[Federal Register: March 27, 2002 (Volume 67, Number 59)]
[Proposed Rules]
[Page 14775-14815]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr27mr02-22]

[[Page 14775]]

-----------------------------------------------------------------------

Part II

Department of Health and Human Services

-----------------------------------------------------------------------

45 CFR Parts 160 and 164

Office of the Secretary; Standards for Privacy of Individually
Identifiable Health Information; Proposed Rule


-----------------------------------------------------------------------

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of the Secretary

45 CFR Parts 160 and 164

RIN 0991-AB14


Standards for Privacy of Individually Identifiable Health
Information

AGENCY: Office for Civil Rights, HHS.

ACTION: Proposed rule; modification.

-----------------------------------------------------------------------

SUMMARY: The Department of Health and Human Services (HHS) proposes to
modify certain standards in the Rule entitled "Standards for Privacy
of Individually Identifiable Health Information" (the "Privacy
Rule"). The Privacy Rule implements the privacy requirements of the
Administrative Simplification subtitle of the Health Insurance
Portability and Accountability Act of 1996.
    The purpose of this action is to propose changes that maintain
strong protections for the privacy of individually identifiable health
information while clarifying misinterpretations, addressing the
unintended negative effects of the Privacy Rule on health care quality
or access to health care, and relieving unintended administrative
burden created by the Privacy Rule.

DATES: To assure consideration, written comments mailed to the
Department as provided below must be postmarked no later than April 26,
2002, and written comments hand delivered to the Department and
comments submitted electronically must be received as provided below,
no later than 5 p.m. on April 26, 2002.

ADDRESSES: Comments will be considered only if provided through any of
the following means:
    1. Mail written comments (1 original and, if possible, 3 copies and
a floppy disk) to the following address: U.S. Department of Health and
Human Services, Office for Civil Rights, Attention: Privacy 2, Hubert
H. Humphrey Building, Room 425A, 200 Independence Avenue, SW.,
Washington, DC 20201.
    2. Deliver written comments (1 original and, if possible, 3 copies
and a floppy disk) to the following address: Attention: Privacy 2,
Hubert H. Humphrey Building, Room 425A, 200 Independence Avenue, SW.,
Washington, DC 20201.
    3. Submit electronic comments at the following Web site: https://www.hhs.gov/ocr/hipaa/.
    See the SUPPLEMENTARY INFORMATION section for further information
on comment procedures, availability of copies, and electronic access.

FOR FURTHER INFORMATION CONTACT: Felicia Farmer 1-866-OCR-PRIV (1-866-627-7748) or TTY 1-866-788-4989.

SUPPLEMENTARY INFORMATION: Comment procedures, availability of copies,
and electronic access.
    Comment Procedures: All comments should include the full name,
address, and telephone number of the sender or a knowledgeable point of
contact. Comments should address only those sections of the Privacy
Rule for which modifications are being proposed or for which comments
are requested. Comments on other sections of the Privacy Rule will not
be considered, except insofar as they pertain to the standards for
which modifications are proposed or for which comments are requested.
Each specific comment should specify the section of the Privacy Rule to
which it pertains.
    Written comments should include 1 original and, if possible, 3
copies and an electronic version of the comments on a 3 1/2 inch DOS
format floppy disk in HTML, ASCII text, or popular word processor
format (Microsoft Word, Corel WordPerfect). All comments and content
must be limited to the 8.5 inches wide by 11.0 inches high vertical
(also referred to as "portrait") page orientation. Additionally, if
identical/duplicate comment submissions are submitted both
electronically at the specified Web site and in paper form, the
Department requests that each submission clearly indicate that it is a
duplicate submission.
    Because of staffing and resource limitations, the Department will
not accept comments by telephone or facsimile (FAX) transmission. Any
comments received through such media will be deleted or destroyed, as
appropriate, and not be considered as public comments. The Department
will accept electronic comments only as submitted through the Web site
identified in the ADDRESSES section above. No other form of electronic
mail will be accepted or considered as public comment. In addition,
when mailing written comments, the public is encouraged to submit
comments as early as possible due to potential delays in mail service.
    Inspection of Public Comments: Comments that are timely received in
proper form and at one of the addresses specified above will be
available for public inspection by appointment as they are received,
generally beginning approximately three weeks after publication of this
document, at 200 Independence Avenue, SW., Washington, DC on Monday
through Friday of each week from 9 a.m. to 4 p.m. Appointments may be
made by telephoning 1-866-OCR-PRIV (1-866-627-7748) or TTY 1-866-788-4989.
    Copies: To order copies of the Federal Register containing this
document, send your request to: New Orders, Superintendent of
Documents, P.O. Box 371954, Pittsburgh, PA 15250-7954. Specify the date
of the issue requested and enclose a check or money order payable to
the Superintendent of Documents, or enclose your Visa or Master Card
number and expiration date. Credit card orders can also be placed by
calling the order desk at (202) 512-1800 (or toll-free at 1-866-512-1800) or by fax to (202) 512-2250. The cost for each copy is $10.00.
Alternatively, you may view and photocopy the Federal Register document
at most libraries designated as Federal Depository Libraries and at
many other public and academic libraries throughout the country that
receive the Federal Register.
    Electronic Access: This document is available electronically at the
OCR Privacy Web site at
https://www.hhs.gov/ocr/hipaa/, as well as at the Web site of the
Government Printing Office at https://www.access.gpo.gov/su_docs/aces/aces140.html.

I. Background

A. Statutory Background

    Congress recognized the importance of protecting the privacy of
health information given the rapid evolution of health information
systems in the Health Insurance Portability and Accountability Act of
1996 (HIPAA), Public Law 104-191, which became law on August 21, 1996.
HIPAA's Administrative Simplification provisions, sections 261 through
264 of the statute, were designed to improve the efficiency and
effectiveness of the health care system by facilitating the electronic
exchange of information with respect to financial and administrative
transactions carried out by health plans, health care clearinghouses,
and health care providers who transmit information electronically in
connection with such transactions. To implement these provisions, the
statute directed HHS to adopt a suite of uniform, national standards
for transactions, unique health identifiers, code sets for the data
elements of the transactions, security of health information, and
electronic signature.
    At the same time, Congress recognized the challenges to the
confidentiality of health information presented by the increasing
complexity of the health care industry, and by advances in the health
information systems technology and communications. Thus, the
Administrative Simplification provisions of HIPAA authorized the
Secretary to promulgate regulations on standards for the privacy of
individually identifiable health information if Congress did not enact
health care privacy legislation by August 21, 1999. HIPAA also required
the Secretary of HHS to provide Congress with recommendations for
protecting the confidentiality of health care information. The
Secretary submitted such recommendations to Congress on September 11,
1997, but Congress was unable to act within its self-imposed deadline.
    With respect to these regulations, HIPAA provided that the
standards, implementation specifications, and requirements established
by the Secretary not supersede any contrary State law that imposes more
stringent privacy protections. Additionally, Congress required that HHS
consult with the National Committee on Vital and Health Statistics, a
Federal Advisory committee established pursuant to section 306(k) of
the Public Health Service Act (42 U.S.C. 242k(k)), and the Attorney
General in the development of HIPAA privacy standards.
    After a set of standards is adopted by the Department, HIPAA
provides HHS with authority to modify the standards as deemed
appropriate, but not more frequently than once every 12 months.
However, modifications are permitted during the first year after
adoption of the standard if the changes are necessary to permit
compliance with the standard. HIPAA also provides that compliance with
modifications to standards or implementation specifications must be
accomplished by a date designated by the Secretary, which may not be
earlier than 180 days from the adoption of the modification.

