide access for inspection and copying. As explained above in section II.C.5, clearinghouses would usually be business partners under this proposed rule and therefore they would be bound by the contract with the covered plan or provider. See proposed § 164.506(e). We carefully considered whether to require clearinghouses to provide access for inspection and copying above and beyond their obligations as a business partner, but determined that the typical clearinghouse activities of translating record formats and batching transmissions do not involve setting up designated record sets on individuals. Although the data maintained by the clearinghouse is protected health information, it is normally not accessed by individual identifier and an individual’s records could not be found except at great expense. In addition, although clearinghouses process protected health information and discover errors, they do not create the data and make no changes in the original data. They, instead, refer the errors back to the source for correction. Thus, individual access to clearinghouse records provides no new information to the individual but could impose a significant burden on the industry.

As technology improves it is likely that clearinghouses will find ways to take advantage of databases of protected health information that aggregate records on the basis of the individual subject of the information. This technology would allow more cost-effective access to clearinghouse records on individuals and therefore access for inspection and copying could be appropriate and reasonable.

iii. Duration of the right of access.

We are proposing that covered plans and providers be required to provide access for as long as the entity maintains the protected health information. We considered requiring covered plans and providers to provide access for a specific period or defining a specific retention period. We rejected that approach because many laws and professional standards already designate specific retention periods and we did not want to create unnecessary confusion. In addition, we concluded that individuals should be permitted to have access for as long as the information is maintained by the covered plan or provider. We are soliciting comments on whether we should include a specific duration requirement in this proposed rule.

b. Grounds for denial of access for inspection and copying. Proposed § 164.514 would permit denial of inspection and copying under very limited circumstances. The categories of denials would not be mandatory; the entity could always elect to provide all of the requested health information to the individual. For each request by an individual, the entity could provide all of the information requested or it could evaluate the requested information, consider the circumstances surrounding the individual’s request, and make a determination as to whether that request should be granted or denied. We intend to create narrow exceptions to the stated rule of open access and we would expect covered plans and providers to employ these exceptions rarely, if at all.

In proposing these categories of permissible denials, we are not intending to create a legal duty for the entity to review all of the health information before releasing it. Rather, we are proposing them as a means of preserving the flexibility and judgment of covered plans or providers under appropriate circumstances.


Entities subject to the Privacy Act would not be able to deny a request for inspection and copying under all of the circumstances permitted by this proposed rule. They would continue to be governed by the denials permitted by the Privacy Act and applicable regulations. See section II.I.4.a for further discussion.

i. Disclosures reasonably likely to endanger life or physical safety.

In § 164.514(b)(1)(i), we propose that covered plans and providers be permitted to deny a request for inspection or copying if a licensed health care professional has determined that, in the exercise of reasonable professional judgment, the inspection and copying requested is reasonably likely to endanger the life or physical safety of the individual or another person. Denial based on this provision, as with all of the provisions in this section, would be discretionary. While it is important to protect the individual and others from physical harm, we are also concerned about the subjectivity of the standard and are soliciting comments on how to incorporate a more objective standard into this provision.

We are proposing that covered plans and providers should only consider denying a request for inspection and copying under this provision in situations where a licensed health care professional (such as a physician, physician’s assistant or nurse) makes the determination that access for inspection and copying would be reasonably likely to endanger life or physical safety. We are proposing to require a licensed health care professional to make the determination because it would rely entirely on the existing standards and ethics in the medical profession. In some instances, the covered plan or provider would be a licensed health care professional and therefore, he or she could make the determination independently. However, when the request is made to a health plan, the entity would need to consult with a health care professional in order to deny access under this provision.

We are soliciting comments as to whether the determination under this provision should be limited to health care professionals who have an existing relationship with the individual. While such a limitation would significantly restrict the scope of this provision and could reduce the number of denials of requests for inspection and copying, it could also ensure that the determination of potential harm is as accurate as possible.

By proposing to allow covered plans and providers to deny a request for inspection and copying based on potential endangerment, we are not suggesting that entities should deny a request on that basis. This provision is not intended to be used liberally as a means of denial of individual inspection and copying rights for all mental health records or other “sensitive” health information. Each request for access would have to be assessed on its own merits. We would expect the medical community to rely on its current professional standards for determining what constitutes a threat to life or physical safety.

As explained above, we are not proposing to create a new “duty” whereby entities can be held liable for failure to deny inspection and copying. We simply are acknowledging that some providers, based on reasonable professional judgment, may already assume a duty to protect an individual from some aspect of their health information because of the potential for physical harm. The most commonly cited example is when an individual exhibits suicidal or homicidal tendencies. If a health care professional determines that an individual exhibits such tendencies and that permitting inspection or copying of some of their health information could reasonably result in the individual committing suicide, murder or other physical violence, then the individual could be denied access to that information.

We considered whether covered plans and providers should be permitted to deny access on the basis of sensitivity of the health information or the potential for causing emotional or psychological harm. Many States allow denial of access on similar grounds. In balancing the desire to provide individual access against the need to protect the individual, we concluded that the individual access should prevail because in the current age of health care, it is critical that the individual is aware of his or her health information.

Therefore, if a health care professional determines that inspection and copying of the requested information may cause emotional or psychological harm, but is not reasonably likely to endanger the life or physical safety of the individual or another person, then the covered plan or provider would not be permitted to deny the individual’s request. If the entity is concerned about the potential for emotional or psychological harm, we would encourage it to offer special procedures for explaining the information or counseling the individual. For example, an entity could offer to have a nurse or other employee review the information or the format with the individual or provide supplemental written materials explaining a diagnosis. If the entity elects to offer such special procedures, the entity would not be permitted to condition inspection and copying upon compliance with the procedures. We are not proposing to require covered plans or providers to establish any informational or counseling procedures and we are not proposing that individuals be required to comply with any procedures in order to obtain access to their protected health information. We invite comment on whether a standard such as emotional distress or psychological harm should be included as a reason for which a covered plan or provider could deny a request for inspection or copying.

ii. Disclosures likely to cause harm to another individual.

We propose that covered plans and providers be permitted to deny a request for inspection or copying if the information requested is about another person (other than a health care provider) and a licensed health care professional has determined that inspection or copying is reasonably likely to cause substantial harm to that other person. We believe that it is rare that information about one person would be maintained within the health records of another without one or both of their knowledge. On some occasions when health information about one person is relevant to the care of another, a physician may incorporate it into the latter’s record, such as information from group therapy sessions and illnesses with a genetic component. In some instances the information could be shared without harm, or may already be known to the individual. There may, however, be situations where disclosure could harm the other person, such as by implicitly revealing facts about past sexual behavior, nonpaternity, or similarly sensitive information. This provision would permit withholding of information in such cases.

We believe that this determination should be based on the existing standards and ethics in the medical profession. We are soliciting comments on whether the determination under this provision should be limited to health care professionals who have an existing relationship with the person who is expected to be harmed as a result of the inspection or copying.

Information about a third party may appear in an individual’s records unbeknownst to the individual. In such cases if the individual chooses to exercise her right to inspect her protected health information, the covered plan or provider providing her access would be making an unauthorized disclosure unless the third party has provided a written authorization. We considered requiring that access to such information be denied because the third party had not provided an authorization. We considered proposing that the covered plan or provider would be required to deny an individual’s request for access to any information about another person, unless there was a potential for harm to the individual who would be denied. This would have been the only instance where we would require that access be denied as a general rule. We recognized that such requirements would ultimately require covered plans and providers to review every piece of protected health information before permitting inspection and copying to determine if information about another person was included and whether the requester would be harmed without such information. We concluded that this would impose a significant burden on covered plans and providers. We seek comment on whether and how often individual health records contain identifiable information about other persons, and current practice relating to the handling of such information in response to individual requests for access.

iii. Disclosures of confidential information likely to reveal the source.

We propose that covered plans or providers be permitted to deny a request for inspection and copying if the entity determines that the requested information was obtained under a promise of confidentiality from someone other than a health care provider and such access would be likely to reveal the source of the information. This provision is intended to preserve an entity’s ability to maintain an implicit or explicit promise of confidentiality.

Covered plans and providers would not be permitted to deny access when the information has been obtained from another health care provider. An individual is entitled to have access to all information about him or her generated by the health care system (apart from the other exceptions we propose here), and confidentiality promises by health care providers to other providers should not interfere with that access.

iv. Disclosures of clinical trial information.

While a clinical trial is research, it is also health care as defined in § 160.103, and the information generated in the course of the trial would be protected health information. In § 164.514(b)(iv), we are proposing that a researcher/provider could deny a request for inspection and copying of the clinical trial record if the trial is still in progress, and the subject-patient had agreed to the denial of access in conjunction with the subject’s consent to participate in the trial. The IRB or privacy board would determine whether such waiver of access to information is appropriate, as part of its review of the research protocol. In the rare instances in which individuals are enrolled in trials without consent (such as those permitted under FDA regulations, at 21 CFR 50.23), the covered entity could deny access to information during the course of the trial even without advance subject consent.

Clinical trials are often masked—the subjects do not know the identity of the medication they are taking, or of other elements of their record while the trial is in progress. The research design precludes their seeing their own records and continuing in the trial. Thus it is appropriate for the patient to waive the right to see the record while the trial is in progress. This understanding would be an element of the patient’s consent to participate in the trial; if the consent signed by the patient did not include this fact, the patient would have the normal right to see the record. In all cases, the subject would have the right to see the record after the trial is completed.

As with all grounds for denial of access, denial would not be required under these circumstances. We would expect all researchers to maintain a high level of ethical consideration for the welfare of trial participants and provide access where appropriate. For example, if a participant has a severe adverse reaction, disclosure of information during the course of the trial may be necessary to give the participant adequate information for proper treatment decisions.

v. Disclosure of information compiled for a legal proceeding.

In § 164.514(b)(1)(v), we are proposing that covered plans and providers be permitted to deny a request for inspection and copying if the information is compiled in reasonable anticipation of, or for use in, a legal proceeding. This provision would permit the entity to deny access to any information that relates specifically to legal preparations but not to the individual’s underlying health information. For example, when a procedure results in an adverse outcome, a hospital’s attorney may obtain statements or other evidence from staff about the procedure, or ask consultants to review the facts of the situation for potential liability. Any documents containing protected health information that are produced as a result of the attorney’s inquiries could be kept from the individual requesting access. This provision is intended to incorporate the attorney work-product privilege. Similar language is contained in the Privacy Act and has been interpreted to extend beyond attorneys to information prepared by “lay investigators.”

We considered limiting this provision to “civil” legal proceedings but determined that such a distinction could create difficulties in implementation. In many situations, information is gathered as a means of determining whether a civil or criminal violation has occurred. For example, if several patients were potentially mistreated by a member of a provider’s staff, the provider may choose to get copies of the patients’ records and interview other staff members. The provider may not know at the time they are compiling all of this information whether any investigation, civil or criminal, will take place. We are concerned that if we were to require the entity to provide the individual with access to this information, we might unreasonably interfere with this type of internal monitoring.

c. Provision of other protected health information where access for inspection and copying is denied. In proposed § 164.514(b)(2), we would require a covered plan or provider that elects to deny a request for inspection or copying as provided above to make any other protected health information requested available to the individual to the extent possible consistent with the denial. The plan or provider could redact or otherwise exclude only the information that falls within one or more of the denial criteria described above and would be required to permit inspection and copying of all remaining information. This provision is key to the right to inspect and copy one’s health information. We intend to create narrow exceptions to the stated rule of open access for inspection and copying and we would expect covered plans or providers to employ these exceptions rarely, if at all. In the event that a covered plan or provider would find it necessary to deny access, then the denial would need to be as limited in scope as possible.

d. Procedures to effect right of access for inspection and copying. In § 164.514(c) and (d), we are proposing that covered plans and providers be required to have procedures that enable individuals to exercise their rights to inspect and obtain a copy of protected health information as explained above.


We considered whether this proposed rule should include detailed procedures governing an individual’s request for inspection and copying. Because this proposed rule will affect such a wide range of entities, we concluded that it should only provide general guidelines and that each entity should have the discretion to develop procedures consistent with its own size, systems, and operations.

i. Time limits.

In § 164.514(d)(2), we are proposing that the covered plans and providers would take action upon the request as soon as possible but not later than 30 days following receipt of the request. We considered the possibility of not including a time limitation but rather imposing a “reasonableness” requirement on the covered plans or providers. We concluded that the individual is entitled to know when to expect a response. This is particularly important in the context of health information, where an individual may need access to his or her information in order to make decisions about care. Therefore, in order to determine what would be “reasonable,” we examined the time limitations provided in the Privacy Act, the Freedom of Information Act (FOIA), and several State laws.

If the entity had fulfilled all of its duties under this proposed rule within the required time period, then the entity should not be penalized for any delay by the individual. For example, if, within the 30 days, a provider approves a request for inspection and copying, makes copies of the requested information, and notifies the individual that this information is available to be picked up and paid for at the provider’s office, then the provider’s duty would be discharged under the rule. The individual might not be able to pick up the information for another two weeks, but this extra time should not be counted against the provider.

The Privacy Act requires that upon receipt of a request for amendment (not access), the agency would send an acknowledgment to the individual within 10 working days. (5 U.S.C. 552a(d)(2)). We considered several options that included such an acknowledgment requirement. An acknowledgment would be valuable because it would assure the individual that their request was received. Despite the potential value of requiring an acknowledgment, we concluded that it could impose a significant administrative burden on some of the covered plans and providers. This proposed rule will cover a wide range of entities with varying capacities and therefore, we are reluctant to create requirements that would overwhelm smaller entities or interfere too much with procedures already in place. We would encourage plans and providers to have an acknowledgment procedure in place, but would not require it at this point. We are soliciting comment on whether this proposed rule should require such an acknowledgment.

We also considered whether to include specific procedures governing “urgent” or “emergency” requests. Such procedures would require covered plans and providers to respond in a shorter time frame. We recognize that circumstances may arise where an individual will request inspection and copying on an expedited basis and we encourage covered plans or providers to have procedures in place for handling such requests. We are not proposing additional regulatory time limitations to govern in those circumstances. The 30-day time limitation is intended to be an outside deadline, rather than an expectation. Instead, we would expect a plan or provider to always be attentive to the circumstances surrounding each request and respond in an appropriate time frame, not to exceed 30 days.

Finally, we considered including a section governing when and how an entity could have an extension for responding to a request for inspection and copying. For example, the FOIA provides that an agency may request additional time to respond to a request if the agency needs to search for and collect the requested records from facilities that are separate from the office processing the request; to search for, collect, and appropriately examine a voluminous amount of separate and distinct records; and to consult with another entity or component having a substantial interest in the determination of the request. We determined that the criteria established in the FOIA are tailored to government information systems and therefore may not be appropriate for plans and providers covered by this proposed rule. Furthermore, we determined that the 30-day time period would be sufficient for responding to requests for inspection and copying and that extensions should not be necessary. We are soliciting comments on whether a structured extension procedure should be included in this proposed rule.

ii. Notification of accepted requests.

In § 164.514(d)(3), we are proposing that covered plans or providers be required to notify the individual of the decision to provide access and of any steps necessary to fulfill the request. In addition we propose that the entity provide the information requested in the form or format requested if it is readily producible in such form or format. Finally, if the covered plan or provider accepts an individual’s request, it would be required to facilitate the process of inspection and copying.

For example, if the plan or provider will be making copies and sending them directly to the individual with an invoice for copying costs, then it would need to ensure that the individual is aware of this procedure in advance and then send the information within the 30-day time period. If the plan or provider has procedures that require the individual to inspect the health information on site, then in addition to notifying the individual of the procedure, the entity would need to ensure that there are representatives available during reasonable business hours at the usual business address who can assist with inspection and copying. If the plan or provider maintains health information electronically and the individual requests an electronic copy, the plan or provider would need to accommodate such request if possible.

iii. Copying fees.

In proposed § 164.514(d)(3)(iv), we would permit a covered plan or provider to charge a reasonable, cost-based fee for copying health information provided pursuant to this section. We considered whether we should follow the practice in the FOIA and include a structured fee schedule. We concluded that the FOIA was developed to reflect the relatively uniform government costs and that this proposed rule would apply to a broader range of entities. Depending on the size of the entity, copying costs could vary significantly. Therefore, we propose that the entity simply charge a reasonable, cost-based fee.

The inclusion of a fee for copying is not intended to impede the ability of individuals to copy their records. Rather, it is intended to reduce the burden on covered plans and providers. When establishing a fee for copying, we encourage covered plans and providers to consider the impact on individuals of such a cost. If the cost is excessively high, some individuals would not be able to obtain a copy. We would encourage covered plans or providers to make efforts to keep the fee for copying within reach of all individuals.

iv. Statement of denial of access for inspection and copying.

In § 164.514(d)(4), we propose that a covered plan or provider that denies an individual’s request for inspection and copying in whole or in part be required to provide the individual with a written statement in plain language explaining the reason for the denial. The statement could include a direct reference to the section of the regulation relied upon for the denial, but the regulatory citation alone would not sufficiently explain the reason for the denial. The statement would need to include the name and number of the contact person or office within the entity who is responsible for receiving complaints. In addition, the statement would need to include information regarding the submission of a complaint with the Department pursuant to § 164.522(b).

We considered proposing that covered plans and providers provide a mechanism for appealing a denial of inspection and copying. We believe, however, that the requirement proposed in § 164.518(d) that covered plans and providers have complaint procedures to address patient and enrollee privacy issues generally would allow the individual to raise the issue of a denial with the covered plan or provider. We would expect the complaint procedures to be scalable; for example, a large plan might develop a standard complaint process in each location where it operates, whereas a small practice might simply refer the original request and denial to the clinician in charge for review. We would encourage covered plans and providers to institute a system of appeals, but would not require it by regulation. In addition, the individual would be permitted to file a complaint with the Department pursuant to § 164.522(b).

3. Rights and Procedures With Respect to an Accounting of Disclosures. (§ 164.515)

[Please label comments about this section with the subject: “Accounting of disclosures”]

a. Right to accounting of disclosures. In this rule, we propose that individuals have a right to receive an accounting of all instances where protected health information about them is disclosed by a covered entity for purposes other than treatment, payment, and health care operations, subject to certain time-limited exceptions for disclosures to law enforcement and oversight agencies as discussed below. Providing such an accounting would allow individuals to understand how their health information is shared beyond the basic purposes of treatment, payment and health care operations.

We considered whether to require covered entities to account for all disclosures, including those for treatment, payment and health care operations. We rejected this approach because it would be burdensome and because it would not focus on the disclosures of most interest to individuals. Upon entering the health care system, individuals are generally aware that their information will be used and shared for the purpose of treatment, payment and health care operations. They have the greatest interest in an accounting of circumstances where the information was disclosed for other purposes that are less easy to anticipate. For example, an individual might not anticipate that his or her information would be shared with a university for a research project, or would be requested by a law enforcement agency.

We are not proposing that covered entities include uses and disclosures for treatment, payment and health care operations in the accounting. We believe that it is appropriate for covered entities to monitor all uses and disclosures for treatment, payment and health care operations, and they would be required to do so for electronically maintained information by the Security Standard. However, we do not believe that covered entities should be required to provide an accounting of the uses and disclosures for treatment, payment and health care operations.

The proposed Security Standard would require that “[e]ach organization * * * put in place audit control mechanisms to record and examine system activity. They would be important so that the organization can identify suspect data access activities, assess its security program, and respond to potential weaknesses.” The purpose of the audit control mechanism, or audit trail, in the Security Standard would be to provide a means for the covered entity to police access to the protected health information maintained in its systems. By contrast, the purpose of the accounting would be to provide a means for individuals to know how the covered entity is disclosing protected health information about them. An audit trail is critical to maintaining security within the entity and it could be constructed in such a way as to enable the covered plan or provider to satisfy the requirements of both regulations. For example, every time protected health information was used or disclosed, the audit mechanism could prompt the user for a “purpose.” If the disclosure was for a purpose other than treatment, payment or health care operations, then the information could be flagged or copied into a separate database. This would allow the entity to both monitor security and have the ability to provide an accurate accounting upon request.

Covered entities should know how all protected health information is used and disclosed, but should not be required to provide an exhaustive accounting of all uses and disclosures to individuals upon request. Such an accounting could be extremely long and detailed. It would place a tremendous burden on the covered entities and it could be far too detailed to adequately inform the individual. We determined that when individuals seek health care, they understand that information about them will be used and disclosed in order to provide treatment or obtain payment and therefore, they would have the most significant interest in knowing how protected health information was used and disclosed beyond the expected realm of treatment, payment and health care operations. We are soliciting comment on whether the scope of accounting strikes an appropriate balance between providing information to the individual and imposing requirements on covered entities.

We are proposing that covered entities be required to provide an accounting of disclosures for as long as the entity maintains the protected health information. We considered only requiring the accounting for a specified period of time, but concluded that individuals should be permitted to learn how their information was disclosed for as long as the information is maintained by the covered plan or provider. We are soliciting comments on whether we should include a specific time period in this proposed rule.

b. Procedures for providing an accounting of disclosures.

i. Form or format.

This proposed rule does not specify a particular form or format for the accounting. In order to satisfy the accounting requirement, a covered entity could elect to maintain a systematic log of disclosures or it could elect to rely upon detailed recordkeeping that would permit the entity to readily reconstruct the history when it receives a request from an individual. We would require that covered entities be able to respond to a request for accounting within a reasonable time period. In developing the form or format of the accounting, covered entities should adopt policies and procedures that will permit them to respond to requests within the 30-day time period in this proposed rule.

ii. Content of the accounting of disclosures.

We are proposing that the accounting include all disclosures for purposes other than treatment, payment, and health care operations, subject to certain exceptions for disclosures to law enforcement and oversight agencies, discussed below. This would also include disclosures that are authorized by the individual. The accounting would include the date of each disclosure; the name and address of the organization or person who received the protected health information; and a brief description of the information disclosed. For all disclosures that are authorized by the individual, we are proposing that the covered entity maintain a copy of the authorization form and make it available to the individual with the accounting.

We considered whether the accounting of disclosures should include the name of the person who authorized the disclosure of information. The proposed Security Standard would require covered entities to have an audit mechanism in place to monitor access by employees. We concluded that it was unnecessary and inappropriate to require the covered entity to include this additional information in the accounting. If the individual identifies an improper disclosure by an entity, he or she should hold the entity—not the employee of the entity—accountable. It is the responsibility of the entity to train its workforce about its policies and procedures for the disclosure of protected health information and to impose sanctions if such policies and procedures are violated.

We are proposing that protected health information that is disclosed to a health oversight or law enforcement agency would be excluded from the accounting if the oversight or law enforcement agency provides a written request stating that the exclusion is necessary for a specified time period because access by the individual during that time period would be reasonably likely to impede the agency’s activities. The written request must specifically state how long the information should be excluded. At the expiration of that period, the covered entity would be required to include the information in an accounting for the individual.

We are proposing this time-limited exclusion for law enforcement and oversight activities because we do not intend to unreasonably interfere with investigations and other activities that are in the public interest. The Recommendations simply provide that disclosures to law enforcement and oversight agencies should be excluded from the accounting where access by the individual could be reasonably likely to impede the agency’s activities. We were concerned that it would be difficult for covered entities to determine whether access by the individual was “reasonably likely to impede the agency’s activities.” In order to address this concern, we considered excluding all disclosures to law enforcement and oversight from the accounting, but concluded that such an exclusion would be overly broad. As a means of creating a clearly defined rule for the covered entity to follow, we are proposing that covered entities require a time-limited, written statement from the oversight or law enforcement agency. We are soliciting comment on whether this time-limited exclusion strikes the appropriate balance between ensuring individual access to an accounting of disclosures and preserving the integrity of law enforcement and oversight investigations.

iii. Time limits.

We are proposing that the accounting of disclosures, including copies of signed authorization forms, be made available to the individual as quickly as the circumstances require, but not later than 30 days following receipt of the request.
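The design sketched in this section (an audit trail that records a purpose for every disclosure, from which an accounting of non-TPO disclosures can be derived, with a time-limited exclusion on written agency request and a 30-day response deadline) can be illustrated in code. The following is an added example written for this page; it is not code from the proposed rule, from HHS or from any covered entity. The class and function names (DisclosureLog, Disclosure, build_sample_log, sample_accounting), the purpose strings and all patient, recipient and authorization values are constructed for illustration.

```python
"""Disclosure audit trail that can also produce an accounting of disclosures.

Added example, not part of the proposed rule. Names, purpose strings and the
sample entries below are assumptions made for illustration.
"""
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Purposes the proposed rule would leave out of the accounting.
TPO_PURPOSES = frozenset({"treatment", "payment", "health care operations"})

# Proposed deadline for responding to a request for an accounting.
ACCOUNTING_RESPONSE_DAYS = 30


@dataclass(frozen=True)
class Disclosure:
    """One disclosure of protected health information about one individual."""
    disclosed_on: date
    recipient: str                           # name and address of who received it
    description: str                         # brief description of what was disclosed
    purpose: str                             # the "purpose" the audit mechanism prompts for
    authorization: Optional[str] = None      # copy of the individual's authorization, if any
    suppressed_until: Optional[date] = None  # set only on a written, time-limited agency request


class DisclosureLog:
    """Every disclosure is recorded (the audit trail); the accounting is a filtered view of it."""

    def __init__(self) -> None:
        self._entries: Dict[str, List[Disclosure]] = {}

    def record(self, individual_id: str, entry: Disclosure) -> int:
        """Append to the audit trail. A purpose is mandatory so the accounting can be derived later."""
        if not entry.purpose.strip():
            raise ValueError("every use or disclosure must record a purpose")
        entries = self._entries.setdefault(individual_id, [])
        entries.append(entry)
        return len(entries) - 1

    def suppress(self, individual_id: str, index: int, until: date) -> None:
        """Honour an oversight or law enforcement agency's written request.

        The request must state how long the exclusion lasts, so an end date is
        required; once it passes, the entry reappears in the accounting by itself.
        """
        if until is None:
            raise ValueError("a suppression request must state its duration")
        entries = self._entries[individual_id]
        entries[index] = replace(entries[index], suppressed_until=until)

    def accounting(self, individual_id: str, as_of: date) -> List[Disclosure]:
        """Disclosures for purposes other than TPO, minus those still under a time-limited exclusion."""
        result = []
        for d in self._entries.get(individual_id, []):
            if d.purpose in TPO_PURPOSES:
                continue
            if d.suppressed_until is not None and as_of < d.suppressed_until:
                continue
            result.append(d)
        return result


def response_deadline(request_received: date) -> date:
    """Latest date by which the accounting must be provided (30 days after receipt)."""
    return request_received + timedelta(days=ACCOUNTING_RESPONSE_DAYS)


def build_sample_log() -> DisclosureLog:
    """Constructed sample data (not real patients, recipients or events)."""
    log = DisclosureLog()
    pid = "patient-0001"
    log.record(pid, Disclosure(date(1999, 11, 3), "Example Specialist Clinic, 10 Main St, Anytown",
                               "referral summary", "treatment"))
    log.record(pid, Disclosure(date(1999, 11, 10), "Example Health Plan, PO Box 1, Anytown",
                               "claim for office visit", "payment"))
    log.record(pid, Disclosure(date(1999, 12, 1), "Example University, 1 Campus Way, Anytown",
                               "lab results for research study", "research",
                               authorization="AUTH-FORM-0001 (constructed)"))
    idx = log.record(pid, Disclosure(date(1999, 12, 15), "Example Police Department, 5 Civic Sq, Anytown",
                                     "admission record", "law enforcement"))
    # A written agency request asks that this entry be excluded until 2000-06-01.
    log.suppress(pid, idx, until=date(2000, 6, 1))
    return log


def sample_accounting(as_of_iso: str) -> List[Tuple[str, Optional[str]]]:
    """(recipient, authorization) pairs in the sample individual's accounting on a given day."""
    log = build_sample_log()
    return [(d.recipient, d.authorization)
            for d in log.accounting("patient-0001", date.fromisoformat(as_of_iso))]


if __name__ == "__main__":
    for recipient, auth in sample_accounting("2000-01-01"):
        print(recipient, auth)
```

The treatment and payment entries stay in the audit trail for the entity's own security monitoring but never appear in the accounting; the research disclosure appears with its authorization copy; the law enforcement entry is absent until the stated date and then included without any further action by the entity.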

4. Rights and Procedures for Amendment and Correction (§ 164.516)

[Please label comments about this section with the subject: “Amendment or correction”]

a. Right to request amendment or correction of protected health information. This proposed rule would provide an individual with the right to request a covered plan or provider to amend or correct protected health information relating to the individual. A covered plan or provider would be required to accommodate requests with respect to any information that the covered plan or provider determines to be erroneous or incomplete, that was created by the plan or provider, and that would be available for inspection and copying under proposed § 164.514.

i. Accuracy and completeness.

The first criterion that a covered entity would need to consider is whether the protected health information at issue is either erroneous or incomplete. The basic concept comes from the Privacy Act of 1974, governing records held by Federal agencies, which permits an individual to request correction or amendment of a record “which the individual believes is not accurate, relevant, timely, or complete.” (5 U.S.C. 552a(d)(2)). We would adopt the standards of “accuracy” and “completeness” and draw on the clarification and analysis of these terms that has emerged in administrative and judicial interpretations of the Privacy Act over the last 25 years.

We are not proposing to permit correction on the basis of an individual’s belief that information is irrelevant or untimely. The Privacy Act of 1974 imposes affirmative obligations on Federal agencies to maintain records with accuracy, relevance, timeliness, and completeness, and permits individuals to seek correction of records that do not meet that standard. The amendment and correction right complements and helps to enforce the agency obligation.

Our view is that the relevance and timeliness standards, while very appropriate for Federal agencies generally, would be difficult to impose by regulation upon health recordkeeping, which depends to a large extent on clinical judgment. The increasingly recognized impact of lifestyle and environmental factors on health may, for example, motivate physicians to record information which appears irrelevant, but which may in fact serve as a diagnostic clue, or which may alert later users of the record to clinically relevant aspects of the patient’s life. We invite comment on how any such standard might be structured to avoid interfering inappropriately with clinical judgment.

We also are concerned about the burden that requests for amendment or correction may place on covered plans and providers and have tried to limit the process to those situations where amendment or correction would appear to be most important. We invite comment on whether our approach reasonably balances burden with adequately protecting individual interests.

We note that for Federal agencies that are also covered plans or providers, the rule we are proposing would not diminish their present obligations under the Privacy Act of 1974, under which all four factors are bases for amendment and correction.

ii. Original creator of the information.

We propose to require a covered plan or provider to accommodate a request for amendment or correction if the plan or provider created the information in dispute.

We considered requiring covered plans and providers to amend or correct any erroneous or incomplete information they maintain, regardless of whether they created the information. Under this approach, if the plan or provider did not create the information, then it would have been required to trace the information back to the original source to determine accuracy and completeness. We rejected this option because we concluded that it would not be appropriate to require the plan or provider that receives a request to be responsible for verifying the accuracy or completeness of information that it did not create. We also were concerned about the burden that would be imposed on covered plans and providers if they were required to trace the source of any erroneous or incomplete information transmitted to them.

We would rely on a combination of three other requirements to ensure that protected health information remains as accurate as possible as it travels through the health care system. First, we are proposing that a covered plan or provider that makes an amendment or correction be required to notify any relevant persons, organizations, or other entities of the change or addition. Second, we are proposing that other covered plans or providers that receive such a notification be required to incorporate the necessary amendment or correction. Finally, we are proposing that covered plans or providers require their business partners who receive such notifications to incorporate any necessary amendments or corrections. See discussion in section II.F.4.c.iii. We are soliciting comments on whether this approach would effectively ensure that amendments and corrections are communicated appropriately.

iii. Information available for amendment or correction.

We are proposing that the right to request amendment or correction extend to all protected health information that would be available for inspection and copying under § 164.514. We would only require covered plans and providers to amend or correct that information maintained in a designated record set but would encourage the development of systems that would accommodate these types of changes for all data collections. For protected health information that is maintained solely by a business partner or that has been materially altered by a business partner, the covered plan or provider would need to make arrangements with the business partner to accommodate any requests.

This right would not be intended to interfere with medical practice, or modify standard business recordkeeping practices. Perfect records are not required, but instead a standard of reasonable accuracy and completeness should be used. In addition, this right would not be intended to provide a procedure for substantive review of decisions such as coverage determinations by payers. It would only affect the content of records, not the underlying truth or correctness of materials recounted therein. Attempts under the Privacy Act of 1974 to use this correction mechanism as a basis for collateral attack on agency determinations have generally been rejected by the courts. The same results would be intended here.

iv. Duration of the right to request amendment or correction.

We are proposing that covered plans and providers be required to accommodate requests for amendment or correction for as long as the entity maintains the protected health information. We considered requiring covered plans and providers to accommodate requests for a specific period or defining a specific retention period. We rejected that approach because many laws and professional standards already designate specific retention periods and we did not want to create confusion. In addition, we concluded that individuals should be permitted to request amendments or corrections for as long as the information is maintained by the covered plan or provider. We are soliciting comments on whether we should include a specific duration requirement in this proposed rule.

b. Grounds for denial of request for amendment or correction. We are proposing that a covered plan or provider would be permitted to deny a request for amendment or correction if, after a reasonable review, the plan or provider determines that it did not create the information at issue, the information would not be available for inspection and copying under proposed § 164.514, the information is accurate and complete, or if it is erroneous or incomplete, it would not adversely affect the individual.

c. Procedures for requesting amendment or correction.

i. Individual requests for amendment or correction.

In § 164.516, we are proposing that covered plans and providers be required to have procedures that enable individuals to exercise their rights to request amendment or correction, including a means by which individuals can request amendment or correction of protected health information about them. We considered whether this proposed rule should include detailed procedures governing an individual’s request. But as with the procedures for requesting inspection and copying, we are only providing a general requirement and permitting each plan or provider to develop procedures in accordance with its needs. Once the procedures are developed, the plan or provider would document them in accordance with § 164.520 and include a brief explanation in the notice that is provided to individuals pursuant to § 164.512.

ii. Time limits.

We are proposing that the covered plan or provider would take action on a request for amendment or correction as quickly as the circumstances require, but not later than 60 days following the request. The justification for establishing a time limitation for amendment and correction is virtually identical to that provided for the time limitation for inspection and copying. We concluded that the entity should be provided with some additional flexibility in this context. Depending on the nature of the request, an amendment or correction could require significantly more time than a request for inspection and copying. If a covered plan or provider needed more than 30 days to make a decision, we would encourage, but not require, it to send an acknowledgment of receipt to the individual including an explanation of the reasons for the delay and a date when the individual can expect a final decision.

iii. Acceptance of a request for amendment or correction.

If a covered plan or provider accepts an individual’s request for amendment or correction, it would be required to make the appropriate amendments or corrections. In making the change, the entity would have to either add the amended or corrected information as a permanent part of the record or mark the challenged entries as amended or corrected entries and, if appropriate, indicate the place in the record where the amended or corrected information is located. Covered plans or providers would not be required to expunge any protected health information, but rather mark it as erroneous or incomplete.

We also propose in § 164.506(e) that entities include a contract requirement that when the covered plan or provider notifies the business partner of an amendment or correction, the business partner must make the necessary amendments or corrections to protected health information in its custody.

In § 164.516(c)(3), we are proposing that, upon accepting an amendment or correction, the covered plan or provider would be required to make reasonable efforts to notify relevant persons, organizations, or other entities of the change or addition. An entity would be required to notify such persons that the individual identifies, or that the covered plan or provider identifies as (1) a recipient of the erroneous or incomplete information, and (2) a person who:

• Has relied upon that information to the detriment of the individual; or

• Is a person who may foreseeably rely on such erroneous or incomplete information to the detriment of the individual.

We are concerned about the potential burden that this notification requirement would impose on covered plans and providers. We do not, however, anticipate that a significant number of requests would be submitted to any entity and therefore the need for such notifications would be rare. In addition, we determined that because health information can travel so quickly and efficiently in the modern health care system, the need for notification outweighed the potential burden. It is important to note that a reasonableness standard should be applied to the notification process—if the recipient has not relied upon the erroneous or incomplete information to the detriment of the individual or if it is not foreseeable that the recipient will do so, then it would not be reasonable for the covered plan or provider to incur the time and expense of notification. If, however, the incorrect information is reasonably likely to be used to the detriment of the individual, the entity should make every effort to notify the recipients of the information of the changes as quickly as possible.

iv. Denial of a request for amendment or correction.

In proposed § 164.516(c)(4), we would require a covered plan or provider to provide the individual with a written statement in plain language of the reason for the denial and permit the individual to file a written statement of disagreement with the decision to deny the request.

The statement prepared by the covered plan or provider would be required to explain the basis for the denial. The statement would include a description of how the individual may complain to the covered plan or provider as provided in § 164.518(d). The statement would include the name and number of the contact person within the plan or provider who is responsible for receiving complaints. The statement also would include information regarding filing a complaint with the Secretary pursuant to § 164.522(b)(1), including the mailing address and any forms that may be available. Finally, the statement would explain that the individual has the right to file a written statement of disagreement that would be maintained with the disputed information and the procedure for filing such a statement of disagreement.

If the individual chooses to file a statement of disagreement, then the covered plan or provider must retain a copy of the statement with the protected health information in dispute. The covered plan or provider could require that the statement be a reasonable length, provided that the individual has reasonable opportunity to state the nature of the disagreement and offer his or her version of accurate and complete information. In all subsequent disclosures of the information requested to be amended or corrected, the covered plan or provider would be required to include a copy of its statement of the basis for denial and, if provided by the individual, a copy of his or her statement of disagreement. If the statement submitted by the individual is unreasonably long, the covered plan or provider could include a summary in subsequent disclosures which reasonably explains the basis of the individual’s position. The covered plan or provider would also be permitted to provide a rebuttal to the individual’s statement of disagreement and include the rebuttal statement in any subsequent disclosures.

We considered requiring the covered plan or provider to provide a mechanism for appealing denials of amendment or correction but concluded that it would be too burdensome. We are soliciting comment on whether the approach we have adopted reasonably balances the burdens on covered plans or providers with the rights of individuals.
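The record-keeping model in subsections iii and iv (corrected information added as a permanent part of the record, the challenged entry marked rather than expunged and pointed at the correction, and a denied request leaving the basis for denial, the individual's statement of disagreement and any rebuttal attached to every later disclosure) can be shown as an append-only data structure. The following is an added example written for this page, not code from the proposed rule or from HHS. The class and function names (DesignatedRecordSet, Entry, Dispute, summarise, run_sample), the MAX_STATEMENT_CHARS threshold standing in for a "reasonable length", and the sample entries are all assumptions made for illustration.

```python
"""Non-destructive amendment and correction of a designated record set.

Added example, not part of the proposed rule. Names, the length threshold and
the sample entries are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical "reasonable length" for a statement of disagreement; longer
# statements are carried as a marked summary in subsequent disclosures.
MAX_STATEMENT_CHARS = 300


@dataclass
class Entry:
    text: str
    status: str = "current"              # "current" or "amended"; entries are never expunged
    corrected_at: Optional[int] = None   # index of the entry holding the corrected information


@dataclass
class Dispute:
    """What a denied request leaves behind, kept with the disputed entry."""
    basis_for_denial: str
    disagreement: Optional[str] = None
    rebuttal: Optional[str] = None


class DesignatedRecordSet:
    def __init__(self) -> None:
        self.entries: List[Entry] = []
        self.disputes: Dict[int, Dispute] = {}

    def add(self, text: str) -> int:
        self.entries.append(Entry(text))
        return len(self.entries) - 1

    def accept_amendment(self, index: int, corrected_text: str) -> int:
        """Add the corrected information permanently; mark the challenged entry and point at the fix."""
        new_index = self.add(corrected_text)
        challenged = self.entries[index]
        challenged.status = "amended"
        challenged.corrected_at = new_index
        return new_index

    def deny_amendment(self, index: int, basis_for_denial: str) -> None:
        self.disputes[index] = Dispute(basis_for_denial)

    def file_disagreement(self, index: int, statement: str) -> None:
        self.disputes[index].disagreement = statement

    def file_rebuttal(self, index: int, statement: str) -> None:
        self.disputes[index].rebuttal = statement

    def disclose(self, index: int) -> Dict[str, str]:
        """Everything that must travel with the entry in any subsequent disclosure."""
        entry = self.entries[index]
        package = {"text": entry.text, "status": entry.status}
        if entry.corrected_at is not None:
            package["corrected_text"] = self.entries[entry.corrected_at].text
        dispute = self.disputes.get(index)
        if dispute is not None:
            package["basis_for_denial"] = dispute.basis_for_denial
            if dispute.disagreement is not None:
                package["disagreement"] = summarise(dispute.disagreement)
            if dispute.rebuttal is not None:
                package["rebuttal"] = dispute.rebuttal
        return package


def summarise(statement: str) -> str:
    """Pass a reasonable-length statement through unchanged; otherwise include a marked summary."""
    if len(statement) <= MAX_STATEMENT_CHARS:
        return statement
    return statement[:MAX_STATEMENT_CHARS].rstrip() + " [summary of a longer statement]"


def run_sample() -> Dict[str, Dict[str, str]]:
    """Constructed walk-through: one accepted request, one denied with a disagreement and rebuttal."""
    record = DesignatedRecordSet()
    allergy = record.add("Allergies: none known")                                # constructed entry
    visit = record.add("1999-10-12 office visit: blood pressure 120/80")         # constructed entry
    record.accept_amendment(allergy, "Allergies: penicillin (reported by patient 1999-11-03)")
    record.deny_amendment(visit, "Information is accurate and complete as recorded by the treating clinician.")
    record.file_disagreement(visit, "The reading was taken while I was standing; my seated reading was lower.")
    record.file_rebuttal(visit, "Clinic protocol records the reading as taken; the note stands.")
    return {"allergy": record.disclose(allergy), "visit": record.disclose(visit)}


if __name__ == "__main__":
    for name, package in run_sample().items():
        print(name, package)
```

Because nothing is ever deleted, a later reader of the record sees the original entry, the fact that it was challenged, and where the corrected information lives; for a denied request the three statements are bound to the entry so that the rule's "include in all subsequent disclosures" requirement is met by construction rather than by remembering to attach them.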

v. Receipt of a notification of amendment or correction.

If a covered plan or provider receives a notification of erroneous or incomplete protected health information as provided in proposed § 164.516(d), we are proposing that the covered plan or provider be required to make the necessary amendment or correction to protected health information in its custody that would be available for inspection and copying. This affirmative duty to incorporate amendments and corrections would be necessary to ensure that individuals’ protected health information is as accurate and complete as possible as it travels through the health care system.

G. Administrative Requirements (§ 164.518)

[Please label comments about this section with the subject: “Introduction to administrative requirements”]

In § 164.518, we are proposing general administrative requirements for covered entities. We would require all covered entities to designate a privacy official, train members of their workforce regarding privacy requirements, safeguard protected health information, and establish sanctions for members of the workforce who do not abide by the entity’s privacy policies and procedures. In addition, we are proposing that covered plans and providers be required to establish a means for individuals to complain to the covered plan or provider if they believe that their privacy rights have been violated. In the discussions of each proposed provision, we provide examples of how different kinds of covered entities could satisfy these requirements.

1. Designation of a Privacy Official (§ 164.518(a))

[Please label comments about this section with the subject: “Privacy official”]

In proposed § 164.518(a)(1), we would require covered entities to designate an employee or other person to serve as the official responsible for the development of policies and procedures for the use and disclosure of protected health information. The designation of an official would focus the responsibility for development of privacy policy.

We considered whether covered entities should be required to designate a single official or an entire board. We concluded that a single official would better serve the purposes of focusing the responsibility and providing accountability within the entity. The implementation of this requirement would depend on the size of the entity. For example, a small physician’s practice might designate the office manager as the privacy official, and he or she would assume this as one of his or her broader administrative responsibilities. A large entity might appoint a person whose sole responsibility is privacy policy, and he or she might choose to convene a committee representing several different components of the entity to develop and implement privacy policy.

In proposed § 164.518(a)(2), we would require a covered entity to designate a contact person or office to receive complaints and provide information about the matters covered by the entity’s notice. The covered entity could, but would not be required to, designate the designated privacy official as the entity’s contact person.

In proposed § 164.512, we would require the covered plan or provider’s privacy notice to include the name of a contact person for privacy matters. We would not require that the contact person and the designated privacy official be the same person. This would be left to the discretion of each covered entity.

2. Training (§ 164.518(b))

[Please label comments about this section with the subject: “Training”]

In proposed § 164.518(b), we would require covered entities to provide training on the entities’ policies and procedures with respect to protected health information. Each entity would be required to provide initial training by the date on which this proposed rule becomes applicable. After that date, each covered entity would have to provide training to new members of the workforce within a reasonable time period after joining the entity. In addition, we are proposing that when a covered entity makes material changes in its privacy policies or procedures, it would be required to retrain those members of the workforce whose duties are directly affected by the change within a reasonable time of making the change.

The entities would be required to train all members of the workforce (e.g., all employees, volunteers, trainees, and other persons under the direct control of persons working on behalf of the covered entity on an unpaid basis who are not business partners) who are likely to have contact with protected health information.

Upon completion of the training, the person would be required to sign a statement certifying that he or she received the privacy training and will honor all of the entity’s privacy policies and procedures. Entities would determine the most effective means of communicating with their workforce. For example, in a small physician practice, the training requirement could be satisfied by providing each new member of the workforce with a copy of the practice’s information policies and requiring members of the workforce to acknowledge that they have reviewed the policies. A large health plan could provide for a training program with live instruction, video presentations or interactive software programs. The small physician practice’s solution would not protect the large plan’s data, and the plan’s solution would be neither economically feasible nor necessary for the small physician practice.

At least once every three years after the initial training, covered entities would be required to have each member of the workforce sign a new statement certifying that he or she will honor all of the entity’s privacy policies and procedures. The initial certification would be intended to make members of the workforce aware of their duty to adhere to the entity’s policies and procedures. By requiring a recertification every three years, they would be reminded of this duty.

We considered several different options for recertification. We considered proposing that members of the workforce be required to recertify every six months, but concluded that such a requirement would be too burdensome. We considered proposing that recertification be required annually consistent with the recommendations of the American Health Information Management Association (Brandt, Mary D., Release and Disclosure: Guidelines Regarding Maintenance and Disclosure of Health Information, 1997). We concluded that annual recertification could also impose a significant burden on covered entities.

We also considered requiring that the covered entity provide “refresher” training every three years in addition to the recertification. We concluded that our goals could be achieved by only requiring recertification once every three years, and retraining in the event of material changes in policy. We are soliciting comment on this approach.

3. Safeguards (§ 164.518(c))
[Please label comments about this section with the subject: “Safeguards”]

In proposed § 164.518(c), we would require covered entities to put in place administrative, technical, and physical safeguards to protect against any reasonably anticipated threats or hazards to the privacy of the information, and unauthorized uses or disclosures of the information. We proposed similar requirements for certain electronic information in the Notice of Proposed Rulemaking entitled the Security and Electronic Signature Standards (HCFA–0049–P), which can be found at 63 FR 43241. We are proposing parallel and consistent requirements for safeguarding the privacy of protected health information.

a. Verification procedures. As noted in section II.E. above, for many permitted disclosures the covered entity would be responding to a request for disclosure of protected health information. For most categories of permitted disclosures, when the request for disclosure of protected health information is from a person with whom the covered entity does not routinely do business, we would require the covered entity to verify the identity of the requestor. In addition, for certain categories of disclosures, covered entities would also be required to verify the requestor’s legal authority to make the request.

Under § 164.514, a covered entity would be required to give individuals access to protected health information about them (under most circumstances). The covered entity would also be required to take reasonable steps to verify the identity of the individual making the request for access. We do not propose to mandate particular identification requirements (e.g., driver’s license, photo ID, etc.), but rather would leave this to the discretion of the covered entity.

Covered entities would be required to verify both the identity of persons requesting protected health information and their authority for requesting such information when the request is from a person with whom the covered entity does not routinely do business and the disclosure would be permitted by the following subsections of § 164.510: under § 164.510(b) for public health, under § 164.510(c) for oversight, under § 164.510(e) to coroners and medical examiners, under § 164.510(f) for law enforcement, under § 164.510(g) for governmental health data systems, under § 164.510(m) for special classes, and for disclosures required by other laws under § 164.510(n). Covered entities would be required to verify the identity of the requester by examination of reasonable evidence, such as a written statement of identity on agency letterhead, an identification badge, or similar proof of official status. Similarly, covered entities would be required to verify the legal authority supporting the request by examination of reasonable evidence, such as a written request provided on agency letterhead that describes the legal authority for requesting the release. Unless § 164.510 explicitly requires written evidence of legal process or other authority before a disclosure may be made, a public official’s proof of identity and the official’s oral statement that the request is authorized by law would be presumed to constitute the required reasonable evidence of legal authority. Where § 164.510 does require written evidence of legal process or authority, only the required written evidence will suffice.

We considered specifying the type of documentation or proof that would be acceptable, but decided that the burden of such specific regulatory requirements on covered entities would be unnecessary. Therefore, we propose only a general requirement for reasonable verification of identity and legal authority.

In § 164.522, we would require disclosure to the Secretary for purposes of enforcing this regulation. When a covered entity is asked by the Secretary to disclose protected health information for compliance purposes, the covered entity should verify the same information that it would verify for any other law enforcement or oversight request for disclosure.

In some circumstances a person or entity acting on behalf of a government agency may make a request for disclosure of protected health information under these subsections. For example, public health agencies may contract with a nonprofit agency to collect and analyze certain data. In such cases the covered entity would be required to verify the requestor’s identity and authority through examination of reasonable documentation that the requestor is acting on behalf of the government agency. Reasonable evidence would include a written request provided on agency letterhead that describes the legal authority for requesting the release and states that the person or entity is acting under the agency’s authority, or other documentation, including a contract, a memorandum of understanding, or purchase order that confirms that the requestor is acting on behalf of the government agency.

For disclosures permitted under § 164.510(k) for emergency circumstances and under § 164.510(l) to next-of-kin, legal authority for the request would not be an issue. Therefore covered entities would only be required to verify the identity of the person requesting the disclosure. Where protected health information is requested by next-of-kin, covered entities would be required to make reasonable verbal attempts to establish the identity of the person making the request. Written proof would not be required. Covered entities could rely on prior acquaintance with the next-of-kin; verbal verification of identity would not be required at each encounter. Where protected health information is requested in an emergency, the covered entity would similarly not be required to demand written proof that the person requesting the protected health information is legally authorized. Reasonable reliance on verbal representations would be appropriate in such situations.

When another person is acting as the individual through power of attorney or other legal authority, covered entities would also be required to make reasonable attempts to ascertain that the person making the request has the necessary legal authority or relationship in order to make the disclosure. For example, a health care provider could require a copy of a power of attorney, or could ask questions to determine that an adult acting for a young child has the requisite relationship to the child.

Most disclosures under § 164.510(i) are routine transactions with banking and other financial institutions. As noted above, for routine transactions there would be no verification requirements. However, should such a financial institution make a special request for information in addition to the information routinely provided for payment purposes (e.g., pursuant to a fraud or similar investigation), the covered entity would be required to obtain reasonable evidence of the identity of the person requesting the information.

The conditions for disclosures for judicial and administrative proceedings and research are discussed in § 164.510(d) and § 164.510(j), respectively. Conditions for permitted disclosures under § 164.510(h) for facility directories include no verification requirements.

b. Whistleblowers. In § 164.518(c)(4), we would address the issue of disclosures by employees or others of protected health information in whistleblower cases. We would clarify that under the proposed rule, a covered entity would not be held in violation because a member of its workforce or a person associated with a business partner of the covered entity discloses protected health information that such person believes is evidence of a civil or criminal violation, and the disclosure is: (1) Made to relevant oversight agencies and law enforcement or (2) made to an attorney to allow the attorney to determine whether a violation of criminal or civil law has occurred or to assess the remedies or actions at law that may be available to the person disclosing the information.

Allegations of civil and criminal wrongdoing come from a variety of sources. Sometimes an individual not otherwise involved in law enforcement uncovers evidence of wrongdoing, and wishes to bring that evidence to the attention of appropriate authorities. Persons with access to protected health information sometimes discover evidence of billing fraud or similar violations; important evidence of unlawful activities may be available to employees of covered entities, such as billing clerks or nurses.

Some whistleblower activities can be accomplished without individually identifiable health information. There are, however, instances in which only identifiable information will suffice to demonstrate that an allegation of wrongdoing merits the investment of legal or investigatory resources. A billing clerk who suspects that a hospital has engaged in fraudulent billing practices may need to use billing records for a set of specific cases to demonstrate the basis of his suspicion to an oversight agency.

The persons who find such evidence are likely to be employees of the suspect entity. Congress and the states have recognized the importance of whistleblowing activities by acting to protect whistleblowers from retaliation. Federal statutes that include protections for whistleblowers who contact appropriate authorities include the Clean Air Act, the Federal Water Pollution Control Act, the Toxic Substances Control Act, and the Safe Drinking Water Act. Congress also passed the Whistleblower Protection Act, to protect federal employees who complain about improper personnel practices at federal agencies. At least eleven states have passed whistleblower protection laws that protect both private and public employees who provide evidence of wrongdoing to the appropriate authorities, and many more states have laws that provide such protections only for public employees.

The qui tam provisions of the Federal False Claims Act go further, and provide a mechanism for the individual to prosecute a case against a person who has allegedly defrauded the government. Like traditional whistleblower actions, qui tam actions were created by the Congress to further the public interest in effective government. Qui tam suits are an important way that individuals can protect the public interest, by investing their own time and resources to help reduce fraud. And, also like whistleblower actions, the individual may need protected health information to convince an attorney that a viable qui tam case exists.

We would note that this section would not apply to information requested by oversight agencies, law enforcement officials, or attorneys, even prior to initiation of an investigation or lawsuit. It would apply only to a disclosure initiated by a member of an entity’s workforce or a person associated with one of its business partners.

We are concerned that a person, in the guise of “whistleblowing,” might, maliciously or otherwise, disclose protected health information without any actual basis to believe that there has been a violation of the law. We are concerned, however, with adding qualifying language that may restrict such disclosures and, therefore, impede the pursuit of law violators. We seek comments regarding whether this provision should include any limitations (e.g., a requirement that only the minimum amount of information necessary for these purposes can be disclosed).

4. Internal Complaint Process (§ 164.518(d))

In proposed § 164.518(d), we would require covered plans and providers to have some mechanism for receiving complaints from individuals regarding the covered plan’s or provider’s compliance with the requirements of this proposed rule. The covered plan or provider would be required to accept complaints about any aspect of their practices regarding protected health information. For example, individuals would be able to file a complaint when they believe that protected health information relating to them has been used or disclosed improperly, that an employee of the plan or provider has improperly handled the information, that they have wrongfully been denied access to or opportunity to amend the information, or that the entity’s notice does not accurately reflect its information practices. We would not require that the entity develop a formal appeals mechanism, nor that “due process” or any similar standard be applied. We would not require that covered entities respond in any particular manner or time frame. We are proposing two basic requirements for the complaint process. First, the covered plan or provider would be required to identify a contact person or office in the notice of information practices for receiving complaints. This person or office could either be responsible for handling the complaints or could put the individual in touch with the appropriate person within the entity to handle the particular complaint. See proposed § 164.512. This person could, but would not have to be, the entity’s privacy official. See § 164.518(a)(2). Second, the covered plan or provider would be required to maintain a record of the complaints that are filed and a brief explanation of the resolution, if any.

Covered plans and providers could implement this requirement through a variety of mechanisms based on their size and capabilities. For example, a small practice could assign a clerk to log in written and/or verbal complaints as they are received, and assign one physician to review all complaints monthly, address the individual situations and make changes to policies or procedures as appropriate. Results of the physician’s review of individual complaints then could be logged by the clerk. A larger provider or health plan could choose to implement a formal appeals process with standardized time frames for response.

We considered requiring covered plans and providers to provide a formal internal appeal mechanism, but rejected that option as too costly and burdensome for some entities. We also considered eliminating this requirement entirely, but rejected that option because a complaint process would give covered plans or providers a way to learn about potential problems with privacy policies or practices, or training issues. We also hope that providing an avenue for covered plans or providers to address complaints would lead to increased consumer satisfaction. We believe this approach strikes a reasonable balance between allowing covered plans or providers flexibility and accomplishing the goal of promoting attention to improvement in privacy practices. If an individual and a covered plan or provider are able to resolve the individual’s complaint, there may be no need for the individual to file a complaint with the Secretary under proposed § 164.522(b). However, an individual has the right to file a complaint with the Secretary at any time. An individual may file a complaint with the Secretary before, during, after, or concurrent with filing a complaint with the covered plan or provider, or without filing a complaint with the covered plan or provider.

We are considering whether modifications of these complaint procedures for intelligence community agencies may be necessary to address the handling of classified information and solicit comment on the issue.

5. Sanctions (§ 164.518(e))
[Please label comments about this section with the subject: “Sanctions”]

In proposed § 164.518(e), we would require all covered entities to develop and apply when appropriate sanctions for failure to comply with policies or procedures of the covered entity or with the requirements of this proposed rule. All members of the workforce who have regular contact with protected health information should be subject to sanctions, as would the entity’s business partners. Covered entities would be required to develop and impose sanctions appropriate to the nature of the issue. The type of sanction applied would vary depending on factors such as the severity of the violation, whether the violation was intentional or unintentional, and whether the violation indicates a pattern or practice of improper use or disclosure of protected health information. Sanctions could range from a warning to termination.

We considered specifying particular sanctions for particular kinds of violations of privacy policy, but rejected this approach for several reasons. First, the appropriate sanction will vary with the entity’s particular policies. Because we cannot anticipate every kind of privacy policy in advance, we cannot predict the response that would be appropriate when that policy is violated. In addition, it is important to allow covered entities to develop the sanctions policies appropriate to their business and operations.

6. Duty To Mitigate (§ 164.518(f))
[Please label comments about this section with the subject: “Duty to mitigate”]

We propose that covered entities be required to have procedures for mitigating, to the extent practicable, any deleterious effect of a use or disclosure of protected health information by members of their workforce or business partners.

With respect to business partners, we also propose that covered entities have an affirmative duty to take reasonable steps in response to breaches of contract terms. For example, a covered entity that becomes aware that a business partner has improperly disclosed protected health information could require that business partner to take steps to retrieve the disclosed information. The covered entity also could require that business partner to adopt new practices to better assure that protected health information is appropriately handled. Covered entities generally would not be required to monitor the activities of their business partners, but would be required to take steps to address problems of which they become aware, and, where the breach is serious or repeated, would also be required to monitor the business partner’s performance to ensure that the wrongful behavior has been remedied. For example, the covered entity could require the business partner to submit reports or subject itself to audits to demonstrate compliance with the contract terms required by this rule. Termination of the arrangement would be required only if it becomes clear that a business partner cannot be relied upon to maintain the privacy of protected health information provided to it.

We expect that sanctions would be more formally described and consistently carried out in larger, more sophisticated entities. Smaller, less sophisticated entities would be given more latitude and flexibility. For such smaller and less sophisticated entities, we would not expect a prescribed sanctions policy, but would expect that actions be taken if repeated instances of violations occur.

H. Development and Documentation of Policies and Procedures (§ 164.520)
[Please label comments about this section with the subject: “Policies and procedures”]

In proposed § 164.520, we would require covered entities to develop and document their policies and procedures for implementing the requirements of this rule. This requirement is intended as a tool to facilitate covered entities’ efforts to develop appropriate policies to implement this rule, to ensure that the members of its workforce and business partners understand and carry out expected privacy practices, and to assist covered entities in developing a notice of information practices.

[5] The Small Business Administration defines small businesses in the health care field as those generating less than $5 million annually. Small businesses represent approximately 85% of health care entities.

The scale of the policies developed should be consistent with the size of the covered entity. For example, a smaller employer could develop policies restricting access to health plan information to one designated employee, empowering that employee to deny release of the information to corporate executives and managers unless required for health plan administration. Larger employers could have policies that include using contractors for any function that requires access to protected health information or requiring all reports they receive for plan administration to be de-identified unless individual authorization is obtained.

Clearly, implementation of these requirements would differ significantly based on the size, capabilities and activities of each covered entity. A solo practitioner’s documentation of her policies and procedures could provide relatively straightforward statements, such as:

This practice does not use or disclose any protected health information that is not authorized or permitted under the federal privacy regulation and therefore does not request any authorized disclosures from patients. Staff R.N. reviews all individually authorized requests for disclosures to ensure they contain all required elements and reviews the copied information to ensure only authorized information is released in response. Information requests that would require extensive redaction will be denied.

Larger entities with many functions and business relationships and who are subject to multi-state reporting and record-keeping requirements would need to develop and document more extensive policies. A health plan would need to describe all activities that would be considered health care operations and identify the use and disclosure requirements of each activity. A health plan may determine that underwriting department employees must provide a written request, approved by a team leader, to access any identifiable claims information; that such requests must be retained and reviewed every quarter for appropriateness; and the underwriting department must destroy such information after use for an approved activity. We urge professional associations to develop model policies, procedures and documentation for their members of all sizes.

We are proposing general guidelines for covered entities to develop and document their own policies and procedures. We considered a more uniform, prescriptive approach but concluded that a single approach would be neither effective in safeguarding protected health information nor appropriate given the vast differences among covered entities in size, business practices and level of sophistication. It is important that each covered entity’s internal policies and procedures for implementing the requirements of this regulation are tailored to the nature and number of its business arrangements, the size of its patient population, its physical plant and computer system, the size and characteristics of its workforce, whether it has one or many locations, and similar factors. The internal policies and procedures appropriate for a clearinghouse would not be appropriate for a physician practice; the internal policies and procedures appropriate for a large, multi-state health plan would not be appropriate for a smaller, local health plan.

After evaluating the requirements of federal, State, or other applicable laws, covered entities should develop policies and procedures that are appropriate for their size, type, structure, and business arrangements. Once a covered plan or provider has developed and documented all of the policies and procedures as required in this section, it would have compiled all of the information needed to develop the notice of information practices required in § 164.512. The notice is intended to include a clear and concise summary of many of the policies and procedures discussed in this section. Further, if an individual has any questions about the entity’s privacy policies that are not addressed by the notice, a representative of the entity can easily refer to the documented policies and procedures for additional information.

Before making a material change in a policy or procedure, the covered entity would, in most instances, be required to make the appropriate changes to the documentation required by this section before implementing the change. In addition, covered plans and providers would be required to revise the notice of information practices in advance. Where the covered entity determines that a compelling reason exists to take an action that is inconsistent with its documentation or notice before making the necessary changes, it may take such action if it documents the reasons supporting the action and makes the necessary changes within 30 days of taking such action.

In an attempt to ensure that large entities develop coordinated and comprehensive policies and procedures as required by this section, we considered proposing that entities with annual receipts greater than $5 million [5] be required to have a privacy board review and approve the documentation of policies and procedures. As originally conceived, the privacy board would only serve to review research protocols as described in § 164.510(j). We believe that such a board could also serve as “privacy experts” for the covered entity and could review the entity’s documented policies and procedures. In this capacity, the overriding objective of the board would be to foster development of up-to-date, individualized policies that enable the organization to protect health information without unnecessarily interfering with the treatment and payment functions or business needs. This type of review is particularly important for large entities who would have to coordinate policies and procedures among a large staff, but smaller organizations would be encouraged, but not required, to take a similar approach (i.e., have a widely representative group participate in the development and/or review of the organization’s internal privacy policies and the documentation thereof). We solicit comment on this proposal.

We also considered requiring the covered entity to make its documentation available to persons outside the entity upon request. We rejected this approach because covered entities should not be required to share their operating procedures with the public, or with their competitors.

We recognize that the documentation requirement in this proposed rule would impose some paperwork burden on covered plans and providers. However, we believe that it is necessary to ensure that covered plans and providers establish privacy policies and procedures in advance of any requests for disclosure, authorization, or subject access. It is also necessary to ensure that covered entities and members of their workforce have a clear understanding of the permissible uses and disclosures of protected health information and their duty to protect the privacy of such information under specific circumstances.

1. Uses and Disclosures of Protected Health Information

We propose that covered entities be required to develop and document policies and procedures for how protected health information would be used and disclosed by the entity and its business partners. The documentation would include policies to ensure the entity is in compliance with the requirements for use and disclosure pursuant to an individual’s authorization. This would also include documentation of how the covered entity would comply with an individual’s revocation of an authorization, as provided in proposed § 164.508(e). For example, upon receipt of a revocation, the entity may need to take steps to notify each business partner that is responsible for using or disclosing protected health information on behalf of the covered entity based on the individual’s authorization. Because the entity is ultimately responsible for the protected health information, it may want written confirmation from the business partner that it received notice of the revocation.

The covered entity would be required to include policies and procedures necessary to address disclosures required by applicable law. For example, the covered entity may want to include a list of the relevant reporting requirements such as those for abuse, neglect and communicable disease and its policies and procedures for complying with each requirement.

It would also include policies and procedures for uses and disclosures without the individual’s authorization, including uses and disclosures for treatment, payment and health care operations under § 164.506(a)(1)(i). The documentation should address all of the legally permissible uses and disclosures that the covered entity is reasonably likely to make and should clearly specify the policy of the entity with respect to each. For example, all covered plans and providers face a reasonable likelihood of a request for disclosure from a health oversight agency, so every covered plan and provider should develop and document policies and procedures for responding to such requests. However, a provider that only treats adults would not need to specify a policy with respect to state laws that authorize disclosure relating to measles in young children. In this latter case, the provider knows that he or she is not reasonably likely to make such a disclosure and therefore, could wait until he or she is presented with such a request before developing the necessary policies and procedures.

The documentation would include the entity’s policies and procedures for complying with the requirements of proposed § 164.506(e) for disclosing protected health information to business partners, including policies and procedures for monitoring the business partners, mitigating harm, and imposing sanctions where appropriate.

It would address the policies and procedures for implementation of the minimum necessary requirement as provided in proposed § 164.506(b). It would also include policies and procedures addressing the creation of de-identified information pursuant to § 164.506(d). For example, a plan could have a policy that requires employees to remove identifiers from protected health information for all internal cost, quality, or performance evaluations. The plan would document this policy and the procedures for removing the identifiers.

2. Individual Requests for Restricting Uses and Disclosures

We propose to require covered health care providers to document how they would implement an individual’s request to restrict uses and disclosures. Under proposed § 164.506(c)(1)(iii), a covered entity need not agree to such restrictions. This section of the documentation would describe who (if anyone) in the covered entity is permitted to agree to such restrictions, and if such restrictions were accepted, how they would be implemented. For example, a provider may require that once an individual has requested a limitation on a use or disclosure, the affected information is stamped, marked or kept in a separate file. The provider could also have a policy of never agreeing to requests for such restrictions.

3. Notice of Information Practices

We propose to require covered plans and providers to document their policies and procedures for complying with the requirement in § 164.512 to develop, make available or disseminate, and amend their notices of information practices. This documentation would address, at a minimum, who is responsible for developing and updating the notice, who would serve as the “contact” person on the notice, how the notice would be disseminated to individuals, and how to respond to inquiries regarding information practices.

4. Inspection and Copying

We propose to require covered plans and providers to document policies and procedures to address how they would receive and comply with individual requests for inspection and copying, in compliance with § 164.514 of this proposed rule. Policies and procedures should address, at a minimum, a listing of the designated record sets to which access will be provided, any fees to be charged, and the reasons (if any) that the entity would deny a request for inspection and copying.

5. Amendment or Correction

We propose to require covered plans and providers to develop and document policies and procedures to address how they would receive and comply with individual requests for amendment or correction of their records, in compliance with § 164.516 of this proposed rule. Policies and procedures should include the process for determining whether a request for amendment or correction should be granted, the process to follow if a request is denied, and how the entity would notify other entities, including business partners, if the request is accepted. For example, if a covered entity accepts an individual's request for an amendment or correction, the entity could document specific procedures regarding how to make the appropriate additions or notations to the original information. Without such documentation, members of the workforce could accidentally expunge or remove the incorrect information.

6. Accounting for Disclosures

We propose to require covered entities to develop and document their policies and procedures for complying with the requirement in § 164.515 to provide on request an accounting for disclosures for purposes other than treatment, payment or health care operations. In order to respond to requests for accounting within a reasonable period of time, the entity would need to have a system for accounting in place well in advance of any potential requests. The entity would need to evaluate its record keeping system and determine how best to build in the capacity to respond to such a request. For example, if the entity chooses to keep a regular log of disclosures, it would have to begin keeping such logs routinely. If instead the entity chooses to rely on a record keeping system to reconstruct an accounting, it should develop appropriate procedures for members of the workforce to follow when faced with an individual's request.

7. Administrative Requirements

We propose to require covered entities to document their policies and procedures for complying with the applicable administrative requirements in proposed § 164.518. This would include designation of the privacy official required by § 164.518(a), including a description of his or her responsibilities; a description of how the entity would comply with the training and certification requirements for members of its workforce under § 164.518(b); a description of the covered entity's safeguards required by § 164.518(c); a description of how the covered plan or provider would meet the requirements of § 164.518(d) to receive individuals' complaints; a description of how the covered entity would meet the requirements for sanctioning members of its workforce under § 164.518(e); and a description of how the covered entity would take steps to mitigate any deleterious effect of a use or disclosure of protected health information as required by § 164.518(f).

The documentation would also address how access to protected health information is regulated by the entity, including the safeguards and the procedures that would be required by proposed § 164.518. For covered entities that are part of a larger organization that is not a covered entity (e.g., an on-site clinic at a university or the group health plan component of an employer), we would require such entities to develop and document policies and procedures that ensure that protected health information does not flow outside the health care component of the organization in violation of this proposed rule. For example, a school-based health clinic should have policies and procedures to prevent treatment information from crossing over into the school's record system.

Many disclosures would require verification of the identity of the person making the request, and sometimes also verification of the legal authority behind the request. The documentation required by this section would include a description of the entity's verification policies (e.g., what proof would be acceptable), and who would be responsible for ensuring that the necessary verification has occurred before the information is disclosed.

8. Record Keeping Requirements

We propose record keeping requirements related to several provisions. In addition to the documentation of policies and procedures described above, we would require covered entities, as applicable, to: document restrictions on uses and disclosures agreed to pursuant to § 164.506(c); maintain copies of authorization forms and signed authorizations (§ 164.508) and contracts used with business partners (§ 164.506(e)); maintain notices of information practices developed under § 164.512; maintain written statements of denials of requests for inspection and copying pursuant to § 164.514; maintain any response made to a request from an individual for amendment or correction of information, either in the form of the correction or amendment or the statement of the reason for denial and, if supplied, the individual's statement of disagreement, for as long as the protected health information is maintained (§ 164.516); maintain signed certifications by members of the workforce required by § 164.518(b); and maintain a record of any complaints received (§ 164.518(d)). Unless otherwise addressed in this proposal, covered entities would be required to retain these documents for six years, which is the statute of limitations period for the civil penalties. We note that additional records or compliance reports may be required by the Secretary for enforcement of this rule (§ 164.522(d)(1)).

I. Relationship to Other Laws

1. Relationship to State Laws

[Please label comments about this section with the subject: “Relationship to State laws”]

Congress addressed the issue of preemption of State law explicitly in the statute, in section 1178 of the Act. Consonant with the underlying statutory purpose to simplify the financial and administrative transactions associated with the provision of health care, the new section 1178(a)(1) sets out a “general rule” that State law provisions that are contrary to the provisions or requirements of part C of title XI or the standards or implementation specifications adopted or established thereunder are preempted by the federal requirements. The statute provides three exceptions to this general rule: (1) For State laws which the Secretary determines are necessary to prevent fraud and abuse, ensure appropriate State regulation of insurance and health plans, for State reporting on health care delivery, and other purposes; (2) for State laws which address controlled substances; and (3) for State laws relating to the privacy of individually identifiable health information which, as provided for by the related provision of section 264(c)(2), are contrary to and more stringent than the federal requirements. Section 1178 also carves out, in sections 1178(b) and 1178(c), certain areas of State authority which are not limited or invalidated by the provisions of part C of title XI; these areas relate to public health and State regulation of health plans.

Section 264 of HIPAA contains a related preemption provision. Section 264(c)(2) is, as discussed above, an exception to the “general rule” that the federal standards and requirements preempt contrary State law. Section 264(c)(2) provides, instead, that contrary State laws that relate to the privacy of individually identifiable health information will not be preempted by the federal requirements, if they are “more stringent” than those requirements. This policy, under which the federal privacy protections act as a floor, but not a ceiling on, privacy protections, is consistent with the Secretary's Recommendations.

Aside from the cross-reference to section 264(c)(2) in section 1178(a)(2)(B), several provisions of section 1178 relate to the proposed privacy standards. These include the general preemption rule of section 1178(a)(1), the carve-out for public health and related reporting under section 1178(b), and the carve-out for reporting and access to records for the regulation of health plans by States under section 1178(c). Other terms that occur in section 264(c)(2) also appear in section 1178: the underlying test for preemption—whether a State law is “contrary” to the federal standards, requirements or implementation specifications—appears throughout section 1178(a), while the issue of what is a “State law” for preemption purposes applies throughout section 1178. In light of these factors, it seems logical to develop a regulatory framework that addresses the various issues raised by section 1178, not just those parts of it implicated by section 264(c)(2). Accordingly, the rules proposed below propose regulatory provisions covering these issues as part of the general provisions in proposed part 160, with sections made specifically applicable to the proposed privacy standard where appropriate.

a. The “general rule” of preemption of State law. Section 1178(a)(1) provides the following “general rule” for the preemption of State law:

Except as provided in paragraph (2), a provision or requirement under this part (part C of title XI), or a standard or implementation specification adopted or established under sections 1172 through 1174, shall supersede any contrary provision of State law, including a provision of State law that requires medical or health plan records (including billing information) to be maintained or transmitted in written rather than electronic form.

As we read this provision, the provisions and requirements of part C of title XI, along with the standards and implementation specifications adopted thereunder, do not supplant State law, except to the extent such State law is “contrary” to the federal statutory or regulatory scheme. Moreover, the provisions and requirements of part C of title XI, along with the standards and implementation specifications adopted thereunder, do not preempt contrary State law where one of the exceptions provided for by section 1178(a)(2) applies or the law in question lies within the scope of the carve-outs made by sections 1178(b) and (c). Thus, States may continue to regulate in the area covered by part C of title XI and the regulations and implementation specifications adopted or established thereunder, except to the extent States adopt laws that are contrary to the federal statutory and regulatory scheme, and even those contrary State laws may continue to be enforceable, if they come within the statutory exceptions or carve-outs.

We note, however, that many of the Administrative Simplification regulations will have preemptive effect. The structure of many of the regulations, particularly those addressing the various administrative transactions, is to prescribe the use of a particular form or format for the transaction in question. Where the prescribed form or format is used, covered entities are required to accept the transaction. A State may well not be able to impose additional requirements for such transactions consistent with the federally prescribed form or format.

b. Exceptions for State laws the Secretary determines necessary for certain purposes. Section 1178(a)(2) lists several exceptions to the general preemption rule of section 1178(a)(1). The first set of exceptions are those listed at sections 1178(a)(2)(A)(i) and 1178(a)(2)(A)(ii). These exceptions are for provisions of State law which the Secretary determines are necessary: (1) To prevent fraud and abuse; (2) to ensure appropriate State regulation of insurance and health plans; (3) for State reporting on health care delivery or costs; (4) for other purposes; or (5) which address controlled substances.

Proposed § 160.203(a) below provides for determinations under these statutory provisions. The criteria at proposed § 160.203(a) follow the statute. As is more fully discussed below, however, two of the terms used in this section of the proposed rules are defined terms: “contrary” and “State law.” The process for making such determinations is discussed below.

c. Exceptions for State laws relating to the privacy of individually identifiable health information. The third exception to the “general rule” that the federal requirements, standards, and implementation specifications preempt contrary State law concerns State laws relating to the privacy of individually identifiable health information. Section 1178(a)(2)(B) provides that a State law is excepted from this general rule which, “subject to section 264(c)(2) of the Health Insurance Portability and Accountability Act of 1996, relates to the privacy of individually identifiable health information.” Section 264(c)(2) of HIPAA provides that the HIPAA privacy regulation, which is proposed in the accompanying proposed subpart B of proposed part 160, will not supersede “a contrary provision of State law, if the provision of State law imposes requirements, standards, or implementation specifications that are more stringent than the requirements, standards, or implementation specifications imposed” under the regulation at proposed subpart E of proposed part 164.

It is recognized that States generally have laws that relate to the privacy of individually identifiable health information. These laws continue to be enforceable, unless they are contrary to part C of title XI or the standards, requirements, or implementation specifications adopted or established pursuant to the proposed subpart x. Under section 264(c)(2), not all contrary provisions of State privacy laws are preempted; rather, the law provides that contrary provisions that are also “more stringent” than the federal regulatory requirements or implementation specifications will continue to be enforceable.

d. Definitions. There are a number of ambiguities in sections 1178(a)(2)(B) and 264(c)(2) of HIPAA. Clarifying the statute through the regulations will generally provide substantially more guidance to the regulated entities and the public as to which requirements, standards, and implementation specifications apply. For these reasons, the rules propose below to interpret several ambiguous statutory terms by regulation.

There are five definitional questions that arise in considering whether or not a State law is preempted under section 264(c)(2): (1) What is a “provision” of State law? (2) What is a “State law”? (3) What kind of State law, under section 1178(a)(2)(B), “relates to the privacy of individually identifiable health information”? (4) When is a provision of State law at issue “contrary” to the analogous provision of the federal regulations? (5) When is a provision of State law “more stringent than” the analogous provision of the federal regulations? We discuss these questions and our proposed regulatory answers below.

i. What is a “provision” of State law?

The initial question that arises in the preemption analysis is, what does one compare? The statute directs this analysis by requiring the comparison of a “provision of State law [that] imposes requirements, standards, or implementation specifications” with “the requirements, standards, or implementation specifications imposed under” the federal regulation. The statute thus appears to contemplate that what will be compared are the State and federal requirements that are analogous, i.e., that address the same subject matter. Accordingly, a dictionary-type definition of the term “provision” does not seem appropriate, as the contours of a given “provision” will be largely defined by the contours of the specific “requirement[], standard[], or implementation specification” at issue.

What does one do when there is a State provision and no comparable or analogous federal provision, or the converse is the case? The short answer would seem to be that, since there is nothing to compare, there cannot be an issue of a “contrary” requirement, and so the preemption issue is not presented. Rather, the stand-alone requirement—be it State or federal—is effective. There may, however, be situations in which there is a federal requirement with no directly analogous State requirement, but where several State requirements in combination would seem to be contrary in effect to the federal requirement. This situation usually will be addressed through the tests for “contrary,” discussed below.

At this juncture, it is difficult to frame options for dealing with this issue, because it is not clear that more of a structure is needed than the statute already provides. Rather, we solicit comment on how the term “provision” might be best defined for the purpose of the preemption analysis under the statute, along with examples of possible problems in making the comparison between a provision of State law and the federal regulations.

ii. What is a “State law”?

It is unclear what the term “provision of State law” in sections 1178 and 264(c) means. The question is whether the provision in question must, in order to be considered to have preemptive effect, be legislatively enacted or whether administratively adopted or judicially decided State requirements must also be considered. Congress explicitly addressed the same issue in a different part of HIPAA, section 102. Section 102 enacted section 2723 of the Public Health Service Act, which is a preemption provision that applies to issuers of health insurance to ERISA plans. Section 2723 contains in subsection (d)(1) the following definition of “State law”:

“The term ‘State law’ includes all laws, decisions, rules, regulations, or other State action having the effect of law, of any State. A law of the United States applicable only to the District of Columbia shall be treated as a State law rather than a law of the United States.”

By contrast, Congress provided no definition of the term “State law” in section 264. This omission suggests two policy options. One is to adopt the above definition, as a reasonable definition of the term and as an indication of what Congress probably intended in the preemption context (the policy embodied in section 2723 is analogous to that embodied in section 264(c)(2), in the sense that the State laws that are not preempted are ones that provide protections to individuals that go above and beyond the federal requirements). The other option is to argue by negative implication that, since Congress could have but did not enact the above definition in connection with sections 264 and 1178, it intended that a different definition be used, and that the most reasonable alternative is to limit the State laws to be considered to those that have been legislatively enacted.

The Department does not consider the latter option to be a realistic one. It is legally questionable and is also likely to be extremely confusing and unworkable as a practical matter, as it will be difficult to divorce State “laws” from implementing administrative regulations or decisions or from judicial decisions. Also, much State “privacy law”—e.g., the law concerning the physician/patient privilege—is not found in statutes, but is rather in State common law. Finally, since health care providers and others are bound by State regulations and decisions, they would most likely find a policy that drew a line based on where a legal requirement originated very confusing and unhelpful. As a result, we conclude that the language in section 102 represents a legally supportable approach that is, for practical reasons, a realistic option, and it is accordingly proposed in proposed § 160.202 below.

iii. What is a law that “relates to the privacy of individually identifiable health information”?

The meaning of the term “relate to” has been extensively adjudicated in a somewhat similar context, the issue of the preemption of State laws by ERISA. Section 514(a) of ERISA (29 U.S.C. 1144(a)) provides that ERISA “shall supersede any and all State laws insofar as they may now or hereafter relate to any employee benefit plan.” (Emphasis added.) The U.S. Supreme Court alone has decided 17 ERISA preemption cases, and there are numerous lower court cases. The term also has been interpreted in other contexts. Thus, there would seem to be several options for defining the term “relates to”: (1) By using the criteria developed by the Supreme Court as they evolve, (2) by using the criteria developed by the Supreme Court, but on a static basis, and (3) based on the legislative history, by setting federal criteria.

The first option would be based on the definition adopted in an early ERISA case, Shaw v. Delta Airlines, Inc., 463 U.S. 85 (1983), as it continues to evolve. In Shaw, a unanimous Supreme Court adopted a very broad reading of the term, holding that a law “relates to” an employee benefit plan “if it has a connection with or reference to” such a plan. Later cases have refined this general definition into a more particularized and complex one. The Supreme Court has also applied the Shaw definition outside of the ERISA context. In Morales v. Trans World Airlines, 504 U.S. 374 (1992), the Court defined the term “relating to” in the Airline Deregulation Act by using the definition of the term “relates to” developed under the ERISA cases above. While this option would appear to be a supportable reading of the statutory term, tying the agency interpretation to an evolving court interpretation will make it more difficult to make judgments, and particular judgments may change as the underlying court interpretations change.

The second option we considered would “freeze” the definition of “relates to” as the Court has currently defined it. This option also is a supportable reading of the statutory term, and is less of a moving target than the prior option. The complexity of the underlying court definition nonetheless presents problems.

The option selected and reflected in the rules proposed below grows out of the movement in recent years of the Supreme Court away from the literal, textual approach of Shaw and related cases to an analysis that looks more at the purposes and effects of the preemption statute in question. In New York State Conference of Blue Cross v. Travelers Insurance Co., 514 U.S. 645 (1995), the Court held that the proper inquiry in determining whether the State law in question related to an employee benefit plan was to look to the objectives of the (ERISA) statute as a guide to the scope of the State law that Congress understood would survive. The Court drew a similar line in Morales, concluding that State actions that affected airline rates, routes, or services in “too tenuous, remote, or peripheral a manner” would not be preempted. 504 U.S. at 384. The Court drew a conceptually consistent line with respect to the question of the effect of a State law in English v. General Electric Co., 496 U.S. 72, 84 (1990); see also Gade v. National Solid Wastes Management Ass'n., 505 U.S. 88 (1992). The Court held that deciding which State laws were preempted by the OSH Act required also looking at the effect of the State law in question, and that those which regulated occupational safety and health in a “clear, direct, and substantial way” would be preempted. These cases suggest an approach that looks to the legislative history of HIPAA and seeks to determine what kinds of State laws Congress meant, in this area, to leave intact and also seeks to apply more of a “rule of reason” in deciding which State laws “relate to” privacy and which do not.

The legislative history of HIPAA offers some insight into the meaning of the term “relates to.” The House Report (House Rep. No. 496, 104th Cong., 2d Sess., at 103) states that—

The intent of this section is to ensure that State privacy laws that are more stringent than the requirements and standards contained in the bill are not superseded.

Based on this legislative history, one could argue that the “State laws” covered by the “relates to” clause are simply those that are specifically or explicitly designed to regulate the privacy of personal health information, and not ones that might have the incidental effect of doing so. Thus, the option selected below appears to be consistent with the Court's approach in Travelers, and, together with the “effect” test, seems to be closer to how the Court is analyzing preemption issues. It makes sense on a common sense basis as well, and appears, from the little legislative history available, to be what Congress intended in this context.

iv. When is a provision of State law “contrary” to the analogous federal requirement?

The statute uses the same language in both section 1178(a)(1) and section 264(c)(2) to delineate the general precondition for preemption: the provision of State law must be “contrary” to the relevant federal requirement, standard, or implementation specification; the term “contrary,” however, is not defined. It should be noted that this issue (the meaning of the term “contrary”) does not arise solely in the context of the proposed privacy standard. The term “contrary” appears throughout section 1178(a) and is a precondition for any preemption analysis done under that section.


The definition set out at proposed § 160.202 embodies the tests that the courts have developed to analyze what is known as “conflict preemption.” In this analysis, the courts will consider a provision of State law to be in conflict with a provision of federal law where it would be impossible for a private party to comply with both State and federal requirements or where the provision of State law “stands as an obstacle to the accomplishment and execution of the full purposes and objectives of Congress.” This latter test has been further defined as, where the State law in question “interferes with the methods by which the federal statute was designed to reach (its) goal.” International Paper Co. v. Ouellette, 479 U.S. 481, 494 (1987). In Gade, the Supreme Court applied this latter test to preempt an Illinois law and regulations that imposed additional, non-conflicting conditions on employers, holding that the additional conditions conflicted with the underlying congressional purpose to have one set of requirements apply. This test, then, is particularly relevant with respect to the other HIPAA regulations, where Congress clearly intended uniform standards to apply nationwide.

The Department is of the view that this definition should be workable and is probably what Congress intended in using the term—as a shorthand reference to the case law. We considered a broader definition (“inconsistent with”), but rejected it on the grounds that it would have less legal support and would be no easier to apply than the statutory term “contrary” itself.

v. What is the meaning of “more stringent”?

The issue of when a provision of State law is “more stringent” than the comparable “requirements, standards, or implementation specifications” of the HIPAA privacy regulation is not an easy one. In general, it seems reasonable to assume that “more stringent” means “providing greater privacy protection,” but such an interpretation leads to somewhat different applications, depending on the context. For example, a State law that provided for fewer and more limited disclosures than the HIPAA privacy regulation would be “more stringent.” At the same time, a State law that provides for more and/or greater penalties for wrongful disclosures than does the HIPAA privacy regulation would also be “more stringent.” Thus, in the former case, “more stringent” means less or fewer, while in the latter case, “more stringent” means more or greater. In addition, some situations are more difficult to characterize. For example, if the HIPAA privacy regulation requires disclosure to the individual on request and a State law prohibits disclosure in the circumstance in question, which law is “more stringent” or “provides more privacy protection”?

A continuum of regulatory options is available. At one end of the continuum is the minimalist approach of not interpreting the term “more stringent” further or spelling out only a general interpretation, such as the “provides more privacy protection” standard, and leaving the specific applications to later case-by-case determinations. At the other end of the continuum is the approach of spelling out in the regulation a number of different applications, to create a very specific analytic framework for future determinations. We propose below the latter approach for several reasons: specific criteria will simplify the determination process for agency officials, as some determinations will be already covered by the regulation, while others will be obvious; specific criteria will also provide guidance for determinations where the issue of “stringency” is not obvious; courts will be more likely to give deference to agency determinations, leading to greater uniformity and consistency of expectation; and the public, regulated entities, and States will have more notice as to what the determinations are likely to be.

The specific criteria proposed at proposed § 160.202 are extrapolated from the principles of the fair information practices that underlie and inform these proposed rules and the Secretary's Recommendations. For example, limiting disclosure of personal health information obviously protects privacy; thus, under the criteria proposed below, the law providing for less disclosure is considered to be “more stringent.” Similarly, as the access of an individual to his or her protected health information is considered to be central to enabling the individual to protect such information, the criteria proposed below treat a law granting greater rights of access as “more stringent.” We recognize that many State laws require patients to authorize or consent to disclosures of their health information for treatment and/or payment purposes. We consider individual authorization generally to be more protective of privacy interests than the lack of such authorization, so such State requirements would generally stand, under the definition proposed below.

However, we would interpret a State law relating to individual authorization to be preempted if the law requires, or would permit a provider or health plan to require, as a condition of treatment or payment for health care, an individual to authorize uses or disclosures for purposes other than treatment, payment and health care operations, and if such authorization would override restrictions or limitations in this regulation relating to the uses and disclosures for purposes other than treatment, payment and health care operations. For example, if a State law permitted or required a provider to obtain an individual authorization for disclosure as a condition of treatment, and further permitted the provider to include in the authorization disclosures for research or for commercial purposes, the State law would be preempted with respect to the compelled authorization for research or commercial purposes. At the same time, if a State law required a provider to obtain an individual authorization for disclosure as a condition of treatment, and further required the provider to include an authorization for the provider to disclose data to a State data reporting agency, such a law would not be preempted, because State laws that require such data reporting are saved from preemption under section 1178(c) of the statute.

In addition, to the extent that a State consent law does not contain other consent or authorization requirements that parallel or are stricter than the applicable federal requirements, those detailed federal requirements would also continue to apply. We solicit comment in particular on how these proposed criteria would be likely to operate with respect to particular State privacy laws.

e. The process for making administrative determinations regarding the preemption of State health information privacy laws. Because States generally have laws that relate to the privacy of individually identifiable health information, there may be conflicts between provisions of various State laws and the federal requirements. Where such conflicts appear to exist, questions may arise from the regulated entities or from the public concerning which requirements apply. It is possible that such questions may also arise in the context of the Secretary’s enforcement of the civil monetary penalty provisions of section 1176. The Secretary accordingly proposes to adopt the following process for responding to such comments and making the determinations necessary to carry out her responsibilities under section 1176.

The rules proposed below would establish two related processes: one for making the determinations called for by section 1178(a)(2)(A) of the Act and the other for issuing advisory opinions regarding whether a provision of State law would come within the exception provided for by section 1178(a)(2)(B).

VerDate 29-OCT-99 18:49 Nov 02, 1999 Jkt 190000 PO 00000 Frm 00081 Fmt 4701 Sfmt 4702 E:\FR\FM\03NOP3.XXX pfrm01 PsN: 03NOP3

Page 82: November 3, 1999 federal register - HHS.gov...Federal Register/Vol. 64, No. 212/Wednesday, November 3, 1999/Proposed Rules 59919 26. Research information unrelated to treatment. 27

59998 Federal Register / Vol. 64, No. 212 / Wednesday, November 3, 1999 / Proposed Rules

i. Determinations under section 1178(a)(2)(A).

The rules proposed below should not usually implicate section 1178(a)(2)(A), which provides that a State law will not be preempted where the Secretary determines it is necessary for one or more of five specific purposes: (1) To prevent fraud and abuse; (2) to ensure appropriate State regulation of insurance and health plans; (3) for State reporting on health care delivery or costs; (4) for other purposes; or (5) which address controlled substances. The process for implementing this statutory provision is proposed here, because the issue of how such preemption issues will be handled has been raised in prior HIPAA rulemakings and needs to be addressed, and, as explained above, the statutory provision itself is fairly intertwined (in terms of the specific terms used), with the preemption provisions of the statute that relate to privacy.

The process proposed below for determinations by the Secretary would permit States to request an exception to the general rule of preemption. The decision to limit, at least as an initial matter, the right to request such determinations to States was made for several reasons. First, States are obviously most directly concerned by preemption, in that it is State legislative, judicial, or executive action that the federal requirements supersede. Principles of comity dictate that States be given the opportunity to make the case that their laws should not be superseded. Second, States are in the best position to address the issue of how their laws operate and what their intent is, both of which are relevant to the determination to be made. Third, we need to control the process as an initial matter, so that the Secretary is not overwhelmed by requests. Fourth, where particular federal requirements will have a major impact on providers, plans, or clearinghouses within a particular State, we assume that they will be able to work with their State governments to raise the issue with the Secretary; the discussion process that such negotiations should entail should help crystallize the legal and other issues for the Secretary and, hence, result in better determinations. We emphasize that HHS may well revisit this issue, once it has gained some experience with the proposed process.

Proposed § 160.204(a)(1) sets out a number of requirements for requests for determinations. In general, the purpose of these requirements is to provide as complete a statement as possible of the relevant information as an initial matter, to minimize the time needed for the Secretarial determination.

The remaining requirements of proposed § 160.204(a) generally are designed to set out an orderly process and effect of the determinations. Of particular note is proposed § 160.204(a)(5), which provides that such determinations apply only to transactions that are wholly intrastate. We recognize that in today’s economy, many, perhaps most, transactions will be interstate, so that the effect of a positive determination could be minimal under this provision. Nonetheless, we think that there is no practical alternative to the proposed policy. We do not see how it would be practical to split up transactions that involved more than one State, when one State’s law was preempted and the other’s was not. We do not see why the non-preempted law should govern the transaction, to the extent it involved an entity in a State whose law was preempted. Quite aside from the sovereignty issues such a result would raise, such a result would be very confusing for the health care industry and others working with it and thus inconsistent with the underlying goal of administrative simplification. Rather, such a situation would seem to be a classic case for application of federal standards, and proposed § 160.204(a)(5) would accordingly provide for this.

ii. Advisory opinions under section 1178(a)(2)(B).

The rules proposed below lay out a similar process for advisory opinions under section 1178(a)(2)(B). That section of the statute provides that, subject to the requirements of section 264(c)(2) (the provision of HIPAA that establishes the “more stringent” preemption test), State laws that “relate to the privacy of individually identifiable health information” are excepted from the general rule that the HIPAA standards, requirements, and implementation specifications preempt contrary State law.

Unlike section 1178(a)(2)(A), section 1178(a)(2)(B) does not provide for the making of a determination by the Secretary. Nonetheless, it is clear that the Secretary may make judgments about the legal effect of particular State privacy laws in making compliance and enforcement decisions. It is also foreseeable that the Secretary will be asked to take a position on whether particular State privacy laws are preempted or not. We have concluded that the best way of addressing these concerns is to provide a mechanism by which the Secretary can issue advisory opinions, so that the public may be informed about preemption judgments the Secretary has made. See proposed § 160.204(b).

The process proposed below for requesting advisory opinions is limited to States, for the reasons described in the preceding section. The requirements for requests for advisory opinions are similar to the requirements for determinations in proposed § 160.204(a), but are tailored to the different statutory requirements of sections 1178(a)(2)(A) and 264(c)(2). As with proposed § 164.204(a), the process proposed below would provide for publication of advisory opinions issued by the Secretary on an annual basis, to ensure that the public is informed of the decisions made in this area.

f. Carve-out for State public health laws. Section 1178(b) provides that “Nothing in this part shall be construed to invalidate or limit the authority, power, or procedures established under any law providing for the reporting of disease or injury, child abuse, birth, or death, public health surveillance, or public health investigation or intervention.” This section appears to carve out an area over which the States have traditionally exercised oversight and authority—the collection of vital statistics, the enforcement of laws regarding child abuse and neglect, and the conduct of public health surveillance, investigation, and intervention. State laws in these areas may involve reporting of individually identifiable health information to State or local authorities. Section 1178(b) indicates that existing or future State laws in these areas are enforceable, notwithstanding any privacy requirements adopted pursuant to section 264(c). In addition, covered entities should not be inhibited from complying with requests authorized by State law for release of information by public health authorities for the stated purposes.

It should be noted that the limitation of section 1178(b) applies to the “authority, power, or procedures established under any law.” Public health laws often convey broad general authorities for the designated agency to protect public health, including enforcement powers, and these State authorities and powers would remain enforceable. Further, section 1178(b) also covers “procedures” authorized by law; we read this language as including State administrative regulations and guidelines.

The proposed rules propose to address these concerns by treating the disclosures covered by section 1178(b) as allowable disclosures for public health activities under proposed § 164.510(b). Thus, those disclosures permitted under proposed § 164.510(b) are intended to be, with respect to disclosures authorized by State law, at least as broad as section 1178(b). This means that disclosures that are authorized by State law but which do not come within the scope of proposed § 164.510(b) are considered to fall outside of the limitation of section 1178(b). In addition, since similar activities and information gathering are conducted by the federal government, disclosures to public health authorities authorized by federal law would be permitted disclosures under this proposed rule and applicable federal law will govern the use and re-disclosure of the information.

g. Carve-out for State laws relating to oversight of health plans. Section 1178(c) provides that nothing in part C of title XI limits the ability of States to require health plans “to report, or to provide access to, information for management audits, financial audits, program monitoring and evaluation, facility licensure or certification, or individual licensure or certification.” This section thus also carves out an area in which the States have traditionally regulated health care as an area which the statute intends to leave in place. State laws requiring the reporting of or access to information of the type covered by section 1178(c) will in certain cases involve the reporting of, or access to, individually identifiable health information. Accordingly, provision has been made for such reporting and access by making such reporting and access permitted disclosures and uses under this proposed rule. See proposed § 164.510(c).

2. Relationship to Other Federal Laws [Please label comments about this section with the subject: “Relationship to other federal laws”]

The rules proposed below also would affect various federal programs, some of which may have requirements that are, or appear to be, inconsistent with the requirements proposed below. Such federal programs include those programs that are operated directly by the federal government, such as the health benefit programs for federal employees or the health programs for military personnel. They also include a wide variety of health services or benefit programs in which health services or benefits are provided by the private sector or by State or local government, but which are governed by various federal laws. Examples of the latter types of programs would be the Medicare and Medicaid programs, the health plans governed by the Employee Retirement Income Security Act of 1974, 29 U.S.C. 1001, et seq. (ERISA), the various clinical services programs funded by federal grants, and substance abuse treatment programs.

Some of the above programs are explicitly covered by HIPAA. Section 1171 of the Act defines the term “health plan” to include the following federally conducted, regulated, or funded programs: group plans under ERISA which either have 50 or more participants or are administered by an entity other than the employer who established and maintains the plan; federally qualified health maintenance organizations; Medicare; Medicaid; Medicare supplemental policies; the health care program for active military personnel; the health care program for veterans; the Civilian Health and Medical Program of the Uniformed Services (CHAMPUS); the Indian health service program under the Indian Health Care Improvement Act, 25 U.S.C. 1601, et seq.; and the Federal Employees Health Benefits Program. There also are many other federally conducted, regulated, or funded programs in which individually identifiable health information is created or maintained, but which do not come within the statutory definition of “health plan.” While these latter types of federally conducted, regulated, or assisted programs are not explicitly covered by part C of title XI in the same way that the programs listed in the statutory definition of “health plan” are covered, the statute may nonetheless apply to transactions and other activities conducted under such programs. This is likely to be the case where the federal entity or federally regulated or funded entity provides health services; the requirements of part C are likely to apply to such an entity as a “health care provider.” Thus, the issue of how different federal requirements apply is likely to arise in numerous contexts.

When two federal statutes appear to conflict, the courts generally engage in what is called an “implied repeal” analysis. The first step in such an analysis is to look for some way in which to reconcile the apparently conflicting requirements. Only if the conflicting provisions cannot be reconciled do courts reach the second step of the analysis, in which they look to see whether the later statute repealed the prior statute (to the extent of the conflict) by implication. In making such a determination, the courts look to the later statute and its legislative history, to see if there is evidence as to whether Congress intended to leave the prior statute in place or whether it intended the later statute to supersede the prior statute, to the extent of the conflict between the two. It is not a foregone conclusion that a later statute will repeal inconsistent provisions of a prior statute. Rather, there are cases in which the courts have held prior, more specific statutes not to be impliedly repealed by later, more general statutes.

As noted above, section 1171 of the Act explicitly makes certain federal programs subject to the standards and implementation specifications promulgated by the Secretary, while entities carrying out others are implicitly covered by the scope of the term “health care provider.” The legislative history of the statute is silent with respect to how these requirements were to operate in the federal sector vis-a-vis these and other federal programs with potentially conflicting requirements. Congress is presumed to have been aware that various federal programs that the privacy and other standards would reach would be governed by other federal requirements, so the silence of the legislative history and the limited reach of the statute would seem to be significant. On the other hand, Congress’ express inclusion of certain federal programs in the statute also has significance, as it constitutes an express Congressional statement that the HIPAA standards and implementation specifications apply to these programs. In light of the absence of relevant legislative history, we do not consider this Congressional statement strong enough to support a conclusion of implied repeal, where the conflict is one between the HIPAA regulatory standards and implementation specifications and another federal statute. However, it seems strong enough to support an inference that, with respect to these programs, the HIPAA standards and implementation specifications establish the federal policy in the case of a conflict at the regulatory level.

Thus, the first principle that applies where both the HIPAA standards and implementation specifications and the requirements of another federal program apply is that we must seek to reconcile and accommodate any apparently conflicting federal requirements. Two conclusions flow from this principle. First, where one federal statute or regulation permits an activity that another federal statute or regulation requires, and both statutes apply to the entity in question, there is no conflict, because it is possible to comply with both sets of federal requirements. Second, where one federal statute or regulation permits, but does not require, an activity that another federal statute or regulation prohibits, there is again no conflict, because it is possible to comply with both sets of federal requirements. In each case, the entity has lost some discretion that it would otherwise have had under the more permissive set of requirements, but in neither case has it been required to do something that is illegal under either federal program.

There will, however, also be cases where the privacy or other Administrative Simplification standards and implementation specifications cannot be reconciled with the requirements of another federal program. In such a case the issue of implied repeal is presented. As suggested above, we think that where the conflict is between the privacy or other Administrative Simplification regulations and another federal statute, the regulatory requirements would give way, because there is insufficient evidence to support a finding that part C of title XI is intended to repeal other federal laws. For example, if other law prohibits the dissemination of classified or other sensitive information, this rule’s requirements for granting individuals’ right to copy their own records would give way. Where the conflict is between the Administrative Simplification regulatory requirements and other federal regulatory requirements that are discretionary (not mandated by the other federal law), we think that there is also insufficient evidence to support a finding of implied repeal of the latter regulatory requirements, where the other federal program at issue is not one specifically addressed in section 1171. However, where the other federal program at issue is one of the ones which Congress explicitly intended to have the Administrative Simplification standards and implementation specifications apply to, by including them in the definition of “health plan” in section 1171, we think that there is evidence that the Administrative Simplification standards and implementation specifications should prevail over contrary exercises of discretion under those programs.

We considered whether the preemption provision of section 264(c)(2) of Public Law 104–191, discussed in the preceding section, would give effect to State laws that would otherwise be preempted by federal law. For example, we considered whether section 264(c)(2) could be read to make the Medicare program subject to State laws relating to information disclosures that are more stringent than the requirements proposed in this rule, where such laws are presently preempted by the Medicare statute. We also considered whether section 264(c)(2) could be read to apply such State laws to procedures and activities of federal agencies, such as administrative subpoenas and summons, that are prescribed under the authority of federal law. In general, we do not think that section 264(c)(2) would work to apply State law provisions to federal programs or activities with respect to which the State law provisions do not presently apply. Rather, the effect of section 264(c)(2) is to give preemptive effect to State laws that would otherwise be in effect, to the extent they conflict with and are more stringent than the requirements promulgated under the Administrative Simplification authority of HIPAA. Thus, we do not believe that it is the intent of section 264(c)(2) to give an effect to State law that it would not otherwise have in the absence of section 264(c)(2).

We explore some ramifications of these conclusions with respect to specific federal programs below. We note that the summaries below do not identify all possible conflicts or overlaps of the proposed rules with other federal requirements; rather, we have attempted to explain the general nature of the relationship of the different federal programs. We would anticipate issuing more detailed guidance in the future, when the final privacy policies are adopted, and the extent of conflict or overlap can be ascertained. We also invite comment with respect to issues raised by other federal programs.

a. The Privacy Act. The Privacy Act of 1974, 5 U.S.C. 552a, is not preempted or amended by part C of title XI. The Privacy Act applies to all federal agencies, and to certain federal contractors who operate Privacy Act protected systems of records on behalf of federal agencies. It does not, however, apply to non-federal entities that are reached by part C. While the proposed rules are applicable to federal and non-federal entities, they are not intended to create any conflict with Privacy Act requirements. In any situation where compliance with the proposed rules would lead a federal entity to a result contrary to the Privacy Act, the Privacy Act controls. In sections of the proposed rules which might otherwise create the appearance of a conflict with Privacy Act requirements, entities subject to the Privacy Act are directed to continue to comply with Privacy Act requirements.

Because the Privacy Act gives federal agencies the authority to promulgate agency-specific implementing regulations, and because the Privacy Act also allows agencies to publish routine uses that have the status of exceptions to the Privacy Act’s general rule prohibiting disclosure of Privacy Act protected information to third parties, the issue of possible conflicts between the proposed Administrative Simplification rules and existing Privacy Act rules and routine uses must be addressed. Where the federal program at issue is one of the ones that Congress explicitly intended to have the Administrative Simplification standards and implementation specifications apply to, by including them in the definition of “health plan” in section 1171, we think that there is evidence that the Administrative Simplification standards and implementation specifications should prevail over contrary exercises of discretion under those programs. That is, to the extent that a routine use is truly discretionary to an agency which is also a covered entity under section 1172(a), the agency would not have discretion to ignore the Administrative Simplification regulations. It is possible, however, that in some cases there might be underlying federal statutes that call for disclosure of certain types of information, and routine uses could be promulgated as the only way to implement those statutes and still comply with the Privacy Act. If this were to happen or be the case, the routine use should prevail.

b. The Substance Abuse Confidentiality regulations. Regulations that are codified at 42 CFR part 2 establish confidentiality requirements for the patient records of substance abuse “programs” that are “federally assisted.” Substance abuse programs are specialized programs or personnel that provide alcohol and drug abuse treatment, diagnosis, or referral for treatment. 42 CFR 2.11. The term “federally assisted” is broadly defined, and includes federal tax exempt status and Medicare certification, among other criteria. 42 CFR 2.12(b). Such programs may not disclose patient identifying information without the written consent of the patient, unless the information is needed to respond to a medical emergency, or such information is disclosed for purposes of research, audit, or evaluation. Disclosures may not be made in response to a subpoena; rather, a court order is required in order for a disclosure of covered records to be lawfully made. Limited disclosures may also be made by such programs to State or local officials under a State law requiring reporting of incidents of suspected child abuse and neglect and to law enforcement officials regarding a patient’s crime on program premises or against program personnel or a threat to commit such a crime. 42 CFR 2.12. Unlike the rules proposed below, the confidentiality protections continue indefinitely after death, although part 2 would permit disclosure of identifying information relating to the cause of death under laws relating to the collection of vital statistics or permitting inquiry into cause of death.

It seems likely that most, if not all, programs covered by the part 2 regulations will also be covered, as health care providers, by the rules proposed below. As can be seen from the above summary, the part 2 regulations would not permit many disclosures that would be permitted under proposed § 164.510 below, such as many disclosures for law enforcement, directory information, governmental health data systems, and judicial and other purposes. In addition, the general permissive disclosure for treatment or payment purposes at proposed § 164.506 below would be inconsistent with the more restrictive requirements at part 2. In such situations, providers (or others) subject to both sets of requirements could not make disclosures prohibited by part 2, even if the same disclosures would be permitted under the rules proposed below.

There are also a number of requirements of the part 2 regulations that parallel the requirements proposed below. For example, the minimum necessary rule, where applicable, would parallel a similar requirement at 42 CFR 2.13(a). Similarly, the notice requirements of part 2, at 42 CFR 2.22, parallel the notice requirements proposed below, although the notice required below would be more detailed and cover more issues. The preemptive effect on State law should be the same under both part 2 and section 264(c)(2). The requirements for disclosures for research proposed below are likewise similar to those in part 2. In such cases, health care providers would have to comply with the more extensive or detailed requirements, but there should be no direct conflict.

Many other provisions of the proposed rules, however, simply have no counterpart in part 2. For example, the part 2 regulations do not require programs to maintain an accounting of uses and disclosures, nor do they provide for a right to request amendment or correction of patient information. Similarly, the part 2 regulations contain no prohibition on conditioning treatment or payment on provision of an individual authorization for disclosure. In such situations, health care providers would be bound by both sets of requirements.

c. ERISA. ERISA was enacted in 1974 to regulate pension and welfare employee benefit plans that are established by private sector employers, unions, or both, to provide benefits to their workers and dependents. An employee welfare benefit plan includes plans that provide “through the purchase of insurance or otherwise * * * medical, surgical, or hospital care or benefits, or benefits in the event of sickness, accident, disability, (or) death.” 29 U.S.C. 1002(1). In 1996, Public Law 104–191 amended ERISA to require portability, nondiscrimination, and renewability of health benefits provided by group health plans and group health insurance issuers. Numerous, although not all, ERISA plans are covered under the rules proposed below as “health plans.”

As noted above, section 514(a) of ERISA, 29 U.S.C. 1144(a), preempts all State laws that “relate to” any employee benefit plan. However, section 514(b) of ERISA, 29 U.S.C. 1144(b)(2)(A), expressly saves from preemption State laws which regulate insurance. Section of ERISA, 29 U.S.C. 1144(b)(2)(B), provides that an ERISA plan is deemed not to be an insurer for the purpose of regulating the plan under the State insurance laws. Thus, under the deemer clause, States may not treat ERISA plans as insurers subject to direct regulation by State law. Finally, section 514(d) of ERISA, 29 U.S.C. 1144(d), provides that ERISA does not “alter, amend, modify, invalidate, impair, or supersede any law of the United States.”

We considered whether the preemption provision of section 264(c)(2) of Public Law 104–191, discussed in the preceding section, would give effect to State laws that would otherwise be preempted by section 514(a) of ERISA. Our reading of the statutes together is that the effect of section 264(c)(2) is simply to leave in place State privacy protections that would otherwise apply and which are more stringent than the federal privacy protections. In the case of ERISA plans, however, if those laws are preempted by section 514(a), they would not otherwise apply. We do not think that it is the intent of section 264(c)(2) to give an effect to State law that it would not otherwise have in the absence of section 264(c)(2). Thus, we would not view the preemption provisions below as applying to State laws otherwise preempted by section 514(a) of ERISA.

Many plans covered by the rules proposed below are also subject to ERISA requirements. To date our discussions and consultations have not uncovered any particular ERISA requirements that would conflict with the rules proposed below. However, we invite comment, particularly in the form of specific identification of statutory or regulatory provisions, of requirements under ERISA that would appear to conflict with provisions of the rules proposed below.

d. Other federally funded health programs. There are a number of authorities under the Public Health Service Act and other legislation that contain explicit confidentiality requirements either in the enabling legislation or in the implementing regulations. Many of these are so general that there would appear to be no problem of inconsistency, in that nothing in the legislation or regulations would appear to restrict the assisted provider’s discretion to comply with the requirements proposed below. There are, however, several authorities under which either the requirements of the enabling legislation or of the program regulations would impose requirements that would differ from the rules proposed below. We have identified several as presenting potential issues in this regard. First, regulations applicable to the substance abuse block grant program funded under section 1943(b) of the Public Health Service Act require compliance with 42 CFR part 2, and thus raise the issues identified in section 2 above. Second, there are a number of federal programs which, either by statute or by regulation, restrict the disclosure of patient information to, with minor exceptions, disclosures “required by law.” See, for example, the program of projects for prevention and control of sexually transmitted diseases funded under section 318(e)(5) of the Public Health Service Act (42 CFR 51b.404); the regulations implementing the community health center program funded under section 330 of the Public Health Service Act (42 CFR 51c.110); the regulations implementing the program of grants for family planning services under title X of the Public Health Service Act (42 CFR 59.15); the regulations implementing the program of grants for black lung clinics funded under 30 U.S.C. 437(a) (42 CFR 55a.104); the regulations implementing the program of maternal and child health projects funded under section 501 of the Act (42 CFR 51a.6); the regulations implementing the program of medical examinations of coal miners (42 CFR 37.80(a)). These legal requirements would restrict the grantees or other entities under the programs involved from making many of the disclosures that proposed § 164.510 would permit. In some cases, permissive disclosures for treatment, payment or health care operations would also be limited. Since proposed § 164.510 is merely permissive, there would not be a conflict between the program requirements, as it would be possible to comply with both. However, it should be recognized that entities subject to both sets of requirements would not have the total range of discretion that the rules proposed below would suggest.

J. Compliance and Enforcement (§ 164.522)

1. Compliance

[Please label written comments about this section with the subject: ‘‘Compliance.’’]

The rules proposed below at § 164.522 would establish several requirements designed to enable the Secretary to monitor and seek to ensure compliance with the provisions of this subpart. The general philosophy of this section is to provide a cooperative approach to obtaining compliance, including use of technical assistance and informal means to resolve disputes. However, in recognition of the fact that it would not always be possible to achieve compliance through cooperation, the section also would provide the Secretary with tools for carrying out her statutory mandate to achieve compliance.

a. Principles for achieving compliance. Proposed § 164.522(a) would establish the principle that the Secretary will seek the cooperation of covered entities in obtaining compliance. Section 164.522(a)(2) provides that the Secretary could provide technical assistance to covered entities to help them come into compliance with this subpart. It is clearly in the interests of both the covered entities and the individuals they serve to minimize the costs of compliance with the privacy standards. To the extent that the Department could facilitate this by providing technical assistance, it would endeavor to do so.

b. Individual complaints and compliance reviews. We are proposing in § 164.522(b) that individuals have the right to file a complaint with the Secretary if they believe that a covered plan or provider has failed to comply with the requirements of this subpart. Because individuals would have received notice, pursuant to proposed § 164.512, of the uses and disclosures that the entity could make and of the entity’s privacy practices, they would have a basis for making a realistic judgment as to when a particular action or omission would be improper. The notice would also inform individuals how they could find out how to file such complaints. We thus consider the proposed complaint right to be one that could realistically be exercised by individuals, given the regulatory structure proposed.

We are concerned about the burden that handling the potential volume of such complaints would create for this Department, but we recognize that such a complaint mechanism would provide helpful information about the privacy practices of covered plans or providers and could serve to identify particularly troublesome compliance problems on an early basis.

The procedures proposed in this section are modeled on those used by the Department’s Office for Civil Rights, although they would be adapted to reflect the requirements of this subpart. We would require complainants to identify the entities and describe the acts or omissions alleged to be out of compliance and would require individuals to file such complaints within 180 days of those acts or omissions. We have tried to keep the requirements for filing complaints as minimal as possible, to facilitate use of this right. The Secretary would also attempt to keep the identity of complainants confidential, if possible. However, we recognize that it could be necessary to disclose the identity of complainants in order to investigate the substance of their complaints, and the rules proposed below would permit such disclosures.

The Secretary could promulgate alternative procedures for complaints based on agency-specific concerns. For example, to protect classified information, we may promulgate rules that would allow an intelligence community agency to create a separate body within that agency to receive complaints.

The Secretary would try to resolve complaints on an informal basis wherever possible. Where a resolution could not be reached, the Secretary could make a formal finding of noncompliance. However, resolution could occur, and an agreement reached with the covered entity, even after a finding that a violation occurred. The Secretary could use the finding as a basis to initiate an action under section 1176 of the Act or to refer the matter to the Department of Justice for prosecution under section 1177 of the Act. It should be recognized that the decision to initiate an action under either section of the law would be a discretionary one, and proposed § 164.522 would not require such prosecutorial action to be taken. Proposed § 164.522(e)(1)(ii) would, however, permit the use of findings made in connection with a complaint, group of complaints, or compliance review to be acted on in this fashion.

The rules proposed below also would provide that the Secretary would inform both the covered plan or provider and the complainant, whenever a decision was made on a complaint.

We are proposing in § 164.522(c) that the Secretary could conduct compliance reviews to determine whether covered entities are in compliance. A compliance review could be based on information indicating a possible violation of this subpart even though a formal complaint has not been filed. As is the case with a complaint investigation, a compliance review may examine the policies, practices or procedures of a covered entity and may result in voluntary compliance or in a violation or no violation finding.

c. Responsibilities of covered entities. Proposed § 164.522(d) establishes certain obligations for covered entities that would be necessary to enable the Secretary to carry out her statutory role to determine their compliance with these requirements. Proposed § 164.522(d)(1) would require covered entities to maintain records as directed. Proposed § 164.522(d)(2) would require them to participate as required in compliance reviews. Proposed § 164.522(d)(3) would affirmatively establish their obligation to provide information to the Secretary upon demand. Finally, paragraph (d)(4) would prohibit intimidating, discriminatory or other retaliatory actions by a covered entity against a person who files a complaint with the Secretary; testifies, assists or participates in any manner in an investigation, compliance review, proceeding, or hearing under this Act; or opposes any act or practice made unlawful by this subpart. This language is modeled after the Americans with Disabilities Act and title VII of the Civil Rights Act of 1964. Prohibitions against retaliation are also common throughout Department programs. The experience of the federal government in enforcing civil rights and other laws has been that voluntary compliance with and effective enforcement of such laws depend in large part on the initiative of persons opposed to illegal practices. If retaliation for opposing practices that a person reasonably believes are unlawful were permitted to go unremedied, it would have a chilling effect upon the willingness of persons to speak out and to participate in administrative processes under this subpart.

Opposition to practices of covered entities refers to a person’s communication of his or her good faith belief that a covered entity’s activities violate this subpart. Opposition includes, but is not limited to, filing a complaint with the covered entity under § 164.518(d) and making a disclosure as a whistleblower under § 164.518(c)(4). This provision would not protect a person whose manner of opposition is so unreasonable that it interferes with the covered entities’ legitimate activities. This provision would cover situations such as where an employee of a physician is fired in retaliation for confronting the doctor regarding her practice of illegally disclosing individuals’ records or where a health plan drops coverage after an enrollee argues to the plan that he has a right to access to his records.

We recognize that under these requirements the covered entity would be disclosing protected health information to representatives of the Department when such information is relevant to a compliance investigation or assessment. We recognize that this would create a mandatory disclosure of protected health information and that such a requirement carries significant privacy concerns. Those concerns must, however, be weighed against the need to obtain compliance by entities with the privacy standards, and to protect against future improper uses and disclosures of protected health information. The proposed rule accordingly attempts to strike a balance between these interests, providing that the Department would not disclose such information, except as may be necessary to enable the Secretary to ascertain compliance with this subpart or in enforcement proceedings or as otherwise required by law.

2. Enforcement

[Please label written comments about this section with the subject: ‘‘Enforcement.’’]

Congress established a two-pronged approach to enforcement of all of the requirements established under part C of title XI of the Act. First, section 1176 grants the Secretary the authority to impose civil monetary penalties against those covered entities which fail to comply with the requirements established under part C. These penalties are to be imposed according to the procedures established for imposition of civil monetary penalties in section 1128A of the Act. Second, section 1177 establishes criminal penalties for certain wrongful disclosures of individually identifiable health information.

The selection of the civil monetary penalty process at section 1128A of the Act as the enforcement mechanism for the Administrative Simplification standards and requirements indicates the type of process Congress believes is appropriate for civil enforcement of those standards and requirements. The Secretary’s Recommendations call for a privacy right of action to permit individuals to enforce their privacy rights. However, the HIPAA does not provide a private right of action, so the Secretary lacks the authority to provide for such a remedy. Accordingly, we would provide that individuals could file complaints with the Secretary and the Secretary could then, when appropriate, investigate. The Secretary may also conduct compliance reviews. See proposed § 164.522(b) and (c).

Under section 1177(a), the offense of ‘‘wrongful disclosure’’ is a disclosure that violates the standards or requirements established under part C. These would include any disclosures not otherwise permitted under the privacy standards or the parallel security standards.

As we noted in the Notices of Proposed Rulemaking for the other Administrative Simplification regulations, we will propose regulations in the future to establish these procedures. Because such procedures will not constitute ‘‘standards’’ within the meaning of part C, they would not be subject to the delay in effective date provisions that apply to the various Administrative Simplification regulations.

III. Small Business Assistance

This rule is significant because it establishes for the first time a federally required regime of information practices in the medical industry. The length, and at times complexity, of the preamble discussion may impress small businesses as creating overly burdensome and costly requirements. We believe, however, that several features of the rule, combined with initiatives by the Department and professional associations, will make the rule easily administrable for the vast majority of small businesses.

First, a significant portion of the rule addresses the topic of signed individual authorization for disclosure of health information—the information that the authorization would include and when such an authorization would be required. Importantly, no patient written authorization would be required when information is disclosed for purposes of treatment and payment and health care operations, or when disclosure is mandated by law. In other words, doctors who disclose patient health information only to other doctors for treatment purposes, or to insurance companies to process payment, or for operational purposes can continue to do so without any change in current practices under this proposal. Only those covered entities who disclose health information to marketers, reporters, private investigators, researchers, and others for purposes unrelated to treatment, payment, and health care operations are required to get the written consent of the patient in accordance with this rule.

Second, the Department plans to engage in outreach and education programs to ease the implementation of this rule for small businesses. Already, this rule provides model forms for getting patient authorization and provides an example of a notice of information practices (another requirement in the rule, described further below). We also expect that professional associations will develop forms tailored to specific groups’ needs. The Department pledges to work with professional associations to provide the greatest possible guidance to small businesses covered by this rule.

Third, in implementing this rule, we will apply the principle of ‘‘scalability,’’ so that a particular entity’s characteristics—including its size, type of business, and information practices—would be relevant to how that entity adopts procedures to comply with this rule. Take one example—this rule requires the designation of a ‘‘privacy official.’’ Large health plans dealing with a vast range of information flows may well consider hiring a full time person to oversee compliance with the rule, to assist in planning systems development, and to draft contracts with business partners, among other tasks. A small doctor’s office, on the other hand, may instead determine that an existing office manager could oversee the office’s privacy policies. There would be no expectation that this small doctor’s office hire a full-time privacy official. In each of these examples, the covered entity would be complying with the rule’s requirement that a privacy official be designated—but the ways that each complies would reflect the different circumstances of each entity’s practice.

It is important for small businesses to understand what their obligations would be and to implement the necessary procedures to comply, with the help of the Department’s model forms and other resources from professional associations. While most covered entities would need to be in compliance within two years of the final publication of the rule, small businesses would have an extra year to come into compliance.

Here, we set out the principal (although not exclusive) requirements for small businesses:

1. Notice to Individuals of Information Practices (§ 164.512)

Each covered entity would have to develop a notice of information practices, which, as described above, could be modeled on the form attached to this proposal or on model forms that we expect professional associations to develop. The notice must accurately reflect the entity’s practices and include the elements listed in § 164.512.

Covered health care providers would have to provide the notice to individuals at first service after the effective date of the rule. Providers are also required to post a current copy of the notice in a clear and prominent location for individuals to see. Covered health plans would have to provide the notice to any individual covered by the plan when this rule becomes effective, at enrollment, and after any material change to the notice or at least once every three years.

2. Access of Individuals to Protected Health Information (§ 164.514)

Covered plans and providers would be required to allow individuals to inspect and copy their protected health information. These plans or providers could charge individuals a reasonable cost-based fee for copying.

3. Accounting for Uses and Disclosures (§ 164.515)

Covered plans and providers would have to be able to provide an accounting for uses and disclosures of protected health information for purposes other than treatment, payment, or health care operations. We expect that this burden will be very low for most small businesses, given the nature of most disclosures by such businesses.

4. Amendment and Correction (§ 164.516)

Covered plans and providers would be required to allow individuals to request amendments or corrections to their protected health information.

5. Designated Privacy Official (§ 164.518(a))

Each covered entity would designate a privacy official. As described above, in a small provider’s office, the office manager may be the official in charge of making sure that the office is implementing its privacy policies and procedures and taking complaints.

6. Training (§ 164.518(b))

All members of covered entities’ workforces who have contact with protected health information would be required to have some sort of privacy training about the entity’s policies and procedures and to sign a certificate indicating that they had such training. For a small entity, this could simply mean the privacy official briefly discussing how they handle privacy concerns and going over the entity’s notice of information practices.

7. Safeguards (§ 164.518(c))

A covered entity would have to establish administrative, technical, and physical safeguards to protect the privacy of protected health information from unauthorized access or use. For a small provider, this may mean having the ability to securely lock up any records that are not being used and ensuring that records are not kept in an area where anyone who is not authorized could view them.

8. Complaints (§ 164.518(d))

Every covered entity would be required to have policies and procedures in place that allow individuals to file complaints about possible privacy violations. For a small entity, this could mean simply that they keep a specific file for complaints.

9. Sanctions (§ 164.518(e))

Covered entities would be required to develop and apply sanctions when a member of a covered entity’s work force or business partner fails to comply with the entity’s policies and procedures related to this rule. For small businesses, these could range from requiring re-training on privacy, to placing a notation of the violation in an employee’s record, to dismissal or ending a contract with a business partner.

10. Documentation of Policies and Procedures (§ 164.520)

Covered entities would be required to document policies and procedures for use and disclosure of protected health information relating to this regulation, including elements listed in § 164.520, and would need to maintain one copy of each version of its notice of information practices, and authorization forms. See § 164.520(f) for a full list of recordkeeping requirements.

11. Minimum Necessary (§ 164.506(b))

When using or disclosing protected health information for treatment, payment, healthcare operations, and other purposes, an entity would be required to disclose only the amount of protected health information necessary to accomplish the intended purpose of the use or disclosure.

12. Business Partners (§ 164.506(e))

For those small businesses that hire ‘‘business partners’’ to assist them in carrying out their operations, this rule would require that they take steps, including having certain terms in a contract, to ensure that their business partners are also protecting the privacy of individually identifiable health information. We expect that model contracts will be developed by potential business partners and others that can be used to fulfill the requirements of this section.

13. Special Disclosures That Do Not Require Authorization—Public Health, Research, etc. (§ 164.510)

This proposed rule would also permit disclosure of patients’ health information in special cases and under certain conditions. These disclosures would be optional under this proposed rule but may be mandatory under other laws. The primary examples of such permissible disclosures are for: public health purposes, for health oversight purposes, for judicial and administrative proceedings, to coroners and medical examiners, to law enforcement agencies, to next-of-kin, to governmental health data systems, for research purposes, other disclosures required by law, among others. Each of these disclosures and uses would be subject to specific conditions, described in the proposed rule.

14. Verification (§ 164.518(c)(2))

Entities would be required to have reasonable procedures to verify the identity or authority, as applicable, of persons requesting the disclosure of protected health information if the person making the request is not already known to the entity. In most cases, the covered entity could simply ask for a form of identification like a driver’s license.

IV. Preliminary Regulatory Impact Analysis

Section 804(2) of title 5, United States Code (as added by section 251 of Public Law 104–121), specifies that a ‘‘major rule’’ is any rule that the Office of Management and Budget finds is likely to result in—

• An annual effect on the economy of $100 million or more;

• A major increase in costs or prices for consumers, individual industries, Federal, State, or local government agencies, or geographic regions; or

6 Janlori Goldman, Institute for Health Care Research and Policy, Georgetown University: www.healthprivacy.org/resources.

• Significant adverse effects in competition, employment, investment, productivity, innovation, or on the ability of United States based enterprises to compete with foreign-based enterprises in domestic and export markets.

We estimate that the impact of this final rule will be over $1 billion in the first year of implementation. Therefore, this rule is a major rule as defined in Title 5, United States Code, section 804(2).

DHHS has examined the impacts of this proposed rule under Executive Order 12866. Executive Order 12866 directs agencies to assess all costs and benefits of available regulatory alternatives and, when regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects; distributive impacts; and equity). According to Executive Order 12866, a regulatory action is ‘‘significant’’ if it meets any one of a number of specified conditions, including having an annual effect on the economy of $100 million or adversely affecting in a material way a sector of the economy, competition, or jobs or if it raises novel legal or policy issues. DHHS finds that this proposed rule is a significant regulatory action as defined by Executive Order 12866. Also in accordance with the provisions of Executive Order 12866, this proposed rule was reviewed by the Office of Management and Budget.

When this proposed rule becomes a final rule, in accordance with the Small Business Regulatory Enforcement and Fairness Act (Pub. L. 104–121), the Administrator of the Office of Information and Regulatory Affairs of the Office of Management and Budget (the Administrator) has determined that this proposed rule would be a major rule for the purpose of congressional review. A major rule for this purpose is defined in 5 U.S.C. 804(2) as one that the Administrator has determined has resulted or is likely to result in an annual effect on the economy of $100 million or more; a major increase in costs or prices for consumers, individual industries, federal, State, or local government agencies, or geographic regions; or significant adverse effects on competition, employment, investment, productivity, innovation, or on the ability of U.S.-based enterprises to compete with foreign-based enterprises in domestic or export markets.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) projects a significant increase in the number of medical transactions that will be conducted or transmitted electronically. HIPAA notes the privacy needs that result when individually identifiable health information can be transmitted quickly through electronic information systems. While there is a compelling need to protect the privacy of health information in today’s health care system, the expected growth of electronic systems to aid medical diagnostics, claims processing and research makes it even more critical to improve privacy protections.

A fundamental assumption of this regulation is that the greatest benefits of improved privacy protection will be realized in the future as patients gain increasing trust in health care practitioners’ ability to maintain the confidentiality of their health information. Furthermore, our analysis rests on the principle that health information privacy is a right, and as such, cannot be valued solely by market costs. Because it is difficult to measure future benefits based on present data, our estimates of the costs and benefits of this regulation are based on the current business environment and do not include projections beyond five years. As a result, we cannot accurately account for all of the regulation’s future costs and benefits, but the Department is confident that future benefits will be higher than those stated in this analysis.

In order to achieve a reasonable level of privacy protection, we have three objectives for the proposed rule: (1) To establish baseline standards for health care privacy protection, (2) to establish protection for all health information maintained or transmitted by covered entities, and (3) to protect the privacy of health information that is maintained in electronic form, as well as health information generated by electronic systems.

Establishing minimum standards for health care privacy protection is an attempt to create a baseline level of privacy protection for patients across States. The Health Privacy Project’s report, The State of Health Privacy: An Uneven Terrain 6 makes it clear that under the current system of state laws, privacy protection is extremely variable. Our statutory authority under HIPAA allows us to preempt state laws when state law provides less stringent privacy protection than the regulation. Only in cases where state law does not protect the patient’s health information as stringently as in this proposed rule, or when state law is more restrictive of a patient’s right to access their own health care information, will our rule preempt state law. We discuss preemption in greater detail in other parts of the preamble (see the effects of the rule on state laws, section 2 below).

Our second objective is to establish a uniform base of protection for all health information maintained or transmitted by covered entities. As discussed in the preamble, HIPAA restricts the type of entities covered by the proposed rule to three broad categories: health care providers, health care clearinghouses, and health plans. However, there are similar public and private entities that we do not have the authority to regulate under HIPAA. For example, life insurance companies are not covered by this proposed rule but have access to a large amount of protected health information. State government agencies not directly linked to public health functions or health oversight may also have access to protected health information. Examples of this type of agency include the motor vehicle administration, which frequently maintains individual health information, and welfare agencies that routinely hold health information about their clients.

Our third objective is to protect the privacy of health information that is maintained in electronic form, as well as health information generated by electronic systems. Health information is currently stored and transmitted in multiple forms, including in electronic, paper, and oral formats. In order to provide consistent protection to information that has been electronically transmitted or maintained, we propose that this rule cover all personal, protected health information that has ever been maintained or transmitted electronically. This type of information includes output such as computer printouts, X-rays, magnetic tape, and other information that was originally maintained or transmitted electronically. For example, laboratory tests are often computer generated, printed out on paper, and then stored in a patient’s record. Because such lab results were originally maintained electronically, the post-electronic (i.e. printed) output of those lab results would also be covered under the proposed rule.

It is important to note that the use of electronic systems to maintain and transmit health information is growing among health care providers and health plans. Faulkner and Gray report that provider use of electronically processed health transactions grew from 47 percent to 62 percent between 1994 and 1998. Payer use of electronic transactions grew 17 percent between 1996 and 1997. Once all of the HIPAA administrative simplification standards are implemented, we expect the number of electronic transactions processed by payers and providers to grow.

1 Health Data Directory, Faulkner & Gray; 1999 Edition, pp 22–23.

The variation in business practice regarding use of paper records versus electronic media for storing and transmitting health information is captured by comparing the percentage of providers that submit paper claims with those that submit electronic claims. Faulkner & Gray’s Health Data Directory 1 shows that only 40 percent of non-Medicare physician claims and 16 percent of dental claims were submitted electronically in 1998. In contrast, 88 percent of all pharmacy claims were submitted electronically.

We believe that most physicians either have, or will have in the near future, the capacity to submit claims electronically. Faulkner and Gray reported that 81 percent of physicians with Medicare patients submitted their Medicare claims electronically. The difference in the percent of electronic claims submitted to Medicare suggests that the physicians’ decisions to submit claims electronically may be heavily influenced by the administrative requirements of the health plan receiving the claim. Since HIPAA requires all health plans to accept electronic transactions and, in order to compete in the technologically driven health care market, more health plans may require electronic claims submissions, physicians will conduct many more electronic transactions in the near future. Therefore, it is extremely important that adequate privacy protections are implemented now.

A. Relationship of This Analysis to Analyses in Other HIPAA Regulations

Historically, Congress has recognized that privacy standards must accompany the electronic data interchange standards and that the increased ease of transmitting and sharing individually identifiable health information must be accompanied by an increase in privacy and confidentiality. In fact, the bulk of the first Administrative Simplification section that was debated on the floor of the Senate in 1994 (as part of the Health Security Act) was made up of privacy provisions. Although the requirement for the issuance of concomitant privacy standards remained a part of the bill passed by the House of Representatives, the requirement for privacy standards was removed in conference. This section was moved from the standard-setting authority of Title XI (section 1173 of the Act) and placed in a separate section of HIPAA, section 264. Subsection (b) of section 264 required the Secretary of HHS to develop and submit to the Congress recommendations for:

(1) The rights that an individual who is a subject of individually identifiable health information should have.

(2) The procedures that should be established for the exercise of such rights.

(3) The uses and disclosures of such information that should be authorized or required.

The Secretary's Recommendations were submitted to the Congress on September 11, 1997, and are summarized below. Section 264(c)(1) provides that:

If legislation governing standards with respect to the privacy of individually identifiable health information transmitted in connection with the transactions described in section 1173(a) of the Social Security Act (as added by section 262) is not enacted by (August 21, 1999), the Secretary of Health and Human Services shall promulgate final regulations containing such standards not later than (February 21, 2000). Such regulations shall address at least the subjects described in subsection (b).

As the Congress did not enact legislation governing standards with respect to the privacy of individually identifiable health information prior to August 21, 1999, HHS has now, in accordance with this statutory mandate, developed proposed rules setting forth standards to protect the privacy of such information.

These privacy standards have been, and continue to be, an integral part of the suite of Administrative Simplification standards intended to simplify and improve the efficiency of the administration of our health care system.

The proposed rule should be considered along with all of the administrative simplification standards required by HIPAA. We assessed several strategies for determining the impact of this proposed rule. We considered whether it would be accurate to view the impact as a subset of the overall HIPAA standards or whether this privacy component should be viewed as an addition to the earlier impact analyses related to HIPAA. We decided that while this proposed rule is considered one of the HIPAA standards, any related costs or benefits should be viewed as an addition to earlier analyses. The original HIPAA analyses did not incorporate the expected costs and benefits of privacy regulation because, at the time of the original analyses, we did not know whether Congress would enact legislation or whether privacy would need to be addressed by regulation. Therefore, much of our cost analysis is based on the expected incremental costs above those related to other HIPAA regulations.

B. Summary of Costs and Benefits

The Department has estimated the costs and benefits of the proposed rule subject to several caveats. In general, it is difficult to estimate the costs and benefits of improved privacy protection. The ability to measure costs of the proposed regulation is limited because there is very little data currently available on the cost of privacy protection. The Department has not been able to estimate costs for a number of requirements of the proposed regulation that we know will impose some cost on covered entities. For those elements for which there are estimated costs, data and information limitations limit the precision of the Department's estimates; for those reasons we have provided an overall range of costs in addition to point estimates, and welcome further information from the public as part of the comment process. Furthermore, the number of new privacy requirements that the regulation will introduce to the health care industry exacerbates the difficulty of estimating the benefits of privacy. Benefits are difficult to measure because we conceive of privacy primarily as a right and secondarily as a commodity. As discussed below, the significant benefits of the proposed regulation to individuals and society can be demonstrated by illustrating the serious privacy concerns raised by mental health, substance abuse, cancer screening, and HIV/AIDS patients and the benefits that may be derived from greater privacy.

The estimated cost of compliance with the proposed rule would be at least $3.8 billion over five years. The cost includes estimates for the majority of the requirements of the proposed regulation, but not all. These estimates include costs to federal, State, and local governments; federal, State and local costs are therefore a subset of total costs. Based on a plausible range of costs for the key components of the analysis, the cost of the regulation would likely be in the range of $1.8 to $6.3 billion over five years (not including those elements of the regulation for which we could not make any cost estimates).

60007 Federal Register / Vol. 64, No. 212 / Wednesday, November 3, 1999 / Proposed Rules

8 Health Care Financing Administration, Office of the Actuary, 1997.

The compliance costs are in addition to Administrative Simplification estimates. The cost of complying with the privacy regulation represents about 0.09 percent of projected national health expenditures during the first year following the regulation's enactment. The five-year cost of the proposed regulation also represents 1.0 percent of the increase in health care costs that will occur during the same five-year period.8

The largest cost item is the amending and correcting of records, which would represent over one-half of total costs. Provider and plan notices, which we estimate would cost $439 million, are the second largest cost, and inspection and copying of records is estimated to be $405 million. The one-time costs for providers to develop policies and procedures represent somewhat less than 10 percent of the total cost, or $333 million. Plans would bear a substantially smaller cost—approximately $62 million. Other systems changes would cost about $90 million over the period. The cost of administering written authorizations would total approximately $271 million over five years.

The cost estimates include private- and public-sector costs. Many of the public-sector cost elements will be the same as those in the private market. However, privacy notices are likely to represent a smaller fraction of total public-sector costs, while systems compliance costs in the public sector may be higher than in the private sector due to oversight and administrative requirements.

The costs presented in this document are the Department's best estimates of the cost of implementing the proposed regulation based on available information and data. Because of inadequate data, we have not made cost estimates for the following components of the regulation: the principle of minimum necessary disclosure; the requirement that entities monitor business partners with whom they share PHI; creation of de-identified information; internal complaint processes; sanctions; compliance and enforcement; the designation of a privacy official and creation of a privacy board; and additional requirements on research/optional disclosures that will be imposed by the regulation. The cost of these provisions may be significant in some cases, but it would be inaccurate to project costs for these requirements given the fact that several of these concepts are new to the industry, and there is little direct evidence on costs. We solicit comment regarding costs of the regulation that we have not quantified.

The privacy protections established by this regulation will provide major social benefits. Establishing privacy protection as a fundamental right is an important goal and will have significant, non-quantifiable social benefits. A well-designed privacy standard can be expected to build confidence among the public about the confidentiality of their health information. Increased confidence in the privacy of an individual's health information can be expected to increase the likelihood that many people will seek treatment for particular classes of disease, particularly mental health conditions, sexually transmitted diseases such as HIV/AIDS, and earlier screening for certain cancers. The increased utilization of medical services that would result from increased confidence in privacy would lead to improved health for the individuals involved, reduced costs to society associated with delayed treatments, and improved public health attributable to reduced transmission of communicable diseases.

TABLE 1.—THE COST OF COMPLYING WITH THE PROPOSED PRIVACY REGULATION
[In dollars]

Provision                                                           | Initial or first year cost (2000) | Annual cost after the first year | Five year (2000–2004) cost
--------------------------------------------------------------------|-----------------------------------|----------------------------------|---------------------------
Development of Policies and Procedures—Providers (totaling 871,294) | $333,000,000                      |                                  | $333,000,000
Development of Policies and Procedures—Plans (totaling 18,225)      | 62,000,000                        |                                  | 62,000,000
System Changes—All Entities                                         | 90,000,000                        |                                  | 90,000,000
Notice Development Cost—All Entities                                | 20,000,000                        |                                  | 30,000,000
Notice Issuance—Providers                                           | 59,730,000                        | 37,152,000                       | 208,340,000
Notice Issuance—Plans                                               | 46,200,000                        | 46,200,000                       | 231,000,000
Inspection/Copying                                                  | 81,000,000                        | 81,000,000                       | 405,000,000
Amendment/Correction                                                | 407,000,000                       | 407,000,000                      | 2,035,000,000
Written Authorization                                               | 54,300,000                        | 54,300,000                       | 271,500,000
Paperwork/Training                                                  | 22,000,000                        | 22,000,000                       | 110,000,000
Other Costs*                                                        | **N/E                             | N/E                              | N/E
Total                                                               | $1,165,230,000                    | $647,652,000                     | $3,775,840,000

* Other Costs include: minimum necessary disclosure; monitoring business partners with whom entities share PHI; creation of de-identified information; internal complaint processes; sanctions; compliance and enforcement; the designation of a privacy official and creation of a privacy board; additional requirements on research/optional disclosures that will be imposed by the regulation.

** N/E = "Not estimated".

We promote the view that privacy protection is an important personal right, and suggest that the greatest of the benefits of the proposed regulation are impossible to estimate based on the market value of health information alone. However, it is possible to evaluate some of the benefits that may accrue to individuals as a result of the proposed regulation, and these benefits, alone, demonstrate that the regulation is warranted.

These benefits are considered both qualitatively and quantitatively. As a framework for the discussion, the cost of the provisions in the regulation that have been quantified is $0.46 per health care encounter. Although the value of privacy cannot be fully calculated, it is worth noting that if individuals would be willing to pay more than $0.46 per health care encounter to improve health information privacy, the benefits of the proposed regulation would outweigh the cost.

60008 Federal Register / Vol. 64, No. 212 / Wednesday, November 3, 1999 / Proposed Rules

9 American Cancer Society. http://www.cancer.org/statistics/97cff/97facts.html

10 John Hornberger et al, "Early treatment with highly active anti-retroviral therapy (HAART) is cost-effective compared to delayed treatment," 12th World AIDS conference, 1998.

Several qualitative examples illustrate the benefits of the proposed regulation. In one case, medical privacy concerns may prevent patients from obtaining early testing and screening for certain types of cancer. For types of cancer for which screening is available, survival rates might increase to 95 percent when the cancer is diagnosed in the early stages.9 For HIV/AIDS patients, new treatments for patients who are diagnosed with HIV in the early stages may save $23,700 per quality-adjusted year of life saved.10 Later in this document, the potential to reduce illness and disability associated with sexually transmitted diseases is discussed.

We recognize that many of the costs and benefits of health information privacy are difficult to quantify, but we believe that our estimates represent a reasonable range of the economic costs and benefits associated with the regulation.

C. Need for the Proposed Action

Privacy is a fundamental right. As such, it has to be viewed differently than any ordinary economic good. Although the costs and benefits of a regulation need to be considered as a means of identifying and weighing options, it is important not to lose sight of the inherent meaning of privacy: it speaks to our individual and collective freedom.

A right to privacy in personal information has historically found expression in American law. All fifty states today recognize in tort law a common law or statutory right to privacy. Many states specifically provide a remedy for public revelation of private facts. Some states, such as California and Tennessee, have a right to privacy as a matter of state constitutional law. The multiple historical sources for legal rights to privacy are traced in many places, including Chapter 13 of Alan Westin's Privacy and Freedom and in Ellen Alderman & Caroline Kennedy, The Right to Privacy (1995).

To take but one example, the Fourth Amendment to the United States Constitution guarantees that "the right of the people to be secure in their persons, houses, papers and effects, against unreasonable searches and seizures, shall not be violated." By referring to the need for security of "persons" as well as "papers and effects" the Fourth Amendment suggests enduring values in American law that relate to privacy. The need for security of "persons" is consistent with getting patient consent before performing invasive medical procedures. The need for security in "papers and effects" underscores the importance of protecting information about the person, contained in sources such as personal diaries, medical records, or elsewhere. As is generally true for the right of privacy in information, the right is not absolute. The test instead is what constitutes an "unreasonable" search of the papers and effects.

The United States Supreme Court has specifically upheld the constitutional protection of personal health information. In Whalen v. Roe, 429 U.S. 589 (1977), the Court analyzed a New York statute that created a database of persons who obtained drugs for which there was both a lawful and unlawful market. The Court, in upholding the statute, recognized at least two different kinds of interests within the constitutionally protected "zone of privacy." "One is the individual interest in avoiding disclosure of personal matters," such as this proposed regulation principally addresses. This interest in avoiding disclosure, discussed in Whalen in the context of medical information, was found to be distinct from a different line of cases concerning "the interest in independence in making certain kinds of important decisions." In the recent case of Jaffee v. Redmond, 116 S.Ct. 1923 (1996), the Supreme Court held that statements made to a therapist during a counseling session were protected against civil discovery under the Federal Rules of Evidence. The Court noted that all fifty states have adopted some form of the psychotherapist-patient privilege. In upholding the federal privilege, the Supreme Court stated that it "serves the public interest by facilitating the appropriate treatment for individuals suffering the effects of a mental or emotional problem. The mental health of our citizenry, no less than its physical health, is a public good of transcendent importance."

Many writers have urged a philosophical or common-sense right to privacy in one's personal information. Examples include Alan Westin, Privacy and Freedom (1967) and Janna Malamud Smith, Private Matters: In Defense of the Personal Life (1997). These writings emphasize the link between privacy and freedom and privacy and the "personal life," or the ability to develop one's own personality and self-expression. Smith, for instance, states:

The bottom line is clear. If we continually, gratuitously, reveal other people's privacies, we harm them and ourselves, we undermine the richness of the personal life, and we fuel a social atmosphere of mutual exploitation. Let me put it another way: Little in life is as precious as the freedom to say and do things with people you love that you would not say or do if someone else were present. And few experiences are as fundamental to liberty and autonomy as maintaining control over when, how, to whom, and where you disclose personal material. Id. at 240–241.

Individuals' right to privacy in information about themselves is not absolute. It does not, for instance, prevent reporting of public health information on communicable diseases or stop law enforcement from getting information when due process has been observed. But many people believe that individuals should have some right to control personal and sensitive information about themselves.

Among different sorts of personal information, health information is among the most sensitive. Many people believe that details about their physical self should not generally be put on display for neighbors, employers, and government officials to see. Informed consent laws place limits on the ability of other persons to intrude physically on a person's body. Similar concerns apply to intrusions on information about the person. Moving beyond these facts of physical treatment, there is likely a greater intrusion when the medical records reveal details about a person's mental state, such as during treatment for mental health. If, in Justice Brandeis' words, the "right to be let alone" means anything, then it likely applies to outsiders having access to one's intimate thoughts, words, and emotions.

In addition to these arguments based on the right to privacy in personal information, market failures will arise to the extent that privacy is less well protected than the parties would have agreed to, if they were fully informed and had the ability to monitor and enforce contracts. The chief market failures with respect to privacy concern information, negotiating, and enforcement costs. The information costs arise because of the information asymmetry between the company and the patient—the company typically knows far more than the patient about how the information will be used by that company. A health care provider or plan, for instance, knows many details about how protected health information will be generated, combined with other databases, or sold to third parties.



60009 Federal Register / Vol. 64, No. 212 / Wednesday, November 3, 1999 / Proposed Rules

Patients face at least two layers of cost in learning about how their information is used. First, as with many aspects of health care, patients face the challenge of trying to understand technical medical terminology and practices. It will often be difficult for a patient to understand the medical records and the implications of transferring various parts of such records to a third party. Second, especially in the absence of consistent national rules, patients may face significant costs in trying to learn and understand the nature of a company's privacy policies.

The costs of learning about companies' policies are magnified by the difficulty patients face in detecting whether companies in fact are complying with those policies. Patients might try to adopt strategies for monitoring whether companies have complied with their announced policies. For instance, if a person received health care from several providers that promised not to sell her name to third parties, she could report a different middle initial to each provider. She could then identify the provider that broke the agreement by noticing the middle initial that later appeared on an unsolicited marketing letter. These sorts of strategies, however, are both costly (in time and effort) and likely to be ineffective. A company using the patient's name, for instance, could cross-check her address with her real name, and thereby insert the correct middle initial. In addition, modern health care often requires protected health information to flow legitimately among multiple entities for purposes of treatment, payment, health care operations, and other necessary uses. Even if the patient could identify the provider whose data ultimately leaked, the patient could not easily tell which of those multiple entities had impermissibly transferred her information.
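The monitoring strategy described above is a per-recipient marking (canary) scheme, and both of the reasons the text gives for its ineffectiveness can be shown concretely. The following Python is an added example written for this edit, not code from the proposed rule or from HHS; the patient, the three providers, the address directory and the onward payment flow are all constructed. It hands each recipient a copy of the record carrying its own middle initial, attributes a record that later surfaces to the recipient whose marker it carries, and then shows the two failure modes: a holder that cross-checks the record against an address-keyed directory restores the true initial and erases the marker, and a legitimate onward flow to a health plan means the marker names the original provider rather than the entity that actually leaked.

```python
"""Canary-marking of a record field to trace a disclosure back to its source.

Added example; the patient, providers, directory and payment flow below are
constructed for illustration and are not part of the proposed rule.
"""
from dataclasses import dataclass, replace
from string import ascii_uppercase


@dataclass(frozen=True)
class Record:
    first: str
    middle_initial: str
    last: str
    address: str


def issue_variants(base, recipients):
    """Hand each recipient a copy of the record carrying its own middle initial.

    Returns (issued, reverse): issued maps recipient -> record given to it,
    reverse maps marker initial -> recipient, used later for attribution.
    The patient's true initial is never used as a marker, so a record that
    carries it cannot be mistaken for a marked copy.
    """
    markers = [c for c in ascii_uppercase if c != base.middle_initial]
    if len(recipients) > len(markers):
        raise ValueError("more recipients than distinct markers")
    issued, reverse = {}, {}
    for marker, recipient in zip(markers, recipients):
        issued[recipient] = replace(base, middle_initial=marker)
        reverse[marker] = recipient
    return issued, reverse


def attribute(leaked, reverse):
    """Name the recipient whose marker the surfaced record carries, or None
    when the marker is absent (true initial) or unknown."""
    return reverse.get(leaked.middle_initial)


def launder(leaked, directory):
    """The cross-check the text describes: a holder with an address-keyed
    directory (constructed here) restores the true initial, erasing the marker."""
    true = directory.get(leaked.address)
    if true is None:
        return leaked
    return replace(leaked, middle_initial=true.middle_initial)


def demo():
    patient = Record("Jane", "Q", "Doe", "12 Elm St")          # constructed
    providers = ["clinic-a", "lab-b", "pharmacy-c"]             # constructed
    issued, reverse = issue_variants(patient, providers)

    # Case 1: lab-b sells its copy unchanged; the mailing carries initial "B".
    unchanged = attribute(issued["lab-b"], reverse)             # "lab-b"

    # Case 2: the buyer normalises the copy against an address directory first.
    directory = {patient.address: patient}
    laundered = attribute(launder(issued["lab-b"], directory), reverse)  # None

    # Case 3: clinic-a legitimately forwards its copy to a health plan for
    # payment and the plan is the entity that leaks; the marker still names
    # clinic-a, so the patient blames the wrong party.
    plan_copy = issued["clinic-a"]
    misattributed = attribute(plan_copy, reverse)              # "clinic-a"
    return unchanged, laundered, misattributed


if __name__ == "__main__":
    print(demo())
```

The marker only survives as long as nobody downstream has an independent source of the true value, and it only ever identifies the first hop, which is exactly the text's point that patient-side monitoring is both costly and weak evidence.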

The cost and ineffectiveness of monitoring logically leads to less than optimal protection of health information. Consider the incentives facing a company that acquires protected health information. That company gains the full benefit of using the information, including in its own marketing efforts or in the fee it can receive when it sells the information to third parties. The company, however, does not suffer the full losses from disclosure of protected health information. Because of imperfect monitoring, customers often will not learn of, and thus not be able to enforce against, that unauthorized use. They will not be able to discipline the company efficiently in the marketplace for its less-than-optimal privacy practices. Because the company internalizes the gains from using the information, but does not bear a significant share of the cost to patients (in terms of lost privacy), it will have a systematic incentive to over-use protected health information. In market failure terms, companies will have an incentive to use protected health information where the patient would not have freely agreed to such use.

These difficulties in contract enforcement are made worse by the third-party nature of many health insurance and payment systems. Even where individuals would wish to bargain for privacy, they may lack the legal standing to do so. For instance, employers often negotiate the terms of health plans with insurers. The employee may have no voice in the privacy or other terms of the plan, facing a take-it-or-leave-it choice of whether to be covered by insurance. The incentive of employers may be contrary to the wishes of employees—employers may in some cases inappropriately insist on having access to sensitive medical information in order to monitor employees' behavior and health status. In light of these complexities, there are likely significant market failures in the bargaining on privacy protection. Many privacy-protective agreements that patients would wish to make, absent barriers to bargaining, will not be reached. The economic, legal and philosophical arguments become more compelling as the medical system shifts from predominantly paper to predominantly electronic records.

Rapid changes in information technology mean that the size of the market failures will likely increase greatly in the markets for personal health information. Improvements in computers and networking mean that the costs of gathering, analyzing, and disseminating electronic data are plunging. Market forces are leading many medical providers and plans to shift from paper to electronic records, due both to lower cost and the increased functionality provided by having information in electronic form. These market changes will be accelerated by the administrative simplification implemented by the other regulations promulgated under HIPAA. A chief goal of administrative simplification, in fact, is to create a more efficient flow of medical information where appropriate. This proposed privacy regulation is an integral part of the overall effort of administrative simplification; it creates a framework for more efficient flows for certain purposes, including treatment and payment, while restricting flows in other circumstances except where appropriate institutional safeguards exist.

If the medical system shifts to predominantly electronic records in the near future, without accompanying privacy rules, then one can imagine a near future where clerical and medical workers all over the country may be able to pull up protected health information about individuals—without meaningful patient consent and without effective institutional controls against further dissemination. In terms of the market failure, it will become more difficult for patients to know how their health provider or plan is using their personal health information. It will become more difficult to monitor the subsequent flows of protected health information, as the number of electronic flows and possible points of leakage both increase. Similarly, the costs and difficulties of bargaining to get the patients' desired level of use will likely rise due to the greater number and types of entities that receive protected health information.

As the benefits section, below, discusses in more detail, the protection of privacy and correcting the market failure have practical implications. Where patients are concerned about lack of privacy protections, they might fail to get medical treatment that they would otherwise seek. This failure to get treatment may be especially likely for certain conditions, including mental health, substance abuse, and conditions such as HIV. Similarly, patients who are concerned about lack of privacy protections may report inaccurately to their providers when they do seek treatment. For instance, they might decide not to mention that they are taking prescription drugs that indicate that they have an embarrassing condition. These inaccurate reports may lead to mis-diagnosis and less-than-optimal treatment, including inappropriate additional medications. In short, the lack of privacy safeguards can lead to efficiency losses in the form of foregone or inappropriate treatment.

60010 Federal Register / Vol. 64, No. 212 / Wednesday, November 3, 1999 / Proposed Rules

The shift from paper to electronic records, with the accompanying greater flows of sensitive health information, also strengthens the arguments for giving legal protection to the right to privacy in protected health information. In an earlier period where it was far more expensive to access and use medical records, the risk of harm to individuals was relatively low. In the potential near future, where technology makes it almost free to send lifetime medical records over the Internet, the risks may grow rapidly. It may become cost-effective, for instance, for companies to offer services that allow purchasers to obtain details of a person's physical and mental treatments. In addition to legitimate possible uses for such services, malicious or inquisitive persons may download medical records for purposes ranging from identity theft to embarrassment to prurient interest in the life of a celebrity or neighbor. Of additional concern, such services might extend to providing detailed genetic information about individuals, without their consent. Many persons likely believe that they have a right to live in society without having these details of their lives laid open to unknown and possibly hostile eyes. These technological changes, in short, may provide a reason for institutionalizing privacy protections in situations where the risk of harm did not previously justify writing such protections into law.

States have, to varying degrees, attempted to enhance confidentiality and correct the market problems by establishing laws governing at least some aspects of medical record privacy. This approach, though a step in the right direction, is inadequate. The states themselves have a patchwork of laws that fail to provide a consistent or comprehensive policy, and there is considerable variation among the states in the scope of the protections provided. Moreover, health data is becoming increasingly "national"; as more information becomes available in electronic form, it can have value far beyond the immediate community where the patient resides. Neither private action nor state laws provide a sufficiently rigorous legal structure to correct the market failure now or in the future. Hence, a national policy with consistent rules is a vital step toward correcting the market failure that exists.

In summarizing the need for the proposed regulation, the discussion here has emphasized how the proposed regulation would address violations of a right to privacy in the information about oneself, market failures, and the need for a national policy. These arguments become considerably stronger with the shift from predominantly paper to predominantly electronic records. Other arguments could supplement these justifications. As discussed in the benefits section below, the proposed privacy protections may prevent or reduce the risk of unfair treatment or discrimination against vulnerable categories of persons, such as those who are HIV positive, and thereby foster better health. The proposed regulation may also help educate providers, plans, and the general public about how protected health information is used. This education, in turn, may lead to better information practices in the future.

Clearly, the growing problem of protecting privacy is widely understood and a major public concern. Over 80 percent of persons surveyed in 1999 agreed with the statement that they had "lost all control over their personal information." A Wall Street Journal/NBC poll on September 16, 1999 asked Americans what concerned them most in the coming century. "Loss of personal privacy" topped the list, as the first or second concern of 29 percent of respondents. Other issues such as terrorism, world war, and global warming had scores of 23 percent or less. The regulation is a major step toward addressing this public concern.

D. Baseline Privacy Protections

Determining the impact of the rule on covered entities requires us to establish a baseline for current privacy policies. We must first determine current practices and requirements related to protected information—specifically, practices related to disclosure and use, notification of individuals of information practices, inspection and copying, amendment and correction, administrative policies, procedures, and related documentation.

Privacy practices are most often shaped by professional organizations that publish ethical codes of conduct and by State law. On occasion, State laws defer to professional conduct codes. At present, where neither professional organizations nor States have developed guidelines for privacy practices, an entity may implement privacy practices independently.

Professional codes of conduct or ethical behavior generally can be found as opinions and guidelines developed by organizations such as the American Medical Association, the American Hospital Association, and the American Dental Association. These are generally issued through an organization's governing body. The codes do not have the force of law, but providers often recognize them as binding rules.

State laws are another important means of protecting health information. While professional codes of conduct usually only have slight variations, State laws vary dramatically. Some States defer to the professional codes of conduct, others provide general guidelines for privacy protection, and others provide detailed requirements relating to the protection of information relating to specific diseases or to entire classes of information. In cases where neither State law nor professional ethical standards exist, the only privacy protection individuals have is limited to the policies and standards that the health care entity adopts.

Before we can attempt to determine the impact of the proposed rule on covered entities, we must make an effort to establish the present level of privacy protection. Current privacy protection practices are determined by the standards and practices that the professional associations have adopted for their members and by State laws.

1. Professional Codes of Conduct and the Protection of Health Information

We examined statements issued by five major professional groups, one national electronic network association and a leading managed care association. There are a number of common themes that all the organizations appear to subscribe to:

• The need to maintain and protect an individual's health information;

• Development of policies to ensure the confidentiality of protected health information;

• Only the minimum necessary information should be released to accomplish the purpose for which the information is sought.

Beyond these principles, the major associations differ with respect to the methods used to protect health information. One critical area of difference is the extent to which professional organizations should release protected health information. A major mental health association advocates the release of identifiable patient information "* * * only when de-identified data are inadequate for the purpose at hand." A major association of physicians counsels members who use electronically maintained and transmitted data to require that they and their patients know in advance who has access to protected patient data, and the purposes for which the data will be used. In another document, the association advises physicians not to "sell" patient information to data collection companies without fully informing their patients of this practice and receiving authorization in advance to release the information.

11 Ibid, Goldman, p. 6.

Only two of the five professional groups state that patients have the right to review their medical records. One group declares this as a fundamental patient right, while the second association qualifies their position by stating that the physician has the final word on a patient's access to their health information. This association also recommends that its members respond to requests for access to patient information within 10 days, and recommends that entities allow for an appeal process when patients are denied access. The association further recommends that when a patient contests the accuracy of the information in their record and the entity refuses to accept the patient's change, the patient's statement should be included as a permanent part of the patient's record.

In addition, three of the five professional groups endorse the maintenance of audit trails that can track the history of disclosures of protected health information.

The one set of standards that we reviewed from a health network association advocated the protection of private health information from disclosure without patient authorization and emphasized that encrypting information should be a principal means of protecting patient information. The statements of a leading managed care association, while endorsing the general principles of privacy protection, were vague on the release of information for purposes other than treatment. They suggest allowing the use of protected health information without the patient's authorization for what they term "health promotion." It is possible that the use of protected health information for "health promotion" may be construed under the proposed rule as part of marketing activities.

Based on the review of the leading association standards, we believe that the proposed rule embodies all the major principles expressed in the standards. However, there are some major areas of difference between the proposed rule and the professional standards reviewed. These include the subject individual's right of access to health information in the covered entity's possession, relationships between contractors and covered entities, and the requirement that covered entities make their privacy policies and practices available to patients through a notice and the ability to respond to questions related to the notice. Because the proposed regulation would require that (with a few exceptions) patients have access to their health information that a covered entity possesses, large numbers of providers may have to modify their current practices in order to allow patient access, and to establish a review process if they deny a patient access. Also, none of the privacy protection standards reviewed require that providers or plans prepare a formal statement of privacy practices for patients (although the major physician association urges members to inform patients about who would have access to their protected health information and how their health information would be used). Only one HMO association explicitly made reference to information released for legitimate research purposes, and none of the other statements we reviewed discuss release of information for research purposes. The proposed rule allows for the release of protected health information for research purposes without an individual's authorization, but only for research that is supervised by an institutional research board or an equivalent privacy board. This research requirement may cause some groups to revise their disclosure authorization standards.

2. State Laws

The second body of privacy protections is found in a myriad of State laws and requirements. To determine whether or not the proposed rule would preempt a State law, we first identified the relevant laws, and second, determined whether state or federal law provides individuals with greater privacy protection.

Identifying the relevant state statutes: Health privacy statutes can be found in laws applicable to many issues including insurance, worker's compensation, public health, birth and death records, adoptions, education, and welfare. For example, Florida has over 60 laws that apply to protected health information. According to the Georgetown Privacy Project,11 Florida is not unique. Every State has laws and regulations covering some aspect of medical information privacy. In many cases, State laws were enacted to address a specific situation, such as the reporting of HIV/AIDS, or medical conditions that would impair a person's ability to drive a car. Identifying every State statute, regulation, and court case that interprets statutes and regulations dealing with patient medical privacy rights is an important task but cannot be completed in this discussion. For the purpose of this analysis, we simply acknowledge the complexity of State requirements surrounding privacy issues.

Lastly, we recognize that the private sector will need to complete a State-by-State analysis to comply with the notice and administrative procedures portion of this proposed rule. This comparison should be completed in the context of individual markets; therefore it is more efficient for professional associations or individual businesses to complete this task.

Recognizing limits of our ability to effectively summarize State privacy laws and our difficulty in determining preemption at the outset, we discuss conclusions generated by the Georgetown University Privacy Project in Janlori Goldman's report, The State of Health Privacy: An Uneven Terrain. We consider Georgetown's report the best and most comprehensive examination of State privacy laws currently published. The report, which was completed in July 1999, is based on a 50-state survey. However, the author is quick to point out that this study is not exhaustive.

The following analysis of State privacy statutes and our attempt to compare State laws to the proposed rule is limited as a result of the large amount of State-specific data available. To facilitate discussion, we have organized the analysis into two sections: access to medical information and disclosure of medical information. Our analysis is intended to suggest areas where the proposed rule appears to preempt various State laws; it is not designed to be a definitive or wholly comprehensive State-by-State comparison.

Access to Subject's Information: In general, State statutes provide individuals with access to their own medical records. However, only a few States allow individuals access to virtually all entities that hold health information. In 33 States, individuals may access their hospital and health facility records. Only 13 States guarantee individuals access to their HMO records, and 16 States provide individuals access to their medical information when it is held by insurers. Seven states have no statutory right of patient access; three States and the District of Columbia have laws that only assure individuals' right to access their mental health records. Only one State permits individuals access to records held by providers, but it excludes pharmacists from the definition of provider. Thirteen States grant individuals statutory right of access to pharmacy records.


12 "Practice Briefs," Journal of AHIMA; Harry Rhodes, Joan C. Larson, Association of Health Information Outsourcing Service; January 1999.

13 Ibid, Goldman, p. 20.

14 Ibid, Goldman, p. 21.

The amount that entities are allowed to charge for copying of individuals' records varies widely from State to State. A study conducted by the American Health Information Management Association12 found considerable variation in the amounts, structure, and combination of fees for search and retrieval, and the copying of the record.

In 35 States, there are laws or regulations that set a basis for charging individuals inspecting and copying fees. Charges vary not only by State, but also by whether the request is related to a worker's compensation case or a patient-initiated request. Charges also vary according to the setting. For example, States differentiate most often between clinics and hospitals. Also, charges vary by the number of pages and whether the request is for X-rays or for standard medical information.

Of the 35 States with laws regulating inspection and copying charges, seven States either do not allow charges for retrieval of records or require that the entity provide the first copy free of charge. Some States may prohibit hospitals from charging patients a retrieval and copying fee, but allow clinics to do so. It is noteworthy that some States that do not permit charges for retrieval sometimes allow entities to charge per-page rates ranging between $0.50 and $0.75. In States that do allow a retrieval charge, the per-page charge is usually $0.25. Eleven states specify only that the record holder may charge "reasonable/actual costs."

Of the States that allow entities to charge for record retrieval and copying, charges range from a flat amount of $1.00 to $20.00. Other States allow entities to charge varying rates depending on the amount of material copied. For example, an entity may charge $5.00 for the first five pages and then a fixed amount per page. In those cases, it appears that retrieval and copying costs were actually combined. The remaining States have a variety of cost structures: One State allows $0.25 per page plus postage plus a $15.00 retrieval charge. Another State allows a $1.00 charge per page for the first 25 pages and $0.25 for each page above 25 pages plus a $1.00 annual retrieval charge. A third state allows a $1.00 per page charge for the first 100 pages and $0.25 for each page thereafter.

According to the report by the Georgetown Privacy Project, among States that do grant access to patient records, the most common basis for denying individuals access is concern for the life and safety of the individual or others. This proposed rule considers the question of whether to deny patient access on the basis of concern for the individual's life or safety, concluding that the benefits of patient access most often outweigh harm to the individual. This issue, which is discussed in greater detail in other sections, has been resolved in favor of promoting patient access.

The amount of time an entity is given to supply the individual with his or her record varies widely. Many States allow individuals to amend or correct inaccurate health information, especially information held by insurers. However, few States provide the right to insert a statement in the record challenging the covered entity's information when the individual and entity disagree.13

Disclosure of Health Information: State laws vary widely with respect to disclosure of identifiable health information. Generally, States have applied restrictions on the disclosure of health information either to specific entities or to specific health conditions. Just two states place broad limits on disclosure of protected health information without regard for policies and procedures developed by covered entities. Most States require patient authorization before an entity may disclose health information, but as the Georgetown report points out, "In effect, the authorization may function more as a waiver of consent—the patient may not have an opportunity to object to any disclosures."14

It is also important to point out that none of the States appear to offer individuals the right to restrict disclosure of their protected health information for treatment. Thus, the provision of the proposed rule that allows patients to restrict disclosure of their protected information is not currently included in any State law. Because the ability to restrict disclosure currently is not a standard practice, the proposed rule would require entities to add these capabilities to their information systems.

State statutes often have exceptions to requiring authorization before disclosure. The most common exceptions are for purposes of treatment, payment, or auditing and quality assurance functions—which are similar to the definition we have established for health care operations, and are therefore not subject to prior authorization requirements under the proposed rule. Restrictions on re-disclosure of protected health information also vary widely from State to State. Some States restrict the re-disclosure of health information, and others do not. The Georgetown report cites State laws that require providers to adhere to professional codes of conduct and ethics with respect to disclosure and re-disclosure of protected health information. What is not clear is the degree to which individual information is improperly released or used in the absence of specific legal sanctions.

Most States have adopted specific measures to provide additional protections with regard to certain conditions or illnesses that have clear social or economic consequences. Although the Georgetown study does not indicate the number of States that have adopted disease-specific measures to protect information related to sensitive conditions and illnesses, the analysis seems to suggest that nearly all States have adopted some form of additional protection. The conditions and illnesses most commonly afforded added privacy protection are:

• Substance abuse;

• Information derived from genetic testing;

• Communicable and sexually-transmitted diseases;

• Mental health; and

• Abuse, neglect, domestic violence, and sexual assault.

We have included a specific discussion of disclosures for research purposes because if an entity decides to disclose information for research purposes, it will incur costs that otherwise would be associated with other disclosures under this rule. Some States place restrictions on releasing condition-specific health information for research purposes, while others allow release of information for research without the patient's authorization. States frequently require that researchers studying genetic diseases, HIV/AIDS, and other sexually transmitted diseases have different authorization and privacy controls than those used for other types of research. Some States require approval from an IRB or agreements that the data will be destroyed or identifiers removed at the earliest possible time. Another approach has been for States to require researchers to obtain sensitive, identifiable information from a State public health department. One State does not allow automatic release of protected health information for research purposes without notifying the subjects that their health information may be used in research and allowing them opportunity to object to the use of their information.15

15 "Medical records and privacy: empirical effects of legislation; A memorial to Alice Hersh"; McCarthy, Douglas B; Shatin, Deborah; et al. Health Service Research: April 1, 1999; No. 1, Vol. 34; p. 417. The article details the effects of the Minnesota law conditioning disclosure of protected health information on patient authorization.

16 Source Book of Health Insurance Data: 1997–1998, Health Insurance Association of America, 1998. p. 33.

Comparing State statutes to the proposed rule: A comparison of State privacy laws with the proposed rule highlights several of the proposed rule's key implications:

• No State law requires covered entities to make their privacy and access policies available to patients. Thus, all covered entities that have direct contact with patients will be required to prepare a statement of their privacy protection and access policies. This necessarily assumes that entities have to develop procedures if they do not already have them in place.

• The proposed rule will affect more entities than are affected under many State laws. In the application of the proposed rule to providers, plans, and clearinghouses, the proposed rule will reach nearly all entities involved in delivering and paying for health care. Yet because HIPAA applies only to information that has been stored and transmitted electronically, the extent to which the proposed rule will reach information held by covered entities is unclear.

• State laws have not addressed the form in which health information is stored. We do not know whether covered entities will choose to treat information that never has been maintained or transmitted electronically in the same way that they treat post-electronic information. We also do not know what portion of information held in non-electronic formats has ever been electronically maintained or transmitted. Nevertheless, the proposed rule would establish a more level floor from which States could expand the privacy protections to include both electronic information and non-electronic information.

• Among the three categories of covered entities, it appears that plans will be the most significantly affected by the access provisions of the proposed rule. Based on the Health Insurance Association of America (HIAA) data,16 there are approximately 94.7 million non-elderly persons who purchase health insurance in the 35 States that do not provide patients a legal right to inspect and copy their records. We do not have information on how many of those people are in plans that grant patients inspection and copying rights although State law does not require them to do so. We discuss these points more fully in the cost analysis section.

• Although the proposed rule would establish a uniform disclosure and re-disclosure requirement for all covered entities, the groups most likely to be affected are health insurers, benefits management administrators, and managed care organizations. These groups have the greatest ability and economic incentives to use protected health information for marketing services to both patients and physicians without individual authorization. Under the proposed rule, covered entities would have to obtain the individual's authorization before they could use or disclose their information for purposes other than treatment, payment, and health care operations—except in the situations explicitly defined as allowable disclosures without authorization.

• While our proposed rule appears to encompass many of the requirements found in current State laws, it also is clear that within State laws, there are many provisions that cover specific cases and health conditions. Certainly, in States that have no research disclosure requirements, the proposed rule will establish a baseline standard. But in States that do place conditions on the disclosure of protected health information, the proposed rule may place additional requirements on covered entities.

• State privacy laws do not always apply to entities covered by the proposed rule. For example, State laws may provide strong privacy protection for hospitals and doctors but not for dentists or HMOs. State laws protecting particular types of genetic testing or conditions may be similarly problematic because they protect some types of sensitive information and not others. In some instances, a patient's right to inspect his or her medical record may be covered under State laws and regulations when a physician has the medical information, but not under State requirements when the information being sought is held by a plan. Thus, the proposed rule would extend privacy requirements already applicable to some entities within a State to other entities that currently are not subject to State privacy requirements.

3. Federal Laws

The Privacy Act of 1974. Federal agencies will be required to comply with both the Privacy Act of 1974 (5 U.S.C. 552a) and the HIPAA regulation.

The Privacy Act provides Federal agencies with a framework and scheme for protecting privacy, and the HIPAA regulation will not alter that scheme. Basic organizational and management features, such as the provision of safeguards to protect the privacy of health information and training for employees—which are required by this proposed rule—already are required by the Privacy Act.

The proposed rule has been designed so that individuals will not have fewer rights than they have now under the Privacy Act. It may require that agencies obtain individual authorization for some disclosures that they now make without authorization under routine uses.

Private-sector organizations with contracts to conduct personal data handling activities for the Federal government are subject to the Privacy Act by virtue of performing a function on behalf of a Federal agency. They too will be required to comply with both rules in the same manner as Federal agencies.

Substance Abuse Confidentiality Statute. Organizations that operate specialized substance abuse treatment facilities and that either receive Federal assistance or are regulated by a Federal agency are subject to confidentiality rules established by section 543 of the Public Health Service Act (42 U.S.C. 290dd–2) and implementing regulations at 42 CFR part 2.

These organizations will be subject both to that statute and to the HIPAA regulation. The proposed rule should have little practical effect on the disclosure policies of these organizations, because the patient confidentiality statute governing information about substance abuse is generally more restrictive than this proposed rule. These organizations will continue to be subject to current restrictions on their disclosures. The substance abuse confidentiality statute does not address patient access to records; the proposed privacy rule makes clear that patient access is allowed.

Federal agencies are subject to these requirements, and currently they administer their records under both these requirements and the Privacy Act. The Department of Veterans Affairs is subject to its own substance abuse confidentiality statute, which is identical in substance to the one of more general applicability. It also covers information about HIV infection and sickle cell anemia (38 U.S.C. 7332).

Rules Regarding Protection of Human Subjects. Health care delivered by covered entities conducting clinical trials typically is subject to both the proposed rule and to Federal regulations for protection of human research subjects (The Federal Policy for the Protection of Human Subjects, codified for the Department of Health and Human Services in Title 45 CFR part 46, and/or the Food and Drug Administration's human subject regulations for research in support of medical product applications to the Food and Drug Administration, or regulated by that agency, at 21 CFR parts 50 and 56).

17 We have used two different data sources for our estimates of the number of entities. In the regulatory impact analysis (RIA), we chose to use the same number of entities cited in the other Administrative Simplification rules. In the regulatory flexibility analysis (RFA), we used the most recent data available from the Small Business Administration (SBA).

We chose to use the Administrative Simplification estimates in the RIA because we wanted our analysis to be as consistent as possible with those regulations. We also believe that because the Administrative Simplification numbers are higher than those in the SBA data, it was the more conservative data source.

18 We have not included the 3.9 million "other" employer health plans listed in HCFA's administrative simplification regulations because these plans are administered by a third party. The proposed regulation will not regulate the employer plans but will regulate the third party administrators of the plans. Because plan administrators have already been included in our analysis, these other employer-sponsored plans will not incur additional costs.

19 These costs only represent those of public entities serving in the role of provider or plan. The federal costs only reflect those incurred by a provider and plan offering Medicaid or Medicare, and hospitals run by the federal government including those run by the Veteran's Administration and the military. Federal enforcement and other costs are not included. These estimates do not reflect any larger systems changes necessary to running federal programs. Likewise State costs are incorporated to the extent that States serve as providers or plans (including Medicaid).

Current human subjects rules impose no substantive restrictions on disclosure of patient information. Institutional review boards must consider the adequacy of confidentiality protections for subjects, and researchers must tell subjects to what extent their confidentiality will be protected. There should be no conflict between these requirements and the proposed rules. The proposed HIPAA regulation will expand on the current human subjects requirements by requiring a more detailed description of intended use of patient information. The proposed HIPAA rule also requires additional criteria for waiver of patient authorization.

Medicaid. States may use information they obtain in the process of administering Medicaid only for the purposes of administering the program, pursuant to a State plan condition in section 1902(a)(7) of the Social Security Act, 42 U.S.C. 1396a(a)(7). The proposed HIPAA rule applies to State Medicaid programs, which under the rule are considered health plans. There will be no conflict in the substantive requirements of current rules and this proposed rule. Medicaid rules regarding disclosure of patient information are stricter than provisions of the proposed rule; therefore, Medicaid agencies simply will continue to follow the Medicaid rules.

ERISA. ERISA (29 U.S.C. 1002) was enacted in 1974 to regulate pension and welfare employee benefit plans that are established by private-sector employers, unions, or both, to provide benefits to their workers and dependents. An employee welfare benefit plan provides benefits—through insurance or otherwise—such as medical, surgical benefits, as well as benefits to cover accidents, disability, death, or unemployment. In 1996, HIPAA amended ERISA to require portability, nondiscrimination, and renewability of health benefits provided by group health plans and group health insurance issuers. Many, although not all, ERISA plans are covered under the proposed rule as health plans. We believe that the proposed rule does not conflict with ERISA. Further discussion of ERISA can be found in the preamble for this proposed rule.

E. Costs

Affected entities will be implementing the proposed privacy rules at the same time many of the administrative simplification standards are being implemented. As described in the overall impact analysis for the administrative simplification standards in the Federal Register, Vol. 63, No. 88, May 7, 1998, page 25344, the data handling changes occurring due to the other HIPAA standards will have both costs and benefits. To the extent the changes required for the privacy standards implementations can be made concurrently with the changes required for the other standards, costs for the combined implementation should be only marginally higher than for the administrative simplification standards alone. The extent of this additional cost is uncertain, in the same way that the costs associated with each of the individual administrative simplification standards were uncertain.

The costs associated with implementing the privacy standards will be directly related to the number of affected entities and the number of affected transactions in each entity.17

We chose to use the SBA data in the RFA because we wanted our analysis to be as consistent with SBA definitions as possible to give the greatest accuracy for the RFA purposes. As described in the overall administrative simplification impact estimates (Tables 1 and 2, page 25344), about 20,000 health plans (excluding non-self administered employer plans)18 and hundreds of thousands of providers face implementation costs. In the administrative simplification analysis, the costs of provider system upgrades were expected to be $3.6 billion over the period 1998–2002, and plan system cost upgrades were expected to be $2.2 billion. (In the aggregate, this $5.8 billion cost is expected to be more than completely offset by $7.3 billion in savings during the 5 year period analyzed.)

The relationship between the HIPAA security and privacy standards is particularly relevant. On August 12, 1998, the Secretary published a proposed rule to implement the HIPAA standards on security and electronic standards. That rule specified the security requirements for covered entities that transmit and store information specified in Part C, Title XI of the Act. In general, that rule would establish the administrative and technical standards for protecting "* * * any health information pertaining to an individual that is electronically maintained or transmitted." (63 FR 43243). The security rule is intended to spell out the system and administrative requirements that a covered entity must meet in order to assure itself and the Secretary that the protected health information is safe from destruction and tampering by people without authorization for its access.

By contrast, the privacy rule describes the policies and procedures that would govern the circumstances under which protected health information may be used and released with and without patient authorization and when a patient may have access to his or her protected medical information. This rule assumes that a covered entity will have in place the appropriate security apparatus to successfully carry out and enforce the provisions contained in the security rule.

Although the vast majority of health care entities are privately owned and operated, Federal, State, and local government providers are reflected in the total costs.19 Federal, state, and locally funded hospitals represent approximately 26 percent of hospitals in the United States. This is a significant portion of hospitals, but represents a relatively small proportion of all provider entities. The number of government providers who are employed at locations other than government hospitals is significantly smaller (approximately 2 percent of all providers). Weighting the relative number of government hospital and non-hospital providers by the revenue these types of providers generate, we estimate that health care services provided directly by government entities represent 3.4 percent of total health care services. IHS and Tribal facilities costs are included in the total, since the adjustments made to the original private provider data to reflect federal providers included them. In drafting the proposed rule the Department consulted with States, representatives of the National Congress of American Indians, representatives of the National Indian Health Board, and a representative of the self-governance tribes. During the consultation we discussed issues regarding the application of Title II of HIPAA to the States and Tribes.

20 Health Care Finance Administration, Office of the Actuary, 1997.

Estimating the costs associated with the proposed privacy rule involves, for each provision, consideration of both the degree to which covered entities must modify their records management systems and privacy policies under the proposed rule, and the extent to which there is a change in behavior of both patients and the covered entities as a result of the proposed rule. In the following sections we will examine these provisions as they would apply to the various covered entities as they undertake to comply with the proposed rule. The major costs that covered entities will incur are one time costs associated with implementation of the proposed rules, and ongoing costs that result from changes in behavior that both the covered entities and patients would make in response to the new proposed rules.

We have quantified the costs imposed by the proposed regulation to the extent that we had adequate data. In some areas, however, there was too little data to support quantitative estimates. As a result, the RIA does not include cost estimates for all of the requirements of the regulation. The areas for which explicit cost estimates have not been made are: the principle of minimum necessary disclosure; the requirement that entities monitor business partners with whom they share PHI; creation of de-identified information; internal complaint processes; sanctions; compliance and enforcement; the designation of a privacy official and creation of a privacy board; and additional requirements on research/optional disclosures that will be imposed by the regulation. The cost of some of these provisions may be significant, but it would be inaccurate to project costs for these requirements given the fact that several of these concepts are new to the industry.

The one time costs are primarily in the area of development and codification of procedures. Specific activities include: (1) analysis of the significance of the federal regulations on covered entity operation; (2) development and documentation of policies and procedures (including new ones or modification of existing ones); (3) dissemination of such policies and procedures both inside and outside the organization; (4) changing existing records management systems or developing new systems; and (5) training personnel on the new policies and system changes.

Covered entities will also incur ongoing costs. These are likely to be the result of: (1) increased numbers of patient requests for access and copying of their own records; (2) the need for covered entities to obtain patient authorization for uses of protected information that had not previously required an authorization; (3) increased patient interest in limiting payer and provider access to their records; (4) dissemination and implementation both internally and externally of changes in privacy policies, procedures, and system changes; and (5) training on the changes.

Compliance with the proposed rule will cost $3.8 billion over five years. These costs are in addition to the administrative simplification estimates. The cost of complying with the regulation represents 0.09 percent of projected national health expenditures the first year the regulation is enacted. The five year costs of the proposed regulation also represent 1.0 percent of the increase in health care costs experienced over the same five-year period.20 Because of the uncertainty of the data currently available, the Department has made estimates on "low" and "high" range assumptions of the key variables. These estimates show a range of $1.8 to $6.3 billion over five years. It is important to note that these estimates do not include the areas for which we have made no cost estimates (discussed above).

Initial Costs

Privacy Policies and Procedures

With respect to the initial costs for covered entities, the expectation that most of the required HIPAA procedures will be implemented as a package suggests that additional costs for the privacy standards should be small. Since the requirements for developing formal processes and documentation of procedures mirror what will already have been required under the security regulations, the additional costs should be small. The expectation is that national and state associations will develop guidelines or general sets of processes and procedures and that these will generally be adopted by individual member entities. Relatively few providers or entities are expected to develop their own procedures independently or to modify significantly those developed by their associations. Our estimates are based on assumed costs for providers ranging from $300 to $3000, with the weighted average being about $375. The range correlates to the size and complexity of the provider, and is a reasonable estimate of the cost of coordinating the policies and procedures outlined in the proposed regulation. With fewer than 1 million provider entities, the aggregate cost would be on the order of $300 million.

For plans, our estimate assumes that the legal review and development of written policies will be more costly because of the scope of their operations. They are often dealing with a large number of different providers and may be dealing with requirements from multiple states. Again, we expect associations to do much of the basic legal analysis, but plans are more likely to make individual adaptations. We believe this cost will range from $300 for smaller plans to $15,000 for the largest plans. Because there are very few large plans in relation to the number of small plans, the weighted average implementation cost will be about $3050.

The total cost of development of policies and procedures for providers and plans is estimated to be $395 million over five years.

System Compliance Costs

With respect to revisions to electronic data systems, the specific refinements needed to fulfill the privacy obligations ought to be closely tied to the refinements needed for security obligations. The overall administrative simplification system upgrades (procedures, systems, and training) of $5.8 billion would certainly be disproportionately associated with the security standard, relative to the other 11 elements. If the security standard constitutes 15 percent of that amount, it would represent about $900 million in system cost. If the marginal cost of the privacy elements is another 10 percent, then the additional cost would be $90 million.

Ongoing Costs

The recurrent costs may be more closely related to total numbers of persons with claims than to the number of covered entities. The number of individuals served by an entity will vary greatly. The number of persons with claims will give a closer approximation of how many people entities will have to interact with for various provisions.

Notice of Privacy Practices

No State laws or professional associations currently require entities to provide patients "notice" of their privacy policies. Thus, we expect that all entities will incur costs developing and disseminating privacy policy notices. Each entity will have a notice cost associated with each person to whom they provide services. Data from the 1996 Medical Expenditure Panel Survey shows that there are approximately 200 million ambulatory care encounters per year, nearly 20 million persons with a hospital episode, 7 million with home-health episodes, and over 170 million with prescription drug use (350 million total). For the remaining four years of the five year period, we have estimated that, on average, a quarter of the remaining population will enter the system, and thus receive a notice. If we account for growth in the number of people who may enter the health care system over the five year period of our analysis, we estimate that approximately 543 million patients will be seen at least once by one or more types of providers.

The development cost for notices is estimated at $30 million over five years, though most of this is likely to occur the first year. The first year cost of providing notices to patients, customers and plan enrollees would be $106 million. The total five year cost of providing new and subsequent copies to all provider patients and customers would be approximately $209 million.

The notice obligations of insurers apply on initial enrollment, with updated notices at least every 3 years. However, given enrollment changes and the sophistication of automation, we believe many plans would find it cheaper and more efficient to provide annual notices.

The 1998 National Health Interview Survey (NHIS) from the Census Bureau shows about 174.1 million persons are covered by private health insurance, on an unduplicated basis. NHIS calculates that persons who are privately insured hold approximately 1.3 policies per person. Based on information provided by several plans, we believe most plans would provide an independent mailing the first year, but in subsequent years would provide notices as an inclusion in other mailings. The cost for this would be $0.75 over five years. If we account for these duplicate policies and assume that the cost of sending the notices to a policyholder is $0.75, the total cost to plans would be $231 million over five years. This includes both public and private plans.

We request comments regarding our cost estimates for development and distribution of notices.

The costs for more careful internal operation of covered entities to execute their formal privacy procedures are highly dependent on the extent to which current practice tracks the future procedures. Entities that already have strict data sharing and confidentiality procedures will incur minimal costs, since their activities need not change much. Entities that have not developed explicit health information privacy policies may be compelled to obtain patient authorization in situations where they did not previously. These changes will generate ongoing costs as well as initial costs. We solicit comment with respect to the way current costs differ from those projected by the requirements of the proposed privacy rule. An example of such an area is "the minimum necessary disclosure principle"—because of differing current practices, we do not have data that reliably indicate how much this provision will cost.

Inspection and Copying

The Georgetown report on State privacy laws indicates that 33 states currently give patients some right to access medical information. The most common right of access granted by State law is the right to inspect personal information held by physicians and hospitals. In the process of developing estimates for the cost of providing access and copying, we assumed that most providers currently have procedures for allowing patients to inspect and copy their own record. Thus, we expect that the economic impact of requiring entities to allow individuals to access and copy their records should be relatively small. Copying costs, including labor, should be a fraction of a dollar per page. We expect the cost to be passed on to the consumer.

There are few studies that address the cost of providing medical records to patients. The most recent was a study in 1998 by the Tennessee Comptroller of the Treasury. It found an average cost of $9.96 per request, with an average of 31 pages per request. The total cost per page of providing copies was $0.32 per page. This study was performed on hospitals only. The cost per request may be lower for other types of providers, since those seeking hospital records are more likely to be sick and have more complicated records than those in a primary care or other type of office. An earlier report showed much higher costs than the Tennessee study. In 1992, Rose Dunn published a report based on her experience as a manager of medical records. She estimated a 10 page request would cost $5.32 in labor costs only, equaling a labor cost per page of $0.53. However, this estimate appears to reflect costs before computerization. The expected time spent per search was 30.6 minutes; 85 percent of this time could be significantly reduced with computerization (this includes time taken for file retrieval, photocopying, and re-filing; file retrieval is the only time cost that would remain under computerization). For subsequent estimates, we will use the Tennessee experience.

The proposed regulation states that entities may charge patients a reasonable fee to inspect and copy their health information. For this reason, we expect the cost of inspecting and copying an individual medical record to be passed on to consumers who request the service. Nonetheless, it is important to provide an estimate of the potential costs associated with inspection and copying. We assume that 1.5 percent of patients will request access to inspect and copy their medical record, and that the cost of accessing and copying a record is approximately $10 (as cited in the Tennessee study). The cost of inspection and copying is $81 million a year, or $405 million over five years. This cost is likely to be borne entirely by the consumer.

Amendment and Correction

We have assumed that many providers make provisions to help patients expedite amendment and correction of their medical record where appropriate. However, as with inspection and copying, the right to request amendment and correction of an individual's medical record is not guaranteed by all States. Based on these assumptions and our cost analysis, we conclude that the principal economic effect of the proposed rule would be to expand the right to request amendment and correction to plans and providers that are not covered by state laws or codes of conduct. In addition, we expect that the proposed rule may draw additional attention to the issue of record inaccuracies and stimulate patient demand for access, amendment, and correction of medical records.

Our cost calculations assume that persons who request an opportunity to amend or correct their record have already obtained a copy of their medical record. Therefore, the administrative cost of amending and correcting the patient's record is completely separate from inspection and copying costs. In this section we have only addressed the cost of disputing a factual statement within the patient record, and do not calculate the cost of appeals or third party review.

Administrative review of factual statements contained within a patient's record may be expensive. Most errors may be of a nature that a clerk or nurse can correct (e.g., the date of a procedure is incorrect) but some may require physician review. Thus, we have estimated that the average cost of amending and correcting a patient record may be $75 per instance.

If amendment and correction requests are associated with two-thirds of requests for inspection and copying, and the cost of correcting (or noting the patient's request for correction) is $75, the total cost of amending and correcting patient records will be $407 million annually, or $2 billion over five years. Comments on our estimate of amendment and correction costs would be helpful, particularly if they speak to current amendment and correction costs or frequency in the health care industry.

Reconstructing a History of Disclosures (Other Than for Treatment and Payment)

To our knowledge, no current State law or professional code requires providers and plans to maintain the capability to reconstruct a patient's health information history. Therefore, the requirement in this rule to be able to reconstruct the disclosure history of protected health information is completely new. Although it is likely that some providers and plans have already developed this capability, we assume that all providers and plans would be required to invest in developing the capacity to generate disclosure histories.

With respect to reconstruction of disclosure history, two sets of costs would exist. On electronic records, fields for disclosure reason, information recipient, and date would have to be built into the data system. The fixed cost of designing the system to include this would be a component of the $90 million additional costs discussed earlier. The ongoing cost would be the data entry time, which should be at de minimis levels. Comments would again be especially useful with respect to the extent to which recording the additional information goes beyond current practice.
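One way to build the disclosure-history fields the passage names into a data system, shown here as an added example rather than code from the rule or from any HHS or covered-entity system: an append-only log that stores date, recipient and reason for each disclosure per patient, reconstructs one patient's history on demand, leaves treatment and payment disclosures out of the default report (the scope this section's heading gives), and hash-chains each record to its predecessor so that the entity can assure itself the history it produces is the history that was written. The field names, the chaining, and the sample records are assumptions; the records are constructed for two fictitious patients.

```python
"""Append-only disclosure log that can reconstruct a patient's disclosure
history. Added example, not part of the proposed rule or of any HHS or
covered entity system; field names, hash chain and sample data are assumed."""
import hashlib
from dataclasses import dataclass, replace
from datetime import date
from typing import List, Optional

# Disclosures for these purposes are outside the history this section
# describes, so they are recorded but left out of the default report.
EXEMPT_PURPOSES = frozenset({"treatment", "payment"})
GENESIS = "0" * 64  # prev_hash of the first record


@dataclass(frozen=True)
class Disclosure:
    seq: int            # position in the log; gaps or reordering are detectable
    patient_id: str     # whose information was disclosed (constructed ids)
    disclosed_on: date  # the "date" field named in the passage
    recipient: str      # the "information recipient" field
    purpose: str        # the "disclosure reason" field, normalised to lower case
    description: str    # free text: what was disclosed
    prev_hash: str      # hash of the preceding record (chain link)
    entry_hash: str     # hash of this record, including prev_hash


def _digest(seq, patient_id, disclosed_on, recipient, purpose, description, prev_hash):
    # Every field participates, so editing any of them breaks the chain.
    material = "\x1f".join([str(seq), patient_id, disclosed_on.isoformat(),
                            recipient, purpose, description, prev_hash])
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


class DisclosureLog:
    """Records are only ever appended; each one commits to its predecessor."""

    def __init__(self) -> None:
        self._entries: List[Disclosure] = []

    def record(self, patient_id: str, disclosed_on: date, recipient: str,
               purpose: str, description: str = "") -> Disclosure:
        # A record missing any required field cannot be reconstructed into a
        # meaningful history, so reject it at write time rather than later.
        for name, value in (("patient_id", patient_id), ("recipient", recipient),
                            ("purpose", purpose)):
            if not value or not value.strip():
                raise ValueError(f"{name} is required for a disclosure record")
        seq = len(self._entries)
        prev_hash = self._entries[-1].entry_hash if self._entries else GENESIS
        purpose = purpose.strip().lower()
        entry_hash = _digest(seq, patient_id, disclosed_on, recipient, purpose,
                             description, prev_hash)
        entry = Disclosure(seq, patient_id, disclosed_on, recipient, purpose,
                           description, prev_hash, entry_hash)
        self._entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """True if no record was altered, removed or reordered since writing."""
        prev = GENESIS
        for i, e in enumerate(self._entries):
            if e.seq != i or e.prev_hash != prev:
                return False
            if _digest(e.seq, e.patient_id, e.disclosed_on, e.recipient, e.purpose,
                       e.description, e.prev_hash) != e.entry_hash:
                return False
            prev = e.entry_hash
        return True

    def history(self, patient_id: str, since: Optional[str] = None,
                until: Optional[str] = None, include_exempt: bool = False):
        """Reconstruct one patient's disclosures, oldest first.
        `since`/`until` are inclusive ISO dates (YYYY-MM-DD)."""
        lo = date.fromisoformat(since) if since else None
        hi = date.fromisoformat(until) if until else None
        out = [e for e in self._entries
               if e.patient_id == patient_id
               and (include_exempt or e.purpose not in EXEMPT_PURPOSES)
               and (lo is None or e.disclosed_on >= lo)
               and (hi is None or e.disclosed_on <= hi)]
        return sorted(out, key=lambda e: (e.disclosed_on, e.seq))


def demo_log() -> DisclosureLog:
    """Constructed sample disclosures for two fictitious patients."""
    log = DisclosureLog()
    log.record("P-001", date(2000, 1, 15), "Referring physician", "treatment", "referral")
    log.record("P-001", date(2000, 2, 3), "Example Health Plan", "payment", "claim")
    log.record("P-001", date(2000, 3, 20), "State health department", "Public health", "reportable condition")
    log.record("P-002", date(2000, 3, 21), "University research study", "research", "limited data set")
    log.record("P-001", date(2000, 4, 2), "County court", "legal", "records subpoena")
    return log


def tampered_copy(log: DisclosureLog) -> DisclosureLog:
    """Simulate an after-the-fact edit of one stored record (the recipient is
    changed); verify_chain() on the copy reports the alteration."""
    copy = DisclosureLog()
    copy._entries = list(log._entries)
    copy._entries[2] = replace(copy._entries[2], recipient="Someone else")
    return copy
```

Reconstruction is a query over the log rather than a separate system, which is why the ongoing cost the passage describes is only the data entry; the per-record purpose field is what makes the treatment and payment exclusion possible, and the chain check is what turns an ordinary table into a history the entity can stand behind when a patient asks for it.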

Authorizations

Although many States have laws that require entities to obtain patient authorization before releasing individually identified health information to payers and other third parties, many of the authorization requirements either allow for blanket authorizations that deprive the patient of meaningful control over the release of their health information, or the authorization statutes are less stringent than the provisions of the proposed rule. Therefore, for purposes of estimating the economic impact of the NPRM, we are assuming that all providers and plans will have to develop new procedures to conform to the proposed rule.

Written patient authorization requirements will generate costs, to the extent covered entities are currently releasing information in the targeted circumstances without specific authority. Collecting such authorization should have costs on the order of those associated with providing access to records (not on a per page basis). The frequency of such collections is unknown. Since the requirement does not apply to treatment and payment, assuming 1 percent of the 543 million encounters over five years might be reasonable. At a cost of about $10 each, the aggregate cost would be about $54 million annually, or $271 million over five years. Comments would be especially useful from entities currently following such procedures.

Training

The ongoing costs associated with paperwork and training are likely to be minimal. Because training happens as a regular business practice, and employee certification connected to this training is also the norm, we estimate that the marginal cost of paperwork and training is likely to be small. We assume a cost of approximately $20 per provider office, and approximately $60–100 for health plans and hospitals. Thus, we estimate that the total cost of paperwork and training will be $22 million a year.

Conclusion

Overall, the five-year costs beyond those already shown in the administrative simplification estimates would be about $3.8 billion over five years, with an estimated range of $1.8 to $6.3 billion. Table 2 shows the components described above. The largest cost item is for amendment and correction, which is over half of the estimated total cost of the regulation. Inspection and copying, at $405 million over five years, and issuance of notices by providers and plans, at $439 million over five years, are the second biggest components. The one-time costs of development of policies and procedures by providers would represent approximately 10 percent of the total cost, or $333 million. Plans and clearinghouses would have a substantially smaller cost, about $62 million. Other systems changes are expected to cost about $90 million over the period. Finally, the estimates do not consider all of the costs imposed by the regulation.

TABLE 2.—THE COST OF COMPLYING WITH THE PROPOSED PRIVACY REGULATION
[In Dollars]

Provision                                                                Initial or first      Annual cost after     Five year (2000–2004)
                                                                         year cost (2000)      the first year        cost
Development of Policies and Procedures—Providers (totaling 871,294)      $333,000,000          ........              $333,000,000
Development of Policies and Procedures—Plans (totaling 18,225)           62,000,000            ........              62,000,000
System Changes—All Entities                                              90,000,000            ........              90,000,000
Notice Development Cost—all entities                                     20,000,000            ........              30,000,000
Notice Issuance—Providers                                                59,730,000            37,152,000            208,340,000
Notice Issuance—Plans                                                    46,200,000            46,200,000            231,000,000
Inspection/Copying                                                       81,000,000            81,000,000            405,000,000
Amendment/Correction                                                     407,000,000           407,000,000           2,035,000,000
Written Authorization                                                    54,300,000            54,300,000            271,500,000
Paperwork/Training                                                       22,000,000            22,000,000            110,000,000
Other Costs *                                                            **N/E                 N/E                   N/E
Total                                                                    1,165,230,000         647,652,000           3,775,840,000

* Other Costs include: minimum necessary disclosure; monitoring business partners with whom entities share PHI; creation of de-identified information; internal complaint processes; sanctions; compliance and enforcement; the designation of a privacy official and creation of a privacy board; additional requirements on research/optional disclosures that will be imposed by the regulation.

** N/E = "Not estimated".

Costs to the Federal Government

The proposed rule will have a cost impact on various federal agencies that administer programs that require the use of individual health information. Federal agencies or programs clearly affected by the rule are those that meet the definition of a covered entity. The costs when government entities are serving as providers are included in the total cost estimates. However, non-covered agencies or programs that handle medical information, either under permissible exceptions to the disclosure rules or through an individual's expressed authorization, will likely incur some costs complying with provisions of this rule. A sample of federal agencies encompassed by the broad scope of this rule includes the Department of Health and Human Services, Department of Defense, Department of Veterans Affairs, Department of State, and the Social Security Administration.

The federal costs of complying with the regulation are included in the estimates of total costs. The greatest cost and administrative burden on the federal government will fall to agencies and programs that act as covered entities, by virtue of being either a health plan or provider. Examples include the Medicare, Medicaid, Children's Health Insurance and Indian Health Service programs at the Department of Health and Human Services; the CHAMPVA health program at the Department of Veterans Affairs; and the TRICARE health program at the Department of Defense. These and other health insurance or provider programs operated by the federal government are subject to requirements placed on covered entities under this proposed rule, including, but not limited to, those outlined in Section D of the impact analysis. While many of these federal programs already afford privacy protections for individual health information through the Privacy Act, this rule is expected to create additional requirements beyond those covered by the existing Privacy Act rule. Further, we anticipate that most federal health programs will, to some extent, need to modify their existing Privacy Act practices to fully comply with this rule.

The cost to federal programs that function as health plans will be generally the same as those for the private sector. The primary difference is the expectation that systems compliance costs may be higher due to the additional burden of compliance and oversight costs.

A unique cost to the federal government will be in the area of enforcement. The Office of Civil Rights (OCR), located at the Department of Health and Human Services, has the primary responsibility to monitor and audit covered entities. OCR will monitor and audit covered entities in both the private and government sectors, will ensure compliance with requirements of this rule, and will investigate complaints from individuals alleging violations of their privacy rights. In addition, OCR will be required to recommend penalties and other remedies as part of its enforcement activities. These responsibilities represent an expanded role for OCR. Beyond OCR, the enforcement provisions of this rule will have additional costs to the federal government through increased litigation, appeals, and inspector general oversight.

Examples of other unique costs to the federal government include such activities as public health surveillance at the Centers for Disease Control and Prevention, health research projects at the Agency for Health Care Policy and Research, clinical trials at the National Institutes of Health, and law enforcement investigations and prosecutions by the Federal Bureau of Investigation. For these and other activities, federal agencies will incur some costs to ensure that protected health information is handled and tracked in ways that comply with the requirements of this title. A preliminary analysis of these activities suggests that the federal cost will be on the order of $31 million. We are currently in the process of refining these estimates and will include better information on them in the final rule.

Costs to State Governments

The proposed rule will also have a cost effect on various state agencies that administer programs that require the use of individual health information. State agencies or programs clearly affected by the rule are those that meet the definition of a covered entity. The costs when government entities are serving as providers are included in the total cost estimates. However, non-covered agencies or programs that handle medical information, either under permissible exceptions to the disclosure rules or through an individual's expressed authorization, will likely incur some costs complying with provisions of this rule. Samples of state agencies encompassed by the broad scope of this rule include the Medicaid and Children's Health Insurance programs at the Department of Health and Human Services.

We have included state costs in the estimation of total costs. The greatest cost and administrative burden on the state government will fall to agencies and programs that act as covered entities, by virtue of being either a health plan or provider. Examples include the Medicaid and Children's Health Insurance programs at the Department of Health and Human Services. These and other health insurance or provider programs operated by state government are subject to requirements placed on covered entities under this proposed rule, including, but not limited to, those outlined in Section D of the impact analysis. While many of these state programs already afford privacy protections for individual health information through the Privacy Act, this rule is expected to create additional requirements beyond those covered by the existing Privacy Act rule. Further, we anticipate that most state health programs will, to some extent, need to modify their existing Privacy Act practices to fully comply with this rule.

21 Equifax-Harris Consumer Privacy Survey, 1994.

22 Consumer Privacy Survey, Harris-Equifax, 1994, p. vi.

23 Promoting Health: Protecting Privacy, California Health Care Foundation and Consumers Union, January 1999, p. 12.

24 Health Information Privacy Survey, Harris-Equifax, 1993, pp. 49–50.

The cost to state programs thatfunction as health plans will bedifferent than the private sector, muchas the federal costs vary from privateplans. A preliminary analysis suggeststhat state costs will be on the order of$90 million over five years. We willrefine the estimates for the stategovernment costs for enforcement,research and other distinct stategovernment functions in the final rule.We welcome comment by state andlocal governments which will help theDepartment improve its analysis onthese state costs.

F. Benefits

As we have discussed in the preamble, there are important societal benefits associated with improving health information privacy. Confidentiality is a key component of trust between patients and providers, and some studies indicate that a lack of privacy may deter patients from obtaining preventive care and treatment.21 For these reasons, traditional approaches to estimating the value of a commodity cannot fully capture the value of personal privacy. It may be difficult for individuals to assign value to privacy protection because most individuals view personal privacy as a right. Because we promote the view that privacy protection is an important personal right, the benefits of the proposed regulation are impossible to estimate based on the market value of health information alone. However, it is possible to evaluate some of the benefits that may accrue to individuals as a result of the proposed regulation, and these benefits, alone, suggest that the regulation is warranted. Added to these benefits is the intangible value of privacy, the personal security that we may feel when our records are confidential, which is very real and very significant but for which there is no economic value or proxy.

There are a number of ways to discuss the expected benefits of this proposed regulation. The first option is to discuss the benefits qualitatively. We believe that this is necessary to give the reader a basic understanding of how this proposed regulation will benefit society. The second option that we have used is to quantify the benefits of the proposed rule as they would apply to a few illness categories that may be particularly responsive to privacy concerns. This quantitative discussion is meant to be illustrative of the benefits rather than a comprehensive accounting of all of the benefits of the proposed rule. The combination of the two approaches clearly illustrates that the benefits of the regulation are significant in relation to the economic costs.

Before beginning our discussion of the benefits, it is important to create a framework for how the costs and benefits may be viewed in terms of individuals rather than societal aggregates. We have estimated the value an insured individual would need to place on increased privacy to make the proposed privacy regulation a net benefit to those who receive health insurance. Our estimates are derived from data produced by the 1998 Current Population Survey from the Census Bureau, which reports that 220 million persons are covered by either private or public health insurance. Joining the Census Bureau data with cost assumptions calculated in Section E, we have estimated the cost of the proposed regulation at $3.41 per insured individual. If we assume that individuals who use the health care system will be willing to pay more than $3.41 per year (or approximately $0.28 per month) to improve health information privacy, the benefits of the proposed regulation will outweigh the cost.

This is a conservative estimate of the number of people who will benefit from the regulation because it assumes that only those individuals who have health insurance will use medical services or benefit from the provisions of the proposed regulation. Currently, there are 44 million Americans who do not have any form of health care insurance. In addition, the estimates do not include those who pay for medical care directly, without any insurance or government support. By lowering the number of users in the system, we have inflated our estimate of the per-person cost of the regulation; therefore, we assume that our estimate represents the highest cost to an individual.

An alternative approach to determining how people would have to value increased privacy for this regulation to be beneficial is to look at the costs divided by the number of encounters with health care professionals annually. Data from the Medical Expenditure Panel Survey (MEPS) produced by the Agency for Health Care Policy and Research (AHCPR) report approximately 1.62 billion health care visits, or encounters, annually (e.g., office visits, hospital and nursing home stays, etc.). As with our calculation of average annual cost per insured patient, we have divided the total cost of complying with the regulation ($751 million per year) by the total annual number of health care encounters. The cost of instituting the requirements of the proposed regulation is $0.46 per health care encounter. If we assume that individuals would be willing to pay more than $0.46 per health care encounter to improve health information privacy, the benefits of the proposed regulation will outweigh the cost.

Qualitative Discussion

A well-designed privacy standard can be expected to build confidence among the public about the confidentiality of their medical records. The seriousness of public concerns about privacy in general is shown in the 1994 Equifax-Harris Consumer Privacy Survey, where ‘‘84 percent of Americans are either very or somewhat concerned about threats to their personal privacy.’’22 A 1999 report, ‘‘Promoting Health and Protecting Privacy,’’ notes ‘‘* * * many people fear their personal health information will be used against them: to deny insurance, employment, and housing, or to expose them to unwanted judgements and scrutiny.’’23 These concerns would be partly allayed by the privacy standard. Further, increased confidence will increase the likelihood of some people seeking treatment for particular classes of disease. It will also change the dynamic of current payments. Insured patients currently paying out-of-pocket for confidentiality reasons will be more likely to file with their insurer. The increased utilization that would result from increased confidence in privacy could be beneficial under many circumstances. For many medical conditions, early treatment can lead to lower costs.

Fear of disclosure of treatment is an impediment to health care for many Americans. In the 1993 Harris-Equifax Health Information Privacy Survey, 7 percent of respondents said they or a member of their immediate family had chosen not to seek medical services due to fear of harm to job prospects or other life opportunities. About 2 percent reported having chosen not to file an insurance claim because of concerns with privacy or confidentiality.24

Increased confidence on the part of patients that their privacy would be protected would lead to increased treatment among people who delay or never begin care, as well as among people who receive treatment but pay directly (to the extent that the ability to use their insurance benefits will reduce cost barriers to more complete treatment).

The following are four examples of areas where increased confidence in privacy would have significant benefits. They were chosen both because they are representative of widespread and serious health problems, and because they are areas where reliable and relatively complete data are available for this kind of analysis. The logic of the analysis, however, applies to any health condition. Even for relatively minor conditions, an individual still might be concerned with maintaining privacy, and even a person with no significant health problems is going to value privacy because of the possibility that at some time they will have a condition that they want to keep private.

Cancer. The societal burden of disease imposed by cancer is indisputable. Cancer is the second leading cause of death in the US,25 exceeded only by heart disease. In 1999, 1.38 million new cancer cases will be diagnosed, as well as 900,000 new basal and squamous skin cell cancers.26 The National Cancer Institute estimates that the overall cost of cancer is $104 billion: $35 billion in direct medical cost, $12 billion for morbidity costs (cost of lost productivity) and $57 billion for mortality costs.27

Among the most important elements in the fight against cancer are screening, early detection and treatment of the disease. However, many patients are concerned that some screening procedures will make them vulnerable to discrimination by insurers or employers. These privacy concerns have been cited as a reason patients do not seek early treatment for diseases such as cancer. As a result of forgoing early screening, cancer patients may ultimately face a more severe illness. For example, half of new diagnoses occur among types of cancer for which screening is available. Studies show that if Americans participated in regular cancer screening, the rate of survival among patients who have screening-accessible cancers could increase to 95 percent.28

Approximately 184,300 women will be diagnosed with breast cancer this year,29 and 25,000 women will be diagnosed with ovarian cancer.30 In the same year, almost 44,000 women will die of breast cancer,31 and 14,500 will die from ovarian cancer.32 Early detection of these cancers could have a significant impact on reducing loss due to disability and death. For example, only 24 percent of ovarian cancers are diagnosed in the early stages. Of these, approximately 90 percent of patients survive treatment. The survival rate of women who detect breast cancer early is similarly high; more than 90 percent of women who detect and treat breast cancer in its early stages will survive.33

Researchers have developed screening techniques to identify breast, ovarian, and colon cancers, and tests have been developed to identify the presence or absence of cellular abnormalities that may lead to cancer. Despite these technological advances, the principle of patient autonomy requires that patients must decide for themselves if they will submit to screening procedures. Many individuals fear that employers and insurers will use cancer screening to discriminate against them. Several studies illustrate that persons with and without cancer fear discrimination. Thus, despite the potential benefits that early identification of cancer may yield, many researchers find that patient concerns regarding the confidentiality of cancer screening may prevent them from requesting the test, and result in disability or loss of life.

HIV/AIDS. Early detection is essential for the health and survival of an HIV (Human Immunodeficiency Virus) positive person. Concerns about the confidentiality of HIV status may prevent some people from getting tested. For this reason, each state has passed some sort of legislation regarding the confidentiality of HIV status. However, HIV status can be revealed indirectly through disclosure of HAART (Highly Active Anti-Retroviral Therapy) or similar HIV treatment drug use. In addition, since HIV/AIDS (Acquired Immune Deficiency Syndrome) is often the only specially protected condition, ‘‘blacked out’’ information on medical charts could indicate HIV positive status.34 Strengthening privacy protections beyond this disease could increase confidence in privacy regarding HIV as well. Drug therapy for HIV positive persons has proven to be a life-extending, cost-effective tool.35 A 1998 study showed that beginning treatment with HAART in the early asymptomatic stage is more cost-effective than beginning it late. After five years, only 15 percent of patients with early treatment are estimated to develop an ADE (AIDS-defining event), whereas 29 percent would if treatment began later. Early treatment with HAART prolongs survival (adjusted for quality of life) by 6.2 percent. The overall cost-effectiveness of early HAART treatment is estimated at $23,700 per quality-adjusted year of life saved.36

Other Sexually Transmitted Diseases. It is difficult to know how many people are avoiding testing for STDs despite having a sexually transmitted disease. A 1998 study by the Kaiser Family Foundation found that the incidence of disease was 15.3 million in 1996, though there is great uncertainty due to under-reporting.37 For a potentially embarrassing disease such as an STD, seeking treatment requires trust in both the provider and the health care system for confidentiality. Greater trust should lead to more testing and greater levels of treatment. Earlier treatment for curable STDs can mean a decrease in morbidity and the costs associated with complications. These include expensive fertility problems, fetal blindness, ectopic pregnancies, and other reproductive complications.38 In addition, there could be greater overall savings if earlier treatment translates into reduced spread of infections.

Substance Abuse and Mental Health Treatment. When individuals have a better understanding of the privacy practices that we are requiring in this proposed rule, some will be less reluctant to seek substance abuse and mental health treatment. One way that individuals will receive this information is through the notice requirement.

25 American Cancer Society. http://4a2z.com/cgi/rfr.cgi?4CANCER-2-http://www.cancer.org/frames.html

26 American Cancer Society. http://www.cancer.org/statistics/97cff/97facts.html

27 American Cancer Society. http://www.cancer.org/statistics/97cff/97facts.html

28 American Cancer Society. http://www.cancer.org/statistics/97cff/97facts.html

29 Avon’s Breast Cancer Crusade. http://www.pmedia.com/Avon/library/faq.html

30 Ovarian Cancer National Alliance. http://www.ovariancancer.org/index.shtml

31 Cancer Statistics, 1999, Landis, Murray, Bolden and Wingo. CA: A Cancer Journal for Clinicians, Jan/Feb 1999, Vol. 49, No. 1.

32 Ovarian Cancer National Alliance. http://www.ovariancancer.org/index.shtml

33 Breast Cancer Information Service. http://trfn.clpgh.org/bcis/FAQ/facts2.html

34 Promoting Health: Protecting Privacy, California Health Care Foundation and Consumers Union, January 1999, p. 13.

35 For example, Roger Detels, M.D., et al., in ‘‘Effectiveness of Potent Anti-Retroviral Therapy * * *,’’ JAMA, 1998; 280: 1497–1503, note the impact of therapy on HIV persons with respect to lengthening the time to development of AIDS, not just delaying death in persons who already have AIDS.

36 John Hornberger et al., ‘‘Early treatment with Highly Active Anti-Retroviral Therapy (HAART) is cost-effective compared to delayed treatment,’’ 12th World AIDS Conference, 1998.

37 Sexually Transmitted Diseases in America, Kaiser Family Foundation, 1998, p. 12.

38 Standard medical information; see http://www.mayohealth.org for examples.

Increased use of mental health services would be expected to be beneficial to the persons receiving the care, to their families, and to society at large. The individual direct benefit from treatment would include an improved quality of life, reduced disability associated with the mental conditions, and a reduced mortality rate. The benefit to families would include quality of life improvements and reduced medical costs for other family members associated with abusive behavior by the treated individual. The benefit to society would include reduced costs of crime and reduced future public program treatment costs.

The 1998 Substance Abuse and Mental Health Statistics Source Book from SAMHSA reports cost-of-disease estimates from a range of studies, suggesting several hundred billion dollars of non-treatment costs associated with alcohol, drug, and mental (ADM) disorders. As an example of the magnitude of costs associated with mental health treatment, a 1997 National Institutes of Health report suggests that the total economic cost of mental health disorders such as anxiety, depressive (mood) disorders, eating disorders, and schizophrenia is approximately $115.5 billion annually.39 Evidence suggests that appropriate treatment of mental health disorders can result in 50–80 percent of individuals experiencing improvements in these types of conditions. Improvements in patient functioning and reduced hospital stays could result in hundreds of millions of dollars in cost savings annually.

The potential additional economic benefits associated with improving patient confidentiality and thus encouraging some unknown portion of individuals to either seek initial mental health treatment or increase service use are difficult to quantify well. Nevertheless, one can lay out a range of possible benefit levels to illustrate the possibility of cost savings associated with an expansion of mental health treatment to individuals who, due to protections offered by the privacy regulation, might seek mental health treatment that they otherwise would not have absent this regulation. This can be illustrated by drawing upon existing data on both the economic costs of mental illness and the treatment effectiveness of mental health interventions.

Although figures on the number of individuals who avoid mental health treatment due to privacy concerns do not exist, some indirect evidence is available. The 1993 Harris-Equifax Health Information Privacy Survey (noted earlier) found that 7 percent of respondents reported that they or a member of their immediate family had chosen not to seek services for a physical or mental health condition due to fear of harm to job prospects or other life opportunities. It should be noted that this survey is somewhat dated and represents only one estimate. Moreover, given the wording of the question, there are other reasons aside from privacy concerns that may have led these individuals to respond affirmatively.

For the purpose of an illustration, however, assumptions can be made about what proportion of the 7 percent responding affirmatively to this question may have avoided seeking mental health services due to privacy concerns. Given the proportion of mental health services that comprise total health care services in this country, a reasonable upper limit of the number of individuals avoiding mental health treatment due to privacy concerns might be 1.8 percent (i.e., 25% of 7%), while a reasonable lower limit might be 0.36 percent (i.e., 5% of 7%). Taking these figures as upper and lower limits, it is possible to estimate potential benefits by multiplying these figures by the annual economic cost reductions associated with treatment effectiveness rates. For example, using the upper limit of 1.8 percent, multiplying this by the annual economic costs of mental illness ($115.5 billion) and a treatment effectiveness rate of 80 percent yields an estimate of potential annual benefits of $1,663,200,000. Similarly, using the upper limit of 1.8 percent coupled with a treatment effectiveness rate of 50 percent yields an estimate of potential annual benefits of $1,039,500,000. Assuming a lower limit of 0.36 percent more individuals seeking mental health treatment due to enhanced privacy protections, coupled with a treatment effectiveness rate of 80 percent, yields an estimate of potential annual benefits of $332,640,000. Similarly, using the lower limit of 0.36 percent coupled with a treatment effectiveness rate of 50 percent yields an estimate of potential annual benefits of $207,900,000. Therefore, given the existing data on the annual economic costs of mental illness and the rates of treatment effectiveness for these disorders, coupled with assumptions regarding the percentage of individuals who might seek mental health treatment under conditions of greater privacy protections, the potential additional economic benefit in this one treatment area could range from approximately $208 million to $1.66 billion annually.

39 Disease-Specific Estimates of Direct and Indirect Costs of Illness and NIH Support; 1997 Update, 1997.

TABLE 3.—POTENTIAL BENEFITS OF THE PROPOSED PRIVACY REGULATION FROM COST SAVINGS DUE TO EARLY TREATMENT OF MENTAL HEALTH DISORDERS

Illness                                      Total annual economic cost of illness (in billions)   Percent net cost reduction if additional care is received
Mental Health—Anxiety Disorders              $46.6                                                 70–90
Mental Health—Depressive (Mood) Disorders     30.4                                                 60–80
Mental Health—Eating Disorders                 6.0                                                 40–60
Mental Health—Schizophrenia                   32.5                                                 60–85
Total                                        115.5                                                 N/A


G. Examination of Alternative Approaches

1. Creation of De-identified Information (§ 164.506(d))

We considered defining ‘‘individually identifiable health information’’ as any information that is not anonymous, that is, for which there is any possibility of identifying the subject. We rejected this option, for several reasons. First, the statute suggests a different approach. The term ‘‘individually identifiable health information’’ is defined in HIPAA as health information that:

* * * identifies the individual, or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.

By including the modifier ‘‘reasonable basis,’’ Congress appears to reject the absolute approach to defining ‘‘identifiable.’’ Covered entities would not always have the statistical sophistication to know with certainty when sufficient identifying information has been removed so that the record is no longer identifiable. We believe that covered entities need more concrete guidance as to when information will and will not be ‘‘identifiable’’ for purposes of this regulation.

Defining non-identifiable to mean anonymous would require covered entities to comply with the terms of this regulation with respect to information for which the probability of identification of the subject is very low. We want to encourage covered entities and others to remove obvious identifiers or encrypt them whenever possible; use of the absolute definition of ‘‘identifiable’’ would not promote this salutary result.

For these reasons, we propose at § 164.506(d)(2)(ii) that there be a presumption that, if specified identifying information is removed and if the holder has no reason to believe that the remaining information can be used by the reasonably anticipated recipients, alone or in combination with other information, to identify an individual, then the covered entity would be presumed to have created de-identified information.

At the same time, in proposed § 164.506(d)(2)(iii), we are leaving leeway for more sophisticated data users to take a different approach. We are including a ‘‘reasonableness’’ standard so that entities with sufficient statistical experience and expertise could remove or code a different combination of information, so long as the result is still a low probability of identification. With this approach, our intent is to provide certainty for most covered entities, while not limiting the options of more sophisticated data users.

In this rule we are proposing that covered entities and their business partners be permitted to use protected health information to create de-identified health information. Covered entities would be permitted to further use and disclose such de-identified information in any way, provided that they do not disclose the key or other mechanism that would enable the information to be re-identified, and provided that they reasonably believe that such use or disclosure of de-identified information will not result in the use or disclosure of protected health information. See proposed § 164.506(d)(1). This means that a covered entity could not disclose de-identified information to a person if the covered entity reasonably believes that the person would be able to re-identify some or all of that information, unless disclosure of protected health information to such person would be permitted under this proposed rule. In addition, a covered entity could not use or disclose the key to coded identifiers if this rule would not permit the use or disclosure of the identified information to which the key pertains. If a covered entity re-identifies the de-identified information, it may only use or disclose the re-identified information consistent with these proposed rules, as if it were the original protected health information.
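The following is an added illustration, not part of the proposed rule or of any Department guidance, of the mechanics this section describes: specified identifiers are removed from each record, the record number is replaced by a coded value, and the key that maps codes back to record numbers is held apart from the released data. Everything specific in it is an assumption made for the example: the list of identifier fields (the rule’s own list is not reproduced here), the constructed sample records, the use of HMAC-SHA256 as the coding function, and the key. It also shows the check a holder would want before calling the data de-identified, and why the coding must be keyed: an unkeyed hash of a short identifier can be inverted by enumeration by anyone who receives the data, which would amount to handing over the re-identification mechanism along with the data.

```python
import hashlib
import hmac

# Assumption for this example: the fields treated as "specified identifying
# information". The proposed rule's own list is not reproduced on this page.
DIRECT_IDENTIFIERS = ("name", "ssn", "address", "phone")

# Constructed sample records for the example; not real patients.
SAMPLE_RECORDS = [
    {"mrn": "000117", "name": "A. Example", "ssn": "123-45-6789",
     "address": "1 Main St", "phone": "555-0100",
     "zip3": "021", "birth_year": 1961, "dx": "E11.9"},
    {"mrn": "000117", "name": "A. Example", "ssn": "123-45-6789",
     "address": "1 Main St", "phone": "555-0100",
     "zip3": "021", "birth_year": 1961, "dx": "I10"},
    {"mrn": "000402", "name": "B. Sample", "ssn": "987-65-4321",
     "address": "2 Elm St", "phone": "555-0199",
     "zip3": "100", "birth_year": 1978, "dx": "F32.9"},
]


def keyed_code(key: bytes, mrn: str) -> str:
    """Keyed pseudonym for a medical record number (HMAC-SHA256, truncated
    to 64 bits for readability). One MRN always yields one code, so a
    patient's records stay linkable inside the de-identified set, but a
    recipient without `key` cannot test candidate MRNs against the code."""
    return hmac.new(key, mrn.encode(), hashlib.sha256).hexdigest()[:16]


def deidentify(records, key: bytes):
    """Remove the specified identifiers and replace the MRN with a keyed code.
    Returns (deidentified_records, key_table). The key_table (code -> MRN)
    and `key` together are the re-identification mechanism that the holder
    keeps apart from the released data."""
    deidentified, key_table = [], {}
    for rec in records:
        code = keyed_code(key, rec["mrn"])
        key_table[code] = rec["mrn"]
        kept = {f: v for f, v in rec.items()
                if f not in DIRECT_IDENTIFIERS and f != "mrn"}
        kept["code"] = code
        deidentified.append(kept)
    return deidentified, key_table


def has_direct_identifiers(records) -> bool:
    """Pre-release check: does any record still carry a specified identifier
    or the raw MRN? True means the set is not de-identified."""
    return any(f in rec
               for rec in records
               for f in DIRECT_IDENTIFIERS + ("mrn",))


def reidentify(deidentified, key_table):
    """Reverse the coding with the key table. What comes back is protected
    health information again and is usable only as the original was."""
    return [{**{f: v for f, v in rec.items() if f != "code"},
             "mrn": key_table[rec["code"]]}
            for rec in deidentified]


def unkeyed_code(mrn: str) -> str:
    """An unkeyed hash of the MRN: what NOT to release as a pseudonym."""
    return hashlib.sha256(mrn.encode()).hexdigest()


def invert_unkeyed(code_hex: str, space: int = 10_000):
    """Why the code must be keyed: six-digit MRNs span only a million values,
    so anyone holding the 'de-identified' data can hash every candidate and
    read the MRN back off an unkeyed hash. The search is capped at `space`
    candidates to keep the example quick; the full space is no harder."""
    for i in range(space):
        candidate = f"{i:06d}"
        if unkeyed_code(candidate) == code_hex:
            return candidate
    return None


if __name__ == "__main__":
    # Assumption: the key is generated and stored by the covered entity
    # separately from any released data set.
    key = b"example-key-held-by-the-covered-entity"
    released, table = deidentify(SAMPLE_RECORDS, key)
    print("identifiers remain:", has_direct_identifiers(released))
    print("same patient, same code:", released[0]["code"] == released[1]["code"])
    print("unkeyed hash inverted to:", invert_unkeyed(unkeyed_code("000117")))
    print("re-identified MRNs:", [r["mrn"] for r in reidentify(released, table)])
```

The `has_direct_identifiers` check only confirms that the listed fields are gone. It says nothing about whether the fields that remain (three-digit ZIP, birth year, diagnosis) are enough for a particular recipient to identify someone, which is the separate ‘‘reasonable basis’’ judgement the text leaves to the holder; a data set can pass this check and still fail that judgement for a recipient who holds other data about the same population.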

We invite comment on the approach that we are proposing and on whether alternative approaches to standards for entities determining when health information can reasonably be considered no longer individually identifiable should be considered.

2. General Rules (§ 164.506)

As a general rule, we are proposing that protected health information not be used or disclosed by covered entities except as authorized by the individual who is the subject of such information or as explicitly provided in this rule. Under this proposal, most uses and disclosures of an individual’s protected health information would not require explicit authorization by the individual, but would be restricted by the provisions of the rule. Covered entities would be able to use or disclose an individual’s protected health information without authorization for treatment, payment and health care operations. See proposed § 164.506(a)(1)(i). Covered entities also would be permitted to use or disclose an individual’s protected health information for specified public and public policy-related purposes, including public health, research, health oversight, law enforcement, and use by coroners. Covered entities would be permitted by this rule to use and disclose protected health information when required to do so by other law, such as a mandatory reporting requirement under State law or pursuant to a search warrant. See proposed § 164.510. Covered entities would be required by this rule to disclose protected health information for only two purposes: to permit individuals to inspect and copy protected health information about them (see proposed § 164.514) and for enforcement of this rule (see proposed § 164.522(d)).

Covered entities of all types and sizes would be required to comply with the proposed privacy standards outlined below. The proposed standards would not impose particular mechanisms or procedures that covered entities must adopt to implement the standards. Instead, we would require that each affected entity assess its own needs and devise, implement, and maintain appropriate privacy policies, procedures, and documentation to address its business requirements. How each privacy standard would be satisfied would be a business decision that each entity would have to make. This permits the privacy standards to establish a stable baseline, yet remain flexible enough to take advantage of developments and methods for protecting privacy that will evolve over time.

Because the privacy standards would need to be implemented by all covered entities, from the smallest provider to the largest, multi-state health plan, a single approach to implementing these standards would be neither economically feasible nor effective in safeguarding health information privacy. For example, in a small physician practice the office manager might be designated to serve as the privacy official as one of many duties (see proposed § 164.518(a)), whereas at a large health plan the privacy official may constitute a full time position and have the regular support and advice of a privacy staff or board.

In taking this approach, we intend to strike a balance between the need to maintain the confidentiality of protected health information and the economic cost of doing so. Health care entities must consider both aspects in devising their solutions. This approach is similar to the approach we proposed in the Notice of Proposed Rulemaking for the administrative simplification security and electronic signature standards.


3. Use and Disclosure for Treatment,Payment, and Health Care Operations(§ 164.506(a))

We are proposing that, subject tolimited exceptions for psychotherapynotes and research informationunrelated to treatment discussed below,a covered entity be permitted to use ordisclose protected health informationwithout individual authorization fortreatment, payment or health careoperations.

We are not proposing to requireindividual authorizations of uses anddisclosures for health care and relatedpurposes, although such authorizationsare routinely gathered today as acondition of obtaining health care orenrolling in a health plan. Althoughmany current disclosures of healthinformation are made pursuant toindividual authorizations, theseauthorizations provide individuals withlittle actual control over their healthinformation. When an individual isrequired to sign a blanket authorizationat the point of receiving care orenrolling for coverage, that consent isoften not voluntary because theindividual must sign the form as acondition of treatment or payment fortreatment. Individuals are also oftenasked to sign broad authorizations butare provided little or no informationabout how their health informationwould be or will in fact be used.Individuals cannot make a trulyinformed decision without knowing allthe possible uses, disclosures and re-disclosures to which their informationwill be subject. In addition, since theauthorization usually precedes creationof the record, the individual cannotpredict all the information the recordcould contain and therefore cannotmake an informed decision as to whatwould be released.

Our proposal is intended to make the exchange of protected health information relatively easy for health care purposes and more difficult for purposes other than health care. For individuals, health care treatment and payment are the core functions of the health care system. This is what they expect their health information will be used for when they seek medical care and present their proof of insurance to the provider. Consistent with this expectation, we considered requiring a separate individual authorization for every use or disclosure of information but rejected such an approach because it would not be realistic in an increasingly integrated health care system. For example, a requirement for separate patient authorization for each routine referral could impair care, by delaying consultation and referral as well as payment.

We therefore propose that covered entities be permitted to use and disclose protected health information without individual authorization for treatment and payment purposes, and for related purposes that we have defined as health care operations. For example, providers could maintain and refer to a medical record, disclose information to other providers or persons as necessary for consultation about diagnosis or treatment, and disclose information as part of referrals to other providers. Providers also could use a patient’s protected health information for payment purposes such as submitting a claim to a payer. In addition, providers could use a patient’s protected health information for health care operations, such as use for an internal quality oversight review. We would note that, in the case of an individual where the provider has agreed to restrictions on use or disclosure of the patient’s protected health information, the provider would be bound by such restrictions as provided in § 164.506(c).

We also propose to prohibit covered entities from seeking individual authorization for uses and disclosures for treatment, payment and health care operations unless required by State or other applicable law. As discussed above in section II.C, such authorizations could not provide meaningful privacy protections or individual control and could in fact cultivate in individuals erroneous understandings of their rights and protections.

The general approach that we are proposing is not new. Some existing State health confidentiality laws permit disclosures without individual authorization to other health care providers treating the individual, and the Uniform Health-Care Information Act permits disclosure ‘‘to a person who is providing health-care to the patient’’ (9 Part I, U.L.A. 475, 2–104 (1988 and Supp. 1998)). We believe that this approach would be the most realistic way to protect individual confidentiality in an increasingly data-driven, electronic and integrated health care system. We recognize, however, that particularly given the limited scope of the authority that we have under this proposed rule to reach some significant actors in the health care system, other approaches could be of interest. We invite comments on whether other approaches to protecting individuals’ health information would be more effective.

4. Minimum Necessary Use and Disclosure (§ 164.506(b))

We propose that, except as discussed below, a covered entity must make all reasonable efforts not to use or disclose more than the minimum amount of protected health information necessary to accomplish the intended purpose of the use or disclosure, taking into consideration technological limitations.

Under this proposal, covered entities generally would be required to establish policies and procedures to limit the amount of protected health care information used or disclosed to the minimum amount necessary to meet the purpose of the use or disclosure, and to limit access to protected health information only to those people who need access to the information to accomplish the use or disclosure. With respect to use, if an entity consists of several different components, the entity would be required to create barriers between components so that information is not used inappropriately. The same principle applies to disclosures.

A ‘‘minimum necessary’’ determination would need to be consistent with and directly related to the purpose of the use or disclosure and take into consideration the ability of a covered entity to delimit the amount of information used or disclosed and the relative burden imposed on the entity. The proposed minimum necessary requirement is based on a reasonableness standard: covered entities would be required to make reasonable efforts and to incur reasonable expense to limit the use and disclosure of protected health information as provided in this section.

In our discussions of the minimum necessary requirement, we considered whether or not this should apply to all entities and whether or not it should be applied to all protected health information. We decided that the principle of minimum necessary disclosure is critical to the protection of privacy and that because small entities represent 83 percent of the health care industry, we would not exempt them from this provision without undermining its effectiveness.

We understand that the requirements outlined in this section do not create a bright line test for determining the minimum necessary amount of protected health information appropriate for most uses or disclosures. Because of this lack of precision, we considered eliminating the requirement altogether. We also considered merely requiring covered entities to address the concept within their internal privacy procedures, with no further guidance as to how each covered entity would address the issue. These approaches were rejected because minimizing both the amount of protected health information used and disclosed within the health care system and the number of persons who have access to such information is vital if we are to successfully enhance the confidentiality of people’s personal health information. We invite comments on the approach that we have adopted and on alternative methods of implementing the minimum necessary principle.

5. Right To Restrict Uses and Disclosures (§ 164.506(c))

We propose to permit in § 164.506(c) that individuals be able to request that a covered entity restrict further uses and disclosures of protected health information for treatment, payment, or health care operations, and if the covered entity agrees to the requested restrictions, the covered entity could not make uses or disclosures for treatment, payment or health care operations that are inconsistent with such restrictions, unless such uses or disclosures are mandated by law. This provision would not apply to health care provided to an individual on an emergency basis.

We should note that there is nothing in this proposed rule that would require a covered entity to agree to a request to restrict, or to treat or provide coverage to an individual requesting a restriction under this provision. Covered entities who do not wish to, or due to contractual obligations cannot, restrict further use or disclosure are not obligated to agree to a request under this provision.

We considered providing individuals substantially more control over their protected health information by requiring all covered entities to attempt to accommodate any restrictions on use and disclosure requested by patients. We rejected this option as unworkable. While industry groups have developed principles for requiring patient authorizations, we have not found widely accepted standards for implementing patient restrictions on uses or disclosures. Restrictions on information use or disclosure contained in patient consent forms are sometimes ignored because they may not be read or are lost in files. Thus, it seems unlikely that a requested restriction could successfully follow a patient’s information through the health care system—from treatment to payment, through numerous operations, and potentially through certain permissible disclosures. Instead we would limit the provision to restrictions that have been agreed to by the covered entity.

We recognize that the approach that we are proposing could be difficult because of the systems limitations described above. However, we believe that the limited right for patients proposed in this proposed rule can be implemented because it only applies in instances in which the covered entity agrees to the restrictions. We assume that covered entities would not agree to restrictions that they are unable to implement.

We considered limiting the rights under this provision to patients who pay for their own health care (or for whom no payment was made by a health plan). Individuals and providers that engage in self-pay transactions have minimal effect on the rights or responsibilities of payers or other providers, and so there would be few instances when a restriction agreed to in such a situation would have negative implications for the interests of other health care actors. Limiting the right to restrict to self-pay patients also would reduce the number of requests that would be made under this provision. We rejected this approach, however, because the desire to restrict further uses and disclosures arises in many instances other than self-pay situations. For example, a patient might not want his or her records shared with a particular physician because that physician is a family friend. Or an individual could be seeking a second opinion and may not want his or her treating physician consulted. Individuals have a legitimate interest in restricting disclosures in these situations. We solicit comment on the appropriateness of limiting this provision to instances in which no health plan payment is made on behalf of the individual.

6. Application to Business Partners (§ 164.506(e))

In § 164.506(e), we propose to require covered entities to take specific steps to ensure that protected health information disclosed to a business partner remains protected. We intend these provisions to allow customary business relationships in the health care industry to continue while providing privacy protections to the information shared in these relationships. Business partners would not be permitted to use or disclose protected health information in ways that would not be permitted of the covered entity itself under these rules.

Other than for purposes of consultation or referral for treatment, we would allow covered entities to disclose protected health information to business partners only pursuant to a written contract that would, among other specified provisions, limit the business partner’s uses and disclosures of protected health information to those permitted by the contract, and would impose certain security, inspection and reporting requirements on the business partner. We would hold the covered entity responsible for certain violations of this proposed rule made by their business partners, and require assignment of responsibilities when a covered entity acts as a business partner of another covered entity.

Under this proposed rule, a business partner would be acting on behalf of a covered entity, and we propose that its use or disclosure of protected health information be limited to the same extent that the covered entity for whom they are acting would be limited. Thus, a business partner could have no more authority to use or disclose protected health information than that possessed by the covered entity from which the business partner received the information. We would note that a business partner’s authority to use and disclose protected health information could be further restricted by its contract with a covered entity, as described below.

We are not proposing to require the business partners of covered entities to develop and distribute a notice of information practices, as provided in proposed § 164.512. A business partner would, however, be bound by the terms of the notice of the covered entity from which it obtains protected health information. See proposed § 164.506(e). We are proposing this approach so that individuals could rely on the notices that they receive from the covered entities to which they disclose protected health information. If the business partners of a covered entity were able to make wider use or make more disclosures than the covered entity, the patients or enrollees of the covered entity would have difficulty knowing how their information was being used and to whom it was being disclosed.

We are also proposing that a business partner’s use and disclosure of protected health information be limited by the terms of the business partner’s contractual agreement with the covered entity. We propose that a contract between a covered entity and a business partner could not grant the business partner authority to make uses or disclosures of protected health information that the covered entity itself would not have the authority to make. The contract between a covered entity and a business partner could further limit the business partner’s authority to use or disclose protected health information as agreed to by the parties. Further, the business partner would have to apply the same limitations to its subcontractors (or persons with similar arrangements) who assist with or carry out the business partner’s activities.

To help ensure that the uses and disclosures of business partners are limited to those recognized as appropriate by the covered entities from whom they receive protected health information, subject to the exception discussed below, we are proposing that covered entities be prohibited from disclosing protected health information to a business partner unless the covered entity has entered into a written contract with the business partner that meets the requirements of this subsection. See proposed § 164.506(e)(2)(i).

The contract requirement that we are proposing would permit covered entities to exercise control over their business partners’ activities and provides documentation of the relationship between the parties, particularly the scope of the uses and disclosures of protected health information that business partners could make. The presence of a contract also would formalize the relationship, better assuring that key questions such as security, scope of use and disclosure, and access by subject individuals are adequately addressed and that the roles of the respective parties are clarified. Finally, a contract can bind the business partner to return any protected health information from the covered entity when the relationship is terminated.

In lieu of a contracting requirement, we considered imposing only affirmative duties on covered entities to ensure that their relationships with business partners conformed to the standards discussed in the previous paragraph. Such an approach could be considered less burdensome and restrictive, because we would be leaving it to the parties to determine how to make the standards effective. We rejected this approach primarily because we believe that in the vast majority of cases, the only way that the parties could establish a relationship with these terms would be through contract. We also determined that the value of making the terms explicit through a written contract would better enable the parties to know their roles and responsibilities, as well as better enable the Secretary to exercise her oversight role. In addition, we understand that most covered entities already enter into contracts in these situations and therefore this proposal would not disturb general business practice. We invite comment on whether there are other contractual or non-contractual approaches that would afford an adequate level of protection to individuals’ protected health information. We also invite comment on the specific provisions and terms of the proposed approach.

We are proposing one exception to the contracting requirement: when a covered entity consults with or makes a referral to another covered entity for the treatment of an individual, we would propose that the sharing of protected health information pursuant to that consultation or referral not be subject to the contracting requirement described above. See proposed § 164.506(e)(1)(i). Unlike most business partner relationships, which involve the systematic sharing of protected health information under a business relationship, consultation and referrals for treatment occur on a more informal basis among peers, and are specific to a particular individual. Such exchanges of information for treatment also appear to be less likely to raise concerns about further impermissible use or disclosure, because providers receiving such information are unlikely to have a commercial or other interest in using or disclosing the information. We invite comment on the appropriateness of this exception, and whether there are additional exceptions that should be included in the final regulation.

We note that covered health care providers receiving protected health information for consultation or referral purposes would still be subject to this rule, and could not use or disclose such protected health information for a purpose other than the purpose for which it was received (i.e., the consultation or referral). Further, we note that providers making disclosures for consultations or referrals should be careful to inform the receiving provider of any special limitations or conditions that the disclosing provider has agreed to impose (e.g., the disclosing provider has provided notice to its patients that it will not make disclosures for research).

We are proposing that covered entities be accountable for the uses and disclosures of protected health information by their business partners. A covered entity would be in violation of this rule if the covered entity knew or reasonably should have known of a material breach of the contract by a business partner and it failed to take reasonable steps to cure the breach or terminate the contract. See proposed § 164.506(e)(2)(iii). A covered entity that is aware of impermissible uses and disclosures by a business partner would be responsible for taking such steps as are necessary to prevent further improper use or disclosures and, to the extent practicable, for mitigating any harm caused by such violations. This would include, for example, requiring the business partner to retrieve inappropriately disclosed information (even if the business partner must pay for it) as a condition of continuing to do business with the covered entity. A covered entity that knows or should know of impermissible use of protected health information by its business partner and fails to take reasonable steps to end the breach would be in violation of this rule.

We considered requiring covered entities to terminate relationships with business partners if the business partner committed a serious breach of contract terms required by this subpart or if the business partner exhibited a pattern or practice of behavior that resulted in repeated breaches of such terms. We rejected that approach because of the substantial disruptions in business relationships and customer service when terminations occur. We instead require the covered entity to take reasonable steps to end the breach and mitigate its effects. We would expect covered entities to terminate the arrangement if it becomes clear that a business partner cannot be relied upon to maintain the privacy of protected health information provided to it. We invite comments on our approach here and whether requiring automatic termination of business partner contracts would be warranted in any circumstances.

We also considered imposing more strict liability on covered entities for the actions of their business partners, just as principals are strictly liable for the actions of their agents under common law. We decided, however, that this could impose too great a burden on covered entities, particularly small providers. We are aware that, in some cases, the business partner will be larger and more sophisticated with respect to information handling than the covered entity. Therefore we instead opted to propose that covered entities monitor use of protected health information by business partners, and be held responsible only when they knew or should have known of improper use of protected health information.

Our intention in this section is to recognize the myriad of business relationships that currently exist and to ensure that when they involve the exchange of protected health information, the roles and responsibilities of the different parties with respect to the protected health information are clear. We do not propose to fundamentally alter the types of business relationships that exist in the health care industry or the manner in which they function. We request comments on the extent to which our proposal would disturb existing contractual or other arrangements among covered entities and business partners.

7. Application to Information About Deceased Persons (§ 164.506(f))

We are proposing that information otherwise protected by these regulations retain that protection for two years after the death of the subject of the information. The only exception that we are proposing is for uses and disclosures for research purposes.

HIPAA includes no temporal limitations on the application of the privacy protections. Although we have the authority to protect individually identifiable health information maintained by a covered entity indefinitely, we are proposing that the requirements of this rule generally apply for only a limited period, as discussed below. In traditional privacy law, privacy interests, in the sense of the right to control use or disclosure of information about oneself, cease at death. However, good arguments exist in favor both of protecting and not protecting information about the deceased. Considering that one of the underlying purposes of health information confidentiality is to encourage a person seeking treatment to be frank in the interest of obtaining care, there is good reason for protecting information even after death. Federal agencies and others sometimes withhold sensitive information, such as health information, to protect the privacy of surviving family members. At the same time, perpetual confidentiality has serious drawbacks. If information is needed for legitimate purposes, the consent of a living person legally authorized to grant such consent must be obtained, and the further from the date of death, the more difficult it may be to identify the person. The administrative burden of perpetual protection may eventually outweigh the privacy interests served.

While various State laws have been passed specifically addressing privacy of genetic information, there is currently no federal legislation that deals with these issues. We considered extending the two-year period for genetic and hereditary information, but were unable to construct criteria for protecting the possible privacy interests of living children without creating extensive burden for information holders and hampering health research. We invite comments on whether further action is needed in this area and what types of practical provisions may be appropriate to protect genetic and hereditary health information.

8. Uses and Disclosures With Individual Authorization (§ 164.508)

Covered entities would be required to obtain individual authorization to use individually identifiable health information for purposes other than those allowed under the rule. Activities requiring authorization include, for example, marketing. Costs will be ongoing for staffing and administrative activities related to obtaining authorization from individuals.

Our proposal is based on the precept that a combination of strict limits on how covered entities can use and disclose protected health information, adequate notice to individuals about how their information will be used, and guaranteeing individuals’ rights to inspect, copy and amend their health records will provide patients with better privacy protection and more effective control over their information than alternative approaches to privacy protection.

This section addresses the requirements that we are proposing when protected health information is disclosed pursuant to the individual’s explicit authorization. The regulation would require that covered entities have authorization from individuals before using or disclosing their protected health information for any purpose not otherwise recognized by this regulation. Circumstances where an individual’s protected health information could be used or disclosed without authorization are discussed in connection with proposed §§ 164.510 and 164.522 below.

This section proposes different conditions governing such authorizations in two situations in which individuals commonly authorize covered entities to disclose information:

• Where the individual initiates the authorization because he or she wants a covered entity to disclose his or her record, and

• Where a covered entity asks an individual to authorize it to disclose or use information for purposes other than treatment, payment or health care operations.

The requirements proposed in this section are not intended to interfere with normal uses and disclosures of information in the health care delivery or payment process, but only to allow control of uses extraneous to health care. The restrictions on disclosure that the regulation would apply to covered entities may mean that some existing uses and disclosures of information could take place only if the individual explicitly authorized them under this section.

We considered requiring a uniform set of requirements for all authorizations, but concluded that it would be appropriate to treat authorizations initiated by the individual differently from authorizations sought by covered entities. There are fundamental differences, in the uses of information and in the relationships and understandings among the parties, in these two situations. When individuals initiate authorizations, they are more likely to understand the purpose of the release and to benefit themselves from the use or disclosure. When a covered entity asks the individual to authorize disclosure, we believe the entity should make clear what the information will be used for, what the individual’s rights are, and how the covered entity would benefit from the requested disclosure.

We are proposing several requirements that would have to be met in the authorization process when the individual has initiated the authorization. We understand that the requirements that we are imposing here would make it quite unlikely that an individual could actually initiate a completed authorization, because few individuals would know to include all of these elements in a request for information. In most instances, individuals authorize a use or disclosure by completing a form provided by a third party, either the ultimate recipient of the information (who may have a form authorizing them to obtain the records from the record holders) or a health care provider or health plan holding the records (who may have a form that documents a request for the release of records to a third party). For this reason, we do not believe that our proposal would create substantial new burdens on individuals or covered entities in cases when an individual is initiating an authorized release of information. We invite comment on whether we are placing new burdens on individuals or covered entities. We also invite comment on whether the approach that we have proposed provides sufficient protection to individuals who seek to have their protected health information used or disclosed.

We are proposing that when covered entities initiate the authorization by asking individuals to authorize disclosure, the authorization be required to include all of the items required above as well as several additional items. We are proposing additional requirements when covered entities initiate the request for authorization, because in many cases it could be the covered entity, and not the individual, that achieves the primary benefit of the disclosure. We considered permitting covered entities to request authorizations with only the basic features proposed for authorizations initiated by the individual, for the sake of simplicity and consistency. However, we believe that additional protections are merited, to avert possible coercion, when the entity that provides or pays for health care requests authorizations.

We also acknowledge that there will be costs related to moving away from a blanket authorization system. These costs will be discussed more explicitly in the sections on allowable disclosures (both with and without authorization).

Covered entities and third parties that wish to have information disclosed to them will prepare forms for individuals to use to authorize use or disclosure. A model authorization form is displayed in Appendix A to this proposed rule. We considered presenting separate model forms for the two different types of authorizations (initiated by the individual and not initiated by the individual). However, this approach could be subject to misuse and be confusing to covered entities and individuals, who may be unclear as to which form is appropriate in specific situations. The model in the appendix accordingly is a unitary model, which includes all of the requirements for both types of authorization. By following such a model, covered entities, particularly small entities, could avoid the legal and administrative expenses that would be necessary to develop an authorization form that complies with the rule’s requirements. The proposed rule does not prevent entities from developing or modifying their own authorization forms. The alternative to providing this model was to simply state that an authorization would be required and allow entities to develop the authorization independently. While we would specify some information required in the authorization in this alternative, we would not give an actual form. This was considered to be an unnecessary burden for entities.

Finally, we are proposing that an individual be permitted to revoke an authorization at any time except to the extent that action has been taken in reliance on the authorization. See proposed § 164.508(e).

9. Uses and Disclosures Permitted Without Individual Authorization (§ 164.510)

This section describes uses and disclosures of protected health information that covered entities could make for purposes other than treatment, payment, and health care operations without individual authorization, and the conditions under which such uses and disclosures could be made. We propose to allow covered entities to use or disclose protected health information without individual authorization for such purposes if the use or disclosure would comply with the applicable requirements of this section.

Covered entities could need to reevaluate and modify their operating procedures to comply with the proposed rule’s prohibition on disclosing individually identifiable health information without patient authorization for any purpose other than treatment, payment, health care operations, or those situations explicitly identified as permissible disclosures under this proposed rule. Many entities could already do this. Entities that do not do this would need to alter information management systems and implement administrative policies and procedures to prevent inappropriate disclosures. Entities would also have to determine whether or not an authorization is necessary for each disclosure beyond treatment, payment, and health care operations that is not explicitly defined as a permissible disclosure under this proposed rule. It should be noted that the minimum necessary principle is an important component of the costs related to any disclosure. We expect that there would be significant initial and ongoing costs.

If an entity chooses to disclose protected health information without authorization from individuals, there would be a number of new provisions that it would have to comply with. For example, if a disclosure is to researchers outside of the organization, the entity must obtain written documentation indicating that the research has been approved by an institutional review board (IRB) or equivalent process by a privacy board. This requirement is associated with ongoing administrative costs. We note that any such costs are optional unless other requirements (state laws, mandatory reporting systems, etc.) mandate these disclosures. In order to minimize the burden of these costs for mandatory disclosures, we have tried to apply as few business partner requirements as possible in areas where these mandatory disclosures are possible. However, in cases where the disclosure is optional, entities would have higher costs if they choose to use these disclosures. We expect that entities would consider these costs before making any such disclosure and determine if the benefits to their business of disclosure are greater than the costs related to making the disclosure. Additionally, other than the new requirements for disclosures for research, most of the disclosures are simply recognizing current practices and would not require large new costs.

We considered permitting uses and disclosures only where law affirmatively requires the covered entity to use or disclose protected health information. However, because the activities described below are so important to the population as a whole, we decided to permit a covered entity to use or disclose information to promote those activities even when such activities are not legally mandated. In some cases, however, we would permit a use or disclosure only when such use or disclosure is authorized by other law. The requirements for verification of legal authority are discussed in section II.G.3.

Disclosures that are required by current law would only require minimal additional costs to entities. The only cost directly attributable to this proposed requirement would be the additional cost of noting these disclosures on the accounting of uses and disclosures.

However, disclosures required by this proposed regulation should be considered new costs. These mandatory disclosures would be extremely rare. For example, we expect that the Department would limit the number of compliance audits conducted. In these cases, some of the more expensive activities, including the minimum necessary principle and determining whether or not to make the disclosure, would not be applicable.

We would restrict the discussion of discretionary disclosures to the general principles behind such disclosures rather than a detailed description of each allowable disclosure. More elaborate discussion of options for individual classes of disclosures can be found in the preamble. These disclosures are optional disclosures and therefore, any costs related to making these disclosures would incur optional costs. We do not have a complete understanding of how often these disclosures are currently made, nor do we understand what procedures are currently in place. We also do not understand how often these disclosures would be made given the new costs associated with such disclosures. Note that the degree of new costs imposed if an entity opts to use a disclosure varies dramatically depending on the type of disclosure. For example, a disclosure of directory information in a hospital would probably not involve significant additional costs, while research that is not subject to the Common Rule would have significant new costs involved. These disclosures, and thus these costs, are optional under this proposed rule. While they may be mandated under other law, such mandated disclosures are already being made, so there would be no additional costs. In this case there are only marginal new costs related to these disclosures.

10. Clearinghouses and the Rights of Individuals

The rights described below would apply with respect to protected health information held by health care providers and health plans. We are proposing that clearinghouses not be subject to all of these requirements. We believe that as business partners of covered plans and providers, clearinghouses would not usually initiate or maintain direct relationships with individuals. The contractual relationship between a clearinghouse (as a business partner) and a covered plan or provider would bind the clearinghouse to the notice of information practices developed by the plan or provider and it would include specific provisions regarding inspection, copying, amendment and correction. Therefore, we do not believe that clearinghouses should be required to provide a notice or provide access for inspection, copying, amendment or correction. We would require clearinghouses to provide an accounting of any disclosures for purposes other than treatment, payment and health care operations to individuals upon request. See proposed § 164.515. It is our understanding that the vast majority of the clearinghouse function falls within the scope of treatment, payment, and health care operations and therefore we do not believe providing this important right to individuals would impose a significant burden on the industry. We invite comment on whether or not we should require clearinghouses to comply with all of the provisions of the individual rights section.

11. Rights and Procedures for a Written Notice of Information Practices (§ 164.512)

We are proposing that individuals have a right to an adequate notice of the information practices of covered plans and providers. The notice would be intended to inform individuals about what is done with their protected health information and about any rights they may have with respect to that information. Federal agencies must adhere to a similar notice requirement pursuant to the Privacy Act of 1974 (5 U.S.C. 552a(e)(3)).

We are not proposing that business partners (including health care clearinghouses) be required to develop a notice of information practices because, under this proposed rule, they would be bound by the information practices of the health plan or health care provider with whom they are contracting.

The rule requires covered entities to prepare and make available a notice that informs patients about their privacy rights and the entity’s actions to protect privacy. Entities that do not already comply with the rule’s requirements would incur one-time legal and administrative costs in preparing and making the notice available. In addition, plans would incur ongoing costs related to the dissemination of the notice at least once every three years, and all covered entities would have ongoing costs related to preparation of new notices as disclosure practices change, dissemination to new individuals who receive services, and requests for copies of the notice. Entities would also incur ongoing costs related to answering questions stemming from the notice. In addition to requiring a basic notice, we considered requiring a longer, more detailed notice that would be available to individuals on request. However, we decided that making information available on request, and letting the covered entity decide how best to provide such information, is a more balanced approach. We felt that it would be overly burdensome to all entities, especially small entities, to require two notices.

We considered requiring covered plans or providers to obtain a signed copy of the notice form (or some other signed indication of receipt) when they give the form to individuals. There are advantages to including such a requirement. A signed acknowledgment would provide evidence that the notice form has been provided to the individual. Further, the request to the individual to formally acknowledge receipt would highlight the importance of the notice, providing additional encouragement for the individual to read it and ask questions about its content.

We are concerned, however, that requiring a signed acknowledgment would significantly increase the administrative and paperwork burden of this provision. We also are unsure of the best way for health plans to obtain a signed acknowledgment because plans often do not have face-to-face contact with enrollees. It may be possible to collect an acknowledgment at initial enrollment, for example by adding an additional acknowledgment to the enrollment form, but it is less clear how to obtain it when the form is revised. We solicit comment on whether we should require a signed acknowledgment. Comments that address the relative advantages and burdens of such a provision would be most useful. We also solicit comment on the best way to obtain signed acknowledgments from health plans if such a provision is included in the final rule. We also solicit comments on other strategies, not involving signed acknowledgments, to ensure that individuals are effectively informed about the information practices of covered plans or providers.

We believe that the proposed rule appropriately balances a patient’s need for information and assurances regarding privacy with the covered entities’ need for flexibility in describing their operations and procedures to protect patient privacy. Instead of a model notice, we have included a sample notice to guide the development of notices. We felt that this would be an appropriate way to reduce the burden on all entities including those classified as small.

In § 164.512, we propose the categories of information that would be required in each notice of information practices, the specific types of information that would have to be included in each category, and general guidance as to the presentation of written materials. A sample notice is provided at Appendix A of this preamble.

In a separate section of this proposed rule, we would require covered plans or providers to develop and document policies and procedures relating to use, disclosure, and access to protected health information. See proposed § 164.520. We intend for the documentation of policies and procedures to be a tool for educating the entity’s personnel about its policies and procedures. In addition, the documentation would be the primary source of information for the notice of information practices. We intend for the notice to be a tool for educating individuals served by the covered plan or provider about the information practices of that entity. The information contained in the notice would not be as comprehensive as the documentation, but rather would provide a clear and concise summary of relevant policies and procedures.


We considered prescribing specific language that each covered plan or provider would include in its notice. The advantages of this approach would be that the recipient would get exactly the same information from each covered plan or provider in the same format, and that it would be convenient for covered plans or providers to use a uniform model notice.

There are, however, several disadvantages to this approach. First, and most important, no model notice could fully capture the information practices of every covered plan or provider. Large entities would have different information practices than small entities. Some health care providers, for example academic teaching hospitals, may routinely disclose identifiable health information for research purposes. Other health care providers may rarely or never make such disclosures. To be useful to individuals, each entity’s notice of information practices should reflect its unique privacy practices.

Another disadvantage of prescribing specific language is that it would limit each covered plan or provider’s ability to distinguish itself in the area of privacy protections. We believe that if information on privacy protections were readily available, individuals might compare and select plans or providers based on their information practices. In addition, a uniform model notice could easily become outdated. As new communication methods or technologies are introduced, the content of the notices might need to reflect those changes.

In proposed § 164.512, we would require each covered plan and provider to include in the notice an explanation of how it uses and discloses protected health information. The explanation must be provided in sufficient detail as to put the individual on notice of the uses and disclosures expected to be made of his or her protected health information. As explained above in section II.C.7, covered plans and providers may only use and disclose protected health information for purposes stated in this notice.

We considered requiring the notice to include not only a discussion of the actual disclosure practices of the covered entity, but also a listing or discussion of all additional disclosures that are authorized by law. We considered this approach because, under this proposed rule, covered plans or providers would be permitted to change their information practices at any time, and therefore individuals would not be able to rely on the entity’s current policies alone to understand how their protected health information may be used in the future. We recognize that in order to be fully informed, individuals need to understand when their information could be disclosed.

We rejected this approach because we were concerned that a notice with such a large amount of information could be burdensome to both the individuals receiving the notices and the entities required to prepare and distribute them. There are a substantial number of required and permitted disclosures under State or other applicable law, and this rule generally would permit them to be made.

Alternatively, we considered requiring that the notice include all of the types of permissible disclosures under this rule (e.g., public health, research, next-of-kin). We rejected that approach for two reasons. First, we felt that providing people with notice of the intended or likely disclosures of their protected health information was more useful than describing all of the potential types of disclosures. Second, in many States and localities, different laws may affect the permissible disclosures that an entity may make, in which case a notice only discussing permissible disclosures under the federal rule would be misleading. While it would be possible to require covered plans or providers to develop notices that discuss or list disclosures that would be permissible under this rule and other law, we were concerned that such a notice may be very complicated because of the need to discuss the interplay of federal, State or other law for each type of permissible disclosure. We invite comments on the best approach to provide the most useful information to the individuals without overburdening either covered plans or providers or the recipients of the notices.

In § 164.520, we are proposing to require all covered entities to develop and document policies and procedures for the use of protected health information. The notice would simply summarize those documented policies and procedures and therefore would entail little additional burden.

It is critical to the effectiveness of this proposed rule that individuals be given the notice often enough to remind them of their rights, but without overburdening covered plans or providers. We propose that all covered plans and providers would be required to make their notice available to any individual upon request, regardless of whether the requestor is already a patient or enrollee. We believe that broad availability would encourage individuals or organizations to compare the privacy practices of plans or providers to assist in making enrollment or treatment choices. We also propose additional distribution requirements for updating notices, which would be different for health plans and health care providers. The requirements for health plans and health care providers are different because we recognize that they have contact with individuals at different points in time in the health care system.

We considered a variety of combinations of distribution practices for health plans and are proposing what we believe is the most reasonable approach. We would require health plans to distribute the notice by the effective date of the final rule, at enrollment, within 60 days of a material change to the plan’s information practices, and at least once every three years.

We considered requiring health plans to post the notice either in addition to or instead of distribution. Because most individuals rarely visit the office of their health plan, we do not believe that this would be an effective means of communication. We also considered either requiring distribution of the notice more or less frequently than every three years. As compared to most health care providers, we believe that health plans often are larger and have existing administrative systems to cost effectively provide notification to individuals. Three years was chosen as a compromise between the importance of reminding individuals of their plans’ information practices and the need to keep the burden on health plans to the minimum necessary to achieve this objective. We are soliciting comment on whether requiring a notice every three years is reasonable for health plans.

We propose to require that covered health care providers provide a copy of the notice to every individual served at the time of first service delivery, that they post the notice in a clear and prominent location where it is reasonable to expect individuals seeking service from the provider to be able to read the notice, and that copies be available on-site for individuals to take with them. In addition, we propose to require that covered health care providers provide a copy of the notice to individuals they are currently serving at their first instances of service delivery within a year of the effective date of the final rule.

We would not require providers to mail or otherwise disseminate their notices after giving the notice to individuals at the time of the first service delivery. Providers’ patient lists may include individuals they have not served in decades. It would be difficult for providers to distinguish between “active” patients, those who are seen rarely, and those who have moved to different providers. While some individuals would continue to be concerned with the information practices of providers who treated them in the distant past, overall the burden of an active distribution requirement would not be outweighed by improved individual control and privacy protection.

If a provider wishes to make a material change in the information practices addressed in the notice, it would be required to revise its notice in advance. After making the revision, the provider would be required to post the new notice promptly. We believe that this approach creates the minimum burden for providers consistent with giving individuals a clear source of accurate information.

12. Rights and Procedures for Access for Inspection and Copying (§ 164.514)

In § 164.514, we are proposing that, with very limited exceptions, individuals have a right to inspect and copy protected health information about them maintained by a covered health plan or health care provider in a designated record set. Individuals would also have a right of access to protected health information in a designated record set that is maintained by a business partner of a covered plan or provider when such information is not a duplicate of the information held by the plan or provider, including when the business partner is the only holder of the information or when the business partner has materially altered the protected health information that has been provided to it.

In § 164.506(e), we are proposing that covered plans and providers include specific terms in their contract with each business partner. One of the required terms would be that the business partner must provide for inspection and copying of protected health information as provided in this section. Because our authority is limited by HIPAA to the covered entities, we must rely upon covered plans and providers to ensure that all of the necessary protected health information provided by the individual to the plan or provider is available for inspection and copying. We would require covered plans and providers to provide access to information held in the custody of a business partner when it is different from information maintained by the covered plan or provider. We identified two instances where this seemed appropriate: when the protected health information is only in the custody of a business partner and not in the custody of the covered plan or provider; and when protected health information has been materially altered by a business partner. We are soliciting comment on whether there are other instances where access should be provided to protected health information in the custody of a business partner.

Other than in their capacity as business partners, we are not proposing to require clearinghouses to provide access for inspection and copying. As explained above in section II.C.5, clearinghouses would usually be business partners under this proposed rule and therefore they would be bound by the contract with the covered plan or provider. See proposed § 164.506(e). We carefully considered whether to require clearinghouses to provide access for inspection and copying above and beyond their obligations as a business partner, but determined that the typical clearinghouse activities of translating record formats and batching transmissions do not involve setting up designated record sets on individuals. Although the data maintained by the clearinghouse is protected health information, it is normally not accessed by individual identifier and an individual’s records could not be found except at great expense. In addition, although clearinghouses process protected health information and discover errors, they do not create the data and make no changes in the original data. They, instead, refer the errors back to the source for correction. Thus, individual access to clearinghouse records provides no new information to the individual but could impose a significant burden on the industry.

We are proposing that covered plans and providers be required to provide access for as long as the entity maintains the protected health information. We considered requiring covered plans and providers to provide access for a specific period or defining a specific retention period. We rejected that approach because many laws and professional standards already designate specific retention periods and we did not want to create unnecessary confusion. In addition, we concluded that individuals should be permitted to have access for as long as the information is maintained by the covered plan or provider. We are soliciting comments on whether we should include a specific duration requirement in this proposed rule.

Proposed § 164.514 would permit denial of inspection and copying under very limited circumstances. The categories of denials would not be mandatory; the entity could always elect to provide all of the requested health information to the individual. For each request by an individual, the entity could provide all of the information requested or it could evaluate the requested information, consider the circumstances surrounding the individual’s request, and make a determination as to whether that request should be granted or denied. We intend to create narrow exceptions to the stated rule of open access and we would expect covered plans and providers to employ these exceptions rarely, if at all.

We considered whether entities should be permitted to deny access to information based on a number of factors. For more specific discussion of access denials, please refer to earlier preamble text. For the purposes of the economic impacts, it is important to note that these denials are optional and, therefore, any costs associated with utilizing these denials are optional.

In § 164.514(c) and (d), we are proposing that covered plans and providers be required to have procedures that enable individuals to exercise their rights to inspect and obtain a copy of protected health information as explained above.

We considered whether this proposed rule should include detailed procedures governing an individual’s request for inspection and copying. Because this proposed rule would affect such a wide range of entities, we concluded that it should only provide general guidelines and that each entity should have the discretion to develop procedures consistent with its own size, systems, and operations.

In § 164.514(d)(2), we are proposing that the covered plans and providers would take action upon the request as soon as possible but not later than 30 days following receipt of the request. We considered the possibility of not including a time limitation but rather imposing a “reasonableness” requirement on the covered plans or providers. We concluded that the individual is entitled to know when to expect a response. This is particularly important in the context of health information, where an individual could need access to his or her information in order to make decisions about care. Therefore, in order to determine what would be “reasonable,” we examined the time limitations provided in the Privacy Act, the Freedom of Information Act (FOIA), and several State laws.

The Privacy Act requires that upon receipt of a request for amendment (not access), the agency would send an acknowledgment to the individual within 10 working days (5 U.S.C. 552a(d)(2)). We considered several options that included such an acknowledgment requirement. An acknowledgment would be valuable because it would assure the individual that their request was received. Despite the potential value of requiring an acknowledgment, we concluded that it could impose a significant administrative burden on some of the covered plans and providers. This proposed rule would cover a wide range of entities with varying capacities and therefore, we are reluctant to create requirements that would overwhelm smaller entities or interfere too much with procedures already in place. We would encourage plans and providers to have an acknowledgment procedure in place, but would not require it at this point. We are soliciting comment on whether this proposed rule should require such an acknowledgment.

We also considered whether to include specific procedures governing “urgent” or “emergency” requests. Such procedures would require covered plans and providers to respond in a shorter time frame. We recognize that circumstances could arise where an individual would request inspection and copying on an expedited basis and we encourage covered plans or providers to have procedures in place for handling such requests. We are not proposing additional regulatory time limitations to govern in those circumstances. The 30-day time limitation is intended to be an outside deadline, rather than an expectation. Rather, we would expect a plan or provider to always be attentive to the circumstances surrounding each request and respond in an appropriate time frame, not to exceed 30 days.

Finally, we considered including a section governing when and how an entity could have an extension for responding to a request for inspection and copying. For example, the FOIA provides that an agency could request additional time to respond to a request if the agency needs to search for and collect the requested records from facilities that are separate from the office processing the request; to search for, collect, and appropriately examine a voluminous amount of separate and distinct records; and to consult with another entity or component having a substantial interest in the determination of the request. We determined that the criteria established in the FOIA are tailored to government information systems and therefore could not be appropriate for plans and providers covered by this proposed rule. Furthermore, we determined that the 30-day time period would be sufficient for responding to requests for inspection and copying and that extensions should not be necessary. We are soliciting comments on whether a structured extension procedure should be included in this proposed rule.

In § 164.514(d)(3), we are proposing that covered plans or providers be required to notify the individual of the decision to provide access and of any steps necessary to fulfill the request. In addition, we propose that the entity provide the information requested in the form or format requested if it is readily producible in such form or format. Finally, if the covered plan or provider accepts an individual’s request, it would be required to facilitate the process of inspection and copying.

In proposed § 164.514(d)(3)(iv), we would permit a covered plan or provider to charge a reasonable, cost-based fee for copying health information provided pursuant to this section. We considered whether we should follow the practice in the FOIA and include a structured fee schedule. We concluded that the FOIA was developed to reflect the relatively uniform government costs and that this proposed rule would apply to a broader range of entities. Depending on the size of the entity, copying costs could vary significantly. Therefore, we propose that the entity simply charge a reasonable, cost-based fee.

In § 164.514(d)(4), we propose that a covered plan or provider that denies an individual’s request for inspection and copying in whole or in part be required to provide the individual with a written statement in plain language explaining the reason for the denial. The statement could include a direct reference to the section of the regulation relied upon for the denial, but the regulatory citation alone would not sufficiently explain the reason for the denial. The statement would need to include the name and number of the contact person or office within the entity who is responsible for receiving complaints. In addition, the statement would need to include information regarding the submission of a complaint with the Department pursuant to § 164.522(b).

We considered proposing that covered plans and providers provide a mechanism for appealing a denial of inspection and copying. We believe, however, that the requirement proposed in § 164.518(d) that covered plans and providers have complaint procedures to address patient and enrollee privacy issues generally would allow the individual to raise the issue of a denial with the covered plan or provider. We would expect the complaint procedures to be scalable; for example, a large plan might develop a standard complaint process in each location where it operates, whereas a small practice might simply refer the original request and denial to the clinician in charge for review. We would encourage covered plans and providers to institute a system of appeals, but would not require it by regulation. In addition, the individual would be permitted to file a complaint with the Department pursuant to § 164.522(b).

13. Rights and Procedures With Respect to an Accounting of Disclosures (§ 164.515)

In this proposed rule, we propose that individuals have a right to receive an accounting of all instances where protected health information about them is disclosed by a covered entity for purposes other than treatment, payment, and health care operations, subject to certain time-limited exceptions for disclosures to law enforcement and oversight agencies as discussed below. Providing such an accounting would allow individuals to understand how their health information is shared beyond the basic purposes of treatment, payment and health care operations.

We considered whether to require covered entities to account for all disclosures, including those for treatment, payment and health care operations. We rejected this approach because it would be burdensome and because it would not focus on the disclosures of most interest to individuals. Upon entering the health care system, individuals are generally aware that their information would be used and shared for the purpose of treatment, payment and health care operations. They have the greatest interest in an accounting of circumstances where the information was disclosed for other purposes that are less easy to anticipate. For example, an individual might not anticipate that his or her information would be shared with a university for a research project, or would be requested by a law enforcement agency.

We are not proposing that covered entities include uses and disclosures for treatment, payment and health care operations in the accounting. We believe that it is appropriate for covered entities to monitor all uses and disclosures for treatment, payment and health care operations, and they would be required to do so for electronically maintained information by the Security Standard. However, we do not believe that covered entities should be required to provide an accounting of the uses and disclosures for treatment, payment and health care operations.

This proposed rule would not specify a particular form or format for the accounting. In order to satisfy the accounting requirement, a covered entity could elect to maintain a systematic log of disclosures or it could elect to rely upon detailed record keeping that would permit the entity to readily reconstruct the history when it receives a request from an individual. We would require that covered entities be able to respond to a request for accounting within a reasonable time period. In developing the form or format of the accounting, covered entities should adopt policies and procedures that would permit them to respond to requests within the 30-day time period in this proposed rule.

We also considered whether or not the disclosure history should be a formal document that is constantly maintained or whether we should give more flexibility to entities in this regard. We decided that since our ultimate goal is that individuals have access to a disclosure history of their records upon request, it would be reasonable to require only that they be able to do this. We are not prescribing how they fulfill the requirement. We also believe that it is less burdensome to require that they be able to create a disclosure history than to require that they have a specific format for maintaining a disclosure history.

We are proposing that the accounting include all disclosures for purposes other than treatment, payment, and health care operations, subject to certain exceptions for disclosures to law enforcement and oversight agencies, discussed below. This would also include disclosures that are authorized by the individual. The accounting would include the date of each disclosure; the name and address of the organization or person who received the protected health information; and a brief description of the information disclosed. For all disclosures that are authorized by the individual, we are proposing that the covered entity maintain a copy of the authorization form and make it available to the individual with the accounting.

We considered whether the accounting of disclosures should include the name of the person who authorized the disclosure of information. The proposed Security Standard would require covered entities to have an audit mechanism in place to monitor access by employees. We concluded that it would be unnecessary and inappropriate to require the covered entity to include this additional information in the accounting. If the individual identifies an improper disclosure by an entity, he or she should hold the entity, not the employee of the entity, accountable. It is the responsibility of the entity to train its workforce about its policies and procedures for the disclosure of protected health information and to impose sanctions if such policies and procedures are violated.

14. Rights and Procedures for Amendment and Correction (§ 164.516)

This proposed rule would provide an individual with the right to request a covered plan or provider to amend or correct protected health information relating to the individual. A covered plan or provider would be required to accommodate requests with respect to any information that the covered plan or provider determines to be erroneous or incomplete, that was created by the plan or provider, and that would be available for inspection and copying under proposed § 164.514.

We are concerned about the burden that requests for amendment or correction could place on covered plans and providers and have tried to limit the process to those situations where amendment or correction would appear to be most important. We invite comment on whether our approach reasonably balances burden with adequately protecting individual interests.

We propose to require a covered plan or provider to accommodate a request for amendment or correction if the plan or provider created the information in dispute. We considered requiring covered plans and providers to amend or correct any erroneous or incomplete information they maintain, regardless of whether they created the information. Under this approach, if the plan or provider did not create the information, then it would have been required to trace the information back to the original source to determine accuracy and completeness. We rejected this option because we concluded that it would not be appropriate to require the plan or provider that receives a request to be responsible for verifying the accuracy or completeness of information that it did not create. We also were concerned about the burden that would be imposed on covered plans and providers if they were required to trace the source of any erroneous or incomplete information transmitted to them.

We would rely on a combination of three other requirements to ensure that protected health information remains as accurate as possible as it travels through the health care system. First, we are proposing that a covered plan or provider that makes an amendment or correction be required to notify any relevant persons, organizations, or other entities of the change or addition. Second, we are proposing that other covered plans or providers that receive such a notification be required to incorporate the necessary amendment or correction. Finally, we are proposing that covered plans or providers require their business partners who receive such notifications to incorporate any necessary amendments or corrections. See the discussion in section II.F.4. We are soliciting comments on whether this approach would effectively ensure that amendments and corrections are communicated appropriately.

We are proposing that covered plans and providers be required to accommodate requests for amendment or correction for as long as the entity maintains the protected health information. We considered requiring covered plans and providers to accommodate requests for a specific period or defining a specific retention period. We rejected that approach because many laws and professional standards already designate specific retention periods and we did not want to create confusion. In addition, we concluded that individuals should be permitted to request amendments or corrections for as long as the information is maintained by the covered plan or provider. We are soliciting comments on whether we should include a specific duration requirement in this proposed rule.

In § 164.516, we are proposing that covered plans and providers be required to have procedures that enable individuals to exercise their rights to request amendment or correction, including a means by which individuals could request amendment or correction of protected health information about them. We considered whether this proposed rule should include detailed procedures governing an individual’s request. But as with the procedures for requesting inspection and copying, we are only providing a general requirement and permitting each plan or provider to develop procedures in accordance with its needs. Once the procedures are developed, the plan or provider would document them in accordance with § 164.520 and include a brief explanation in the notice that is provided to individuals pursuant to § 164.512.

We are proposing that the covered plan or provider would take action on a request for amendment or correction as quickly as the circumstances require, but not later than 60 days following the request. The justification for establishing a time limitation for amendment and correction is virtually identical to that provided for the time limitation for inspection and copying. We concluded that the entity should be provided with some additional flexibility in this context. Depending on the nature of the request, an amendment or correction could require significantly more time than a request for inspection and copying. If a covered plan or provider needed more than 30 days to make a decision, we would encourage, but not require, it to send an acknowledgment of receipt to the individual including an explanation of the reasons for the delay and a date when the individual could expect a final decision.

In § 164.516(c)(3), we are proposing that, upon accepting an amendment or correction, the covered plan or provider would be required to make reasonable efforts to notify relevant persons, organizations, or other entities of the change or addition. An entity would be required to notify such persons that the individual identifies, or that the covered plan or provider identifies as (1) a recipient of the erroneous or incomplete information, and (2) a person who:

• Has relied upon that information to the detriment of the individual; or

• Is a person who could foreseeably rely on such erroneous or incomplete information to the detriment of the individual.

We are concerned about the potential burden that this notification requirement would impose on covered plans and providers. We do not, however, anticipate that a significant number of requests would be submitted to any entity and therefore the need for such notifications would be rare. In addition, we determined that because health information can travel so quickly and efficiently in the modern health care system, the need for notification outweighed the potential burden. It is important to note that a reasonableness standard should be applied to the notification process: if the recipient has not relied upon the erroneous or incomplete information to the detriment of the individual or if it is not foreseeable that the recipient would do so, then it would not be reasonable for the covered plan or provider to incur the time and expense of notification. If, however, the incorrect information is reasonably likely to be used to the detriment of the individual, the entity should make every effort to notify the recipients of the information of the changes as quickly as possible.

We discussed a number of options regarding the notification of other entities. We considered only requiring that the entity provide the individual with a listing of who else could have received the information. This would place the burden of notification in the hands of the individual rather than the entity. Because individuals would not have the same contacts and relationship with other entities as the original covered entity, we decided that placing the burden on individuals would be more cumbersome for both individuals and the secondary entities receiving the requests. We also considered not including a notification requirement. However, this would mean that individuals would need to both figure out where the information had gone to and make separate requests for amendment or correction to every entity. This also appeared to be overly difficult. We believe that the option we are proposing is fair to both individuals and covered entities.

In proposed § 164.516(c)(4), we would require a covered plan or provider to provide the individual with a written statement in plain language of the reason for the denial and permit the individual to file a written statement of disagreement with the decision to deny the request.

If the individual chooses to file a statement of disagreement, then the covered plan or provider must retain a copy of the statement with the protected health information in dispute. The covered plan or provider could require that the statement be a reasonable length, provided that the individual has reasonable opportunity to state the nature of the disagreement and offer his or her version of accurate and complete information. In all subsequent disclosures of the information requested to be amended or corrected, the covered plan or provider would be required to include a copy of its statement of the basis for denial and, if provided by the individual, a copy of his or her statement of disagreement. If the statement submitted by the individual is unreasonably long, the covered plan or provider could include a summary in subsequent disclosures which reasonably explains the basis of the individual’s position. The covered plan or provider would also be permitted to provide a rebuttal to the individual’s statement of disagreement and include the rebuttal statement in any subsequent disclosures.

We considered requiring the covered plan or provider to provide a mechanism for appealing denials of amendment or correction but concluded that it would be too burdensome. We are soliciting comment on whether the approach we have adopted reasonably balances the burdens on covered plans or providers with the rights of individuals.

If a covered plan or provider receives a notification of erroneous or incomplete protected health information as provided in proposed § 164.516(d), we are proposing that the covered plan or provider be required to make the necessary amendment or correction to protected health information in its custody that would be available for inspection and copying. This affirmative duty to incorporate amendments and corrections would be necessary to ensure that individuals’ protected health information is as accurate and complete as possible as it travels through the health care system.

15. Administrative Requirements (§ 164.518)

We propose that covered entities be required to implement five basic administrative requirements to safeguard protected health information: designation of a privacy official, the provision of privacy training, establishment of safeguards, a complaint process, and establishment of sanctions. Implementation of these requirements would vary depending on a variety of different factors such as type of entity (e.g., provider or plan), size of entity (e.g., number of employees, number of patients), the level of automation within the entity (e.g., electronic medical records), and organization of the entity (e.g., existence of an office of information systems, affiliation with a medical school).

a. Designation of a Privacy Official (§ 164.518(a))

In proposed § 164.518(a), we would require covered entities to designate an employee or other person to serve as the official responsible for the development of policies and procedures for the use and disclosure of protected health information. The designation of an official would focus the responsibility for development of privacy policy.

We considered whether covered entities should be required to designate a single official or an entire board. We concluded that a single official would better serve the purposes of focusing the responsibility and providing accountability within the entity. The implementation of this requirement would depend on the size of the entity. For example, a small physician’s practice might designate the office manager as the privacy official, and he or she would assume this as one of his or her broader administrative responsibilities. A large entity might appoint a person whose sole responsibility is privacy policy, and he or she might choose to convene a committee representing several different components of the entity to develop and implement privacy policy.

b. Training (§ 164.518(b))

In proposed § 164.518(b), we would require covered entities to provide training on the entity’s policies and procedures with respect to protected health information. Each entity would be required to provide initial training by the date on which this proposed rule becomes applicable. After that date, each covered entity would have to provide training to new members of the workforce within a reasonable time period after joining the entity. In addition, we are proposing that when a covered entity makes material changes in its privacy policies or procedures, it would be required to retrain those members of the workforce whose duties are directly affected by the change within a reasonable time of making the change.

The entities would be required to train all members of the workforce (e.g., all employees, volunteers, trainees, and other persons under the direct control of all persons working on behalf of the covered entity on an unpaid basis who are not business partners) who are likely to have contact with protected health information.

Upon completion of the training, the person would be required to sign a statement certifying that he or she received the privacy training and would honor all of the entity’s privacy policies and procedures. Entities would determine the most effective means of communicating with their workforce. For example, in a small physician practice, the training requirement could be satisfied by providing each new member of the workforce with a copy of the practice’s information policies and requiring members of the workforce to acknowledge that they have reviewed the policies. A large health plan could provide for a training program with live instruction, video presentations or interactive software programs. The small physician practice’s solution would not protect the large plan’s data, and the plan’s solution would be neither economically feasible nor necessary for the small physician practice.

At least once every three years after the initial training, covered entities would be required to have each member of the workforce sign a new statement certifying that he or she would honor all of the entity’s privacy policies and procedures. The initial certification would be intended to make members of the workforce aware of their duty to adhere to the entity’s policies and procedures. By requiring a recertification every three years, they would be reminded of this duty.

We considered several different options for recertification. We considered proposing that members of the workforce be required to recertify every six months, but concluded that such a requirement would be too burdensome. We considered proposing that recertification be required annually, consistent with the recommendations of the American Health Information Management Association (Brandt, Mary D., Release and Disclosure: Guidelines Regarding Maintenance and Disclosure of Health Information, 1997). We concluded that annual recertification could also impose a significant burden on covered entities.

We also considered requiring that the covered entity provide “refresher” training every three years in addition to the recertification. We concluded that our goals could be achieved by only requiring recertification once every three years, and retraining in the event of material changes in policy. We are soliciting comment on this approach.

c. Safeguards (§ 164.518(c))

In proposed § 164.518(c), we would require covered entities to put in place administrative, technical, and physical safeguards to protect against any reasonably anticipated threats or hazards to the privacy of the information, and unauthorized uses or disclosures of the information. We proposed similar requirements for certain electronic information in the Notice of Proposed Rulemaking entitled the Security and Electronic Signature Standards (HCFA–0049–P), which can be found at 63 FR 43241. We are proposing parallel and consistent requirements for safeguarding the privacy of protected health information.

i. Verification procedures.

As noted in section II.E., for many permitted disclosures the covered entity would be responding to a request for disclosure of protected health information. For most categories of permitted disclosures, when the request for disclosure of protected health information is from a person with whom the covered entity does not routinely do business, we would require the covered entity to verify the identity of the requestor. In addition, for certain categories of disclosures, covered entities would also be required to verify the requestor’s legal authority to make the request.

Under § 164.514, a covered entity would be required to give individuals access to protected health information about them (under most circumstances). The covered entity would also be required to take reasonable steps to verify the identity of the individual making the request for access. We do not propose to mandate particular identification requirements (e.g., driver’s license, photo ID, etc.), but rather would leave this to the discretion of the covered entity.

We considered specifying the type of documentation or proof that would be acceptable, but decided that the burden of such specific regulatory requirements on covered entities would be unnecessary. Therefore, we propose only a general requirement for reasonable verification of identity and legal authority.

d. Internal Complaint Process (§ 164.518(d))

In proposed § 164.518(d), we would require covered plans and providers to have some mechanism for receiving complaints from individuals regarding the covered plan’s or provider’s compliance with the requirements of this proposed rule. The covered plan or provider would be required to accept complaints about any aspect of their practices regarding protected health information. We would not require that the entity develop a formal appeals mechanism, nor that “due process” or any similar standard be applied. We would not require that covered entities respond in any particular manner or time frame. We are proposing two basic requirements for the complaint process. First, the covered plan or provider would be required to identify a contact person or office in the notice of information practices for receiving complaints. This person or office could either be responsible for handling the complaints or could put the individual in touch with the appropriate person within the entity to handle the particular complaint. See proposed § 164.512. This person could, but would not have to be, the entity’s privacy official. See proposed § 164.518(a)(2). Second, the covered plan or provider would be required to maintain a record of the complaints that are filed and a brief explanation of the resolution, if any.

We considered requiring covered plans and providers to provide a formal internal appeal mechanism, but rejected that option as too costly and burdensome for some entities. We also considered eliminating this requirement entirely, but rejected that option because a complaint process would give covered plans or providers a way to learn about potential problems with privacy policies or practices, or training issues. We also hope that providing an avenue for covered plans or providers to address complaints would lead to increased consumer satisfaction. We believe this approach strikes a reasonable balance between allowing covered plans or providers flexibility and accomplishing the goal of promoting attention to improvement in privacy practices. If an individual and a covered plan or provider are able to resolve the individual’s complaint, there could be no need for the individual to file a complaint with the Secretary under proposed § 164.522(b). However, an individual has the right to file a complaint with the Secretary at any time. An individual could file a complaint with the Secretary before, during, after, or concurrent with filing a complaint with the covered plan or provider or without filing a complaint with the covered plan or provider.

We are considering whether modifications of these complaint procedures for intelligence community agencies could be necessary to address the handling of classified information and solicit comment on the issue.

e. Sanctions (§ 164.518(e))

In proposed § 164.518(e), we would require all covered entities to develop and apply, when appropriate, sanctions for failure to comply with policies or procedures of the covered entity or with the requirements of this proposed rule. All members of the workforce who have regular contact with protected health information should be subject to sanctions, as would the entity’s business partners. Covered entities would be required to develop and impose sanctions appropriate to the nature of the issue. The type of sanction applied would vary depending on factors such as the severity of the violation, whether the violation was intentional or unintentional, and whether the violation indicates a pattern or practice of improper use or disclosure of protected health information. Sanctions could range from a warning to termination.

We considered specifying particular sanctions for particular kinds of violations of privacy policy, but rejected this approach for several reasons. First, the appropriate sanction would vary with the entity’s particular policies. Because we cannot anticipate every kind of privacy policy in advance, we cannot predict the response that would be appropriate when that policy is violated. In addition, it is important to allow covered entities to develop the sanctions policies appropriate to their business and operations.

We expect that sanctions would be more formally described and consistently carried out in larger, more sophisticated entities. Smaller, less sophisticated entities would be given more latitude and flexibility. For such smaller and less sophisticated entities, we would not expect a prescribed sanctions policy, but would expect that actions be taken if repeated instances of violations occur.

f. Sanctions (§ 164.518(f))

We propose in § 164.518(f) that covered entities be required to have procedures for mitigating, to the extent practicable, any deleterious effect of a use or disclosure of protected health information by members of their workforce or business partners. With respect to business partners, we also propose that covered entities have an affirmative duty to take reasonable steps in response to breaches of contract terms.

16. Development and Documentation of Policies and Procedures (§ 164.520)

In proposed § 164.520, we would require covered entities to develop and document their policies and procedures for implementing the requirements of this proposed rule. This requirement is intended as a tool to facilitate covered entities’ efforts to develop appropriate policies to implement this proposed rule, to ensure that the members of their workforce and business partners understand and carry out expected privacy practices, and to assist covered entities in developing a notice of information practices.

The scale of the policies developed should be consistent with the size of the covered entity. For example, a smaller employer could develop policies restricting access to health plan information to one designated employee, empowering that employee to deny release of the information to corporate executives and managers unless required for health plan administration. Larger employers could have policies that include using contractors for any function that requires access to protected health information or requiring all reports they receive for plan administration to be de-identified unless individual authorization is obtained.

We are proposing general guidelines for covered entities to develop and document their own policies and procedures. We considered a more uniform, prescriptive approach but concluded that a single approach would be neither effective in safeguarding protected health information nor appropriate given the vast differences among covered entities in size, business practices and level of sophistication. It is important that each covered entity’s internal policies and procedures for implementing the requirements of this regulation are tailored to the nature and number of its business arrangements, the size of its patient population, its physical plant and computer system, the size and characteristics of its workforce, whether it has one or many locations, and similar factors. The internal policies and procedures appropriate for a clearinghouse would not be appropriate for a physician practice; the internal policies and procedures appropriate for a large, multi-state health plan would not be appropriate for a smaller, local health plan.

After evaluating the requirements of federal, State, or other applicable laws, covered entities should develop policies and procedures that are appropriate for their size, type, structure, and business arrangements. Once a covered plan or provider has developed and documented all of the policies and procedures as required in this section, it would have compiled all of the information needed to develop the notice of information practices required in § 164.512. The notice is intended to include a clear and concise summary of many of the policies and procedures discussed in this section. Further, if an individual has any questions about the entity’s privacy policies that are not addressed by the notice, a representative of the entity could easily refer to the documented policies and procedures for additional information.

Before making a material change in a policy or procedure, the covered entity would, in most instances, be required to make the appropriate changes to the documentation required by this section before implementing the change. In addition, covered plans and providers would be required to revise their notice of information practices in advance. Where the covered entity determines that a compelling reason exists to take an action that is inconsistent with its documentation or notice before making the necessary changes, it could take such action if it documents the reasons supporting the action and makes the necessary changes within 30 days of taking such action.

In an attempt to ensure that large entities develop coordinated and comprehensive policies and procedures as required by this section, we considered proposing that entities with annual receipts greater than $5 million [40] be required to have a privacy board review and approve the documentation of policies and procedures. As originally conceived, the privacy board would only serve to review research protocols as described in § 164.510(j). We believe that such a board could also serve as "privacy experts" for the covered entity and could review the entity's documented policies and procedures. In this capacity, the overriding objective of the board would be to foster development of up-to-date, individualized policies that enable the organization to protect health information without unnecessarily interfering with the treatment and payment functions or business needs. This type of review is particularly important for large entities, which would have to coordinate policies and procedures among a large staff; smaller organizations would be encouraged, but not required, to take a similar approach (i.e., have a widely representative group participate in the development and/or review of the organization's internal privacy policies and the documentation thereof). We solicit comment on this proposal.

[40] The Small Business Administration defines small businesses in the health care field as those generating less than $5 million annually. Small businesses represent approximately 85% of health care entities.

[41] We have used two different data sources for our estimates of the number of entities. In the regulatory impact analysis (RIA), we chose to use the same numbers as we used in other Administrative Simplification rules. In the regulatory flexibility analysis (RFA), we used the most recent data available from the Small Business Administration (SBA). We chose to use the Administrative Simplification estimates in the RIA because we wanted our analysis to be as consistent as possible with those regulations and also believe that, because it is higher than the more recent SBA data, it was the more conservative data source. We chose to use the SBA data in the RFA because we wanted our analysis to be as consistent with SBA definitions as possible, to give the greatest accuracy for RFA purposes.

[42] Establishments are the physical locations where an enterprise conducts business. An enterprise may conduct business in more than one establishment.

We also considered requiring the covered entity to make its documentation available to persons outside the entity upon request. We rejected this approach because covered entities should not be required to share their operating procedures with the public, or with their competitors.

We recognize that the documentation requirement in this proposed rule would impose some paperwork burden on covered plans and providers. However, we believe that it is necessary to ensure that covered plans and providers establish privacy policies and procedures in advance of any requests for disclosure, authorization, or subject access. It is also necessary to ensure that covered entities and members of their workforce have a clear understanding of the permissible uses and disclosures of protected health information and their duty to protect the privacy of such information under specific circumstances.

17. Compliance and Enforcement

The rules proposed below at § 164.522 would establish several requirements designed to enable the Secretary to monitor and seek to ensure compliance with the provisions of this subpart. The general philosophy of this section is to provide a cooperative approach to obtaining compliance, including use of technical assistance and informal means to resolve disputes. However, in recognition of the fact that it would not always be possible to achieve compliance through cooperation, the section also would provide the Secretary with tools for carrying out her statutory mandate to achieve compliance.

Proposed § 164.522(a) would establish the principle that the Secretary would seek the cooperation of covered entities in obtaining compliance. Section 164.522(a)(2) provides that the Secretary could provide technical assistance to covered entities to help them come into compliance with this subpart. It is clearly in the interests of both the covered entities and the individuals they serve to minimize the costs of compliance with the privacy standards. To the extent that the Department could facilitate this by providing technical assistance, it would endeavor to do so.

V. Initial Regulatory Flexibility Analysis

A. Introduction

Pursuant to the Regulatory Flexibility Act, 5 U.S.C. 601 et seq., HHS must prepare a regulatory flexibility analysis unless the Secretary certifies that a proposed rule would not have a significant economic impact on a substantial number of small entities.

This analysis addresses six issues: (1) reasons for promulgating the rule; (2) the proposed rule's objectives and legal basis; (3) the number and types of small entities affected by the proposed rule; (4) the specific activities and costs associated with compliance; (5) options that HHS considered to minimize the rule's economic burdens or increase its benefits for small entities; and (6) the relevant Federal rules that could duplicate, overlap, or conflict with the proposed rule. The following sections provide details on each of these issues.

Reasons for Promulgating the Rule

This proposed rule is being promulgated primarily because we have been statutorily mandated to do so under section 264 of Public Law 104–191. Additional information on the reasons for promulgating the rule can be found in earlier preamble discussions (section I).

Objectives and Legal Basis

This information can be found in earlier preamble discussions (section I).

Relevant Federal Provisions

This information can be found in earlier preamble discussions (section I.B).

B. Economic Effects on Small Entities

1. Number and Types of Small Entities Affected

The Small Business Administration defines small entities in the health care sector as those organizations with less than $5 million in annual revenues. [41]

Nonprofit organizations are also considered small entities; however, individuals and States are not included in the definition of a small entity. Small government jurisdictions with a population of less than 50,000 are also considered small entities.

Small health entities affected include: nonprofit health plans, hospitals, and skilled nursing facilities (SNFs); small businesses providing health coverage; small physician practices; pharmacies; laboratories; durable medical equipment (DME) suppliers; health care clearinghouses; billing companies; and vendors that supply software applications to health care entities.

The U.S. Small Business Administration reports that as of 1996, there were 1,078,020 small health care establishments [42] classified within the SIC codes we have designated (Table A).


[43] Office of Advocacy, U.S. Small Business Administration, from data provided by the Bureau of the Census, Statistics of U.S. Businesses, 1996.

[44] Op. cit., 1996.

TABLE A.—NUMBER OF HEALTH CARE ENTITIES THAT MEET SBA SIZE STANDARDS, 1996 [1]

SIC   Industry                                              Total number of   Number that meet   Percent that meet
                                                            health care       SBA size           SBA size
                                                            entities          standards [2]      standards [2]
5910  Drug Stores & Proprietary Stores                              44,062           23,771            53.9
6320  Accident & Health Insurance & Medical Service Plans            3,346              428            12.8
      (Accident & Health Insurance and Hospital & Medical
      Service Plans)
8010  Offices & Clinics of Doctors of Medicine                     188,508          171,750            91.1
8020  Offices & Clinics of Dentists                                113,965          113,141            99.3
8030  Offices & Clinics of Doctors of Osteopathy                     9,168            9,000            98.2
8040  Offices & Clinics of Other Health Practitioners               85,326           83,563            97.9
8050  Nursing & Personal Care Facilities                            24,246           11,736            48.4
8060  Hospitals                                                      7,284              837            11.5
8070  Medical & Dental Laboratories                                 15,354           12,322            80.3
8080  Home Health Care Services                                     16,218            9,238            57.0
8090  Miscellaneous Health & Allied Services                        20,986           12,712            60.6
N/A   Total                                                        528,463          448,498            84.9

[1] Source: Office of Advocacy, U.S. Small Business Administration, from data provided by the Bureau of the Census, Statistics of U.S. Businesses, 1996.

[2] Less than $5,000,000 in annual revenue.

These small businesses represent 83.8% of all health care entities we have examined. [43] Small businesses represent a significant portion of the total number of health care entities but a small portion of the revenue stream for all health care entities. In 1996, the small businesses represented generated approximately $235 million in annual receipts, or 22.2% of the total revenue generated by all health care entities examined (Table B). [44] The following sections provide estimates of the number of small health care entities that will be required to comply with the rule. We should note, however, that the SBA's published annual receipts of health care industries differ substantially from the National health expenditure data that the Health Care Financing Administration (HCFA) maintains. HCFA's data are generally considered more accurate because the data are validated by several sources.

TABLE B.—ANNUAL RECEIPTS OF HEALTH CARE ENTITIES, 1996 [1]

SIC   Industry                                              Total revenue ($)   Revenue generated by   Percent of total revenue
                                                                                small entities ($) [2]  generated by small entities
5910  Drug Stores & Proprietary Stores                           91,701,331             23,762,195            25.9
6320  Accident & Health Insurance & Medical Service Plans       225,866,321                657,074             0.3
      (Accident & Health Insurance and Hospital & Medical
      Service Plans)
8010  Offices & Clinics of Doctors of Medicine                  186,598,097            102,355,549            54.9
8020  Offices & Clinics of Dentists                              46,131,244             44,811,866            97.1
8030  Offices & Clinics of Doctors of Osteopathy                  4,582,835              3,992,558            87.1
8040  Offices & Clinics of Other Health Practitioners            25,053,745             21,891,338            87.4
      Other Health Practitioners (8030 and 8040), subtotal       29,636,580             25,883,896            87.3
8050  Nursing & Personal Care Facilities                         63,625,522             14,672,710            23.1
8060  Hospitals                                                 343,314,509              2,021,845             0.6
8070  Medical & Dental Laboratories                              16,543,625              4,976,094            30.1
8080  Home Health Care Services                                  27,690,537              7,960,035            28.7
8090  Miscellaneous Health & Allied Services                     26,036,633              7,697,264            29.6
      Other Health Care Services (8070, 8080, 8090), subtotal    70,270,795             20,633,393            29.4
N/A   Total Receipts                                          1,057,144,399            234,798,528            22.2

[1] Source: Office of Advocacy, U.S. Small Business Administration, from data provided by the Bureau of the Census, Statistics of U.S. Businesses, 1996.

[2] The SBA defines a small business as a business with less than $5,000,000 in annual revenue. For consistency with the Regulation, we employ the term "entity" in place of "business".

[45] Office of Advocacy, U.S. Small Business Administration, from data provided by the Bureau of the Census, Statistics of U.S. Businesses, 1996.

[46] Op. cit., 1996.

[47] Health Care Financing Administration, OSCAR.

[48] Faulkner & Gray's Health Data Directory, 1999.

[49] International Billing Association, 1999.

The Small Business Administration reports that approximately 80 percent of the 15,000 medical laboratories and dental laboratories in the U.S. are small entities. [45] Furthermore, based on HCFA data, we estimate that 98 percent of the 160,000 durable medical equipment suppliers in the U.S. are small entities. Over 90 percent of health practitioner offices are small businesses. [46] Doctor offices (91%), dentist offices (99%), osteopathy offices (98%) and other health practitioner offices (98%) are primarily considered small businesses.

There are also a small number of hospitals, home health agencies, nonprofit nursing facilities, and skilled nursing facilities that will be affected by the proposed rule. According to the American Hospital Association, there are approximately 3,131 nonprofit hospitals nationwide. Additionally, there are 2,788 nonprofit home health agencies in the U.S. The Health Care Financing Administration reports that there are 591 nonprofit nursing facilities and 4,280 nonprofit skilled nursing facilities. [47]

While it is difficult to calculate the number of clearinghouses that meet the definition of a small business, we believe that a significant portion of the 80 health care clearinghouses that process health care claims in the U.S. have annual revenues of less than $5 million. [48] We believe that all of the 4,500 billing companies [49] that provide administrative and billing services for physicians' offices have annual revenues below $5 million per year.

Some contractors that work with health care entities will be required to adopt policies and procedures to protect information. We do not expect that the additional burden placed on contractors will be significant. We have not estimated the effect of the proposed rule on these entities because we cannot reasonably anticipate the number or type of contracts affected by the proposed rule. We also do not know the extent to which contractors would be required to modify their policy practices as a result of the rule's implementation.

2. Activities and Costs Associated with Compliance

For a summary of the basic activities that a small entity would need to undertake to comply with this rule, please refer to section III of the preamble. This discussion summarizes some of the specific activities that covered entities must undertake to comply with the proposed rule's provisions and the options considered that would reduce the burden to small entities. In developing this proposed rule, we considered a variety of alternatives for minimizing the economic burden that it will create for small entities. We could not exempt small businesses from the entire proposed rule because they represent such a large and critical proportion of the health care industry (84 percent).

The guiding principle in our considerations of how to address the burden on small entities has been to make provisions scalable. To the extent possible, we have allowed entities to determine how extensively they will address certain issues. This ability to adapt provisions to minimize burden has been addressed in earlier preamble language and will be briefly discussed again in the following section.

Before discussing specific provisions, it is important to note some of the broader questions that were addressed in formulating this proposed rule. We considered extending the compliance period for small entities but decided that because they represent such a large portion of the health care market, such an extension would be inappropriate. However, HIPAA does create an extended compliance time of 36 months for small plans. For all other time limit questions, we also considered giving small entities the same sort of extensions. For example, entities are required to either approve or deny a request to inspect and copy information within 20 days. We considered allowing small entities a longer response time. Rather than giving small entities extensions, we decided to establish time limits that we believe are reasonable for affected entities of all sizes, with the understanding that larger entities may not need as much time as they have been allocated in certain situations.

While we considered the needs of small entities during our discussions of provisions for this proposed rule, we are highlighting the most significant discussions in the following sections:

a. Scalability. Covered entities of all types and sizes would be required to comply with the proposed privacy standards outlined below. The proposed standards would not impose particular mechanisms or procedures that covered entities must adopt to implement the standards. Instead, we would require that each affected entity assess its own needs and devise, implement, and maintain appropriate privacy policies, procedures, and documentation to address its business requirements. How each privacy standard would be satisfied would be a business decision that each entity would have to make. This allows the privacy standards to establish a stable baseline, yet remain flexible enough to take advantage of developments and methods for protecting privacy that will evolve over time.

Because the privacy standards would need to be implemented by all covered entities, from the smallest provider to the largest, multi-state health plan, a single approach to implementing these standards would be neither economically feasible nor effective in safeguarding health information privacy. For example, in a small physician practice the office manager might be designated to serve as the privacy official as one of many duties (see proposed § 164.518(a)), whereas at a large health plan the privacy official may constitute a full time position and have the regular support and advice of a privacy staff or board.

In taking this approach, we intend to strike a balance between the need to maintain the confidentiality of protected health information and the economic cost of doing so. Health care entities must consider both aspects in devising their solutions. This approach is similar to the approach we proposed in the Notice of Proposed Rulemaking for the administrative simplification security and electronic signature standards.

We decided to use this scaled approach to minimize the burden on all entities, with an emphasis on small entities.

b. Minimum necessary use and disclosure. The decisions called for in determining what would be the minimum necessary information to accomplish an allowable purpose should include both a respect for the privacy rights of the subjects of the medical record and the reasonable ability of covered entities to delimit the amount of individually identifiable health information in otherwise permitted uses and disclosures. For example, a large enterprise that makes frequent electronic disclosures of similar data would be expected to remove identifiers or to limit the data fields that are disclosed to fit the purpose of the disclosure. An individual physician's office would not be expected to have the same capabilities to limit the amount of information disclosed, although, in the case of disclosures involving a small number of records, such an office could be expected to hide identifiers or to limit disclosures to certain pages of the medical record that are relevant to the purpose of the disclosure.

We understand that the requirements outlined in this section do not create a bright line test for determining the minimum necessary amount of protected health information appropriate for most uses or disclosures. Because of this lack of precision, we considered eliminating the requirement altogether. We also considered merely requiring covered entities to address the concept within their internal privacy procedures, with no further guidance as to how each covered entity would address the issue. These approaches were rejected because minimizing both the amount of protected health information used and disclosed within the health care system and the number of persons who have access to such information is vital if we are to successfully enhance the confidentiality of people's personal health information. We invite comments on the approach that we have adopted and on alternative methods of implementing the minimum necessary principle.

c. Right to restrict. We propose in § 164.506(c) to permit individuals to request that a covered entity restrict further uses and disclosures of protected health information for treatment, payment, or health care operations; if the covered entity agrees to the requested restrictions, it may not make uses or disclosures for treatment, payment, or health care operations that are inconsistent with such restrictions, unless such uses or disclosures are mandated by law. This provision would not apply to health care provided to an individual on an emergency basis.

It should be noted that there is nothing in this proposed rule that requires a health care provider to agree to a request to restrict uses or disclosures for treatment, payment, or health care operations. Providers who do not wish to, or due to contractual obligations cannot, restrict further use or disclosure are not obligated to treat an individual making a request under this provision.

If small entities view this proposed provision as overly burdensome, they would not have to provide treatment to individuals requesting restrictions. We considered requiring that providers conform to requests to restrict uses or disclosures. We rejected this approach due to the potential ethical conflicts these restrictions could pose for health care professionals and the possible burden to providers. Providers comprise a large proportion of the small businesses covered under this proposed regulation.

d. Creation of de-identified information. In this rule we are proposing that covered entities and their business partners be permitted to use protected health information to create de-identified health information. Covered entities would be permitted to further use and disclose such de-identified information in any way, provided that they do not disclose the key or other mechanism that would enable the information to be re-identified, and provided that they reasonably believe that such use or disclosure of de-identified information will not result in the use or disclosure of protected health information. This means that a covered entity could not disclose de-identified information to a person if the covered entity reasonably believes that the person would be able to re-identify some or all of that information, unless disclosure of protected health information to such person would be permitted under this proposed rule. In addition, a covered entity could not use or disclose the key to coded identifiers if this rule would not permit the use or disclosure of the identified information to which the key pertains. If a covered entity re-identifies the de-identified information, it may only use or disclose the re-identified information consistent with these proposed rules, as if it were the original protected health information. See proposed § 164.506(d)(1).

As with other components of this proposed rule, removal of identifiers from data could be scaled. Small entities without the resources to determine at what point information is truly de-identified could remove the full list of possible identifiers listed in this regulation. Unless they have reason to believe that the information could still be linked to an individual, this proposed requirement would be fulfilled. However, larger, more sophisticated entities could choose to determine independently what information needs to be removed.

Furthermore, efforts to remove identifiers from information would be optional. If an entity believes that removing identifiers would be excessively burdensome, it could choose not to release the information or to obtain an authorization from individuals before releasing any information.
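The two mechanisms described in paragraphs b and d above, limiting the data fields that are disclosed to fit the purpose of a disclosure, and creating de-identified information while keeping the re-identification key inside the covered entity, are shown together in the following Python example. The example is added here for illustration and is not part of the proposed rule or of any HHS material. Its assumptions: the identifier field names stand in for the list of identifiers the regulation enumerates (this page does not reproduce that list); a keyed hash (HMAC) over the medical record number is one possible "key or other mechanism" for coded identifiers, chosen here for illustration; and the patient records are constructed sample data.

```python
"""De-identification with a separately held re-identification key, plus a
minimum-necessary field projection. Added example; not text or code from the
proposed rule. Field names, the HMAC coding scheme and the sample records are
assumptions made for illustration."""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional

# Stand-in for the regulation's list of identifiers (assumption: the real list
# is longer; this page does not reproduce it).
DIRECT_IDENTIFIERS = frozenset({"mrn", "name", "dob", "address", "phone", "zip"})

# Constructed sample records; not real patients.
SAMPLE_RECORDS: List[Dict[str, object]] = [
    {"mrn": "MRN-000123", "name": "Jane Doe", "dob": "1961-04-02",
     "address": "12 Elm St", "phone": "555-0100", "zip": "02139",
     "diagnosis": "J45.20", "encounter_date": "1999-10-15", "charge": 120.0},
    {"mrn": "MRN-000456", "name": "John Roe", "dob": "1974-11-30",
     "address": "9 Oak Ave", "phone": "555-0199", "zip": "02140",
     "diagnosis": "E11.9", "encounter_date": "1999-10-16", "charge": 85.5},
    {"mrn": "MRN-000123", "name": "Jane Doe", "dob": "1961-04-02",
     "address": "12 Elm St", "phone": "555-0100", "zip": "02139",
     "diagnosis": "J45.20", "encounter_date": "1999-10-22", "charge": 60.0},
]


class ReidentificationKey:
    """Holds the secret that maps coded subjects back to identified records.

    The de-identified output may leave the covered entity; this object (the
    'key or other mechanism') must not go with it.
    """

    def __init__(self, secret: Optional[bytes] = None) -> None:
        self._secret = secret if secret is not None else secrets.token_bytes(32)
        self._codes_to_mrn: Dict[str, str] = {}

    def code_for(self, mrn: str) -> str:
        # Keyed hash: one MRN always yields the same code under this key, so a
        # patient's encounters stay linkable, but without the secret a recipient
        # cannot recompute codes from guessed MRNs (a plain hash would allow that).
        digest = hmac.new(self._secret, mrn.encode("utf-8"), hashlib.sha256)
        code = digest.hexdigest()[:16]
        self._codes_to_mrn[code] = mrn
        return code

    def reidentify(self, code: str) -> str:
        # Only where disclosure of the identified information itself would be
        # permitted; the result is protected health information again.
        return self._codes_to_mrn[code]


def minimum_necessary(records: Iterable[Dict[str, object]],
                      purpose_fields: Iterable[str]) -> List[Dict[str, object]]:
    """Keep only the fields the stated purpose needs: the 'limit the data
    fields' step expected of an entity making routine electronic disclosures."""
    wanted = list(purpose_fields)
    return [{f: rec[f] for f in wanted if f in rec} for rec in records]


def deidentify(records: Iterable[Dict[str, object]],
               key: ReidentificationKey) -> List[Dict[str, object]]:
    """Drop every listed identifier and replace the MRN with a coded subject id."""
    out = []
    for rec in records:
        stripped = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        stripped["subject_code"] = key.code_for(str(rec["mrn"]))
        out.append(stripped)
    return out


def contains_direct_identifier(record: Dict[str, object]) -> bool:
    return any(field in DIRECT_IDENTIFIERS for field in record)


def prepare_release(records: Iterable[Dict[str, object]],
                    purpose_fields: Iterable[str],
                    key: ReidentificationKey) -> List[Dict[str, object]]:
    """Minimum-necessary projection first, then de-identification, then a
    final check that nothing on the identifier list slipped through."""
    projected = minimum_necessary(records, list(purpose_fields) + ["mrn"])
    released = deidentify(projected, key)
    if any(contains_direct_identifier(r) for r in released):
        raise ValueError("release still carries a direct identifier")
    return released


if __name__ == "__main__":
    k = ReidentificationKey()
    for row in prepare_release(SAMPLE_RECORDS, ["diagnosis", "encounter_date"], k):
        print(row)
```

The projection runs before de-identification so that fields the purpose does not need never reach the output at all; the keyed hash keeps repeat encounters of one patient linkable for the recipient without giving the recipient any way to reverse the code, and the `ReidentificationKey` object is the only thing that can. Whether a particular recipient could nevertheless re-identify the data from what remains (the "reasonably believes" judgment in paragraph d) is a decision the code cannot make for the entity.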

e. Uses and disclosures with individual authorization. Covered entities must obtain individual authorization to use protected health information for purposes other than those allowed under the proposed rule. Activities requiring authorization would include, for example, marketing and eligibility determinations for health coverage or employment. Costs would be ongoing for staffing and administrative activities related to obtaining authorization from individuals.

In establishing the requirement for covered entities to obtain patient authorization to use individually identifiable health information for purposes other than those allowed under the proposed rule, we decided to include in the proposed rule a model "request for authorization." By following such a model, covered entities, particularly small entities, could avoid the legal and administrative expenses that would be necessary to develop an authorization form that complies with the proposed rule's standards. The proposed rule would not prevent entities from developing their own patient authorization forms or from modifying existing forms in a manner consistent with the model.


The alternative to providing this model would be to state that an authorization would be required and allow entities to develop the authorization. We believe that providing no guidance in this area would have caused unnecessary difficulties and burdens for small entities.

f. Uses and disclosures permitted without authorization. This proposed rule would not require any uses or disclosures other than to the subject individual and to the Secretary for compliance. If small entities believe that the costs of making such discretionary disclosures are too high, they could choose not to make such disclosures. We would allow all covered entities, but particularly small entities, to base their decisions about these disclosures on any criteria that they believe to be important. We expect that the additional costs related to these disclosures would be factored into their decisions.

In cases where uses or disclosures without authorization are required by other law, we would attempt to minimize costs by not requiring application of the minimum necessary principle.

g. Notice to individuals of rights and procedures. The proposed rule would require covered entities to prepare and make available a notice that informs patients about their privacy rights and the entity's actions to protect privacy. Entities that do not already comply with the proposed rule's requirements would incur one-time legal and administrative costs. In addition, plans would incur ongoing costs related to the dissemination of the notice at least once every three years, and all covered entities would have ongoing costs related to dissemination to new individuals requesting services and to requests for copies of the notice. Entities would also incur ongoing costs related to answering questions that are associated with the notice.

In discussing the requirement for covered entities to prepare and make available a notice regarding patient privacy rights and the entity's privacy practices, we considered exempting small businesses. Because this would exempt 84 percent of firms, we decided not to create this exemption. The second option would be to exempt extremely small entities. One discussion defined such entities as those with fewer than 10 employees. We decided that informing consumers of their privacy rights and of the activities of covered entities with which they conduct business was too important to exempt any entities.

In addition to requiring a basic notice, we considered requiring a longer, more detailed notice that would be available to individuals on request. However, we decided that making information available on request and allowing the covered entity to decide how best to provide such information represents a more balanced approach. We believe that it would be overly burdensome to all entities, especially small entities, to require two notices.

We considered prescribing specific language that each covered plan or provider would include in its notice. The advantages of this approach would be that the recipient would receive exactly the same information from each covered plan or provider in the same format and that it would be convenient for covered entities to use a uniform model notice.

There are, however, several disadvantages to this approach. First, and most importantly, no model notice could fully capture the information practices of every covered plan or provider. Large entities will have information practices different from those of small entities. Some health care providers, for example academic teaching hospitals, might routinely disclose identifiable health information for research purposes. Other health care providers might rarely or never make such disclosures. To be useful to individuals, each entity's notice of information practices should reflect its unique privacy practices.

Another disadvantage of prescribing specific language is that it would limit each covered plan or provider's ability to distinguish itself in the area of privacy protections. We believe that if information on privacy protections becomes readily available, individuals might compare and select plans or providers based on their information practices. In addition, a uniform model notice could easily become outdated. As new communication methods or technologies are introduced, the content of the notices might need to reflect those changes.

We believe that the proposed rule appropriately balances a patient’s need for information and assurances regarding privacy with the covered entities’ need for flexibility in describing their operations and procedures to protect patient privacy. Instead of a model notice, we have included a sample notice to guide the development of notices. We believe that this is an appropriate way to reduce the burden on all entities, including those classified as small.

h. Administrative requirements for covered entities. We propose that covered entities be required to implement five basic administrative requirements to safeguard protected health information: designation of a privacy official, the provision of privacy training, establishment of safeguards, a complaint process, and establishment of sanctions. Implementation of these requirements would vary depending on a variety of factors such as type of entity (e.g., provider or plan), size of entity (e.g., number of employees, number of patients), the level of automation within the entity (e.g., electronic medical records), and organization of the entity (e.g., existence of an office of information systems, affiliation with a medical school).

In proposed § 164.518(a), we would require covered plans and providers to designate a privacy official to be responsible for the development of policies for the use and disclosure of protected health information and for the supervision of personnel with respect to use and disclosure of protected health information. The designation of a privacy official would focus the responsibility for development of privacy policy.

The implementation of this requirement would depend on the size of the entity. For example, a small physician’s practice might designate the office manager as the privacy official, and he or she would assume this as one of his or her broader administrative responsibilities. A large entity might appoint an individual whose sole responsibility is privacy policy, and that individual could choose to convene a committee representing several different components of the entity to develop and implement privacy policy.

In proposed § 164.518(b), we would require covered entities to provide training on their policies and procedures with respect to protected health information. Entities would determine the most effective means of communicating with their workforce. For example, in a small physician practice, the training requirement could be satisfied by providing each new member of the workforce with a copy of the practice’s information policies and requiring members of the workforce to acknowledge that they have reviewed the policies. A large health plan could provide a training program with live instruction, video presentations, or interactive software programs. The small physician practice’s solution would not protect the large plan’s data, and the plan’s solution would be neither economically feasible nor necessary for the small physician practice.

In proposed § 164.518(c), we would require covered entities to put in place administrative, technical, and physical safeguards to protect against any reasonably anticipated threats or hazards to the privacy of the information, and against unauthorized uses or disclosures of the information.

In proposed § 164.518(d), we would require covered plans and providers to have some mechanism for receiving complaints from individuals regarding the covered plan’s or provider’s compliance with the requirements of this proposed rule. We considered requiring covered plans and providers to provide a formal internal appeal mechanism, but rejected that option as too costly and burdensome for some entities. We also considered eliminating this requirement entirely, but rejected that option because a complaint process would give covered plans or providers a way to learn about potential problems with privacy policies or practices, or with training. We also hope that providing an avenue for covered plans or providers to address complaints would lead to increased consumer satisfaction. We believe this approach strikes a reasonable balance between allowing covered plans or providers flexibility and accomplishing the goal of promoting attention to improvement in privacy practices.

In proposed § 164.518(e), we would require all covered entities to develop, and apply when appropriate, sanctions for failure to comply with the policies or procedures of the covered entity or with the requirements of this proposed rule. We expect that sanctions would be more formally described and more consistently carried out in larger, more sophisticated entities. Smaller, less sophisticated entities would be given more latitude and flexibility. For such entities, we would not expect a prescribed sanctions policy, but we would expect that action be taken if repeated violations occur.

i. Documentation requirements for covered entities. We are proposing that covered entities be required to document policies and procedures in several important areas. These areas would include use within the entity; informing business partners; disclosures with and without authorization; limitations on use and disclosure for self-pay; inspection and copying; amendment or correction; accounting for uses and disclosures; notice development, maintenance, and dissemination; sanctions; and complaint procedures. We considered whether formal documentation of these policies would be necessary. A key factor in making this decision was determining the burden on entities, particularly the burden on small entities. We also considered whether it would be reasonable to exempt very small entities from this provision. For example, entities with fewer than ten employees might be able to communicate policies and procedures effectively by word of mouth. We decided that we needed to include all entities in the provision because these documentation requirements are intended as tools to educate management, employees, and business partners about the consideration that should be given to protecting the privacy of health information.

3. The Burden on a Typical Small Business

We expect that small entities will face a cost burden as a result of complying with the proposed regulation. We estimate that the burden of developing privacy policies and procedures is lower in dollar terms for small businesses than for large businesses, but we recognize that the cost of implementing privacy provisions will be a larger burden to small entities as a proportion of total revenue. Because of these concerns, we rely on the principle of scalability stated in the proposed rule, and have based our cost estimates on the expectation that small entities will develop less expensive and less complex privacy measures than large entities.

In many cases, we have specifically considered the impact that the proposed rule may have on solo practitioners or rural providers. Where these providers do not have large technical systems, it is possible that the regulation may not apply to them, or that they will not be required to change their business practices other than adhering to the basic requirements that they state their privacy policies and notify patients of their privacy rights. For both activities, the proposed regulation accounts for the activities and size of the practice. Scalability implies that in developing policies and procedures to comply with the proposed regulation, businesses should consider their basic functions and the amount of health information exchanged electronically. All covered entities must take appropriate steps to address privacy concerns, and in determining the scope and extent of their compliance activities, businesses should weigh the costs and benefits of alternative approaches and should scale their compliance activities to their structure, functions, and capabilities.

Our analysis of the costs to small businesses is divided into three sections: (1) initial start-up costs associated with development of privacy policy; (2) initial start-up costs associated with system change; and (3) ongoing costs, including notification of privacy policies.

Overall, our analysis suggests that the average start-up cost of complying with the proposed rule is $396 per entity. This includes the cost of developing privacy policies and of systems compliance changes (Table C). The ongoing costs of privacy compliance are approximately $337 per entity in the first year and $343 every year thereafter (Table D). The total of initial and ongoing costs of the proposed regulation in the first year is $733 per entity. After the first year, the total compliance cost to the entity is $343 per year. We estimate that the average cost of compliance in the first year (initial plus ongoing) is approximately 0.12 percent of a small entity’s annual expenditures. The average cost of ongoing privacy compliance in later years is approximately 0.05 percent of a small entity’s annual expenditures.

Our cost calculations are based on several assumptions. The cost of developing privacy policies is based on figures from the regulatory impact analysis that accompanied the HIPAA National Provider Identifier (63 FR 25320). The cost of initial systems compliance is based on current assumptions about market behavior, including the assumption that a relatively small proportion of the total cost of system compliance (20 percent) will be absorbed by small covered entities. We evaluated the ongoing costs of an entity’s privacy protection by assuming that those costs are proportional to the number of patients served by the business. For example, the cost of notifying patients of privacy practices will be directly proportional to the number of patients served. We then multiplied the small-entity share of receipts by the total ongoing costs of privacy compliance.

Initial Costs

Table C shows the results of our calculations of the cost of initial compliance. We calculated initial privacy policy costs separately from initial system compliance costs because we made different assumptions about the cost of each. To calculate initial privacy policy costs per small entity, we multiplied the estimated cost of developing privacy policies (per entity) by the number of establishments. We then averaged these costs and computed that the average cost of developing privacy policies is $334.31 per small entity. The average cost of implementing privacy policies is greater than the $300 cost we assume most health care provider offices will pay, because we assume that small health plans, hospitals, and nursing and patient care services will spend between $500 and $1,000 to implement privacy policies. Calculating the cost of system compliance per entity required us to estimate the percent of total system costs that each type of entity would incur. We used the $90 million figure (cited in the RIA) as the basis for distributing system compliance costs across the various types of entities affected by the proposed rule. We estimated how this cost would be divided between small and large entities, and among plans, providers, and clearinghouses.

[50] We are not suggesting that these investments are exclusively computer-related. They may also include costs for personnel training, reorganization, and contract negotiations with outside entities.

[51] Health Care Finance Administration, 1996, http://www.hcfa.gov/stats/nheoact/tables/t10.htm

TABLE C.—ANNUAL COST OF IMPLEMENTING PROVISIONS OF THE PROPOSED PRIVACY REGULATION IN THE FIRST YEAR (dollars per small entity)

Column key: (a) initial privacy policy cost; (b) initial system compliance cost (1); (c) notice development cost; (d) total initial compliance cost (2) = (a)+(b)+(c); (e) first-year notice issuance cost; (f) annual amendment and correction cost; (g) annual written authorization cost; (h) total annual ongoing cost in the first year = (e)+(f)+(g); (i) total initial and ongoing cost in the first year = (d)+(h). Totals may differ from the column sums by a cent because of rounding.

| Industry | (a) | (b) | (c) | (d) | (e) | (f) | (g) | (h) | (i) |
|---|---|---|---|---|---|---|---|---|---|
| Drug Stores & Proprietary Stores (3) | 300 | 131.19 | 59.40 | 490.58 | 118.26 | 768.64 | 102.55 | 989.45 | 1,480.03 |
| Accident & Health Insurance & Medical Service Plans (3) (Accident & Health Insurance and Hospital & Medical Service Plans) | 1,000 | 1,939.86 | 203.91 | 3,143.77 | 314.02 | 127.60 | 17.02 | 458.65 | 3,602.41 |
| Offices & Clinics of Doctors of Medicine | 300 | 21.04 | 21.20 | 342.24 | 42.21 | 260.93 | 34.81 | 337.96 | 680.20 |
| Offices & Clinics of Dentists | 300 | 7.43 | 13.25 | 320.68 | 26.39 | 163.11 | 21.76 | 211.26 | 531.94 |
| Offices & Clinics of Other Health Practitioners | 300 | 11.10 | 17.82 | 328.92 | 35.47 | 219.29 | 29.26 | 284.02 | 612.94 |
| Nursing & Personal Care Facilities | 1,500 | 117.15 | 49.63 | 1,666.79 | 98.82 | 610.88 | 81.50 | 791.20 | 2,457.99 |
| Hospitals | 1,500 | 7,362.22 | 79.65 | 8,941.87 | 158.59 | 980.36 | 130.80 | 1,269.75 | 10,211.62 |
| Home Health Care Services | 300 | 58.06 | 30.66 | 388.72 | 61.05 | 377.38 | 50.35 | 488.77 | 877.49 |
| Other Health Care Services including Lab Services | 300 | 19.83 | 10.84 | 330.68 | 21.59 | 133.47 | 17.81 | 172.87 | 503.55 |
| Average Cost | 334.31 | 40.13 | 21.17 | 395.61 | 42.05 | 260.23 | 34.72 | 337.00 | 732.61 |

(1) The SBA defines small health care entities as those with annual revenue under $5,000,000.
(2) Total initial compliance cost includes policy implementation and systems compliance costs.
(3) Includes some entities not covered by this regulation. Pharmacies are the only component of Drug Stores and Proprietary Stores covered by the regulation. Accident and workers compensation insurance are not covered by the regulation.

TABLE D.—ANNUAL COST OF IMPLEMENTING PROVISIONS OF THE PROPOSED PRIVACY REGULATION, AFTER THE FIRST YEAR (dollars per small entity (1))

Column key: (a) annual notice issuance cost after the first year; (b) annual amendment and correction cost; (c) annual written authorization cost; (d) annual ongoing cost for paperwork and training; (e) total annual ongoing cost after the first year = (a)+(b)+(c)+(d). Totals may differ from the column sums by a cent because of rounding.

| Industry | (a) | (b) | (c) | (d) | (e) |
|---|---|---|---|---|---|
| Drug Stores & Proprietary Stores (2) | 73.26 | 768.64 | 102.55 | 20 | 964.45 |
| Accident & Health Insurance & Medical Service Plans (2) (Accident & Health Insurance and Hospital & Medical Service Plans) | 314.02 | 127.60 | 17.02 | 60 | 518.65 |
| Offices & Clinics of Doctors of Medicine | 26.15 | 260.93 | 34.81 | 20 | 341.90 |
| Offices & Clinics of Dentists | 16.35 | 163.11 | 21.76 | 20 | 221.22 |
| Offices & Clinics of Other Health Practitioners | 21.97 | 219.29 | 29.26 | 20 | 290.52 |
| Nursing & Personal Care Facilities | 61.22 | 610.88 | 81.50 | 100 | 853.59 |
| Hospitals | 98.24 | 980.36 | 130.80 | 100 | 1,309.40 |
| Home Health Care Services | 37.82 | 377.38 | 50.35 | 20 | 485.54 |
| Other Health Care Services including Lab Services | 13.38 | 133.47 | 17.81 | 20 | 184.65 |
| Average Cost | 26.16 | 260.23 | 34.72 | 22.28 | 343.39 |

(1) The SBA defines small health care entities as those with annual revenue under $5,000,000.
(2) Includes some entities not covered by this regulation. Pharmacies are the only component of Drug Stores and Proprietary Stores covered by the regulation. Accident and workers compensation insurance are not covered by the regulation.

Our calculations regarding division of costs are based on two assumptions: (1) system costs are principally fixed costs associated with the purchase of hardware and software [50]; and (2) large entities will continue to invest more heavily in hardware and software than small entities. We estimate that 80 percent of the system costs will be borne by large entities. The remaining 20 percent of total systems costs will be absorbed by small entities. To calculate the effect on small businesses, we multiplied the system compliance costs cited in the RIA by the proportion of the costs we expect small entities to incur (20 percent of the total). We then multiplied the total cost of system compliance for small entities by the percentage of health care revenue by industry and calculated a cost per entity.

We used HCFA’s estimate of total national health expenditures to calculate the percent of total health care business that is represented by each type of health care entity. We calculated the proportion of business transacted by a type of health care entity (by SIC code) and multiplied this by the total expenditures ($1.084 trillion total) [51]. National expenditure data is a useful measure for allocating system compliance costs for two reasons. First, even though system compliance costs are primarily fixed costs, we assume that they bear some relationship to the size and level of activity of the entity; similarly, national expenditures vary according to both size and level of activity. Second, in contrast to the annual receipts compiled by the Business Census Survey, national expenditure information compares its data to other sources in order to validate its results. Thus, we decided that the national expenditure data are a more reliable source of overall business activity for our purposes. Based on these assumptions, we believe that the total cost of system compliance for all small health care entities will be approximately $18 million (20 percent of the $90 million cited in the RIA). Dividing this cost by the number of small entities suggests that the average cost of system compliance is $40.13 per entity.

The cost of notice development is approximately $21 per small entity. We assume that many small providers will receive assistance developing their notice policies from professional associations. Thus, the overall cost of developing compliant notices is significant, but the cost per entity is small. The cost to small entities of developing notices is based on the proportion of expenditures generated by small entities. We recognize that this may not adequately capture the costs of developing a provider’s or plan’s notice of its privacy policies, and invite comment on our approach.

We added the per-entity cost of privacy policy implementation to the cost of systems compliance to determine the total average cost of start-up compliance. Our figures indicate that initial compliance will cost an average of $396 per small entity. These costs vary across entity type (Table C). For example, small hospitals have a much higher cost of compliance than the average for all small entities, whereas dentists’ offices tend to have initial compliance costs that are lower than the average. Most small practitioner offices have low costs ($320 per dentist office), whereas small hospitals ($8,942 per entity) and small insurance companies ($3,144 per entity) have much higher costs than other health care entities.

Finally, we attempted to estimate the impact of compliance costs on small entities by comparing the cost of complying with the proposed rule to an entity’s annual expenditures (Table E). We computed small entity expenditures as a percent of national expenditures by calculating the proportion of small business receipts (from census data compiled for the SBA) that apply to segments of the health care market. Although we believe that the SBA data understates the amount of annual receipts, we assumed that the underestimates are consistent across all entities. Thus, although the dollar amounts reported by the SBA are incorrect, our assumption is that the proportion of small entity receipts relative to total annual receipts is correct.

Applying the percent of small entity receipts to the national expenditure data allows us to estimate the percent of national expenditures represented by small entities. We then considered the total compliance cost (initial and ongoing) as a percent of small business expenditures. Our estimates suggest that the cost of complying with the proposed rule represents approximately 0.12 percent of total annual expenditures for a small health care entity in the first year. The relative cost of complying with the proposed rule is substantially lower in subsequent years, representing about 0.05 percent of an entity’s annual expenditures. The relative cost of complying with the proposed regulation is highest for small health insurers (1.03 percent of expenditures). These costs will be higher because of the volume and complexity of health plan billing systems; health plans are required to implement more policies and procedures to protect health information because they handle so much personally identifiable information. Because health plan costs are higher and there are fewer plans than other types of entities affected by the regulation, these costs result in a higher annual cost per small health plan. Table E further illustrates the cost impact by type of entity in the first year.

TABLE E.—SMALL ENTITY BUSINESS EXPENDITURES AND PROPORTION OF ANNUAL EXPENDITURES REPRESENTED BY INITIAL AND ONGOING COMPLIANCE COSTS IN THE FIRST YEAR *

Column key: (a) total annual initial and ongoing costs in the first year, per small entity (dollars); (b) annual expenditure per small entity (dollars) (1); (c) compliance cost as a percentage of a small entity’s annual expenditures = (a)/(b) × 100.

| Industry | (a) | (b) | (c) |
|---|---|---|---|
| Drug Stores & Proprietary Stores (2) | 1,480.03 | 2,046,199 | 0.07 |
| Accident & Health Insurance & Medical Service Plans (2) (Accident & Health Insurance and Hospital & Medical Service Plans) | 3,602.41 | 350,467 | 1.03 |
| Offices & Clinics of Doctors of Medicine | 680.20 | 695,560 | 0.10 |
| Offices & Clinics of Dentists | 531.94 | 434,260 | 0.12 |
| Offices & Clinics of Other Health Practitioners | 612.94 | 583,805 | 0.10 |
| Nursing & Personal Care Facilities | 2,457.99 | 1,629,755 | 0.15 |
| Hospitals | 10,211.62 | 2,660,215 | 0.38 |
| Home Health Care Services | 877.49 | 1,003,475 | 0.09 |
| Other Health Care Services including Lab Services | 503.55 | 351,146 | 0.14 |
| Average Cost | 732.61 | 625,992 | 0.12 |

* The SBA defines small health care entities as those with annual revenue under $5,000,000.
** Total initial compliance cost includes policy implementation and systems compliance costs.
(1) Based on the assumption that the proportion of revenue generated by small businesses approximates the proportion of expenditures faced by small businesses.
(2) Includes some entities not covered by this regulation. Pharmacies are the only component of Drug Stores and Proprietary Stores covered by the regulation. Accident and workers compensation insurance are not covered by the regulation.

Ongoing Costs

In this section, we evaluate the ongoing costs of providing patient notices, the annual cost of amending and correcting medical information, the cost of providing written authorizations, and the ongoing cost of paperwork and training. We estimated the ongoing costs of compliance through calculations similar to those used for our systems compliance estimates. Ongoing costs are most heavily influenced by the size of the business. Therefore, we assume that an entity’s ongoing compliance costs are directly proportional to the number of patients it serves.

[52] Office of Advocacy, U.S. Small Business Administration, from data provided by the Bureau of the Census, Statistics of U.S. Businesses, 1996.

We estimated market share using Small Business Administration data estimating total receipts [52]. We divided the small entity receipts by total receipts and arrived at an estimate that 22 percent of the revenue generated by the health care classifications we examined is from small businesses. Using annual receipts to estimate cost burden is more accurate than using information on the number of health care entities: receipts are more closely correlated with the number of patients served, and therefore with the amount of business an entity conducts, than a simple count of businesses is. Because it is difficult to find a single good estimate of market share, we considered estimating market share over a range, using the proportion of annual receipts as a lower bound and the proportion of entities as the upper bound. We concluded that even if the SBA data does not capture the total amount of health care receipts accurately, estimating market share from receipts would be much more accurate than using the number of entities.

We multiplied the percent of total receipts by the total ongoing costs (by entity type) to obtain a range of ongoing costs for small entities. We were then able to divide these costs by the number of small entities of each type. We estimated ongoing costs in the first year that the proposed rule takes effect separately from our estimate of ongoing costs in the following years. The estimates were approximately the same: $337 and $343, respectively.

We estimate that the ongoing cost of compliance will be approximately 0.05 percent of a small entity’s annual expenditures. This cost burden is fairly consistent across all types of entities.

Clearinghouses and Nonprofit Entities

We should note that the above discussion does not separately consider health care clearinghouses, or nonprofit hospitals, home health agencies, and nursing and skilled nursing facilities. To the extent that clearinghouses and nonprofit facilities have annual receipts of less than $5 million, they were included in the preceding analysis.

Although we do not have precise information on the number of clearinghouses that qualify as small entities under the RFA, we believe that approximately half would meet the criteria. As noted in the regulatory impact analysis, as long as clearinghouses perform the function of merely reformatting information they receive and transmitting the data to other entities, the cost of complying with the proposed rule should be minimal.

A similar logic applies to nonprofit health plans and hospitals. We do know how many nonprofit organizations currently exist in the U.S., but do not have reliable revenue and expenditure data for these entities. In the absence of such data, we assume that nonprofit entities have a similar ratio of revenues to expenditures as the for-profit entities we have examined. Thus, we believe that the impact of complying with the proposed rule should be similar to that described for for-profit plans and hospitals.

The preceding analysis indicates that the expected burden on small entities of implementing the proposed rule would be minimal. However, by necessity, the analysis is based on average costs, and as such it may not reflect the actual burden on some or even a substantial number of small entities. Therefore, the Secretary does not certify that the proposed rule will not have a significant impact on a substantial number of small entities.

VI. Unfunded Mandates

The Unfunded Mandates Reform Act of 1995 (Pub. L. 104–4) requires cost-benefit and other analyses for rules that would cost more than $100 million in a single year. The proposed rule qualifies as a significant rule under the statute. DHHS has carried out the cost-benefit analysis in sections D and E of this document, which includes a discussion of unfunded costs to the states resulting from this regulation.

A. Future Costs

DHHS estimates some of the future costs of the proposed rule in Section E of the Preliminary Regulatory Impact Analysis of this document. The reported costs include costs incurred during the compliance period and up to 5 years after the effective date. The same section also includes some qualitative discussion of costs that would occur beyond that time period. Most of the costs of the proposed rule, however, would occur in the years immediately after the publication of a final rule. Future costs beyond the five-year period will continue but will not be as great as the initial compliance costs.

B. Particular Regions, Communities, or Industrial Sectors

The proposed rule applies to the health care industry and would, therefore, affect that industry disproportionately. Any long-run increase in the costs of health care services would largely be passed on to the entire population of consumers.

C. National Productivity and Economic Growth

The proposed rule is not expected to substantially affect productivity or economic growth. It is possible that productivity and growth in certain sectors of the health care industry could be slightly lower than otherwise because of the need to divert research and development resources to compliance activities. The diversion of resources to compliance activities would be temporary. Moreover, DHHS anticipates that, because the benefits of privacy are large, both productivity and economic growth would be higher than in the absence of the proposed rule. In section I.A. of this document, DHHS discusses its expectation that this proposed rule would increase communication among consumers, health plans, and providers, and that implementation of privacy protections will lead more people to seek health care. The increased health of the population will lead to increased productivity and economic growth.

D. Full Employment and Job Creation

Some of the human resources devoted to delivery of health care services would be redirected by the proposed rule. The proposed rule could lead to some short-run changes in employment patterns as a result of the structural changes within the health care industry. The growth of employment (job creation) in the roles typically associated with the health care professions could also temporarily change, but this would be balanced by an increased need for those who can assist entities with complying with this proposed rule. Therefore, while there could be a temporary slowing of growth in traditional health care professions, that will be offset by a temporary increase in growth in fields that may assist with compliance with this proposed rule (e.g., legal professionals and management consultants).

E. ExportsBecause the proposed rule does not

mandate any changes in products,current export products will not berequired to change in any way.

VII. Environmental Impact

The Department has determined under 21 CFR 25.30(K) that this action is of a type that does not individually or cumulatively have a significant effect on the human environment. Therefore, neither an environmental assessment nor an environmental impact statement is required.

VIII. Collection of Information Requirements

Under the Paperwork Reduction Act of 1995 (PRA), agencies are required to provide a 60-day notice in the Federal Register and solicit public comment before a collection of information requirement is submitted to the Office of Management and Budget (OMB) for review and approval. In order to fairly evaluate whether an information collection should be approved by OMB, section 3506(c)(2)(A) of the PRA requires that we solicit comment on the following issues:

• Whether the information collection is necessary and useful to carry out the proper functions of the agency;

• The accuracy of the agency’s estimate of the information collection burden;

• The quality, utility, and clarity of the information to be collected; and

• Recommendations to minimize the information collection burden on the affected public, including automated collection techniques.

Under the PRA, the time, effort, and financial resources necessary to meet the information collection requirements referenced in this section are to be considered. Due to the complexity of this regulation, and to avoid redundancy of effort, we are referring readers to Section IV (Regulatory Impact Analysis) above, to review the detailed cost assumptions associated with these PRA requirements. We explicitly seek, and will consider, public comment on our cost assumptions, as they relate to the PRA requirements summarized in this section.

SUMMARY PRA BURDEN HOURS

Provision                                                                                    Burden (in hours)
§ 160.204 Process for requesting exceptions ............................................................ 160
§ 164.506 General standards and implementation specifications for uses and disclosures of
          protected health information ............................................................. * TBD
§ 164.508 Standards and implementation specifications for uses and disclosures for which
          individual authorization would be required ............................................ 3,561,076
§ 164.510 Standards and implementation specifications for uses and disclosures for which
          individual authorization would not be required ............................................ 8,903
§ 164.512 Notice of privacy practices; rights and procedures .................................... 7,273,952
§ 164.514 Access to protected health information; rights and procedures ............................ * TBD
§ 164.515 Accounting for uses and disclosures of protected health information ...................... * TBD
§ 164.516 Amendment and correction; rights and procedures .......................................... * TBD
§ 164.520 Development and documentation of policies and procedures .............................. 2,927,000
§ 164.522 Compliance and Enforcement ................................................................ 2,500
Total Hours .................................................................................... 13,773,591

* Burden to be determined based upon public comment.

Section 160.204 Process for Requesting Exceptions.

Section 160.204 would require States to: (1) Submit a written request, that meets the requirements of this section, to the Secretary to except a provision of State law from preemption under § 160.203; (2) submit a new request to the Secretary, should there be any changes to the standard, requirement, or implementation specification or provision of State law upon which an exception previously was granted, and (3) submit a written request for an extension of the exception prior to the end of the three-year approval period for a given exception. In addition, § 160.204 would require a State to submit a written request for an advisory opinion to the Secretary that meets the requirements of § 160.204.

The burden associated with these requirements is the time and effort necessary for a State to prepare and submit the written request for preemption or advisory opinion to HCFA for approval. On an annual basis it is estimated that it will take 10 States 16 hours each to prepare and submit a request. The total annual burden associated with this requirement is 160 hours.

Section 164.506 General Standards and Implementation Specifications for Uses and Disclosures of Protected Health Information

Given that the burden associated with the following information collection requirements will differ significantly, by the type and size of plan or provider, we are explicitly soliciting comment on the burden associated with the following requirements:

• Except for disclosures of protected health information by a covered entity that is a health care provider to another health care provider for treatment purposes, § 160.204(e) would require a covered entity to maintain documentation demonstrating that they have entered into a contract that meets the requirements of this part with each of their business partners;

• A covered entity would have to make all reasonable efforts not to use or disclose more than the minimum amount of protected health information necessary to accomplish the intended purpose of the use or disclosure;

• A covered entity could use protected health information to create de-identified information if the individually identifiable information has been removed, coded, encrypted, or otherwise eliminated or concealed.

Section 164.508 Standards and Implementation Specifications for Uses and Disclosures for Which Individual Authorization Would Be Required

Pursuant to the conditions set forth in this section, a covered entity would need to obtain a written request from an individual, before it uses or discloses protected health information of an individual. A copy of the model form which appears in Appendix to Subpart E of Part 164, or a form that contains the elements listed in paragraphs (c) or (d) of this section, as applicable, would need to be accepted by the covered entity.

The burden associated with these proposed requirements is the time and effort necessary for a covered entity to obtain written authorization prior to the disclosure of identifiable information. On an annual basis it is estimated that it will take 890,269 entities, a range of 0 to 80 hours per entity to obtain and maintain authorization documentation on an annual basis. Given that we believe the majority of the covered entities will be minimally affected by this requirement, we estimate the annual average burden per entity to be 4 hours for a total annual burden of 3,561,076 hours. Collecting such authorization should have costs on the order of those associated with providing access to records (not on a per page basis). Since the proposed requirement does not apply to treatment and payment, assuming 1% of the 543 million health care encounters might be reasonable. At a cost of about $10 each, the aggregate cost would be about $54 million. Therefore, on average the cost per entity would be about $60, with many entities receiving no requests and thus having no costs.

Section 164.510 Standards and Implementation Specifications for Uses and Disclosures for Which Individual Authorization Would Not Be Required

A covered entity could disclose protected health information to a health researcher for health research purposes subject to 45 CFR part 46 and purposes other than those subject to 45 CFR part 46, provided that the covered entity has obtained written documentation demonstrating that the applicable requirements proposed in this section have been met.

The burden associated with these proposed requirements is the time and effort necessary for a covered entity to maintain documentation demonstrating that they have obtained institutional review board or privacy board approval, which meet the requirements of this section. On an annual basis it is estimated that this proposed requirement will affect 1% or 8,903 of covered entities. We further estimate that it will take an average of 1 hour per entity to meet these proposed requirements on an annual basis. Therefore, the total estimated annual burden associated with this proposed requirement is 8,903 hours.

Section 164.512 Notice of Privacy Practices; Rights and Procedures

Section 164.512 would require covered entities to provide written notice of the entities’ privacy practices, rights, and procedures that meet the requirements of this section to affected parties upon request and as summarized below.

Health plans would provide a copy of the notice to an individual covered by the plan at enrollment and whenever the content of the notice is significantly altered thereafter, but no less frequently than once every three years. Total notice counts are estimated to be about 230 million, assuming plans choose to send them out annually rather than keeping track of duration since last notice. The average number of notices per plan per year would be about 1,200. For the approximately 19,000 plans issuing notices, the number of notices can be as few as 1,000 for a small self-insured self-administered employer, or as many as a million or more for a large commercial insurer or HMO. We further estimate that it will require each plan, on average, 8 hours to disseminate the required notices. This estimate is based upon the assumption that the required notice will be incorporated and disseminated with a plan’s annual policy materials. The total burden associated with this requirement is calculated to be 151,800 hours.

Health care providers would provide a copy of the notice to an individual at the time of first service delivery to the individual, provide as promptly as possible a copy of the notice to an individual served by the provider whenever the content of the notice is significantly altered, post a copy of the notice in a location where it is reasonable to expect individuals seeking services from the provider to be able to read the notice, and date each version of the notice. Total notices in the first year are estimated to be about 700 million (based on annual patient contacts with hospitals, physicians, and other providers), with subsequent year counts of 350 million. Small providers could be providing 400 or fewer notices (based on 150 million persons with ambulatory physician contacts per year and approximately 370,000 physician offices). The overall average will also be close to that amount, since the bulk of providers are small entities. Large providers could be sending out 3,000 or more notices (based on 20 million persons with hospitalizations and approximately 6600 hospitals). We further estimate that it will require each provider, on average, 8 hours to disseminate the required notices. This estimate is based upon the assumption that the required notice will be incorporated into and disseminated with other patient materials. The total burden associated with this requirement is calculated to be 7,122,152 hours.

Section 164.514 Access of Individuals to Protected Health Information

Given that the burden associated with the following information collection requirements will differ significantly, by the type and size of plan or provider, we are explicitly soliciting comment on the burden associated with the following proposed requirements:

• An individual has a right of access to, which includes a right to inspect and obtain a copy of, his or her protected health information in a designated record set of a covered entity that is a health plan or a health care provider, including such information in a business partner’s designated record set that is not a duplicate of the information held by the provider or plan, for so long as the information is maintained;

• Where the request is denied in whole or in part, the health plan or a health care provider would provide the individual with a written statement of the basis for the denial and a description of how the individual may complain to the covered entity pursuant to the complaint procedures established in § 164.518 or to the Secretary pursuant to the procedures established in § 164.522 of this subpart.

Section 164.515 Accounting for Uses and Disclosures of Protected Health Information

Given that the burden associated with maintaining records to facilitate the recreation of disclosures will differ significantly, by the type and size of plan or provider, we are explicitly soliciting comment on the burden associated with the following proposed record keeping requirement:

• A covered entity that is a plan or provider would need to be able to give individuals an accurate accounting of all uses and disclosures that are for purposes other than treatment, payment, and health care operations; except that such procedures would provide for the exclusion from such accounting of protected health information which is disclosed to a health oversight or law enforcement agency, if the health oversight or law enforcement agency provides a written request stating that the exclusion is necessary because disclosure would be reasonably likely to impede the agency’s activities and specifies the time for which such exclusion is required.

Section 164.516 Amendment and Correction

Given that the burden associated with the following information collection requirements will differ significantly, by the type and size of plan or provider, we are explicitly soliciting comment on the burden associated with the following proposed requirements:

• An individual would have the right to request amendment or correction of his or her protected health information in designated records created by a covered entity that is a health plan or health care provider, where the individual asserts that the information is not accurate or complete and where the error or omission may have an adverse effect on the individual.

• Where the request is denied, provide the individual with a written statement of the basis for the denial, a description of how the individual may file a statement of disagreement with the denial, a description of how the individual may file a complaint with the covered entity, including the name and telephone number of a contact person within the covered entity who can answer questions concerning the denial and the complaint process; and a description of how the individual may file a complaint with the Secretary pursuant to § 164.522 of this subpart.

Section 164.520 Internal Privacy Practices; Standards and Procedures

A covered entity would need to ensure that all employees who have access to protected health information have received appropriate training about the entity’s policies for use and disclosure of such information. Upon completion of the training and at least once every three years thereafter, covered entities would require each employee to sign a statement that he or she received the privacy training and will honor all of the entity’s privacy policies and procedures.

The burden associated with these requirements is the time and effort necessary for a covered entity to obtain and maintain certification documentation demonstrating that applicable employees have received privacy training and will honor all of the entity’s privacy policies and procedures. It is estimated that it will take 890,269 entities, a range of 1 hour to 40 hours per entity to obtain and maintain documentation on an annual basis. Given that we believe the majority of the covered entities will be minimally affected by this requirement, we estimate the annual average burden to be 3 hours per entity for a total annual burden of 2,700,000 hours. Using previous calculations, 900,000 (rounded) entities break down to about 95% small and 5% various types of large; with 1 burden hour for the 95% and 40 burden hours for the 5%, the average burden would be 3 hours.

In addition, this section would require a covered entity that is a health plan or health care provider to develop and document its policies and procedures for implementing the requirements of this proposed rule, and amend the documentation to reflect any change to a policy or procedure.

The burden associated with these requirements is the time and effort necessary for a covered entity to maintain documentation demonstrating that they have implemented procedures that meet the requirements of this proposed rule. It is estimated that it will take 890,269 entities a range of 15 minutes to 1 hour per entity to maintain procedural documentation on an annual basis. We believe the majority (95%) of the covered entities will be minimally affected by this requirement. Using the 95% small/5% large split, the average burden is 17 minutes. Multiplying by 890,269 results in a total annual burden of 256,000 hours (see discussion below).

Since the requirements for developing formal processes and documentation of procedures mirror what will already have been required under the HIPAA security regulations, the burden and additional costs should be small. To the extent that national or state associations will develop guidelines or general sets of processes and procedures which will be reviewed by individual member entities, the costs would be primarily those of the individual reviewers. Assuming this process occurs, we believe that entities will review information from associations in each state and prepare a set of written policies to meet their needs. Our estimates are based on assumed costs for providers ranging from $300 to $3000, with the average being about $375. The range correlates to the size and complexity of the provider. With less than 1 million provider entities, the aggregate cost would be on the order of $300 million. For plans and clearinghouses, our estimate assumes that the legal review and development of written policies will be more costly because of the scope of their operations. They are often dealing with a large number of different providers and may be dealing with requirements from multiple states. We believe the costs for these entities will range from $300 for smaller plans to $15,000 for the largest plans. Because there are very few large plans in relation to the number of small plans, the average implementation costs will be about $3050.

Section 164.522 Compliance and Enforcement

An individual who believes that a covered entity is not complying with the requirements of this subpart may file a complaint with the Secretary within 180 days from the date of the alleged non-compliance, unless the time for filing is extended by the Secretary. The complaint would describe in detail the acts or omissions believed to be in violation of the requirements of this subpart.

The burden associated with these requirements is the time and effort necessary for an individual to prepare and submit a written complaint to the Secretary. It is estimated that 10,000 complaints will be filed on an annual basis. We further estimate that it will take an average of 15 minutes per individual to submit a complaint. Therefore, the total estimated annual burden associated with this requirement is 2,500 hours.

A covered entity would need to maintain documentation necessary for the Secretary to ascertain whether the covered entity has complied or is complying with the requirements of this subpart. While this section is subject to the PRA, the burden associated with this requirement is addressed under sections referenced above, which discuss specific record keeping requirements.

We have submitted a copy of this proposed rule to OMB for its review of the information collection requirements in §§ 160.204, 164.506, 164.508, 164.510, 164.512, 164.514, 164.515, 164.516, 164.520, and § 164.522. These requirements are not effective until they have been approved by OMB.

If you comment on any of these information collection and record keeping requirements, please mail copies directly to the following:

Health Care Financing Administration, Office of Information Services, Information Technology Investment Management Group, Division of HCFA Enterprise Standards, Room C2–26–17, 7500 Security Boulevard, Baltimore, MD 21244–1850. ATTN: John Burke HIPAA Privacy-P

Office of Information and Regulatory Affairs, Office of Management and Budget, Room 10235, New Executive Office Building, Washington, DC 20503. ATTN: Allison Herron Eydt, HCFA Desk Officer.

IX. Executive Order 12612: Federalism

The Department has examined the effects of provisions in the proposed privacy regulation on the relationship between the Federal government and the States, as required by Executive Order 12612 on “Federalism.” The agency concludes that preempting State or local proposed rules that provide less stringent privacy protection requirements than Federal law is consistent with this Executive Order. Overall, the proposed rule attempts to balance both the autonomy of the States with the necessity to create a Federal benchmark to preserve the privacy of personally identifiable health information.

It is recognized that the States generally have laws that relate to the privacy of individually identifiable health information. The HIPAA statute dictates the relationship between State law and this proposed rule. Except for laws that are specifically exempted by the HIPAA statute, State laws continue to be enforceable, unless they are contrary to Part C of Title XI of the standards, requirements, or implementation specifications adopted or pursuant to subpart x. However, under section 264(c)(2), not all contrary provisions of State privacy laws are preempted; rather, the law provides that contrary provisions that are also “more stringent” than the federal regulatory requirements or implementation specifications will continue to be enforceable.

Section 3(b) of Executive Order 12612 recognizes that Federal action limiting the discretion of State and local governments is appropriate “where constitutional authority for the action is clear and certain and the national activity is necessitated by the presence of a problem of national scope.” Personal privacy issues are widely identified as a national concern by virtue of the scope of interstate health commerce. HIPAA’s provisions reflect this position. HIPAA attempts to facilitate the electronic exchange of financial and administrative health plan transactions while recognizing challenges that local, national, and international information sharing raise to confidentiality and privacy of health information.

Section 3(d)(2) of the Executive Order 12612 requires that the Federal government refrain from “establishing uniform, national standards for programs and, when possible, defer to the States to establish standards.” HIPAA requires HHS to establish standards, and we have done so accordingly. This approach is a key component of the proposed privacy rule, and it adheres to Section 4(a) of Executive Order 12612, which expressly contemplates preemption when there is a conflict between exercising State and Federal authority under Federal statute. Section 262 of HIPAA enacted Section 1178 of the Social Security Act, developing a “general rule” that State laws or provisions that are contrary to the provisions or requirements of Part C of Title XI, or the standards or implementation specifications adopted, or established thereunder are preempted. Several exceptions to this rule exist, each of which is designed to maintain a high degree of State autonomy.

Moreover, Section 4(b) of the Executive Order authorizes preemption of State law in the Federal rule making context when there is “firm and palpable evidence compelling the conclusion that the Congress intended to delegate to the * * * agency the authority to issue regulations preempting State law.” Section 1178(a)(2)(B) of HIPAA specifically preempts State laws related to the privacy of individually identifiable health information unless the State law is more stringent. Thus, we have interpreted State and local laws and regulations that would impose less stringent requirements for protection of individually identifiable health information as undermining the agency’s goal of ensuring that all patients who receive medical services are assured a minimum level of personal privacy. Particularly where the absence of privacy protection undermines an individual’s access to health care services, both the personal and public interest is served by establishing Federal rules.

The proposed rule would establish national minimum standards with respect to the collection, maintenance, access, transfer, and disclosure of personally identifiable health information. The Federal law will preempt State law only where State and Federal laws are “contradictory” and the Federal regulation is judged to establish “more stringent” privacy protections than State laws.

As required by the Executive Order, States and local governments will be given, through this notice of proposed rule making, an opportunity to participate in the proceedings to preempt State and local laws (section 4(e) of Executive Order 12612). However, it should be noted that the preemption of state law is based on the HIPAA statute. The Secretary will also provide a review of preemption issues upon requests from States. In addition, under the Order, appropriate officials and organizations will be consulted before this proposed action is implemented (section 3(a) of Executive Order 12612).

Finally, we have considered the cost burden that this proposed rule would impose on State-operated health care entities, Medicaid, and other State health benefits programs. We do not have access to reliable information on the number of State-operated entities and programs, nor do we have access to data on the costs these entities and programs would incur in order to comply with the proposed rule. A discussion of possible compliance costs that covered entities may incur is contained in the Unfunded Mandates section above. We believe that requiring State health care entities covered by the proposed rule to comply with the proposed rule would cost less than one percent of a State’s annual budget.

The agency concludes that the policy proposed in this document has been assessed in light of the principles, criteria, and requirements in Executive Order 12612; that this policy is not inconsistent with that Order; that this policy will not impose significant additional costs and burdens on the States; and that this policy will not affect the ability of the States to discharge traditional State governmental functions.

During our consultation with the States, representatives from various State agencies and offices expressed concern that the proposed regulation would pre-empt all State privacy laws. As explained in this section, the regulation would only pre-empt state laws where there is a direct conflict between state laws and the regulation, and where the regulation provides more stringent privacy protection than State law. We discussed this issue during our consultation with State representatives, who generally accepted our approach to the preemption issue. During the consultation, we requested further information from the States about whether they currently have laws requiring that providers have a “duty to warn” family members or third parties about a patient’s condition other than in emergency circumstances. Since the consultation, we have not received additional comments or questions from the States.

X. Executive Order 13086: Consultation and Coordination with Indian Tribal Governments

In drafting the proposed rule, the Department consulted with representatives of the National Congress of American Indians and the National Indian Health Board, as well as with a representative of the self-governance Tribes. During the consultation, we discussed issues regarding the application of Title II of HIPAA to the Tribes, and potential variations based on the relationship of each Tribe with the IHS for the purpose of providing health services. Participants raised questions about the status of Tribal laws regarding the privacy of health information.

List of Subjects in 45 CFR Parts 160 and 164

Employer benefit plan, Health, Health care, Health facilities, Health insurance, Health records, Medicaid, Medical research, Medicare, Privacy, Reporting and recordkeeping requirements, security measures.

Note to reader: This proposed rule is one of several proposed rules that are being published to implement the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996. We propose to establish a new 45 CFR subchapter C, parts 160 through 164. Part 160 will consist of general provisions, part 162 will consist of the various Administrative Simplification regulations relating to transactions and identifiers, and part 164 will consist of the regulations implementing the security and privacy requirements of the legislation. Proposed part 160, consisting of two subparts (Subpart A—General Provisions, and Subpart B—Preemption of State Law) will be exactly the same in each rule, unless we add new sections or definitions to incorporate additional general information in the later rules.

Dated: October 26, 1999.
Donna Shalala,
Secretary.

Appendix to the Preamble: Sample Contactof Provider Notice

PROVIDER NOTICE OF INFORMATIONPRACTICES (as of 1/1/1999)

Uses and Disclosures of Health Information

We use health information about you fortreatment, to obtain payment for treatment,for administrative purposes, and to evaluatethe quality of care that you receive.

We may use or disclose identifiable healthinformation about you without yourauthorization for several other reasons.Subject to certain requirements, we may giveout health information without yourauthorization for public health purposes, forauditing purposes, for research studies, andfor emergencies. We provide informationwhen otherwise required by law, such as forlaw enforcement in specific circumstances.In any other situation, we will ask for yourwritten authorization before using ordisclosing any identifiable healthinformation about you. If you choose to signan authorization to disclose information, youcan later revoke that authorization to stopany future uses and disclosures.

We may change our policies at any time. Before we make a significant change in our policies, we will change our notice and post the new notice in the waiting area and in each examination room. You can also request a copy of our notice at any time. For more information about our privacy practices, contact the person listed below.

Individual Rights

In most cases, you have the right to look at or get a copy of health information about you that we use to make decisions about you. If you request copies, we will charge you $0.05 (5 cents) for each page. You also have the right to receive a list of instances where we have disclosed health information about you for reasons other than treatment, payment or related administrative purposes. If you believe that information in your record is incorrect or if important information is missing, you have the right to request that we correct the existing information or add the missing information.

You may request in writing that we not use or disclose your information for treatment, payment and administrative purposes except when specifically authorized by you, when required by law, or in emergency circumstances. We will consider your request but are not legally required to accept it.

Complaints

If you are concerned that we have violated your privacy rights, or you disagree with a decision we made about access to your records, you may contact the person listed below. You also may send a written complaint to the U.S. Department of Health and Human Services. The person listed below can provide you with the appropriate address upon request.

Our Legal Duty

We are required by law to protect the privacy of your information, provide this notice about our information practices, and follow the information practices that are described in this notice.

If you have any questions or complaints, please contact: Office Administrator, 111 Main Street, Suite 101, Anytown, OH 41111. Phone: (111) 555–6789, Email: [email protected].

For the reasons set forth in the preamble, it is proposed to amend 45 CFR subtitle A by adding a new subchapter C, consisting of parts 160 through 164, to read as follows:

SUBCHAPTER C—ADMINISTRATIVE DATA STANDARDS AND RELATED REQUIREMENTS

Part
160—GENERAL ADMINISTRATIVE REQUIREMENTS
161–163—[RESERVED]
164—SECURITY AND PRIVACY

PART 160—GENERAL ADMINISTRATIVE REQUIREMENTS

Subpart A—General Provisions
Sec.
160.101 Statutory basis and purpose
160.102 Applicability
160.103 Definitions
160.104 Effective dates of a modification to a standard or implementation specification

Subpart B—Preemption of State Law
160.201 Applicability
160.202 Definitions
160.203 General rule and exceptions
160.204 Process for requesting exception determinations or advisory opinions

Authority: 42 U.S.C. 1320d–2 and 1320d–4.

Subpart A—General Provisions

§ 160.101 Statutory basis and purpose.

The requirements of this subchapter implement sections 1171 through 1179 of the Social Security Act, as amended, which require HHS to adopt national standards to enable the electronic exchange of health information in the health care system. The requirements of this subchapter also implement section 264 of Pub. L. 104–191, which requires that HHS adopt national standards with respect to the privacy of individually identifiable health information transmitted in connection with the transactions described in section 1173(a)(1) of the Social Security Act. The purpose of these provisions is to promote administrative simplification.

§ 160.102 Applicability.

Except as otherwise provided, the standards, requirements, and implementation specifications adopted or designated under the parts of this subchapter apply to any entity that is:

(a) A health plan;
(b) A health care clearinghouse; and
(c) A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.

§ 160.103 Definitions.

Except as otherwise provided, the following definitions apply to this subchapter:

Act means the Social Security Act, as amended.

Covered entity means an entity described in § 160.102.

Health care means the provision of care, services, or supplies to a patient and includes any:

(1) Preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, counseling, service, or procedure with respect to the physical or mental condition, or functional status, of a patient or affecting the structure or function of the body;

(2) Sale or dispensing of a drug, device, equipment, or other item pursuant to a prescription; or

(3) Procurement or banking of blood, sperm, organs, or any other tissue for administration to patients.

Health care clearinghouse means a public or private entity that processes or facilitates the processing of nonstandard data elements of health information into standard data elements. The entity receives health care transactions from health care providers or other entities, translates the data from a given format into one acceptable to the intended payer or payers, and forwards the processed transaction to appropriate payers and clearinghouses. Billing services, repricing companies, community health management information systems, community health information systems, and ‘‘value-added’’ networks and switches are considered to be health care clearinghouses for purposes of this part, if they perform the functions of health care clearinghouses as described in the preceding sentences.

Health care provider means a provider of services as defined in section 1861(u) of the Act, a provider of medical or health services as defined in section 1861(s) of the Act, and any other person or organization who furnishes, bills, or is paid for health care services or supplies in the normal course of business.

Health information means any information, whether oral or recorded in any form or medium, that:

(1) Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and

(2) Relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.

Health plan means an individual or group plan that provides, or pays the cost of, medical care. Such term includes, when applied to government funded or assisted programs, the components of the government agency administering the program. ‘‘Health plan’’ includes the following, singly or in combination:

(1) A group health plan, defined as an employee welfare benefit plan (as currently defined in section 3(1) of the Employee Retirement Income and Security Act of 1974, 29 U.S.C. 1002(1)), including insured and self-insured plans, to the extent that the plan provides medical care (as defined in section 2791(a)(2) of the Public Health Service Act, 42 U.S.C. 300gg–91(a)(2)), including items and services paid for as medical care, to employees or their dependents directly or through insurance or otherwise, that:

(i) Has 50 or more participants; or
(ii) Is administered by an entity other than the employer that established and maintains the plan.

(2) A health insurance issuer, defined as an insurance company, insurance service, or insurance organization that is licensed to engage in the business of insurance in a State and is subject to State or other law that regulates insurance.

(3) A health maintenance organization, defined as a federally qualified health maintenance organization, an organization recognized as a health maintenance organization under State law, or a similar organization regulated for solvency under State law in the same manner and to the same extent as such a health maintenance organization.

(4) Part A or Part B of the Medicare program under title XVIII of the Act.

(5) The Medicaid program under title XIX of the Act.

(6) A Medicare supplemental policy (as defined in section 1882(g)(1) of the Act, 42 U.S.C. 1395ss).

(7) A long-term care policy, including a nursing home fixed-indemnity policy.

(8) An employee welfare benefit plan or any other arrangement that is established or maintained for the purpose of offering or providing health benefits to the employees of two or more employers.

(9) The health care program for active military personnel under title 10 of the United States Code.

(10) The veterans health care program under 38 U.S.C. chapter 17.

(11) The Civilian Health and Medical Program of the Uniformed Services (CHAMPUS), as defined in 10 U.S.C. 1072(4).

(12) The Indian Health Service program under the Indian Health Care Improvement Act (25 U.S.C. 1601, et seq.).

(13) The Federal Employees Health Benefits Program under 5 U.S.C. chapter 89.

(14) An approved State child health plan for child health assistance that meets the requirements of section 2103 of the Act.

(15) A Medicare Plus Choice organization as defined in 42 CFR 422.2, with a contract under 42 CFR part 422, subpart K.

(16) Any other individual or group health plan, or combination thereof, that provides or pays for the cost of medical care.

Secretary means the Secretary of Health and Human Services and any other officer or employee of the Department of Health and Human Services to whom the authority involved has been delegated.

Small health plan means a health plan with annual receipts of $5 million or less.

Standard means a prescribed set of rules, conditions, or requirements concerning classification of components, specification of materials, performance or operations, or delineation of procedures, in describing products, systems, services or practices.

State includes the 50 States, the District of Columbia, the Commonwealth of Puerto Rico, the Virgin Islands, and Guam.

Transaction means the exchange of information between two parties to carry out financial or administrative activities related to health care. It includes the following:

(1) Health claims or equivalent encounter information;
(2) Health care payment and remittance advice;
(3) Coordination of benefits;
(4) Health claims status;
(5) Enrollment and disenrollment in a health plan;
(6) Eligibility for a health plan;
(7) Health plan premium payments;
(8) Referral certification and authorization;
(9) First report of injury;
(10) Health claims attachments; and
(11) Other transactions as the Secretary may prescribe by regulation.

§ 160.104 Effective dates of a modification to a standard or implementation specification.

The Secretary may modify a standard or implementation specification after the first year in which the standard or implementation specification is required to be used, but not more frequently than once every 12 months. If the Secretary adopts a modification to a standard or implementation specification, the implementation date of the modified standard or implementation specification may be no earlier than 180 days following the adoption of the modification. The Secretary will determine the actual date, taking into account the time needed to comply due to the nature and extent of the modification. The Secretary may extend the time for compliance for small health plans.

Subpart B—Preemption of State Law

§ 160.201 Applicability.

The provisions of this subpart apply to determinations and advisory opinions issued by the Secretary pursuant to 42 U.S.C. 1320d–7.

§ 160.202 Definitions.

For the purpose of this subpart, the following terms have the following meanings:

Contrary, when used to compare a provision of State law to a standard, requirement, or implementation specification adopted under this subchapter, means:

(1) A party would find it impossible to comply with both the State and federal requirements; or

(2) The provision of State law stands as an obstacle to the accomplishment and execution of the full purposes and objectives of part C of title XI of the Act or section 264 of Pub. L. 104–191, as applicable.

More stringent means, in the context of a comparison of a provision of State law and a standard, requirement, or implementation specification adopted under subpart E of part 164 of this subchapter, a law which meets one or more of the following criteria, as applicable:

(1) With respect to a use or disclosure, provides a more limited use or disclosure (in terms of the number of potential recipients of the information, the amount of information to be disclosed, or the circumstances under which information may be disclosed).

(2) With respect to the rights of individuals of access to or amendment of individually identifiable health information, permits greater rights or access or amendment, as applicable, provided, however, that nothing in this subchapter shall be construed to preempt any State law to the extent that it authorizes or prohibits disclosure of protected health information regarding a minor to a parent, guardian or person acting in loco parentis of such minor.

(3) With respect to penalties, provides greater penalties.

(4) With respect to information to be provided to an individual about a proposed use, disclosure, rights, remedies, and similar issues, provides the greater amount of information.

(5) With respect to form or substance of authorizations for use or disclosure of information, provides requirements that narrow the scope or duration, increase the difficulty of obtaining, or reduce the coercive effect of the circumstances surrounding the authorization.

(6) With respect to recordkeeping or accounting requirements, provides for the retention or reporting of more detailed information or for a longer duration.

(7) With respect to any other matter, provides greater privacy protection for the individual.

Relates to the privacy of individually identifiable health information means, with respect to a State law, that the State law has the specific purpose of protecting the privacy of health information or the effect of affecting the privacy of health information in a direct, clear, and substantial way.

State law means a law, decision, rule, regulation, or other State action having the effect of law.

§ 160.203 General rule and exceptions.

General rule. A standard, requirement, or implementation specification adopted under or pursuant to this subchapter that is contrary to a provision of State law preempts the provision of State law. This general rule applies, except where one or more of the following conditions is met:

(a) A determination is made by the Secretary pursuant to § 160.204(a) that the provision of State law:

(1) Is necessary:

(i) To prevent fraud and abuse;

(ii) To ensure appropriate State regulation of insurance and health plans;

(iii) For State reporting on health care delivery or costs; or

(iv) For other purposes related to improving the Medicare program, the Medicaid program, or the efficiency and effectiveness of the health care system; or

(2) Addresses controlled substances.

(b) The provision of State law relates to the privacy of health information and is more stringent than a standard, requirement, or implementation specification adopted under subpart E of part 164 of this subchapter.

(c) The provision of State law, or the State established procedures, are established under a State law providing for the reporting of disease or injury, child abuse, birth, or death, or for the conduct of public health surveillance, investigation, or intervention.

(d) The provision of State law requires a health plan to report, or to provide access to, information for the purpose of management audits, financial audits, program monitoring and evaluation, facility licensure or certification, or individual licensure or certification.

§ 160.204 Process for requesting exception determinations or advisory opinions.

(a) Determinations. (1) A State may submit a written request to the Secretary to except a provision of State law from preemption under § 160.203(a). The request must include the following information:

(i) The State law for which the exception is requested;

(ii) The particular standard(s), requirement(s), or implementation specification(s) for which the exception is requested;

(iii) The part of the standard or other provision that will not be implemented based on the exception or the additional data to be collected based on the exception, as appropriate;

(iv) How health care providers, health plans, and other entities would be affected by the exception;

(v) The length of time for which the exception would be in effect, if less than three years;

(vi) The reasons why the State law should not be preempted by the federal standard, requirement, or implementation specification, including how the State law meets one or more of the criteria at § 160.203(a); and

(vii) Any other information the Secretary may request in order to make the determination.

(2) Requests for exception under this section must be submitted to the Secretary at an address which will be published in the Federal Register. Until the Secretary’s determination is made, the standard, requirement, or implementation specification under this subchapter remains in effect.

(3) The Secretary’s determination under this paragraph will be made on the basis of the extent to which the information provided and other factors demonstrate that one or more of the criteria at § 160.203(a) has been met. If it is determined that the federal standard, requirement, or implementation specification accomplishes the purposes of the criterion or criteria at § 160.203(a) as well as or better than the State law for which the request is made, the request will be denied.

(4) An exception granted under this paragraph is effective for three years or for such lesser time as is specified in the determination granting the request.

(5) If an exception is granted under this paragraph, the exception has effect only with respect to transactions taking place wholly within the State for which the exception was requested.

(6) Any change to the standard, requirement, or implementation specification or provision of State law upon which an exception was granted requires a new request for an exception. Absent such a request and a favorable determination thereon, the standard, requirement, or implementation specification remains in effect. The responsibility for recognizing the need for and making the request lies with the original requestor.

(7) The Secretary may seek changes to a standard, requirement, or implementation specification based on requested exceptions or may urge the requesting State or other organizations or persons to do so.

(8) Determinations made by the Secretary pursuant to this paragraph will be published annually in the Federal Register.

(b) Advisory opinions. (1) The Secretary may issue advisory opinions as to whether a provision of State law constitutes an exception under § 160.203(b) to the general rule of preemption under that section. The Secretary may issue such opinions at the request of a State or at the Secretary’s own initiative.

(2) A State may submit a written request to the Secretary for an advisory opinion under this paragraph. The request must include the following information:

(i) The State law for which the exception is requested;

(ii) The particular standard(s), requirement(s), or implementation specification(s) for which the exception is requested;

(iii) How health care providers, health plans, and other entities would be affected by the exception;

(iv) The reasons why the State law should not be preempted by the federal standard, requirement, or implementation specification, including how the State law meets the criteria at § 160.203(b); and

(v) Any other information the Secretary may request in order to issue the advisory opinion.

(3) The requirements of paragraphs (a)(2), (a)(5)–(a)(7) of this section apply to requests for advisory opinions under this paragraph.

(4) The Secretary’s decision under this paragraph will be made on the basis of the extent to which the information provided and other factors demonstrate that the criteria at § 160.203(b) are met.

(5) Advisory opinions made by the Secretary pursuant to this paragraph will be published annually in the Federal Register.

PARTS 161–163—[RESERVED]

PART 164—SECURITY AND PRIVACY

Subpart A—General Provisions
Sec.
164.102 Statutory basis
164.104 Applicability

Subparts B–D—[Reserved]

Subpart E—Privacy of Individually Identifiable Health Information
164.502 Applicability
164.504 Definitions
164.506 Uses and disclosures of protected health information: general rules
164.508 Uses and disclosures for which individual authorization is required
164.510 Uses and disclosures for which individual authorization is not required
164.512 Notice to individuals of information practices
164.514 Access of individuals to protected health information
164.515 Accounting for disclosures of protected health information
164.516 Amendment and correction
164.518 Administrative requirements
164.520 Documentation of policies and procedures
164.522 Compliance and enforcement
164.524 Effective date
Appendix to Subpart E of Part 164—Model Authorization Form

Authority: 42 U.S.C. 1320d–2 and 1320d–4.

Subpart A—General Provisions

§ 164.102 Statutory basis.

The provisions of this part are adopted pursuant to the Secretary’s authority to prescribe standards, requirements, and implementation standards under part C of title XI of the Act and section 264 of Public Law 104–191.

§ 164.104 Applicability.

Except as otherwise provided, the provisions of this part apply to covered entities: health plans, health care clearinghouses, and health care providers who transmit health information in electronic form in connection with any transaction referred to in section 1173(a)(1) of the Act.

Subpart B–D—[Reserved]

Subpart E—Privacy of Individually Identifiable Health Information

§ 164.502 Applicability.

In addition to the applicable provisions of part 160 of this subchapter and except as otherwise herein provided, the requirements, standards, and implementation specifications of this subpart apply to covered entities with respect to protected health information.

§ 164.504 Definitions.

As used in this subpart, the following terms have the following meanings:

Business partner means, with respect to a covered entity, a person to whom the covered entity discloses protected health information so that the person can carry out, assist with the performance of, or perform on behalf of, a function or activity for the covered entity. ‘‘Business partner’’ includes contractors or other persons who receive protected health information from the covered entity (or from another business partner of the covered entity) for the purposes described in the previous sentence, including lawyers, auditors, consultants, third-party administrators, health care clearinghouses, data processing firms, billing firms, and other covered entities. ‘‘Business partner’’ excludes persons who are within the covered entity’s workforce, as defined in this section.

Designated record set means a group of records under the control of a covered entity from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual and which is used by the covered entity to make decisions about the individual. For purposes of this paragraph, the term record means any item, collection, or grouping of protected health information maintained, collected, used, or disseminated by a covered entity.

Disclosure means the release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information.

Health care operations means the following activities undertaken by or on behalf of a covered entity that is a health plan or health care provider for the purpose of carrying out the management functions of such entity necessary for the support of treatment or payment:

(1) Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines;

(2) Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which undergraduate and graduate students and trainees in areas of health care learn under supervision to practice as health care providers, accreditation, certification, licensing or credentialing activities;

(3) Insurance rating and other insurance activities relating to the renewal of a contract for insurance, including underwriting, experience rating, and reinsurance, but only when the individuals are already enrolled in the health plan conducting such activities and the use or disclosure of protected health information relates to an existing contract of insurance (including the renewal of such a contract);

(4) Conducting or arranging for medical review and auditing services, including fraud and abuse detection and compliance programs; and

(5) Compiling and analyzing information in anticipation of or for use in a civil or criminal legal proceeding.

Health oversight agency means an agency, person or entity, including the employees or agents thereof,

(1) That is:

(i) A public agency; or

(ii) A person or entity acting under grant of authority from or contract with a public agency; and

(2) Which performs or oversees the performance of any audit; investigation; inspection; licensure or discipline; civil, criminal, or administrative proceeding or action; or other activity necessary for appropriate oversight of the health care system, of government benefit programs for which health information is relevant to beneficiary eligibility, or of government regulatory programs for which health information is necessary for determining compliance with program standards.

Individual means the person who is the subject of protected health information, except that:

(1) ‘‘Individual’’ includes:

(i) With respect to adults and emancipated minors, legal representatives (such as court-appointed guardians or persons with a power of attorney), to the extent to which applicable law permits such legal representatives to exercise the person’s rights in such contexts.

(ii) With respect to unemancipated minors, a parent, guardian, or person acting in loco parentis, provided that when a minor lawfully obtains a health care service without the consent of or notification to a parent, guardian, or other person acting in loco parentis, the minor shall have the exclusive right to exercise the rights of an individual under this subpart with respect to the protected health information relating to such care.

(iii) With respect to deceased persons, an executor, administrator, or other person authorized under applicable law to act on behalf of the decedent’s estate.

(2) ‘‘Individual’’ excludes:

(i) Foreign military and diplomatic personnel and their dependents who receive health care provided by or paid for by the Department of Defense or other federal agency, or by an entity acting on its behalf, pursuant to a country-to-country agreement or federal statute; and

(ii) Overseas foreign national beneficiaries of health care provided by the Department of Defense or other federal agency, or by a non-governmental organization acting on its behalf.

Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and that:

(1) Is created by or received from a health care provider, health plan, employer, or health care clearinghouse; and

(2) Relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and

(i) Which identifies the individual, or

(ii) With respect to which there is a reasonable basis to believe that the information can be used to identify the individual.

Law enforcement official means an officer of an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe, who is empowered by law to conduct:

(1) An investigation or official proceeding inquiring into a violation of, or failure to comply with, any law; or

(2) A criminal, civil, or administrative proceeding arising from a violation of, or failure to comply with, any law.

Payment means:

(1) The activities undertaken by or on behalf of a covered entity that is:

(i) A health plan, or by a business partner on behalf of a health plan, to obtain premiums or to determine or fulfill its responsibility for coverage under the health plan and for provision of benefits under the health plan; or

(ii) A health care provider or health plan, or a business partner on behalf of such provider or plan, to obtain reimbursement for the provision of health care.

(2) Activities that constitute payment include:

(i) Determinations of coverage, improving methods of paying or coverage policies, adjudication or subrogation of health benefit claims;

(ii) Risk adjusting amounts due based on enrollee health status and demographic characteristics;

(iii) Billing, claims management, and medical data processing;

(iv) Review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges; and

(v) Utilization review activities, including precertification and preauthorization of services.

Protected health information means individually identifiable health information that is or has been electronically transmitted or electronically maintained by a covered entity and includes such information in any other form.

(1) For purposes of this definition,

(i) ‘‘Electronically transmitted’’ includes information exchanged with a computer using electronic media, such as the movement of information from one location to another by magnetic or optical media, transmissions over the Internet, Extranet, leased lines, dial-up lines, private networks, telephone voice response, and ‘‘faxback’’ systems.

(ii) ‘‘Electronically maintained’’ means information stored by a computer or on any electronic medium from which information may be retrieved by a computer, such as electronic memory chips, magnetic tape, magnetic disk, or compact disc optical media.

(2) ‘‘Protected health information’’ excludes:

(i) Individually identifiable health information in education records covered by the Family Educational Right and Privacy Act, as amended, 20 U.S.C. 1232g; and

(ii) Individually identifiable health information of inmates of correctional facilities and detainees in detention facilities.

Public health authority means an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe that is responsible for public health matters as part of its official mandate.

Research means a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge. ‘‘Generalizable knowledge’’ is knowledge related to health that can be applied to populations outside of the population served by the covered entity.

Treatment means the provision of health care by, or the coordination of health care (including health care management of the individual through risk assessment, case management, and disease management) among, health care providers; the referral of a patient from one provider to another; or the coordination of health care or other services among health care providers and third parties authorized by the health plan or the individual.

Use means the employment, application, utilization, examination, or analysis of information within an entity that holds the information.

Workforce means employees, volunteers, trainees, and other persons under the direct control of a covered entity, including persons providing labor on an unpaid basis.

§ 164.506 Uses and disclosures ofprotected health information: general rules.

(a) Standard. A covered entity maynot use or disclose an individual’sprotected health information, except asotherwise permitted or required by thispart or as required to comply withapplicable requirements of thissubchapter.

(1) Permitted uses and disclosures. Acovered entity is permitted to use ordisclose protected health information asfollows:

(i) Except for research informationunrelated to treatment, to carry outtreatment, payment, or health careoperations;

(ii) Pursuant to an authorization bythe individual that complies with§ 164.508; or

(iii) As permitted by and incompliance with this section or§ 164.510.


(2) Required disclosures. A covered entity is required to disclose protected health information:

(i) To an individual, when a request is made under § 164.514; or

(ii) When required by the Secretary under § 164.522 to investigate or determine the entity’s compliance with this part.

(b)(1) Standard: Minimum necessary. A covered entity must make all reasonable efforts not to use or disclose more than the minimum amount of protected health information necessary to accomplish the intended purpose of the use or disclosure. This requirement does not apply to uses or disclosures that are:

(i) Made in accordance with §§ 164.508(a)(1), 164.514, or § 164.522;

(ii) Required by law and permitted under § 164.510;

(iii) Required for compliance with applicable requirements of this subchapter; or

(iv) Made by a covered health care provider to a covered health plan, when the information is requested for audit and related purposes.

(2) Implementation specification: Procedures. To comply with the standard in this paragraph, a covered entity must have procedures to:

(i) Identify appropriate persons within the entity to determine what information should be used or disclosed consistent with the minimum necessary standard;

(ii) Ensure that the persons identified under paragraph (b)(2)(i) of this section make the minimum necessary determinations, when required;

(iii) Within the limits of the entity’s technological capabilities, provide for the making of such determinations individually.

(3) Implementation specification: Reliance. When making disclosures to public officials that are permitted under § 164.510 but not required by other law, a covered entity may reasonably rely on the representations of such officials that the information requested is the minimum necessary for the stated purpose(s).

(c)(1) Standard: Right of an individual to restrict uses and disclosures. (i) A covered entity that is a health care provider must permit individuals to request that uses or disclosures of protected health information for treatment, payment, or health care operations be restricted, and, if the requested restrictions are agreed to by the provider, not make uses or disclosures inconsistent with such restrictions.

(ii) This requirement does not apply:

(A) To uses or disclosures permitted under § 164.510;

(B) When the health care services provided are emergency services or the information is requested pursuant to § 164.510(k); and

(C) To disclosures to the Secretary pursuant to § 164.522.

(iii) A provider is not required to agree to a requested restriction.

(2) Implementation specifications. A covered entity must have procedures that:

(i) Provide individuals an opportunity to request a restriction on the uses and disclosures of their protected health information;

(ii) Provide that restrictions that are agreed to by the entity are reduced to writing or otherwise documented;

(iii) Enable the entity to honor such restrictions; and

(iv) Provide for the notification of others to whom such information is disclosed of such restriction.

(d)(1) Standard: use or disclosure of de-identified protected health information. The requirements of this subpart do not apply to protected health information that a covered entity has de-identified, provided, however, that:

(i) Disclosure of a key or other device designed to enable coded or otherwise de-identified information to be re-identified constitutes disclosure of protected health information; and

(ii) If a covered entity re-identifies de-identified information, it may use or disclose such re-identified information only in accordance with this subpart.

(2) Implementation specifications. (i) A covered entity may use protected health information to create de-identified information by removing, coding, encrypting, or otherwise eliminating or concealing the information that makes such information individually identifiable.

(ii) Information is presumed not to be individually identifiable (de-identified), if:

(A) The following identifiers have been removed or otherwise concealed:

(1) Name;

(2) Address, including street address, city, county, zip code, and equivalent geocodes;

(3) Names of relatives;

(4) Name of employers;

(5) Birth date;

(6) Telephone numbers;

(7) Fax numbers;

(8) Electronic mail addresses;

(9) Social security number;

(10) Medical record number;

(11) Health plan beneficiary number;

(12) Account number;

(13) Certificate/license number;

(14) Any vehicle or other device serial number;

(15) Web Universal Resource Locator (URL);

(16) Internet Protocol (IP) address number;

(17) Finger or voice prints;

(18) Photographic images; and

(19) Any other unique identifying number, characteristic, or code that the covered entity has reason to believe may be available to an anticipated recipient of the information; and

(B) The covered entity has no reason to believe that any anticipated recipient of such information could use the information, alone or in combination with other information, to identify an individual.

(iii) Notwithstanding paragraph (d)(2)(ii) of this section, entities with appropriate statistical experience and expertise may treat information as de-identified, if they include information listed in paragraph (d)(2)(ii) of this section and they determine that the probability of identifying individuals with such identifying information retained is very low, or may remove additional information, if they have a reasonable basis to believe such additional information could be used to identify an individual.
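The following added example (not part of the proposed rule or of any HHS tooling) applies the identifier list in paragraph (d)(2)(ii)(A) to a patient record: structured fields that carry a listed identifier are removed, free-text fields are scanned for identifier patterns that commonly leak into clinical notes, and paragraph (d)(2)(ii)(A)(19) together with (B) is modelled as a caller-supplied set of fields the anticipated recipient could link back to a person. Field names, regular expressions and the sample record are assumptions constructed for the illustration; the statistical alternative in paragraph (d)(2)(iii) is deliberately out of scope.

```python
"""Presumptive de-identification check for the identifier list in proposed
45 CFR 164.506(d)(2)(ii). Added illustration; field names are assumed."""
import re
from typing import Any, Dict, Iterable, List, Tuple

# Structured record fields (assumed names) mapped to the numbered identifier
# categories in paragraph (d)(2)(ii)(A). Any field listed here is removed.
STRUCTURED_IDENTIFIER_FIELDS: Dict[str, str] = {
    "name": "(1) Name",
    "street_address": "(2) Address", "city": "(2) Address",
    "county": "(2) Address", "zip": "(2) Address",
    "relatives": "(3) Names of relatives",
    "employer": "(4) Name of employers",
    "birth_date": "(5) Birth date",
    "phone": "(6) Telephone numbers",
    "fax": "(7) Fax numbers",
    "email": "(8) Electronic mail addresses",
    "ssn": "(9) Social security number",
    "mrn": "(10) Medical record number",
    "beneficiary_number": "(11) Health plan beneficiary number",
    "account_number": "(12) Account number",
    "license_number": "(13) Certificate/license number",
    "device_serial": "(14) Vehicle or other device serial number",
    "url": "(15) Web URL",
    "ip_address": "(16) IP address number",
    "biometric": "(17) Finger or voice prints",
    "photo": "(18) Photographic images",
}

# Patterns for identifiers that leak into free-text fields such as notes.
# Order matters: the SSN pattern runs before the phone pattern.
FREE_TEXT_PATTERNS: List[Tuple[str, "re.Pattern[str]"]] = [
    ("(9) Social security number", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("(6)/(7) Telephone or fax number",
     re.compile(r"\b(?:\+?1[ .-])?\(?\d{3}\)?[ .-]\d{3}[ .-]\d{4}\b")),
    ("(8) Electronic mail address", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("(16) IP address number", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("(15) Web URL", re.compile(r"\bhttps?://\S+", re.I)),
    ("(5) Birth date",
     re.compile(r"\b(?:DOB|born)\b[:\s]*\d{1,2}/\d{1,2}/\d{2,4}", re.I)),
]


def de_identify(record: Dict[str, Any],
                recipient_linkable: Iterable[str] = ()) -> Tuple[Dict[str, Any], List[str]]:
    """Return (scrubbed_record, findings).

    recipient_linkable names fields (e.g. an internal study code) that the covered
    entity believes the anticipated recipient could use to identify a person; they
    are removed under items (19) and (B) of paragraph (d)(2)(ii).
    Each finding records what was removed or redacted and why.
    """
    linkable = set(recipient_linkable)
    scrubbed: Dict[str, Any] = {}
    findings: List[str] = []
    for field, value in record.items():
        if field in STRUCTURED_IDENTIFIER_FIELDS:
            findings.append(f"{field}: removed, {STRUCTURED_IDENTIFIER_FIELDS[field]}")
            continue
        if field in linkable:
            findings.append(f"{field}: removed, (19) code linkable by recipient")
            continue
        if isinstance(value, str):  # free text: redact embedded identifiers
            for label, pattern in FREE_TEXT_PATTERNS:
                value, hits = pattern.subn("[REDACTED]", value)
                if hits:
                    findings.append(f"{field}: redacted {hits} x {label}")
        scrubbed[field] = value
    return scrubbed, findings


def is_presumed_de_identified(record: Dict[str, Any],
                              recipient_linkable: Iterable[str] = ()) -> bool:
    """True when nothing in the (d)(2)(ii) list (or recipient-linkable) remains."""
    _, findings = de_identify(record, recipient_linkable)
    return not findings


# Constructed sample record; every value is fictitious.
SAMPLE_RECORD: Dict[str, Any] = {
    "mrn": "MRN-0001",
    "name": "Jane Example",
    "zip": "12345",
    "birth_date": "1960-01-02",
    "diagnosis": "Type 2 diabetes",
    "visit_year": 1999,
    "study_code": "S-77",
    "note": "Pt reached at 555-123-4567, email jane@example.org; portal 10.0.0.5.",
}

if __name__ == "__main__":
    cleaned, report = de_identify(SAMPLE_RECORD, recipient_linkable={"study_code"})
    print(cleaned)
    print("\n".join(report))
    print("presumed de-identified:", is_presumed_de_identified(cleaned))
```

Passing the scrubbed output back through `is_presumed_de_identified` is the check a covered entity would run before release; a non-empty findings list on a record that was supposed to be clean is the signal to stop the disclosure.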

(e)(1) Standards: Business partners. (i) Except for disclosures of protected health information by a covered entity that is a health care provider to another health care provider for consultation or referral purposes, a covered entity may not disclose protected health information to a business partner without satisfactory assurance from the business partner that it will appropriately safeguard the information.

(ii) A covered entity must take reasonable steps to ensure that each business partner complies with the requirements of this subpart with respect to any task or other activity it performs on behalf of the entity, to the extent the covered entity would be required to comply with such requirements.

(2) Implementation specifications. (i) For the purposes of this section, satisfactory assurance means a contract between the covered entity and the business partner to which such information is to be disclosed that establishes the permitted and required uses and disclosures of such information by the partner. The contract must provide that the business partner will:

(A) Not use or further disclose the information other than as permitted or required by the contract;

(B) Not use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity;


(C) Use appropriate safeguards to prevent use or disclosure of the information other than as provided for by its contract;

(D) Report to the covered entity any use or disclosure of the information not provided for by its contract of which it becomes aware;

(E) Ensure that any subcontractors or agents to whom it provides protected health information received from the covered entity agree to the same restrictions and conditions that apply to the business partner with respect to such information;

(F) Make available protected health information in accordance with § 164.514(a);

(G) Make its internal practices, books, and records relating to the use and disclosure of protected health information received from the covered entity available to the Secretary for purposes of determining the covered entity’s compliance with this subpart;

(H) At termination of the contract, return or destroy all protected health information received from the covered entity that the business partner still maintains in any form and retain no copies of such information; and

(I) Incorporate any amendments or corrections to protected health information when notified pursuant to § 164.516(c)(3).

(ii) The contract required by paragraph (e)(2)(i) of this section must:

(A) State that the individuals whose protected health information is disclosed under the contract are intended third party beneficiaries of the contract; and

(B) Authorize the covered entity to terminate the contract, if the covered entity determines that the business partner has violated a material term of the contract required by this paragraph.

(iii) A material breach by a business partner of its obligations under the contract required by paragraph (e)(2)(i) of this section will be considered to be noncompliance of the covered entity with the applicable requirements of this subpart, if the covered entity knew or reasonably should have known of such breach and failed to take reasonable steps to cure the breach or terminate the contract.

(f) Standard: Deceased individuals. A covered entity must comply with the requirements of this subpart with respect to the protected health information of a deceased individual for two years following the death of such individual. This requirement does not apply to uses or disclosures for research purposes.

(g) Standard: uses and disclosures consistent with notice. Except as provided by § 164.520(g)(2), a covered entity that is required by § 164.512 to have a notice may not use or disclose protected health information in a manner inconsistent with such notice.

§ 164.508 Uses and disclosures for which individual authorization is required.

(a) Standard. An authorization executed in accordance with this section is required in order for the covered entity to use or disclose protected health information in the following situations:

(1) Request by individual. Where the individual requests the covered entity to use or disclose the information.

(2) Request by covered entity. (i) Where the covered entity requests the individual to authorize the use or disclosure of the information. The covered entity must request and obtain an authorization from the individual for all uses and disclosures that are not:

(A) Except as provided in paragraph (a)(3) of this section, compatible with or directly related to treatment, payment, or health care operations;

(B) Covered by § 164.510;

(C) Covered by paragraph (a)(1) of this section; or

(D) Required by this subpart.

(ii) Uses and disclosures of protected health information for which individual authorization is required include, but are not limited to, the following:

(A) Use for marketing of health and non-health items and services by the covered entity;

(B) Disclosure by sale, rental, or barter;

(C) Use and disclosure to non-health related divisions of the covered entity, e.g., for use in marketing life or casualty insurance or banking services;

(D) Disclosure, prior to an individual’s enrollment in a health plan, to the health plan or health care provider for making eligibility or enrollment determinations relating to the individual or for underwriting or risk rating determinations;

(E) Disclosure to an employer for use in employment determinations; and

(F) Use or disclosure for fundraising purposes.

(iii) A covered entity may not condition the provision to an individual of treatment or payment on the provision by the individual of a requested authorization for use or disclosure, except where the authorization is requested in connection with a clinical trial.

(iv) Except where required by law, a covered entity may not require an individual to sign an authorization for use or disclosure of protected health information for treatment, payment, or health care operations purposes.

(3) Authorization required: Special cases. (i) Except as otherwise required by this subpart or permitted under § 164.510, a covered entity must obtain the authorization of the individual for the following uses and disclosures of protected health information about the individual:

(A) Use by a person other than the creator, or disclosure, of psychotherapy notes; and

(B) Use or disclosure of research information unrelated to treatment.

(ii) The requirements of paragraphs (b) through (e) of this section apply to such authorizations, as appropriate.

(iii) A covered entity may not condition treatment, enrollment in a health plan, or payment on a requirement that the individual authorize use or disclosure of psychotherapy notes relating to the individual.

(iv) For purposes of this section:

(A) Psychotherapy notes means notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session. For purposes of this definition, “psychotherapy notes” excludes medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis and progress to date.

(B) Research information unrelated to treatment means health information that is received or created by a covered entity in the course of conducting research, for which there is insufficient scientific and medical evidence regarding the validity or utility of the information such that it should not be used for the purpose of providing health care, and with respect to which the covered entity has not requested payment from a third party payor.

(b) General implementation specifications for authorizations.—(1) General requirements. A copy of the model form which appears in Appendix A hereto, or a document that contains the elements listed in paragraphs (c) or (d) of this section, as applicable, must be accepted by the covered entity.

(2) Defective authorizations. There is no “authorization” within the meaning of this section, if the submitted form has any of the following defects:

(i) The expiration date has passed;

(ii) The form has not been filled out completely;


(iii) The authorization is known by the covered entity to have been revoked;

(iv) The form lacks an element required by paragraph (c) or (d) of this section, as applicable;

(v) The information on the form is known by the covered entity to be false.

(3) Compound authorizations. Except where authorization is requested in connection with a clinical trial, an authorization for use or disclosure of protected health information for purposes other than treatment or payment may not be in the same document as an authorization for or consent to treatment or payment.

(c) Implementation specifications for authorizations requested by an individual.—(1) Required elements. Before a covered entity may use or disclose protected health information of an individual pursuant to a request from the individual, it must obtain a completed authorization for use or disclosure executed by the individual that contains at least the following elements:

(i) A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion;

(ii) The name of the covered entity, or class of entities or persons, authorized to make the requested use or disclosure;

(iii) The name or other specific identification of the person(s) or entity(ies), which may include the covered entity itself, to whom the covered entity may make the requested use or disclosure;

(iv) An expiration date;

(v) Signature and date;

(vi) If the authorization is executed by a legal representative or other person authorized to act for the individual, a description of his or her authority to act or relationship to the individual;

(vii) A statement in which the individual acknowledges that he or she has the right to revoke the authorization, except to the extent that information has already been released under the authorization; and

(viii) A statement in which the individual acknowledges that information used or disclosed to any entity other than a health plan or health care provider may no longer be protected by the federal privacy law.

(2) Plain language requirement. The model form at appendix A to this subpart may be used. If the model form at appendix A to this subpart is not used, the authorization form must be written in plain language.

(d) Implementation specifications for authorizations for uses and disclosures requested by covered entities.—(1) Required elements. Before a covered entity may use or disclose protected health information of an individual pursuant to a request that it has made, it must obtain a completed authorization for use or disclosure executed by the individual that meets the requirements of paragraph (c) of this section and contains the following additional elements:

(i) Except where the authorization is requested for a clinical trial, a statement that it will not condition treatment or payment on the individual’s providing authorization for the requested use or disclosure;

(ii) A description of the purpose(s) of the requested use or disclosure;

(iii) A statement that the individual may:

(A) Inspect or copy the protected health information to be used or disclosed as provided in § 164.514; and

(B) Refuse to sign the authorization; and

(iv) Where use or disclosure of the requested information will result in financial gain to the entity, a statement that such gain will result.

(2) Required procedures. In requesting authorization from an individual under this paragraph, a covered entity must:

(i) Have procedures designed to enable it to request only the minimum amount of protected health information necessary to accomplish the purpose for which the request is made; and

(ii) Provide the individual with a copy of the executed authorization.

(e) Revocation of authorizations. An individual may revoke an authorization to use or disclose his or her protected health information at any time, except to the extent that the covered entity has taken action in reliance thereon.

§ 164.510 Uses and disclosures for which individual authorization is not required.

A covered entity may use or disclose protected health information, for purposes other than treatment, payment, or health care operations, without the authorization of the individual, in the situations covered by this section and subject to the applicable requirements provided for by this section.

(a) General requirements. In using or disclosing protected health information under this section:

(1) Verification. A covered entity must comply with any applicable verification requirements under § 164.518(c).

(2) Health care clearinghouses. A health care clearinghouse that uses or discloses protected health information it maintains as a business partner of a covered entity may not make uses or disclosures otherwise permitted under this section that are not permitted by the terms of its contract with the covered entity under § 164.506(e).

(b) Disclosures and uses for public health activities.—(1) Permitted disclosures. A covered entity may disclose protected health information for the public health activities and purposes described in this paragraph to:

(i) A public health authority that is authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury, or disability, including, but not limited to, the reporting of disease, injury, vital events such as birth or death, and the conduct of public health surveillance, public health investigations, and public health interventions;

(ii) A public health authority or other appropriate authority authorized by law to receive reports of child abuse or neglect;

(iii) A person or entity other than a governmental authority that can demonstrate or demonstrates that it is acting to comply with requirements or direction of a public health authority; or

(iv) A person who may have been exposed to a communicable disease or may otherwise be at risk of contracting or spreading a disease or condition and is authorized by law to be notified as necessary in the conduct of a public health intervention or investigation.

(2) Permitted use. Where the covered entity also is a public health authority, the covered entity is permitted to use protected health information in all cases in which it is permitted to disclose such information for public health activities under paragraph (b)(1) of this section.

(c) Disclosures and uses for health oversight activities.—(1) Permitted disclosures. A covered entity may disclose protected health information to a health oversight agency for oversight activities authorized by law, including audit, investigation, inspection, civil, criminal, or administrative proceeding or action, or other activity necessary for appropriate oversight of:

(i) The health care system;

(ii) Government benefit programs for which health information is relevant to beneficiary eligibility; or

(iii) Government regulatory programs for which health information is necessary for determining compliance with program standards.

(2) Permitted use. Where a covered entity is itself a health oversight agency, the covered entity may use protected health information for health oversight activities described by paragraph (c)(1) of this section.

(d) Disclosures and uses for judicial and administrative proceedings.—(1) Permitted disclosures. A covered entity may disclose protected health information in the course of any judicial or administrative proceeding:

(i) In response to an order of a court or administrative tribunal; or

(ii) Where the individual is a party to the proceeding and his or her medical condition or history is at issue and the disclosure is pursuant to lawful process or otherwise authorized by law.

(2) Permitted use. Where the covered entity is itself a government agency, the covered entity may use protected health information in all cases in which it is permitted to disclose such information in the course of any judicial or administrative proceeding under paragraph (d)(1) of this section.

(3) Additional restriction. (i) Where the request for disclosure of protected health information is accompanied by a court order, the covered entity may disclose only that protected health information which the court order authorizes to be disclosed.

(ii) Where the request for disclosure of protected health information is not accompanied by a court order, the covered entity may not disclose the information requested unless a request authorized by law has been made by the agency requesting the information or by legal counsel representing a party to litigation, with a written statement certifying that the protected health information requested concerns a litigant to the proceeding and that the health condition of such litigant is at issue at such proceeding.

(e) Disclosures to coroners and medical examiners. A covered entity may disclose protected health information to a coroner or medical examiner, consistent with applicable law, for the purposes of identifying a deceased person or determining a cause of death.

(f) Disclosures for law enforcement purposes. A covered entity may disclose protected health information to a law enforcement official if:

(1) Pursuant to process. (i) The law enforcement official is conducting or supervising a law enforcement inquiry or proceeding authorized by law and the disclosure is:

(A) Pursuant to a warrant, subpoena, or order issued by a judicial officer that documents a finding by the judicial officer;

(B) Pursuant to a grand jury subpoena; or

(C) Pursuant to an administrative request, including an administrative subpoena or summons, a civil investigative demand, or similar process authorized under law, provided that:

(1) The information sought is relevant and material to a legitimate law enforcement inquiry;

(2) The request is as specific and narrowly drawn as is reasonably practicable; and

(3) De-identified information could not reasonably be used.

(ii) For the purposes of this paragraph, “law enforcement inquiry or proceeding” means:

(A) An investigation or official proceeding inquiring into a violation of, or failure to comply with, law; or

(B) A criminal, civil, or administrative proceeding arising from a violation of, or failure to comply with, law.

(2) Limited information for identifying purposes. The disclosure is for the purpose of identifying a suspect, fugitive, material witness, or missing person, provided that, the covered entity may disclose only the following information:

(i) Name;

(ii) Address;

(iii) Social security number;

(iv) Date of birth;

(v) Place of birth;

(vi) Type of injury or other distinguishing characteristic; and

(vii) Date and time of treatment.

(3) Information about a victim of crime or abuse. The disclosure is of the protected health information of an individual who is or is suspected to be a victim of a crime, abuse, or other harm, if the law enforcement official represents that:

(i) Such information is needed to determine whether a violation of law by a person other than the victim has occurred; and

(ii) Immediate law enforcement activity that depends upon obtaining such information may be necessary.

(4) Intelligence and national security activities. The disclosure is:

(i) For the conduct of lawful intelligence activities conducted pursuant to the National Security Act (50 U.S.C. 401, et seq.);

(ii) Made in connection with providing protective services to the President or other persons pursuant to 18 U.S.C. 3056; or

(iii) Made pursuant to 22 U.S.C. 2709(a)(3).

(5) Health care fraud. The covered entity believes in good faith that the information disclosed constitutes evidence of criminal conduct:

(i) That arises out of and is directly related to:

(A) The receipt of health care or payment for health care, including a fraudulent claim for health care;

(B) Qualification for or receipt of benefits, payments, or services based on a fraudulent statement or material misrepresentation of the health of the individual;

(ii) That occurred on the premises of the covered entity; or

(iii) Was witnessed by a member of the covered entity’s workforce.

(5) Urgent circumstances. The disclosure is of the protected health information of an individual who is or is suspected to be a victim of a crime, abuse, or other harm, if the law enforcement official represents that:

(i) Such information is needed to determine whether a violation of law by a person other than the victim has occurred; and

(ii) Immediate law enforcement activity that depends upon obtaining such information may be necessary.

(g) Disclosures and uses for governmental health data systems.—(1) Permitted disclosures. A covered entity may disclose protected health information to a government agency, or private entity acting on behalf of a government agency, for inclusion in a governmental health data system that collects health data for analysis in support of policy, planning, regulatory, or management functions authorized by law.

(2) Permitted uses. Where a covered entity is itself a government agency that collects health data for analysis in support of policy, planning, regulatory, or management functions, the covered entity may use protected health information in all cases in which it is permitted to disclose such information for government health data systems under paragraph (g)(1) of this section.

(h) Disclosures of directory information. (1) Individuals with capacity. For individuals with the capacity to make their own health care decisions, a covered entity that is a health care provider may disclose protected health information for directory purposes, provided that, the individual has agreed to such disclosure.

(2) Incapacitated individuals. For individuals who are incapacitated, a covered entity that is a health care provider may, at its discretion and consistent with good medical practice and any prior expressions of preference of which the covered entity is aware, disclose protected health information for directory purposes.

(3) Information to be disclosed. The information that may be disclosed for directory purposes pursuant to paragraphs (h)(1) and (2) of this section, is limited to:

(i) Name of the individual;

(ii) Location of the individual in the health care provider’s facility; and

(iii) Description of the individual’s condition in general terms that do not communicate specific medical information about the individual.

(i) Disclosures for banking and payment processes. A covered entity may disclose, in connection with routine banking activities or payment by debit, credit, or other payment card, or other payment means, the minimum amount of protected health information necessary to complete a banking or payment activity to:

(1) Financial institutions. An entity engaged in the activities of a financial institution (as defined in section 1101 of the Right to Financial Privacy Act of 1978); or

(2) Entities acting on behalf of financial institutions. An entity engaged in authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments, for an entity described in paragraph (i)(1) of this section.

(j) Uses and disclosures for research purposes. A covered entity may use or disclose protected health information for research, regardless of the source of funding of the research, provided that, the covered entity has obtained written documentation of the following:

(1) Waiver of authorization. A waiver, in whole or in part, of authorization for use or disclosure of protected health information that has been approved by either:

(i) An Institutional Review Board, established in accordance with 7 CFR 1c.107, 10 CFR 745.107, 14 CFR 1230.107, 15 CFR 27.107, 16 CFR 1028.107, 21 CFR 56.107, 22 CFR 225.107, 28 CFR 46.107, 32 CFR 219.107, 34 CFR 97.107, 38 CFR 16.107, 40 CFR 26.107, 45 CFR 46.107, 45 CFR 690.107, or 49 CFR 11.107; or

(ii) A privacy board that:

(A) Has members with varying backgrounds and appropriate professional competency as necessary to review the research protocol;

(B) Includes at least one member who is not affiliated with the entity conducting the research or related to a person who is affiliated with such entity; and

(C) Does not have any member participating in a review of any project in which the member has a conflict of interest.

(2) Date of approval. The date of approval of the waiver, in whole or in part, of authorization by an Institutional Review Board or privacy board.

(3) Criteria. The Institutional Review Board or privacy board has determined that the waiver, in whole or in part, of authorization satisfies the following criteria:

(i) The use or disclosure of protected health information involves no more than minimal risk to the subjects;

(ii) The waiver will not adversely affect the rights and welfare of the subjects;

(iii) The research could not practicably be conducted without the waiver;

(iv) Whenever appropriate, the subjects will be provided with additional pertinent information after participation;

(v) The research could not practicably be conducted without access to and use of the protected health information;

(vi) The research is of sufficient importance so as to outweigh the intrusion into the privacy of the individual whose information is subject to the disclosure;

(vii) There is an adequate plan to protect the identifiers from improper use and disclosure; and

(viii) There is an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers.

(4) Required signature. The written documentation must be signed by the chair of, as applicable, the Institutional Review Board or the privacy board.

(k) Uses and disclosures in emergency circumstances.—(1) Permitted disclosures. A covered entity may, consistent with applicable law and standards of ethical conduct and based on a reasonable belief that the use or disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of an individual or the public, use or disclose protected health information to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat.

(2) Presumption of reasonable belief. A covered entity that makes a disclosure pursuant to paragraph (k)(1) of this section is presumed to have acted under a reasonable belief, if the disclosure is made in good faith based upon a credible representation by a person with apparent knowledge or authority (such as a doctor or law enforcement or other government official).

(l) Disclosures to next-of-kin.—(1) Permitted disclosures. A covered entity may disclose protected health information to a person who is a next-of-kin, other family member, or close personal friend of an individual who possesses the capacity to make his or her own health care decisions, if:

(i) The individual has verbally agreed to the disclosure; or

(ii) In circumstances where such agreement cannot practicably or reasonably be obtained, only the protected health information that is directly relevant to the person’s involvement in the individual’s health care is disclosed, consistent with good health professional practices and ethics.

(2) Next-of-kin defined. For purposes of this paragraph, ‘‘next-of-kin’’ is as defined under applicable law.

(m) Uses and disclosures for specialized classes.—(1) Military purposes. A covered entity that is a health care provider or health plan providing health care to individuals who are Armed Forces personnel may use and disclose protected health information for activities deemed necessary by appropriate military command authorities to assure the proper execution of the military mission, where the appropriate military authority has published by notice in the Federal Register the following information:

(i) Appropriate military command authorities;

(ii) The circumstances for which use or disclosure without individual authorization would be required; and

(iii) Activities for which such use or disclosure would occur in order to assure proper execution of the military mission.

(2) Department of Veterans Affairs. The Department of Veterans Affairs may use and disclose protected health information among components of the Department that determine eligibility for or entitlement to, or that provide, benefits under laws administered by the Secretary of Veterans Affairs.

(3) Intelligence community. A covered entity may disclose protected health information of an individual who is an employee of the intelligence community, as defined in section 4 of the National Security Act, 50 U.S.C. 401a, and his or her dependents, if such dependents are being considered for posting abroad, to intelligence community agencies, where authorized by law.

(4) Department of State. The Department of State may use protected health information about the following individuals for the following purposes:

(i) As to applicants to the Foreign Service, for medical clearance determinations about physical fitness to serve in the Foreign Service on a worldwide basis, including about medical and mental conditions limiting assignability abroad; determinations of conformance to occupational physical standards, where applicable; and determinations of suitability.


(ii) As to members of the Foreign Service and other United States Government employees assigned to serve abroad under Chief of Mission authority, for medical clearance determinations for assignment to posts abroad, including medical and mental conditions limiting such assignment; determinations of conformance to occupational physical standards, where applicable; determinations about continued fitness for duty, suitability, and continuation of service at post (including decisions on curtailment); separation medical examinations; and determinations of eligibility of members of the Foreign Service for disability retirement (whether on application of the employee or the Secretary of State).

(iii) As to eligible family members of Foreign Service or other United States Government employees, for medical clearance determinations as described in paragraph (m)(4)(ii) of this section to permit eligible family members to accompany employees to posts abroad on Government orders; determinations regarding family members remaining at post; and separation medical examinations.

(n) Uses and disclosures otherwise required by law. A covered entity may use or disclose protected health information where such use or disclosure is required by law and the use or disclosure meets all relevant requirements of such law. This paragraph does not apply to uses or disclosures that are covered by paragraphs (b) through (m) of this section.

§ 164.512 Notice to individuals of information practices.

(a) Standard. An individual has a right to adequate notice of the policies and procedures of a covered entity that is a health plan or a health care provider with respect to protected health information.

(b) Standard for notice procedures. A covered entity that is a health plan or health care provider must have procedures that provide adequate notice to individuals of their rights and the procedures for exercising their rights under this subpart with respect to protected health information about them.

(c) General implementation specification. A covered entity that has and follows procedures that meet the requirements of this section will be presumed to have provided adequate notice under this section.

(d) Implementation specifications: content of notice.—(1) Required elements. Notices required to be provided under this section must include in plain language a statement of each of the following elements:

(i) Uses and disclosures. The uses and disclosures, and the entity’s policies and procedures with respect to such uses and disclosures, must be described in sufficient detail to put the individual on notice of the uses and disclosures expected to be made of his or her protected health information. Such statement must:

(A) Describe the uses and disclosures that will be made without individual authorization; and

(B) Distinguish between those uses and disclosures the entity makes that are required by law and those that are permitted but not required by law.

(ii) Required statements. State that:

(A) Other uses and disclosures will be made only with the individual’s authorization and that such authorization may be revoked;

(B) An individual may request that certain uses and disclosures of his or her protected health information be restricted, and the covered entity is not required to agree to such a request;

(C) An individual has the right to request, and a description of the procedures for exercising, the following with respect to his or her protected health information:

(1) Inspection and copying;

(2) Amendment or correction; and

(3) An accounting of the disclosures of such information by the covered entity;

(D) The covered entity is required by law to protect the privacy of its individually identifiable health information, provide a notice of its policies and procedures with respect to such information, and abide by the terms of the notice currently in effect;

(E) The entity may change its policies and procedures relating to protected health information at any time, with a description of how individuals will be informed of material changes; and

(F) Individuals may complain to the covered entity and to the Secretary if they believe that their privacy rights have been violated.

(iii) Contact. The name and telephone number of a contact person or office required by § 164.518(a)(2).

(iv) Date. The date the version of the notice was produced.

(2) Revisions. A covered health plan or health care provider may change its policies or procedures required by this subpart at any time. When a covered health plan or health care provider materially revises its policies and procedures, it must update its notice as provided for by § 164.520(g).

(e) Implementation specifications: Provision of notice. A covered entity must make the notice required by this section available:

(1) General requirement. On request; and

(2) Specific requirements. As follows:

(i) Health plans. Health plans must provide a copy of the notice to an individual covered by the plan:

(A) As of the date on which the health plan is required to be in compliance with this subpart;

(B) After the date described in paragraph (e)(2)(i)(A) of this section, at enrollment;

(C) After enrollment, within 60 days of a material revision to the content of the notice; and

(D) No less frequently than once every three years.

(ii) Health care providers. A health care provider must:

(A) During the one year period following the date by which the provider is required to come into compliance with this subpart, provide a copy to individuals currently served by the provider at the first service delivery to such individuals during such period, provided that, where service is not provided through a face-to-face contact, the provider must provide the notice in an appropriate manner within a reasonable period of time following first service delivery;

(B) After the one year period provided for by paragraph (e)(2)(ii)(A) of this section, provide a copy to individuals served by the provider at the first service delivery to such individuals, provided that, where service is not provided through a face-to-face contact, the provider must provide the notice in an appropriate manner within a reasonable period of time following first service delivery; and

(C) Post a copy of the notice in a clear and prominent location where it is reasonable to expect individuals seeking service from the provider to be able to read the notice. Any revision to the notice must be posted promptly.

§ 164.514 Access of individuals to protected health information.

(a) Standard: Right of access. An individual has a right of access to, which includes a right to inspect and obtain a copy of, his or her protected health information in designated record sets of a covered entity that is a health plan or a health care provider, including such information in a business partner’s designated record set that is not a duplicate of the information held by the provider or plan, for so long as the information is maintained.

(b) Standard: denial of access to protected health information.—(1) Grounds. Except where the protected health information to which access is requested is subject to 5 U.S.C. 552a, a covered entity may deny a request for access under paragraph (a) of this section where:

(i) A licensed health care professional has determined that, in the exercise of reasonable professional judgment, the inspection and copying requested is reasonably likely to endanger the life or physical safety of the individual or another person;

(ii) The information is about another person (other than a health care provider) and a licensed health care professional has determined that the inspection and copying requested is reasonably likely to cause substantial harm to such other person;

(iii) The information was obtained under a promise of confidentiality from someone other than a health care provider and such access would be likely to reveal the source of the information;

(iv) The information was obtained by a covered entity that is a health care provider in the course of a clinical trial, the individual has agreed to the denial of access when consenting to participate in the trial (if the individual’s consent to participate was obtained), and the clinical trial is in progress; or

(v) The information was compiled in reasonable anticipation of, or for use in, a legal proceeding.

(2) Other information available. Where a denial of protected health information is made pursuant to paragraph (b)(1) of this section, the covered entity must make any other protected health information requested available to the individual to the extent possible consistent with the denial.

(c) Standard: procedures to protect rights of access. A covered entity that is a health plan or a health care provider must have procedures that enable individuals to exercise their rights under paragraph (a) of this section.

(d) Implementation specifications: Access to protected health information. The procedures required by paragraph (c) of this section must:

(1) Means of request. Provide a means by which an individual can request inspection or a copy of protected health information about him or her.

(2) Time limit. Provide for taking action on such requests as soon as possible but not later than 30 days following receipt of the request.

(3) Request accepted. Where the request is accepted, provide:

(i) For notification of the individual of the decision and of any steps necessary to fulfill the request;

(ii) The information requested in the form or format requested, if it is readily producible in such form or format;

(iii) For facilitating the process of inspection and copying; and

(iv) For a reasonable, cost-based fee for copying health information provided pursuant to this paragraph, if deemed desirable by the entity.

(4) Request denied. Where the request is denied in whole or in part, provide the individual with a written statement in plain language of:

(i) The basis for the denial; and

(ii) A description of how the individual may complain to the covered entity pursuant to the complaint procedures established in § 164.518(d)(2) or to the Secretary pursuant to the procedures established in § 164.522(b). The description must include:

(A) The name and telephone number of the contact person or office required by § 164.518(a)(2) of this subpart; and

(B) Information relevant to filing a complaint with the Secretary under § 164.522(b).

§ 164.515 Accounting for disclosures of protected health information.

(a) Standard: Right to an accounting of disclosures of protected health information. An individual has a right to receive an accounting of all disclosures of protected health information made by a covered entity as long as such information is maintained by the entity, except for disclosures:

(1) For treatment, payment and health care operations; and

(2) To health oversight or law enforcement agencies, if the health oversight or law enforcement agency has provided a written request stating that the exclusion is necessary because disclosure would be reasonably likely to impede the agency’s activities and specifying the time for which such exclusion is required.

(b) Standard: Procedures for accounting. A covered entity must have procedures to give individuals an accurate accounting of disclosures for which an accounting is required by paragraph (a) of this section.

(c) Implementation specifications: Accounting procedures. The procedures required by paragraph (b) of this section must:

(1) Provide for an accounting of the following:

(i) The date of each disclosure;

(ii) The name and address of the organization or person who received the protected health information;

(iii) A brief description of the information disclosed;

(iv) For disclosures other than those made at the request of the individual, the purpose for which the information was disclosed; and

(v) Provision of copies of all requests for disclosure.

(2) Provide the accounting to the individual as soon as possible, but no later than 30 days after receipt of the request therefor.

(3) Provide for a means of accounting for as long as the entity maintains the protected health information.

(4) Provide for a means of requiring business partners to provide such an accounting upon request of the covered entity.

§ 164.516 Amendment and correction.

(a) Standard: right to request amendment or correction.—(1) Right to request. An individual has the right to request a covered entity that is a health plan or health care provider to amend or correct protected health information about him or her in designated record sets of the covered entity for as long as the covered entity maintains the information.

(2) Grounds for denial of request. A covered entity may deny a request for amendment or correction of the individual’s protected health information, if it determines that the information that is the subject of the request:

(i) Was not created by the covered entity;

(ii) Would not be available for inspection and copying under § 164.514; or

(iii) Is accurate and complete.

(b) Standard: Amendment and correction procedures. A covered entity that is a health plan or health care provider must have procedures to enable individuals to request amendment or correction, to determine whether the requests should be granted or denied, and to disseminate amendments or corrections to its business partners and others to whom erroneous information has been disclosed.

(c) Implementation specifications: Procedures. The procedures required by paragraph (b) of this section must provide that the covered entity will:

(1) Means of request. Provide a means by which an individual can request amendment or correction of his or her protected health information.

(2) Time limit. Take action on such request within 60 days of receipt of the request;

(3) Request accepted. Where the request is accepted in whole or in part:

(i) As otherwise required by this part, make the appropriate amendments or corrections;

(ii) As otherwise required by this part, identify the challenged entries as amended or corrected and indicate their location;

(iii) Make reasonable efforts to notify:

(A) Persons, organizations, or other entities the individual identifies as needing to be notified; and

(B) Persons, organizations, or other entities, including business partners, who the covered entity knows have received the erroneous or incomplete information and who may have relied, or could foreseeably rely, on such information to the detriment of the individual; and

(iv) Notify the individual of the decision to correct or amend the information.

(4) Request denied. Where the request is denied in whole or in part:

(i) Provide the individual with a written statement in plain language of:

(A) The basis for the denial;

(B) A description of how the individual may file a written statement of disagreement with the denial; and

(C) A description of how the individual may complain to the covered entity pursuant to the complaint procedures established in § 164.518(d) or to the Secretary pursuant to the procedures established in § 164.522(b). The description must include:

(1) The name and telephone number of the contact person or office required by § 164.518(a)(2); and

(2) Information relevant to filing a complaint with the Secretary under § 164.522(b).

(ii) The procedures of the covered entity must:

(A) Permit the individual to file a statement of the individual’s disagreement with the denial and the basis of such disagreement.

(B) Provide for inclusion of the covered entity’s statement of denial and the individual’s statement of disagreement with any subsequent disclosure of the information to which the disagreement relates, provided, however, that the covered entity may establish a limit to the length of the statement of disagreement, and may summarize the statement of disagreement if necessary.

(C) Permit the covered entity to provide a rebuttal to the statement of disagreement in subsequent disclosures under paragraph (c)(4)(ii)(B) of this section.

(d) Standard: Effectuating a notice of amendment or correction. Any covered entity that receives a notice of amendment or correction must have procedures in place to make the amendment or correction in any of its designated record sets and to notify its business partners, as appropriate, of necessary amendments or corrections of protected health information.

(e) Implementation specification: effectuating a notice of amendment or correction. The procedures required by paragraph (d) of this section must specify the process for correction or amendment of information in all appropriate designated record sets maintained by the covered entity and its business partners.

§ 164.518 Administrative requirements.

Except as otherwise provided, a covered entity must meet the requirements of this section.

(a) Designated privacy official: standard.—(1) Responsibilities of designated privacy official. A covered entity must designate a privacy official who is responsible for the development and implementation of the privacy policies and procedures of the entity.

(2) Contact person or office. A covered entity must designate a contact person or office who is responsible for receiving complaints under this section and who is able to provide further information about matters covered by the notice required by § 164.512. If a covered entity designates a contact person, it may designate the privacy official as the contact person.

(b) Training.—(1) Standard. All members of the covered entity’s workforce who, by virtue of their positions, are likely to obtain access to protected health information must receive training on the entity’s policies and procedures required by this subpart that are relevant to carrying out their function within the entity.

(2) Implementation specification. A covered entity must train all members of its workforce who, by virtue of their positions, are likely to obtain access to protected health information. Such training must meet the following requirements:

(i) The training must occur:

(A) For members of the covered entity’s workforce as of the date on which this subpart becomes applicable to such entity, by such date; and

(B) For persons joining the covered entity’s workforce after the date in paragraph (b)(2)(i)(A) of this section, within a reasonable period after the person joins the workforce.

(ii) The covered entity must require members of its workforce trained as required by this section to sign, upon completing training, a certification. The certification must state:

(A) The date of training; and

(B) That the person completing the training will honor all of the entity’s policies and procedures required by this subpart.

(iii) The covered entity must require members of its workforce trained as required by this section to sign, at least once every three years, a statement certifying that the person will honor all of the entity’s policies and procedures required by this subpart.

(iv) The covered entity must provide all members of its workforce with access to protected health information within the entity with further training, as relevant to their function within the entity, whenever the entity materially changes its privacy policies or procedures.

(c) Safeguards.—(1) Standard. A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information.

(2) Implementation specification: Verification procedures. A covered entity must have administrative, technical, and physical procedures in place to protect the privacy of protected health information. Such procedures must include adequate procedures for verification of the identity and/or authority, as required by this subpart, of persons requesting such information, where such identity or authority is not known to the entity, as follows:

(i) The covered entity must use procedures that are reasonably likely to establish that the individual or person making the request has the appropriate identity for the use or disclosure requested, except for uses and disclosures that are:

(A) Permitted by this subpart and made on a routine basis to persons or other entities with which the covered entity interacts in the normal course of business or otherwise known to the covered entity; or

(B) Covered by paragraphs (c)(2)(ii), (iii), or (iv) of this section.

(ii) When the request for information is made by a government agency under § 164.510(b), § 164.510(c), § 164.510(e), § 164.510(f), § 164.510(g), § 164.510(m), § 164.510(n), or § 164.522, and the identity and/or authority are not known to the covered entity, the covered entity may not disclose such information without reasonable evidence of identity and/or authority to obtain the information.

(A) For purposes of this paragraph, ‘‘reasonable evidence of identity’’ means:

(1) A written request on the agency’s letterhead;

(2) Presentation of an agency identification badge or official credentials; or

(3) Similar proof of government status.

(B) For purposes of this paragraph, ‘‘reasonable evidence of authority’’ means:


(1) A written statement of the legal authority under which the information is requested; a request for disclosure made by official legal process issued by a grand jury or a judicial or administrative body is presumed to constitute reasonable legal authority; or

(2) Where the request is made orally, an oral statement of such authority.

(iii) When the request for information is made by a person or entity acting on behalf of a government agency under § 164.510(b), § 164.510(c), § 164.510(g), or § 164.510(n), and the identity and/or authority are not known to the covered entity, the covered entity may not disclose such information without reasonable evidence of identity and/or authority to obtain the information.

(A) For the purposes of this paragraph, ‘‘reasonable evidence of identity’’ means:

(1) A written statement from the government agency, on the agency’s letterhead, that the person or entity is acting under the agency’s authority; or

(2) Other evidence or documentation, such as a contract for services, memorandum of understanding, or purchase order, that establishes that the person or entity is acting on behalf of or under the agency’s authority.

(B) For the purposes of this paragraph, ‘‘reasonable evidence of authority’’ means a statement that complies with paragraph (c)(2)(ii)(B) of this section.

(iv) For uses and disclosures under § 164.510(d), § 164.510(h), or § 164.510(j), compliance with the applicable requirements of those sections constitutes adequate verification under this section.

(v)(A) A covered entity may reasonably rely on evidence of identity and legal authority that meets the requirements of this paragraph.

(B) Where presentation of particular documentation or statements is required by this subpart as a condition of disclosure, a covered entity may reasonably rely on documentation or statements that on their face meet the applicable requirements.

(3) Implementation specification: Other safeguards. A covered entity must have safeguards to ensure that information is not used in violation of the requirements of this subpart or by members of its workforce or components of the entity or employees and other persons associated with, or components of, its business partners who are not authorized to access the information.

(4) Implementation specification: Disclosures by whistleblowers. A covered entity is not considered to have violated the requirements of this subpart where a member of its workforce or an employee or other person associated with a business partner discloses protected health information that such member or other person believes is evidence of a violation of law to:

(i) The law enforcement official or oversight agency authorized to enforce such law; or

(ii) An attorney, for the purpose of determining whether a violation of law has occurred or assessing what remedies or actions at law may be available to the employee.

(d) Complaints to the covered entity—(1) Standard. A covered entity that is a health plan or health care provider must provide a process whereby individuals may make complaints concerning the entity’s compliance with the requirements established by this subpart.

(2) Implementation specifications. A covered entity that is a health plan or health care provider must develop and implement procedures under which an individual may file a complaint alleging that the covered entity failed to comply with one or more requirements of this subpart. Such procedures must provide for:

(i) The identification of the contact person or office required by paragraph (a)(2) of this section; and

(ii) Maintenance by the covered entity of a record of all complaints and their disposition, if any.

(e) Sanctions: Standard. A covered entity must develop and apply when appropriate sanctions against members of its workforce who fail to comply with the policies and procedures of the covered entity or the requirements of this subpart in connection with protected health information held by the covered entity or its business partners.

(f) Duty to mitigate: standard. A covered entity must have procedures for mitigating, to the extent practicable, any deleterious effect of a use or disclosure of protected health information in violation of this subpart.

§ 164.520 Documentation of policies and procedures.

(a) Standard. A covered entity must adequately document its compliance with the applicable requirements of this subpart.

(b) Implementation specification: General. A covered entity must document its policies and procedures for complying with the applicable requirements of this subpart. Such documentation must include, but is not limited to, documentation that meets the requirements of paragraphs (c) through (g) of this section.

(c) Implementation specification: Usesand disclosures. With respect to uses by

the covered entity or its businesspartners of protected healthinformation, a covered entity mustdocument its policies and proceduresregarding:

(1) Uses and disclosures of suchinformation, including:

(i) Uses and disclosures withauthorization, including for revocationof authorizations; and

(ii) Uses and disclosures withoutauthorization, including:

(A) For treatment, payment, andhealth care operations;

(B) For disclosures to businesspartners, including monitoring andmitigation; and

(C) For uses and disclosures pursuantto § 164.510.

(2) For implementation of theminimum necessary requirement of§ 164.506(b).

(3) For implementation of the right torequest a restriction under § 164.506(c),including:

(A) Who, if anyone, in the coveredentity is authorized to agree to such arequest; and

(B) How restrictions agreed to areimplemented.

(4) For creation of de-identifiedinformation in accordance with§ 164.506(d).

(d) Implementation specification:Individual rights. A covered entity mustdocument its policies and proceduresunder §§ 164.512, 164.514, 164.515, and164.516, as applicable, including:

(1) How notices will be disseminatedin accordance with § 164.512;

(2) Designated record sets to whichaccess will be granted under § 164.514;

(3) Grounds for denying requests foraccess under § 164.514;

(4) Copying fees, if any;(5) Procedures for providing

accounting pursuant to § 164.515;(6) Procedures for accepting or

denying requests for amendment orcorrection under § 164.516;

(7) How other entities will be notifiedof amendments or corrections acceptedunder § 164.516; and

(8) Identification of personsresponsible for making decisions orotherwise taking action, includingserving as a contact person, under§§ 164.512, 164.514, 164.515, and164.516.

(e) Implementation specification:Administrative requirements. A coveredentity must provide documentation ofits procedures for complying with§ 164.518, including:

(1) Identification of the persons oroffices required by § 164.518(a) andtheir duties;

(2) Training provided as required by§ 164.518(b);


(3) How access to protected health information is regulated by the covered entity and its business partners, including safeguards required by § 164.518(c);

(4) For a covered entity that is a health plan or health care provider, for receiving complaints under § 164.518(d);

(5) Sanctions, and the application thereof, required by § 164.518(e); and

(6) Procedures for mitigation under § 164.518(f).

(f) Implementation specification: Specific documentation required. A covered entity must retain documentation of the following for six years from when the documentation is created, unless a longer period applies under this subpart:

(1) Restrictions agreed to pursuant to § 164.506(c);

(2) Contracts pursuant to § 164.506(e);

(3) Authorization forms used pursuant to § 164.508;

(4) Samples of all notices issued pursuant to § 164.512;

(5) Written statements required by § 164.514;

(6) The accounting required by § 164.515;

(7) Documents relating to denials of requests for amendment and correction pursuant to § 164.516;

(8) Certifications under § 164.518(b); and

(9) Complaints received and any responses thereto pursuant to § 164.518(d).

(g) Implementation specification: Change in policy or procedure. (1) Except as provided in paragraph (g)(2) of this section, a covered entity may not implement a change to a policy or procedure required or permitted under this subpart until it has made the appropriate changes to the documentation required by this section and the notice required by § 164.512.

(2) Where the covered entity determines that a compelling reason exists to make a use or disclosure or take another action permitted under this subpart that its notice and policies and procedures do not permit, it may make the use or disclosure or take the other action if:

(1) It documents the reasons supporting the use, disclosure, or other action; and

(2) Within 30 days of the use, disclosure, or other action, changes its notice, policies and procedures to permit such use, disclosure, or other action.

§ 164.522 Compliance and enforcement.

(a) Principles for achieving compliance.—(1) Cooperation. The Secretary will, to the extent practicable, seek the cooperation of covered entities in obtaining compliance with the requirements established under this subpart.

(2) Assistance. The Secretary may provide technical assistance to covered entities to help them comply voluntarily with this subpart.

(b) Individual complaints to the Secretary. An individual who believes that a covered entity is not complying with the requirements of this subpart may file a complaint with the Secretary, provided that, where the complaint relates to the alleged failure of a covered entity to amend or correct protected health information pursuant to § 164.516, the Secretary may determine whether the covered entity has followed procedures that comply with § 164.516, but will not determine whether the information involved is accurate, complete, or whether errors or omissions might have an adverse effect on the individual.

(1) Requirements for filing complaints. Complaints under this section must meet the following requirements:

(i) A complaint must be filed in writing, either on paper or electronically.

(ii) A complaint should name the entity that is the subject of the complaint and describe in detail the acts or omissions believed to be in violation of the requirements of this subpart.

(iii) The Secretary may prescribe additional requirements for the filing of complaints, as well as the place and manner of filing, by notice in the Federal Register.

(2) Investigation. The Secretary may investigate complaints filed under this section. Such investigation may include a review of the pertinent policies, practices, and procedures of the covered entity and of the circumstances regarding any alleged acts or omissions concerning compliance.

(c) Compliance reviews. The Secretary may conduct compliance reviews to determine whether covered entities are complying with this subpart.

(d) Responsibilities of covered entities.—(1) Provide records and compliance reports. A covered entity must keep such records and submit such compliance reports, in such time and manner and containing such information, as the Secretary may determine to be necessary to enable the Secretary to ascertain whether the covered entity has complied or is complying with the requirements of this subpart.

(2) Cooperate with periodic compliance reviews. The covered entity shall cooperate with the Secretary if the Secretary undertakes a review of the policies, procedures, and practices of a covered entity to determine whether it is complying with this subpart.

(3) Permit access to information. A covered entity must permit access by the Secretary during normal business hours to its books, records, accounts, and other sources of information, including protected health information, and its facilities, that are pertinent to ascertaining compliance with this subpart. Where any information required of a covered entity under this section is in the exclusive possession of any other agency, institution, or person and the other agency, institution, or person fails or refuses to furnish the information, the covered entity must so certify and set forth what efforts it has made to obtain the information. Protected health information obtained in connection with a compliance review or investigation under this subpart will not be disclosed by the Secretary, except where necessary to enable the Secretary to ascertain compliance with this subpart, in formal enforcement proceedings, or where otherwise required by law.

(4) Refrain from intimidating or retaliatory acts. A covered entity may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against any individual for the filing of a complaint under this section, for testifying, assisting, participating in any manner in an investigation, compliance review, proceeding or hearing under this Act, or opposing any act or practice made unlawful by this subpart.

(e) Secretarial action regarding complaints and compliance reviews.—(1) Resolution where noncompliance is indicated. (i) If an investigation pursuant to paragraph (b)(2) of this section or a compliance review pursuant to paragraph (c) of this section indicates a failure to comply, the Secretary will so inform the covered entity and, where the matter arose from a complaint, the individual, and resolve the matter by informal means whenever possible.

(ii) If the Secretary determines that the matter cannot be resolved by informal means, the Secretary may issue written findings documenting the non-compliance to the covered entity and, where the matter arose from a complaint, to the complainant. The Secretary may use such findings as a basis for initiating action under section 1176 of the Act or initiating a criminal referral under section 1177.

(2) Resolution where no violation is found. If an investigation or compliance review does not warrant action pursuant to paragraph (e)(1) of this section, the Secretary will so inform the covered entity and, where the matter arose from a complaint, the individual in writing.

§ 164.524 Effective date.

A covered entity must be in compliance with this subpart not later than 24 months following the effective date of this rule, except that a covered entity that is a small health plan must be in compliance with this subpart not later than 36 months following the effective date of the rule.


Appendix to Subpart E of Part 164—Model Authorization Form

[FR Doc. 99–28440 Filed 10–28–99; 4:45 pm]

BILLING CODE 4150–04–C