B. Regulatory and Other Actions to Date

    As Congress did not enact legislation regarding the privacy of
individually identifiable health information prior to August 21, 1999,
HHS published a proposed Rule setting forth such standards on November
3, 1999 (64 FR 59918). The Department received more than 52,000 public
comments in response to the proposal. After reviewing and considering
the public comments, HHS issued a final Rule (65 FR 82462) on December
28, 2000, establishing "Standards for Privacy of Individually
Identifiable Health Information" ("Privacy Rule").
    In an era where consumers are increasingly concerned about the
privacy of their personal information, the Privacy Rule creates for the
first time national protections for the privacy of their most sensitive
information--health information. Congress has passed other laws to
protect consumers' personal information contained in bank, credit card,
other financial records, and even video rentals. These health privacy
protections are intended to provide consumers with similar assurances
that their health information, including genetic information, will be
properly protected. Under the Privacy Rule, health plans, health care
clearinghouses, and certain health care providers must guard against
misuse of individuals' identifiable health information and limit the
sharing of such information, and consumers are afforded significant new
rights to understand and control how their health information is used
and disclosed.
    After publication of the Privacy Rule, HHS received many inquiries
and unsolicited comments through telephone calls, e-mails, letters, and
other contacts about the impact and operation of the Privacy Rule on
numerous sectors of the health care industry. Many of these commenters
exhibited substantial confusion over how the Privacy Rule will operate;
others expressed great concern over the complexity of the Privacy Rule.
In response to these communications and to ensure that the provisions
of the Privacy Rule would protect patients' privacy without creating
unanticipated consequences that might harm patients' access to health
care or quality of health care, the Secretary of HHS requested comment
on the Privacy Rule in March 2001 (66 FR 12738). After an expedited
review of the comments by the Department, the Secretary decided that it
was appropriate for the Privacy Rule to become effective on April 14,
2001, as scheduled (65 FR 12433). At the same time, the Secretary
directed the Department immediately to begin the process of developing
guidelines on how the Privacy Rule should be implemented and to clarify
the impact of the Privacy Rule on health care activities. In addition,
the Secretary charged the Department with proposing appropriate changes
to the Privacy Rule during the next year to clarify the requirements
and correct potential problems that could threaten access to, or
quality of, health care. The comments received during the comment
period, as well as other communications from the public and all sectors
of the health care industry, including letters, testimony at public
hearings, and meetings requested by these parties, have helped to
inform the Department's efforts to develop proposed modifications and
guidance on the Privacy Rule.
    On July 6, 2001, the Department issued its first guidance to answer
common questions and clarify certain of the Privacy Rule's provisions.
In the guidance, the Department also committed to proposing
modifications to the Privacy Rule to address problems arising from
unintended effects of the Privacy Rule on health care delivery and
access. The guidance is available on the HHS Office for Civil Rights
(OCR) Privacy Web site at https://www.hhs.gov/ocr/hipaa/.

II. Overview of the Proposed Rule

    As described above, through public comments, testimony at public
hearings, meetings at the request of industry and other stakeholders,
as well as other communications, the Department learned of a number of
concerns about the potential unintended effect certain provisions would
have on health care delivery and access. In response to these concerns,
and pursuant to HIPAA's provisions for modifications to the standards,
the Department is proposing modifications to the Privacy Rule.
    In addition, the National Committee for Vital and Health Statistics
(NCVHS), Subcommittee on Privacy and Confidentiality, held public
hearings on the implementation of the Privacy Rule on August 21-23,
2001, and January 24-25, 2002, and provided recommendations to the
Department based on these hearings. The NCVHS serves as the statutory
advisory body to the Secretary of HHS with respect to the development
and implementation of the Rules required by the Administrative
Simplification provisions of HIPAA, including the privacy standards.
Through the hearings, the NCVHS specifically solicited public input on
issues related to certain key standards in the Privacy Rule: consent,
minimum necessary, marketing, fundraising, and research. The resultant
public testimony and subsequent recommendations submitted to the
Department by the NCVHS also served to inform the development of these
proposed modifications.
    Based on the information received through the various sources
described above, the Department proposes to modify the following areas
or provisions of the Privacy Rule: consent, including other provisions
for uses and disclosures of protected health information for treatment,
payment, and health care operations; notice of privacy
practices for protected health information; minimum necessary uses and
disclosures, and oral communications; business associates; uses and
disclosures for marketing; parents as the personal representatives of
unemancipated minors; uses and disclosures for research purposes; uses
and disclosures of protected health information for which
authorizations are required; and de-identification of protected health
information. In addition to these key areas, the proposal includes
changes to certain other provisions where necessary to clarify the
Privacy Rule. The Department also includes in the proposed Rule a list
of technical corrections intended as editorial or typographical
corrections to the Privacy Rule.
    The proposed modifications collectively are designed to ensure that
protections for patient privacy are implemented in a manner that
maximizes the effectiveness of such protections while not compromising
either the availability or the quality of medical care. They reflect a
continuing commitment on the part of the Department to strong privacy
protections for medical records and the belief that privacy is most
effectively protected by requirements that are not exceptionally
difficult to implement. If there are any ways in which privacy
protections are unduly compromised by these modifications, the
Department welcomes comments and suggestions for alternative ways
effectively to protect patient privacy without adversely affecting
access to, or the quality of, health care.
    Given that the compliance date of the Privacy Rule for most covered
entities is April 14, 2003, and statutory requirements to ensure that
affected parties have sufficient time to come into compliance require
any revisions to become effective by October 13, 2002, the Department
is soliciting public comment on these proposed modifications for only
30 days. As stated above, the modifications address public concerns
already communicated to the Department through a wide variety of
sources since publication of the Privacy Rule in December 2000. For
these reasons, the Department believes that 30 days should be
sufficient for the public to state its views fully to the Department on
the proposed modifications to the Privacy Rule.

III. Description of Proposed Modifications

A. Uses and Disclosures for Treatment, Payment, and Health Care
Operations

1. Consent
    Treatment and payment for health care are core functions of the
health care industry, and uses and disclosures of individually
identifiable health information for such purposes are critical to the
effective operation of the health care system. Health care providers
and health plans must also use individually identifiable health
information for certain health care operations, such as administrative,
financial, and legal activities, to run their businesses, and to
support the essential health care functions of treatment and payment.
Equally important are health care operations designed to maintain and
improve the quality of health care. In developing the Privacy Rule, the
Department considered the privacy implications of uses and disclosures
for treatment, payment, and health care operations in connection with
the need for these activities to continue. In balancing the need for
these activities and the privacy interests involved in using and
disclosing protected health information for these purposes, the
Department considered the fact that many individuals expect that their
health information will be used and disclosed as necessary to treat
them, bill for treatment, and, to some extent, operate the covered
entity's health care business. Due to individual expectations with
respect to the use or disclosure of information for such activities and
so as not to interfere with an individual's access to quality health
care or efficient payment for such health care, the Department's goal
is to permit these activities to occur with little or no restriction.
    Consistent with this view, the Privacy Rule generally provides
covered entities with permission to use and disclose protected health
information as necessary for treatment, payment, and health care
operations. For certain health care providers that have a direct
treatment relationship with individuals, such as many physicians,
hospitals, and pharmacies, the Privacy Rule requires such providers to
obtain an individual's written consent prior to using or disclosing
protected health information for these purposes.
    To implement the consent standard, the Privacy Rule requires a
covered health care provider with a direct treatment relationship with
the individual to obtain a single, one-time, general permission from
the individual prior to using or disclosing protected health
information about him or her for treatment, payment, and health care
operations. An individual may revoke his or her consent at any time,
except to the extent that the covered entity has taken action in
reliance on the consent. The Privacy Rule contains exceptions to the
consent requirements, under which a provider may use or disclose
protected health information without prior consent when there is an
emergency treatment situation, when a provider is required by law to
treat the individual, or when there are substantial communication
barriers. Additionally, because the Department realizes that a health
care provider cannot treat a patient without being able to use and
disclose his or her protected health information for treatment
purposes, the Privacy Rule permits a covered health care provider to
refuse to treat a patient who refuses to provide consent. Finally, the
Privacy Rule permits other covered entities to voluntarily obtain
consent, in accordance with these consent provisions.
    The consent requirement for health care providers with direct
treatment relationships was a significant change from the Department's
initial proposal published in November 1999. At that time, the
Department proposed to permit all covered entities to use and disclose
protected health information to carry out treatment, payment, and
health care operations without any requirement that the covered
entities obtain an individual's consent for such uses and disclosures,
subject to a few limited exceptions. Further, the Department had
proposed to prohibit covered entities from obtaining an individual's
consent for uses and disclosures of protected health information for
these purposes, unless required by other applicable law. Instead, the
Department relied on the principle of fair notice, coupled with
regulatory limits on the use and disclosure of health information, to
balance the individual's privacy interests against the need not to
impede the delivery of quality health care. Providing individuals with
fair notice about the information practices and responsibilities of
their plans and providers, and their rights with respect to information
about them, is a privacy principle as important as the principle of
consent. Indeed, consents often provide individuals with little actual
control over information. When an individual is required to sign a
blanket consent at the point of treatment as a condition of treatment
or payment, that
consent is often not voluntary. Instead, therefore, the Department
proposed to require most covered entities to create and provide to
individuals a notice describing all of the entity's information
practices, including their practices with respect to uses and
disclosures of protected health information to carry out treatment,
payment, and health care operations.
    The Department received a strong public response opposing this
proposal. Health care providers and patients argued that consent
provides individuals with a sense of control over how their information
will be used and disclosed, is a current practice of many health care
providers, and is expected by patients. Providers explained that they
would face an ethical conflict from a prohibition on obtaining consent.
The consent requirement for direct treatment providers was a direct
response to these comments.
Public Comments
    The Department received many comments in March 2001, as well as
recommendations from the NCVHS based on public testimony, about the
consent provisions in the Privacy Rule. There were some proponents of
consent that urged the Department to retain, expand, or strengthen the
consent provisions. There were also many opponents of consent that
raised a number of issues and serious concerns that the consent
requirements will impede access to, and the delivery of, quality health
care. Most significantly, many covered entities described an array of
circumstances when they need to use or disclose protected health
information for treatment, payment, or health care operations purposes
prior to the initial face-to-face contact with the patient, and
therefore, prior to obtaining consent.
    Consistent with the comments that the Department received after the
initial notice of proposed rulemaking (NPRM), proponents of the consent
requirement argued that consent is integral to providing individuals
the opportunity to be active participants in their own health care and
can bolster patient trust in providers. One of the most significant
values that proponents placed on consent was that it defines an
"initial moment" when patients can focus on information practices and
raise questions about privacy concerns. Some proponents recommended
that the consent requirement be extended to health plans because these
entities may not have the same duty and legal obligation as health care
providers to maintain confidentiality.
    Others urged the Department to strengthen consent by eliminating
the ability of providers to condition treatment on the receipt of
consent. There were also some commenters that thought that consent
should be required more frequently. They claimed that the consent
provisions will be ineffective to provide individuals with control over
how their information will be used or disclosed because it is general
and only must be obtained one time. They argued that an individual may
have differing degrees of concern about the privacy of health
information, depending on the nature of the information raised in the
particular encounter with the provider, and that an initial, one-time
consent cannot account for such variation.
    At the same time, most covered entities were concerned about
significant practical problems that resulted from the consent
requirements in the Privacy Rule. Commenters raised numerous examples
of obstacles that the prior consent provisions will pose to timely
access to health care. Health care providers commented that they often
use health information about an individual for necessary treatment,
payment, and health care operations activities prior to the first face-
to-face contact with the individual. Under the Privacy Rule, these
routine and often essential activities are not permitted unless the
provider first obtains consent from the individual. Although the
consent only needs to be obtained one time, there may be problems for
new patients who have not yet provided consent, for existing patients
who have not yet provided consent after the compliance date of the
Privacy Rule, for patients who have revoked consent, and for patients
who may have provided consent, but the provider cannot find such
documentation.
    These concerns were primarily raised by pharmacists and pharmacies,
but the same issue exists in any referral or new patient situation.
Pharmacists informed us that they typically use individually
identifiable health information, received from a physician, to fill a
prescription, search for potential drug interactions, and determine
eligibility and obtain authorization for payment, before the individual
arrives at the pharmacy to pick up the prescription. The consent
requirement would delay such activity for any first-time customers and
for many more customers immediately following the compliance date of
the Privacy Rule. Tracking consents in large, multi-state pharmacy
chains can result in delays as well. At best, an individual will
experience significant delays in obtaining his or her prescription if a
pharmacist cannot fill the prescription until the individual is present
to sign a consent. Even greater delays may be experienced by
individuals too ill to pick up their own prescriptions. Although the
Privacy Rule permits a friend or neighbor to pick up the prescription,
that person may not have the legal authority to sign a consent on the
individual's behalf. Thus, a number of trips back and forth to the
pharmacy may be needed to obtain the prior consent. This problem is
greatly magnified in rural areas, where persons may travel much longer
distances to see health care providers, including pharmacists.
    Similarly, a hospital receives information about a patient from a
referring physician and routinely uses this information to schedule and
prepare for procedures before the individual presents at the hospital
for such procedure. The Privacy Rule's requirement that a covered
entity obtain an individual's consent prior to using or disclosing
their information is an impediment to these activities and could
require an individual to make an additional trip to the hospital simply
to provide consent. The Department did not intend that the Privacy Rule
interfere with such activities.
    Commenters also raised concerns that providers who do not provide
treatment in person may be unable to provide care because they are
unable to obtain prior written consent to use protected health
information at the first service delivery. This was a special concern
with respect to providers who care for individuals over the telephone.
For example, providers who cover for other providers during non-
business hours or providers who had not yet had the opportunity to
obtain a patient's consent were concerned that they would not be able
to respond to telephone calls from individuals in need of treatment
because they were not able to obtain consent over the telephone. Nurses
who staff telephone centers that provide health care assessment and
advice, but who never see patients, had similar concerns.
    Other concerns related to treatment were expressed about the
limitations of the exceptions to the consent requirement in the Privacy
Rule. For example, emergency medical providers were unclear as to
whether all activities in which they engage qualify for the emergency
treatment exception to the consent requirement. As a result of this
confusion, they were concerned that, if a situation was urgent, they
would have to try to obtain consent to comply with the Privacy Rule
even if that would be inconsistent with current practice of emergency
medicine. These providers
also were concerned about the requirement that a provider must attempt
to obtain consent as soon as reasonably practicable after an emergency.
Emergency medical providers explained that they typically do not have
ongoing relationships with individuals and that the requirement to
attempt to obtain consent after the emergency would require significant
efforts and administrative burden on their part, and would be viewed as
harassment by individuals.
    Providers who do not provide emergency care and who are not likely
to meet one of the consent exceptions were concerned that they may be put
in the untenable position of having to decide whether to withhold
treatment when an individual does not provide consent or proceed to use
information to treat the individual in violation of the consent
requirements.
    Covered entities were also concerned that the difficulty in
tracking consents may hamper treatment. The Privacy Rule permits an
individual to revoke his or her consent. Large institutional providers
claimed that, since tracking of patient consents and revocations would
be very difficult and expensive, in practice, they would need to obtain
consent for each patient encounter, rather than just one-time as
allowed by the Privacy Rule. Covered entities were concerned that, if
an individual revokes consent, they would have to eliminate all
protected health information about that individual from their systems
in order to ensure that it was not used inadvertently for routine
health care operations purposes, which would hinder their quality
improvement activities and other health care operations. Additionally,
testimony before the NCVHS revealed a concern that the ability of a
patient to revoke consent might prevent health care providers from
accessing protected health information that is critical for the
treatment of an individual in an emergency treatment situation where a
new consent is not obtained.
    The Department also heard many concerns about the transition
provisions related to the use and disclosure of protected health
information for treatment, payment, or health care operations. The
Privacy Rule permits covered health care providers that are required to
obtain consent for treatment, payment, or health care operations to
continue, after the compliance date of the Privacy Rule, to use and
disclose protected health information they created or received prior to
the compliance date of the Privacy Rule for these purposes if they have
obtained consent, authorization, or other express legal permission to
use or disclose such information for any of these purposes, even if
such permission does not meet the consent requirements under the
Privacy Rule. Many providers informed the Department that they
currently were not required to obtain consent for these purposes, that
these transition provisions would result in significant operational
problems, and that the inability to access health records would have an
adverse effect on quality activities.
    Concerns also were raised regarding the exception to the consent
requirement for cases where a provider is required by law to treat an
individual. For example, providers that are required by law to treat
were concerned about the mixed messages to patients and interference
with the physician-patient relationship that would result when they are
required to ask for consent to use or disclose protected health
information for treatment, payment, or health care operations, but if
the patient says "no," they are permitted to use or disclose the
information for such purposes anyway.
    There also was confusion about the interaction of the consent
provisions and the provisions regarding parents and minors. Testimony
received by the NCVHS indicated uncertainty as to the validity of a
consent signed by a parent for his or her minor child once the child
reaches the age of majority. The NCVHS requested clarification
regarding whether a child must sign a new consent upon reaching the age
of majority.
    The NCVHS hearings and recommendations focused on practical
implementation issues, including the unintended consequences of the
consent provisions, but did not address whether the Privacy Rule should
or should not require consent. The NCVHS generally recommended that the
Department consider circumstances in which protected health information
could be used and disclosed without an individual's prior written
consent and modify the Privacy Rule accordingly. The Committee
specifically recommended that the Privacy Rule should be amended to
include provisions for allowing covered entities to use and disclose
protected health information prior to the initial face-to-face contact
with an individual.
Proposed Modifications
    The Department is concerned by the multitude of comments and
examples demonstrating that the consent requirements result in
unintended consequences that impede the provision of health care in
many critical circumstances and that other such unintended consequences
may exist which have yet to be brought to its attention. However, the
Department understands that the opportunity to discuss privacy
practices and concerns is an important component of privacy, and that
the confidential relationship between a patient and a health care
provider includes the patient's ability to be involved in discussions
and decisions related to the use and disclosure of any protected health
information about him or her.
    Accordingly, the Department proposes an approach that protects
privacy interests by affording patients the opportunity to engage in
important discussions regarding the use and disclosure of their health
information, while allowing activities that are essential to provide
access to quality health care to occur unimpeded. Specifically, the
Department proposes to make optional the obtaining of consent to use
and disclose protected health information for treatment, payment, or
health care operations on the part of all covered entities, including
providers with direct treatment relationships. Under this proposal,
health care providers with direct treatment relationships with
individuals would no longer be required to obtain an individual's
consent prior to using and disclosing information about him or her for
treatment, payment, and health care operations. They, like other
covered entities, would have regulatory permission for such uses and
disclosures.
    In order to preserve flexibility and the valuable aspects of the
consent requirement, the Department proposes changes that would: (1)
Permit all covered entities to obtain consent if they choose, (2)
strengthen the notice requirements to preserve the opportunity for
individuals to discuss privacy practices and concerns with providers,
and (3) enhance the flexibility of the consent process for those
covered entities that choose to obtain consent. See section III.B. of
the preamble below for the related discussion of proposed modifications
to the Privacy Rule's notice requirements.
    Other individual rights would not be affected by this proposal.
Although covered entities would not be required to obtain an
individual's consent, any uses or disclosures of protected health
information for treatment, payment, or health care operations would
still need to be consistent with the covered entity's notice of privacy
practices. Also, the removal of the consent requirement only applies to
consent for treatment, payment, and health care operations; it does not
alter the

[[Page 14781]]

requirement to obtain an authorization under Sec. 164.508 for uses and
disclosures of protected health information not otherwise permitted by
the Privacy Rule. The functions of treatment, payment, and health care
operations were all given carefully limited definitions in the Privacy
Rule, and the Department intends to enforce strictly the requirement
for obtaining an individual's authorization, in accordance with
Sec. 164.508, for uses and disclosure of protected health information
for other purposes not otherwise permitted or required by the Privacy
Rule. Furthermore, individuals would retain the right to request
restrictions, in accordance with Sec. 164.522(a).
    Although consent for use and disclosure of protected health
information for treatment, payment, and health care operations would no
longer be mandated, the Department is proposing to allow covered
entities to have a consent process if they wish to do so. The
Department heard from some commenters that obtaining consent was an
integral part of the ethical and other practice standards for many
health care professionals. The Department, therefore, would not
prohibit covered entities from obtaining consent.
    Under this proposal, a consent could apply only to uses and
disclosures that are otherwise permitted by the Privacy Rule. A consent
obtained through this voluntary process would not be sufficient to
permit a use or disclosure which, under the Privacy Rule, requires an
authorization or is otherwise expressly conditioned. For example, a
consent could not be obtained in lieu of an authorization or a waiver
of authorization by an IRB or Privacy Board to disclose protected
health information for research purposes.
    The Department proposes to allow covered entities that choose to
have a consent process complete discretion in designing this process.
The comments have informed the Department that one consent process and
one set of principles will likely be unworkable. As a result, these
proposed standards would leave complete flexibility to each covered
entity. Covered entities that chose to obtain consent could rely on
industry practices to design a voluntary consent process that works
best for their practice area and consumers.
    To effectuate these changes to the consent standard, the Department
proposes to replace the consent provisions in Sec. 164.506 with a new
provision at Sec. 164.506(a) that would provide regulatory permission
for covered entities to use or disclose protected health information
for treatment, payment, and health care operations, and a new provision
at Sec. 164.506(b) that would allow covered entities to obtain consent
if they choose to, and make clear that such consent may not permit a
use or disclosure of protected health information not otherwise
permitted or required by the Privacy Rule. Additionally, the Department
proposes a number of conforming modifications throughout the Privacy
Rule to accommodate the proposed approach. The most substantive
corresponding changes are proposed at Secs. 164.502 and 164.532.
Section 164.502(a)(1) provides a list of the permissible uses and
disclosures of protected health information, and refers to the
corresponding section of the Privacy Rule for the detailed
requirements. The Department collapses the provisions at
Secs. 164.502(a)(1)(ii) and (iii) that address uses and disclosures of
protected health information for treatment, payment, and health care
operations and modifies the language to eliminate the consent
requirement for these purposes.
    Section 164.532 consists of the transition provisions. In
Sec. 164.532, the Department deletes references to Sec. 164.506 and to
consent, authorization, or other express legal permission obtained for
uses and disclosures of protected health information for treatment,
payment, and health care operations prior to the compliance date of the
Privacy Rule. The proposal to permit a covered entity to use or
disclose protected health information for these purposes without
consent or authorization would apply to any protected health
information held by a covered entity whether created or received before
or after the compliance date. Therefore, transition provisions would
not be necessary.
    The Department also proposes conforming changes to the definition
of "more stringent" in Sec. 160.202, Sec. 164.500(b)(1)(v),
Secs. 164.508(a)(2)(i) and (b)(3)(i), the introductory text of
Secs. 164.510 and 164.512, the title of Sec. 164.512, and
Sec. 164.520(b)(1)(ii)(B) to reflect that consent is no longer
required.
2. Disclosures for Treatment, Payment, or Health Care Operations of
Another Entity
    The Privacy Rule permits a covered entity to use and disclose
protected health information for treatment, payment, or health care
operations (subject to a consent in some cases). Uses and disclosures
for treatment are broad because the definition of treatment
incorporates the interaction among more than one entity; specifically,
coordination and management of health care among health care providers
or by a health care provider with a third party, consultations between
health care providers, and referrals of a patient for health care from
one health care provider to another. As a result, covered entities are
permitted to disclose protected health information for treatment
regardless of to whom the disclosure is made, as well as to disclose
protected health information for the treatment activities of another
health care provider.
    However, for payment and health care operations, the Privacy Rule
generally limits a covered entity's uses and disclosures of protected
health information to those that are necessary for its own payment and
health care operations activities. This limitation is explicitly stated
in the preamble discussions in the Privacy Rule of the definitions of
"payment" and "health care operations." The Privacy Rule also
provides that a covered entity must obtain authorization to disclose
protected health information for the payment or health care operations
of another entity. The Department intended these requirements to be
consistent with individuals' privacy expectations. See
Secs. 164.506(a)(5) and 164.508(e).
Public Comments
    A number of commenters raised specific concerns with the
restriction that a covered entity is permitted to use and disclose
protected health information only for its own payment and health care
operations activities. These commenters presented a number of examples
where such a restriction would impede the ability of certain covered
entities to obtain reimbursement for health care, to conduct certain
quality assurance or improvement activities, such as accreditation, or
to monitor fraud and abuse.
    With regard to payment, the Department received specific concerns
about the difficulty that the Privacy Rule will place on certain
providers trying to obtain information needed for reimbursement for
health care. Specifically, ambulance service providers explained that
they normally receive the information they need to seek payment for
treatment from the hospital emergency departments to which they
transport their patients, since it is usually not possible at the time
the service is rendered for the ambulance service provider to obtain
such information directly from the individual. Nor is it practicable or

[[Page 14782]]

feasible in all cases for the hospital to obtain the individual's
authorization to provide payment information to the ambulance service
provider after the fact. This disclosure of protected health
information from the hospital to the ambulance service provider is not
permitted under the Privacy Rule without an authorization from the
patient because it is a disclosure by the hospital for the payment
activities of the ambulance service provider.
    In addition, commenters stated that physicians and other covered
entities outsource their billing, claims, and reimbursement functions
to accounts receivable management companies. These collectors often
attempt to recover payments from a patient for care rendered by
multiple health care providers. Commenters were concerned that the
Privacy Rule will prevent these collectors, as business associates of
multiple providers, from using a patient's demographic information
received from one provider in order to facilitate collection for
another provider's payment purposes.
    With regard to health care operations, the Department also received
comments about the difficulty that the Privacy Rule will place on
health plans trying to obtain information needed for quality assessment
activities. Health plans informed the Department that they need to
obtain individually identifiable health information from health care
providers for the plans' own quality-related activities, accreditation,
and performance measures, e.g., Health Plan Employer Data and
Information Set (HEDIS). Commenters explained that the information
provided to plans for payment purposes (e.g., claims or encounter
information) may not be sufficient for quality assessment or
accreditation purposes. Plans may receive even less information from
their capitated providers.
    The NCVHS also received specific public testimony with regard to
this issue as part of public hearings held in August 2001. The NCVHS
subsequently recommended to the Department that the Privacy Rule be
amended to allow for uses and disclosures for quality-related
activities among covered entities without individual written
authorization.
Proposed Modifications
    Based on concerns raised by comments, the Department proposes to
modify Sec. 164.506 to permit a covered entity to disclose protected
health information for the payment activities of another covered entity
or health care provider, and for certain health care operations of
other covered entities. This proposal would broaden the uses and
disclosures that are permitted as part of treatment, payment, and
health care operations so as not to interfere inappropriately with
access to quality and effective health care, while limiting this
expansion in order to continue to protect the privacy expectations of
individuals. It would be a limited expansion of the information that is
allowed to flow between entities, without an authorization, as part of
treatment, payment, and certain health care operations.
    The Department proposes the following. First, the Department
explicitly includes in Sec. 164.506(c)(1) language stating that a
covered entity may use or disclose protected health information for its
own treatment, payment, or health care operations without prior consent
or authorization.
    Second, in Sec. 164.506(c)(2), the Department includes language to
clarify its intent that a covered entity may share protected health
information for the treatment activities of another health care
provider. For example, a primary care provider, who is a covered entity
under the Privacy Rule, may send a copy of an individual's medical
record to a specialist who needs the information to treat the same
individual. No authorization would be required.
    Third, with respect to payment, the Department proposes, in
Sec. 164.506(c)(3), to explicitly permit a covered entity to disclose
protected health information to another covered entity or health care
provider for the payment activities of that entity. The Department
recognizes that not all health care providers who need protected health
information to obtain payment are covered entities, and therefore,
proposes to allow disclosures of protected health information to both
covered and non-covered health care providers. The Department is
unaware of any similar barrier with respect to plans that are not
covered under the Privacy Rule to obtain the protected health
information they need for payment purposes, but solicits comment on
whether such barriers exist. Therefore, the Department proposes to
limit disclosures under this provision to those health plans that are
covered by the Privacy Rule.
    Fourth, in Sec. 164.506(c)(4), the Department proposes to permit a
covered entity to disclose protected health information about an
individual to another covered entity for certain health care operations
purposes of the covered entity that receives the information. The
proposal would permit such disclosures only for the activities
described in paragraphs (1) and (2) of the definition of "health care
operations," as well as for health care fraud and abuse detection and
compliance programs (as provided for in paragraph (4) of the definition
of "health care operations"). The activities that fall into
paragraphs (1) and (2) of the definition of "health care operations"
include quality assessment and improvement activities, population-based
activities relating to improving health or reducing health care costs,
case management, conducting training programs, and accreditation,
certification, licensing, or credentialing activities. This provision
is intended to allow information to flow from one covered entity to
another for activities important to providing quality and effective
health care.
    The proposed expansion for permissible disclosures for health care
operations without authorization is more limited than the permissible
disclosures for treatment and payment in two ways. First, in contrast
to treatment and payment, the proposal limits the types of health care
operations that are covered by this expansion. The Department proposes
this limitation because it recognizes that "health care operations"
is a broad term and that individuals are less aware of the business-
related activities that involve the use and disclosure of protected
health information. In addition, many commenters and the NCVHS focused
their comments on covered entities' needs to share protected health
information for quality-related health care operations activities.
    Second, in contrast to the treatment and payment provisions in this
section, the proposal for disclosures of protected health information
for health care operations of another entity limits disclosures to
other covered entities. By limiting disclosure for such purposes to
entities that are required to comply with the Privacy Rule, the
protected health information would continue to be protected. The
Department believes that this would create the appropriate balance
between meeting an individual's privacy expectations and meeting a
covered entity's need for information for quality-related health care
operations.
    These proposed modifications to allow disclosures for health care
operations of another entity are permitted only to the extent that each
entity has, or has had, a relationship with the individual who is the
subject of the information being requested. Where the relationship
between the individual and the covered entity has ended, a disclosure
of protected health information about the individual only would be
allowed if related to the past

[[Page 14783]]

relationship. The Department believes that this limitation is necessary
in order to protect the privacy expectations of the individual. An
individual should expect that two providers that are providing
treatment to the individual, and the health plan that pays for the
individual's health care, would have protected health information about
the individual for health care operations purposes. However, an
individual would not expect a health plan with which the individual has
no relationship to be able to obtain identifiable information from his
or her health care provider. Therefore, this proposed limitation would
minimize the effect on privacy interests, while not interfering with
covered entities' ability to continue to provide access to quality and
effective health care.
    These provisions do not eliminate a covered entity's responsibility
to apply the Privacy Rule's minimum necessary provisions to both the
disclosure of and request for information for payment and health care
operations purposes. In addition, the Department continues to strongly
encourage the use of de-identified information wherever feasible.
    The Department, however, is aware that the above proposal could
pose barriers to disclosures for quality-related health care operations
to plans and health care providers that are not covered entities, or to
entities that do not have a relationship with the individual. For
example, the proposal could be a problem for hospitals that share
aggregated but identifiable information with other hospitals for health
care operations purposes, when the recipient hospital does not have a
relationship with the individual who is the subject of the information
being disclosed. While the Department believes the proposed
modification strikes the right balance between privacy expectations and
covered entities' need for information for such purposes, the
Department is considering permitting the disclosure of information that
is not facially identifiable for quality-related purposes, subject to a
data use or similar agreement. This would permit uses and disclosures
for such purposes of a limited data set that does not include facially
identifiable information, but in which certain identifiers remain. The
Department is requesting comment on whether this approach would strike
a proper balance. See section III.I of the preamble regarding de-
identification of protected health information for a detailed
discussion of this proposed approach.
    Related to the above modifications, and in response to comments
evidencing confusion on this matter, the Department proposes in
Sec. 164.506(c)(5) to make it clear that covered entities participating
in an organized health care arrangement (OHCA) may share protected
health information for the health care operations of the OHCA. The
Privacy Rule allows legally separate covered entities that are
integrated clinically or operationally to be considered an OHCA for
purposes of the Privacy Rule if protected health information must be
shared among the covered entities for the joint management and
operations of the arrangement. See the definition of "organized health
care arrangement" in Sec. 164.501. Additionally, the Privacy Rule, in
the definition of "health care operations," permits the sharing of
protected health information in an OHCA for such activities. The
Department proposes to remove the language regarding OHCAs from the
definition of "health care operations" as unnecessary because such
language now would appear in Sec. 164.506(c)(5).
    In addition, the Department proposes a conforming change to delete
the word "covered" in paragraph (1)(i) of the definition of
"payment." This change would be necessary because the proposal would
permit disclosures to non-covered providers for their payment
activities.

B. Notice of Privacy Practices for Protected Health Information

    The Privacy Rule requires most covered entities to provide
individuals with adequate notice of the uses and disclosures of
protected health information that may be made by the covered entity,
and of the individual's rights, and the covered entity's
responsibilities, with respect to protected health information. See
Sec. 164.520. Content requirements for the notice are specified in the
Privacy Rule. There are also specific requirements, which vary based on
the type of covered entity, for providing such notice to individuals.
    For example, a covered health care provider that has a direct
treatment relationship with an individual must provide the notice by
the date of the first service delivery and, if such provider maintains
a physical service delivery site, must post the notice in a clear and
prominent location. In addition, whenever the notice is revised, the
provider must make the notice available upon request. If the covered
provider maintains a website, the notice must also be available
electronically on the web site. If the first service delivery to an
individual is electronic, the covered provider must furnish electronic
notice automatically and contemporaneously in response to the
individual's first request for service.
Proposed Modifications
    In order to preserve some of the most important benefits of the
consent requirement, the Department proposes to modify the notice
requirements at Sec. 164.520(c)(2) to require that a covered health
care provider with a direct treatment relationship make a good faith
effort to obtain an individual's written acknowledgment of receipt of
the provider's notice of privacy practices. Other covered entities,
such as health plans, would not be required to obtain this
acknowledgment from individuals, but could do so if they chose.
    The Department believes that promoting individuals' understanding
of privacy practices is an essential component of providing notice to
individuals. In addition, the Department believes it is just good
business practice to provide individuals with fair notice about how
their information will be used, disclosed, and protected. This proposal
would strengthen the notice process by incorporating into the notice
process the "initial moment" between a covered health care provider
and an individual, where individuals may focus on information practices
and privacy rights and discuss any concerns related to the privacy of
their protected health information. This express acknowledgment would
also provide the opportunity for an individual to make a request for
additional restrictions on the use or disclosure of his or her
protected health information or for additional confidential treatment
of communications, as permitted under Sec. 164.522.
    The Department intends the proposed notice acknowledgment
requirement to be simple and not impose a significant burden on either
the covered health care provider or the individual. First, the
requirement for good faith efforts to obtain a written acknowledgment
only applies to covered providers with direct treatment relationships.
This is the same group of covered entities that would have been
required to obtain consent under the Privacy Rule. The Department
believes that these are the covered entities that have the most direct
relationships with individuals, and therefore, the entities for which
the requirement will provide the greatest privacy benefit to
individuals with the least burden to covered entities.
    Second, the Department designed the timing of the proposed good
faith acknowledgment requirement to limit the burden on covered
entities by generally making it consistent with the

[[Page 14784]]

timing for notice distribution. Therefore, with one exception, a
covered health care provider would be required to make good faith
efforts to obtain a written acknowledgment of the notice at the time of
first service delivery--the same time that the notice must be provided.
The Department understands, however, that providing notice and
obtaining an acknowledgment is not practicable during emergency
treatment situations. In these situations, the Department proposes in
Sec. 164.520(c)(2) to delay the requirement for provision of notice
until reasonably practicable after the emergency treatment situation,
and exempt health care providers from having to make a good faith
effort to obtain the acknowledgment in emergency treatment situations.
    Third, the proposal does not prescribe in detail the form the
acknowledgment must take. Rather, the Department proposes to require
only that the acknowledgment be in writing, and intends to allow each
covered health care provider to choose the form and other details of
the acknowledgment that are best suited to the entity's practices and
that will not pose an impediment to the delivery of timely, quality
health care. While the Department believes that requiring the
individual's signature is preferable because an individual is likely to
pay more attention or more carefully read a document that he or she
signs, the proposal does not require an individual's signature on the
notice. An acknowledgment under this proposed modification also may be
obtained, for example, by having the individual sign a separate list or
simply initial a cover sheet of the notice to be retained by the
covered entity. The proposal would not limit the manner in which a
covered entity obtains the individual's acknowledgment of receipt of
the notice.
    Most importantly, the proposed modification would require only the
good faith effort of the provider to obtain the individual's
acknowledgment. The Department understands that an individual may
refuse to sign or otherwise fail to provide his or her acknowledgment.
Unlike the Privacy Rule's consent requirement, an individual's failure
or refusal to acknowledge the notice, despite a covered entity's good
faith efforts to obtain such signature, would not interfere with the
provider's ability to deliver timely and effective treatment. Failure
by a covered entity to obtain an individual's acknowledgment, assuming
it otherwise documented its good faith effort, would not be considered
a violation of the Privacy Rule. Compliance with this requirement would
be achieved in a particular case if the provider with a direct
treatment relationship either: (1) Obtained a written acknowledgment,
or (2) made a good faith effort to obtain such acknowledgment and
documented such efforts and the reason for failure. Such reason for
failure simply may be, for example, that the individual refused to sign
after being requested to do so. In addition to the individual's failure
or refusal to acknowledge receipt of the notice, this proposed
provision is intended to allow covered health care providers
flexibility to deal with a variety of circumstances in which obtaining
an acknowledgment is problematic.
    The requirement for a good faith effort to obtain the individual's
acknowledgment would apply, except in emergency treatment situations,
to the provision of notice on the first delivery of service, regardless
of whether such service is provided in person or electronically. When
electronic notice is provided as part of the first service delivery,
the system should be capable of capturing the individual's
acknowledgment of receipt electronically. The Department does not
anticipate that a notification of receipt would be difficult or costly
to design.
    Documentation maintained under this proposal would have to
comply with the documentation requirements in Sec. 164.530(j). In
addition, nothing in the proposed requirements described above would
relieve any covered entity from its duty to provide the notice in plain
language so that the average reader can understand the notice. As
stated in the preamble to the Privacy Rule, the Department encourages
covered entities to consider alternative means of communicating with
certain populations, such as with individuals who cannot read or who
have limited English proficiency.

C. Minimum Necessary and Oral Communications

    The Privacy Rule at Sec. 164.502(b) generally requires covered
entities to make reasonable efforts to limit the use or disclosure of,
and requests for, protected health information to the minimum necessary
to accomplish the intended purpose. Protected health information
includes individually identifiable health information in any form,
including information transmitted orally, or in written or electronic
form. See the definition of "protected health information" at
Sec. 164.501. The minimum necessary standard is intended to make
covered entities evaluate their practices and enhance protections as
needed to limit unnecessary or inappropriate access to, and disclosures
of, protected health information.
    The Privacy Rule sets forth requirements at Sec. 164.514(d) for
implementing the minimum necessary standard with regard to a covered
entity's uses, disclosures, and requests. Essentially, a covered entity
is required to develop and implement policies and procedures
appropriate to the entity's business practices and workforce that
reasonably minimize the amount of protected health information used,
disclosed, and requested; and, for uses of protected health
information, that also limit who has access to such information.
Specifically, for uses of protected health information, the policies
and procedures must identify the persons or classes of persons within
the covered entity who need access to the information to carry out
their job duties, the categories or types of protected health
information needed, and conditions appropriate to such access. For
routine or recurring requests and disclosures, the policies and
procedures may be standard protocols. Non-routine requests for and
disclosures of protected health information must be reviewed
individually.
    With regard to disclosures, the Privacy Rule permits a covered
entity to rely on the judgment of certain parties requesting the
disclosure as to the minimum amount of information that is needed. For
example, a covered entity is permitted to reasonably rely on
a representation from a public health official that the protected health
information requested is the minimum necessary for a public health
purpose. Similarly, a covered entity is permitted to reasonably rely on
the judgment of another covered entity requesting a disclosure that the
information requested is the minimum amount of information reasonably
necessary to fulfill the purpose for which the request has been made.
See Sec. 164.514(d)(3)(iii).
    The Privacy Rule contains some exceptions to the minimum necessary
standard. The minimum necessary requirements do not apply to uses or
disclosures that are required by law, disclosures made to the
individual or pursuant to an authorization initiated by the individual,
disclosures to or requests by a health care provider for treatment
purposes, uses or disclosures that are required for compliance with the
regulations implementing the other administrative simplification
provisions of HIPAA, or disclosures to the Secretary of HHS for
enforcement purposes. See Sec. 164.502(b)(2).

[[Page 14785]]

    The Department received much and varied commentary both on the
minimum necessary provisions and on the Privacy Rule's protections of
oral communications. The following discussion addresses the concerns
identified by commenters that were common to both the Privacy Rule's
minimum necessary standard and its protection of oral
communications, and describes the Department's proposal for modifying
the Privacy Rule in response to these concerns. In addition, the
Department proposes to modify certain other paragraphs within
Sec. 164.514(d) to clarify the Department's intent with respect to
these provisions. The Department also discusses some of the other
concerns that have been received, which the Department attempted to
address in its July 6 guidance on the Privacy Rule. Lastly, the
Department describes the recommendations provided to the Department by
the NCVHS as a result of public testimony received on implementation of
the minimum necessary standard, as well as the Department's response to
these recommendations.
Public Comments--Incidental Uses and Disclosures
    During the March 2001 comment period on the Privacy Rule, the
Department received a number of comments raising concerns and questions
as to whether the Privacy Rule's restrictions on uses and disclosures
will prohibit covered entities from engaging in certain common and
essential health care communications and practices in use today.
Commenters were concerned that the Department is imposing through the
Privacy Rule absolute, strict standards that would not allow for the
incidental or unintentional disclosure that could occur as a by-product
of engaging in these health care communications and practices. It was
argued that the Privacy Rule will, in effect, prohibit such practices
and, therefore, impede many activities and communications essential to
effective and timely treatment of patients.
    These concerns were raised both in the context of applying the
Privacy Rule's protections to oral communications and in
implementing the minimum necessary standard. For example, with regard
to oral communications, commenters expressed concern over whether
health care providers may continue to engage in confidential
conversations with other providers or with patients, if there were a
possibility that they could be overheard. As examples, commenters
specifically questioned whether health care staff can continue to:
coordinate services at hospital nursing stations orally; discuss a
patient's condition over the phone with the patient or another
provider, if other people are nearby; discuss lab test results with a
patient or other provider in a joint treatment area; call out a
patient's name in a waiting room; or discuss a patient's condition
during training rounds in an academic or training institution.
    Many covered entities also expressed confusion and concern that the
Privacy Rule will stifle or unnecessarily burden many of their current
health care practices. For example, commenters questioned whether they
will be prohibited from using sign-in sheets in waiting rooms or
maintaining patient charts at bedside, or whether they will need to
isolate X-ray lightboards or destroy empty prescription vials. These
concerns seemed to stem from a perception that covered entities will be
required to prevent any incidental disclosures, such as those that may
occur when a visiting family member or other person not authorized to
access protected health information happens to walk by medical
equipment or other material containing individually identifiable health
information, or when individuals in a waiting room sign their name on a
log sheet and glimpse the names of other patients.
Proposed Modifications--Incidental Uses and Disclosures
    The Department, in its July 6 guidance, clarified that the Privacy
Rule is not intended to impede customary and necessary health care
communications or practices, nor to require that all risk of incidental
use or disclosure be eliminated to satisfy its standards. So long as
reasonable safeguards are employed, the burden of impeding such
communications is not outweighed by any benefits that may accrue to
individuals' privacy interests. The guidance assured that the Privacy
Rule would be modified to clarify that such communications and
practices may continue, if reasonable safeguards are taken to minimize
the chance of incidental disclosure to others.
    Accordingly, the Department proposes to modify the Privacy Rule to
add a new provision at Sec. 164.502(a)(1)(iii) which explicitly permits
certain incidental uses and disclosures that occur as a result of an
otherwise permitted use or disclosure under the Privacy Rule. An
incidental use or disclosure would be a secondary use or disclosure
that cannot reasonably be prevented, is limited in nature, and that
occurs as a by-product of an otherwise permitted use or disclosure
under the Privacy Rule. The Department proposes that an incidental use
or disclosure be permissible only to the extent that the covered entity
has applied reasonable safeguards as required by Sec. 164.530(c), and
implemented the minimum necessary standard, where applicable, as
required by Secs. 164.502(b) and 164.514(d).
    Under this proposal, an incidental use or disclosure that occurs as
a result of a failure to apply reasonable safeguards or the minimum
necessary standard, as appropriate, is not a permissible use or
disclosure and is, therefore, a violation of the Privacy Rule. For
example, a covered entity that asks for a patient's health history on
the waiting room sign-in sheet is not abiding by the minimum necessary
requirements and, therefore, any incidental disclosure of such
information that results from this practice would be an unlawful
disclosure under the Privacy Rule.
    Further, this proposed modification is not intended to excuse
erroneous uses or disclosures or those that result from mistake or
neglect. The Department would not consider such uses and disclosures to
be incidental as they do not occur as a by-product of an otherwise
permissible use or disclosure. For example, an impermissible disclosure
would occur when a covered entity mistakenly sends protected health
information via electronic mail to the wrong recipient or when
protected health information is erroneously made accessible to others
through the entity's web site.
Proposed Modifications to the Minimum Necessary Standard
    Section 164.502(b)(2) sets forth the exceptions to the minimum
necessary standard in the Privacy Rule. The Department proposes to
separate Sec. 164.502(b)(2)(ii) into two subparagraphs
(Sec. 164.502(b)(2)(ii) and (iii)) to eliminate confusion regarding the
exception to the minimum necessary standard for uses or disclosures
made pursuant to an authorization under Sec. 164.508 and those for
disclosures made to the individual. Additionally, to conform to the
proposal to eliminate the special authorizations required by the
Privacy Rule at Sec. 164.508(d), (e), and (f) (see section III.H for
the relevant preamble discussion regarding authorization), the
Department proposes to expand the exception for authorizations to apply
generally to any authorization executed pursuant to Sec. 164.508.
Therefore, the proposal would exempt from the minimum necessary
standard any uses or disclosures for which the covered entity

[[Page 14786]]

has received an authorization that meets the requirements of
Sec. 164.508.
    The Privacy Rule at Sec. 164.514(d) lists the standard and the
specific requirements for implementing the minimum necessary standard.
The Department proposes to modify Sec. 164.514(d)(1) to delete the term
"reasonably ensure" in response to concerns that the term connotes an
absolute, strict standard and, therefore, is inconsistent with how the
Department has described the minimum necessary requirements as being
reasonable and flexible to the unique circumstances of the covered
entity. In addition, the Department generally revises the language to
be more consistent with the description of standards elsewhere in the
Privacy Rule.
    The Privacy Rule at Sec. 164.514(d)(4) consists of the
implementation specifications for applying the minimum necessary
standard to a request for protected health information. The Department
intended these provisions to be consistent with the requirements set
forth in Sec. 164.514(d)(3) for applying the minimum necessary standard
to disclosures of protected health information, so that covered
entities would be able to address requests and disclosures in a similar
manner. However, with respect to requests not made on a routine and
recurring basis, the Department omitted from Sec. 164.514(d)(4) the
requirement that a covered entity may implement this standard by
developing criteria designed to limit its request for protected health
information to the minimum necessary to accomplish the intended
purpose. The Department proposes to add such a provision to make the
implementation specifications for applying the minimum necessary
standard to requests for protected health information by a covered
entity more consistent with the implementation specifications for
disclosures.
Other Comments on the Minimum Necessary Standard
    In addition to the comments described above regarding incidental
uses or disclosures, the Department received many other varied comments
expressing both support of, and concerns about, the minimum necessary
standard. The Department, in its July 6, 2001, guidance, attempted to
address many of the commenters' concerns by clarifying the Department's
intent with respect to the minimum necessary provisions. For example,
many commenters expressed concerns about the costs and burden to
covered entities in implementing the standard. A number of these
commenters questioned whether they will be required to redesign office
space or implement expensive upgrades to computer systems.
    The Department's guidance emphasized that the minimum necessary
standard is a reasonableness standard, intended to be flexible to
account for the characteristics of the entity's business and workforce.
The standard is not intended to override the professional judgment of
the covered entity. The Department clarified that facility redesigns
and expensive computer upgrades are not specifically required by the
minimum necessary standard. Covered entities may, however, need to make
certain adjustments to their facilities, as reasonable, to minimize
access or provide additional security. For example, covered entities
may decide to isolate and/or lock file cabinets or records rooms, or
provide additional security, such as passwords, on computers that
maintain protected health information.
    A number of commenters, especially health care providers, also
expressed concern that the minimum necessary restrictions on uses
within the entity will jeopardize patient care and exacerbate medical
errors by impeding access to information necessary for treatment
purposes. These commenters urged the Department to expand the treatment
exception to cover uses of protected health information within the
entity. Other commenters urged the Department to exempt all uses and
disclosures for treatment, payment, and health care operations purposes
from the minimum necessary standard.
    The Privacy Rule is not intended to impede access by health care
professionals to information necessary for treatment purposes. As the
Department explained in its guidance, a covered entity is permitted to
develop policies and procedures that allow for the appropriate
individuals within the entity to have access to protected health
information, including entire medical records, as appropriate, so that
those workforce members are able to provide timely and effective
treatment.
    With regard to payment and health care operations, the Department
remains concerned, as stated in the preamble to the Privacy Rule, that,
without the minimum necessary standard, covered entities may be tempted
to disclose an entire medical record when only a few items of
information are necessary, to avoid the administrative step of
extracting or redacting information. The Department also believes that
this standard will cause covered entities to assess their privacy
practices, give the privacy interests of their patients and enrollees
greater attention, and make improvements that might otherwise not be
made. For these reasons, the Department continues to believe that the
privacy benefits of retaining the minimum necessary standard for these
purposes outweigh the burdens involved.
    In addition, the NCVHS Subcommittee on Privacy and Confidentiality
solicited public testimony on implementation of the minimum necessary
standard of the Privacy Rule at its August 2001 public hearings. The
testimony reflected a wide range of views, from those who commented
that the Privacy Rule provides sufficient protections on individually
identifiable health information without the minimum necessary standard,
to those who expressed strong support for the standard as an integral
part of the Privacy Rule. A number of panelists welcomed the
flexibility of the standard, while others expressed concern that the
vagueness of the standard might restrict the necessary flow of
information, impede care, and lead to an increase in defensive
information practices that result in the withholding of important
information for fear of liability. Testimony also reflected differing
views on the cost and administrative burden of implementing the
standard. Some expressed much concern regarding the increased cost and
burden, while others argued that the cost will be barely discernible.
    The NCVHS developed recommendations on the minimum necessary
standard based on the testimony and written comments provided at the
hearings. In its recommendations, the NCVHS strongly reaffirmed the
importance of the minimum necessary principle, but also generally
recommended that HHS provide additional clarification and guidance to
industry regarding the minimum necessary requirements to assist with
effective implementation of these provisions, while allowing for the
necessary flow of information and minimizing defensive information
practices. While the NCVHS pointed out that many panelists at the
hearing found the Department's July 6 guidance helpful in addressing
questions about the minimum necessary standard, the Committee heard
that many questions still remain within the industry. Therefore, the
NCVHS specifically requested further guidance by the Department on the
reasonable reliance provisions, and the requirement that covered
entities develop policies and procedures for addressing routine uses

[[Page 14787]]

of information. In addition, the NCVHS recommended that the Department
provide education to address the increasing concerns about liability
and defensive information practices that may lessen the flow of
information and impede care. The NCVHS generally recommended that the
Department issue advisory opinions, publish best practices, and make
available model policies, procedures, and forms to assist in
alleviating the cost and administrative burden that will be incurred
when developing policies and procedures as required by the minimum
necessary provisions.
    The Department agrees with the NCVHS about the need for further
guidance on the minimum necessary standard and intends to issue further
guidance to clarify issues causing confusion and concern in the
industry, as well as provide additional technical assistance materials
to help covered entities implement the provisions.

D. Business Associates

    The Privacy Rule at Sec. 164.502(e) permits a covered entity to
disclose protected health information to a business associate who
performs a function or activity on behalf of, or provides a service to
the covered entity that involves the creation, use, or disclosure of,
protected health information, provided that the covered entity obtains
satisfactory assurances that the business associate will appropriately
safeguard the information. The Department recognizes that most covered
entities do not perform or carry out all of their health care
activities and functions by themselves, but rather acquire the services
or assistance of a variety of other persons or entities. Given this
framework, the Department intended these provisions to allow such
business relationships to continue while ensuring that identifiable
health information created or shared in the course of the relationships
was protected.
    The Privacy Rule requires that the satisfactory assurances obtained
from the business associate be in the form of a written contract (or
other written arrangement as between governmental entities) between the
covered entity and the business associate that contains the elements
specified at Sec. 164.504(e). For example, the agreement must identify
the uses and disclosures of protected health information the business
associate is permitted or required to make, as well as require the
business associate to put in place appropriate safeguards to protect
against a use or disclosure not permitted by the contract or agreement.
    The Privacy Rule also provides that, where a covered entity knows
of a material breach or violation by the business associate of the
contract or agreement, the covered entity is required to take
reasonable steps to cure the breach or end the violation, and if such
steps are unsuccessful, to terminate the contract or arrangement. If
termination of the contract or arrangement is not feasible, a covered
entity then is required to report the problem to the Secretary of HHS.
A covered entity that violates the satisfactory assurances it provided
as a business associate of another covered entity will be in
noncompliance with the Privacy Rule's business associate provisions.
    The Privacy Rule's definition of "business associate" at
Sec. 160.103 includes some of the functions or activities, and all of
the types of services, that make a person or entity who engages in them
a business associate, if such activity or service involves protected
health information. For example, a third party administrator (TPA) is a
business associate of a health plan to the extent the TPA assists the
health plan with claims processing or another covered function.
Similarly, accounting services performed by an outside consultant give
rise to a business associate relationship when provision of the service
entails access to the protected health information held by a covered
entity.
    The Privacy Rule excepts from the business associate standard
certain uses or disclosures of protected health information. That is,
in certain situations, a covered entity is not required to have a
contract or other written agreement in place before disclosing
protected health information to a business associate or allowing
protected health information to be created by the business associate on
its behalf. Specifically, the standard does not apply to: disclosures
by a covered entity to a health care provider for treatment purposes;
disclosures to the plan sponsor by a group health plan, or a health
insurance issuer or HMO with respect to a group health plan, to the
extent that the requirements of Sec. 164.504(f) apply and are met; or
the collection and sharing of protected health information by a
health plan that is a public benefits program and an agency other than
the agency administering the health plan, where the other agency
collects protected health information for, or determines, eligibility
or enrollment with respect to the government program, and where such
activity is authorized by law. See Sec. 164.502(e)(1)(ii).
Public Comments
    The Department has received many comments on the business associate
provisions of the Privacy Rule. The majority of commenters expressed
some concern over the anticipated administrative burden and cost to
implement the business associate provisions. Some commenters stated
that covered entities might have existing contracts that are not set to
terminate or expire until after the compliance date of the Privacy
Rule. Many of these commenters expressed specific concern that the two-
year compliance period does not provide enough time to reopen and
renegotiate what could be hundreds or more contracts for large covered
entities. A number of these commenters urged the Department to
grandfather in existing contracts until such contracts come up for
renewal instead of requiring that all contracts be in compliance with
the business associate provisions by the compliance date of the Privacy
Rule. In response to these comments, the Department intends to relieve
some of the burden on covered entities in complying with the business
associate provisions, both by proposing to grandfather certain existing
contracts for a specified period of time, as well as publishing model
contract language. These proposed changes are discussed below in this
section under "Proposed Modifications."
    In addition, commenters continued to express concern over a
perceived liability imposed by the Privacy Rule that would essentially
require that the covered entity monitor, and be responsible for, the
actions of its business associates with respect to the privacy and
safeguarding of protected health information. However, the Privacy Rule
only requires that, where a covered entity knows of a pattern of
activity or practice that constitutes a material breach or violation of
the business associate's obligation under the contract, the covered
entity take steps to cure the breach or end the violation. Accordingly,
the Department, in its July 6 guidance, clarified that active
monitoring of the actions of business associates is not required of
covered entities, and more importantly, that covered entities are not
responsible or liable for the actions of their business associates.
    A number of commenters urged the Department to exempt covered
entities from having to enter into contracts with business associates
who are also covered entities under the Privacy Rule. The Department
continues to believe, as stated in the preamble to the Privacy Rule,
that a covered entity that is a

[[Page 14788]]

business associate should be restricted from using or disclosing the
protected health information it creates or receives through its
business associate function for any purposes other than those
explicitly provided for in its contract. In addition, the contract
serves to clarify the uses and disclosures made as, and the protected
health information held by, the covered entity, versus those uses and
disclosures made as, and the protected health information held by, the
same entity as the business associate.
    Many commenters continued to express concerns that requiring
business associate contracts between health care providers in treatment
situations would burden and impede quality care. The Department
clarifies that the Privacy Rule does not require a contract for a
covered entity to disclose protected health information to a health
care provider for treatment purposes. In fact, such disclosures are
explicitly excepted from the business associate requirements. See
Sec. 164.502(e)(1). For example, a hospital is not required to have
business associate contracts with health care providers who have staff
privileges at the institution in order for these entities to share
protected health information for treatment purposes. Nor is a physician
required to have a business associate contract with a laboratory as a
condition of disclosing protected health information for the treatment
of an individual.
    Some commenters requested clarification as to whether business
associate contracts were required between a health plan and the health
care providers participating in the plan's network. Participation in a
plan network in and of itself does not give rise to a business
associate relationship to the extent that neither entity is performing
functions or activities for, or providing services to, the other entity.
For example, each covered entity is acting on its own behalf when a
provider submits a claim to a health plan, and when the health plan
assesses and pays the claim. Discount payment arrangements do not
require business associate relationships. However, this does not
preclude a covered entity from establishing a business associate
relationship with the health plan or another entity in the network for
some other purpose. If the health plan and one or more of the providers
participating in its network do perform covered functions on behalf of
each other, a business associate agreement is required. For example, if
one health care provider handles the billing activities of another
health care provider in the same network, a business associate contract
would be required before protected health information could be
disclosed for this activity.
Proposed Modifications
    The Department proposes new transition provisions at
Sec. 164.532(d) and (e) to allow covered entities, other than small
health plans, to continue to operate under certain existing contracts
with business associates for up to one year beyond the April 14, 2003,
compliance date of the Privacy Rule. This modification is proposed in
response to commenter concerns regarding the insufficient time provided
by the two-year period between the effective date and compliance date
of the Privacy Rule for covered entities, especially large entities, to
reopen and renegotiate all existing vendor and service contracts in
order to bring such contracts into compliance with the Privacy Rule's
requirements.
    The additional transition period would be available to a covered
entity, other than a small health plan, if, prior to the effective date
of this transition provision, the covered entity has an existing
contract or other written arrangement with a business associate, and
such contract or arrangement is not renewed or modified between the
effective date of this provision and the Privacy Rule's compliance date
of April 14, 2003. The provisions are intended to allow those covered
entities who qualify as described above to continue to disclose
protected health information to the business associate, or allow the
business associate to create or receive protected health information on
its behalf, for up to one year beyond the Privacy Rule's compliance
date, regardless of whether the contract meets the applicable contract
requirements in the Privacy Rule. The Department proposes to deem such
contracts to be compliant with the Privacy Rule until either the
covered entity has renewed or modified the contract following the
compliance date of the Privacy Rule (April 14, 2003), or April 14,
2004, whichever is sooner. In cases where a contract simply renews
automatically without any change in terms or other action by the
parties (also known as "evergreen contracts"), the Department intends
that such evergreen contracts would be eligible for the extension and
that deemed compliance would not terminate when these contracts
automatically roll over.
    Covered entities that were concerned about timely compliance wanted
to be able to incorporate the business associate contract requirements
at the time they would otherwise be modifying or renewing the contract.
Therefore, the extension would only apply until such time as the
contract is modified or renewed following the effective date of this
modification. Furthermore, the Department proposes to limit the deemed
compliance period to one year, as the appropriate balance between
maintaining individuals' privacy interests and alleviating the burden
on the covered entity.
    These transition provisions would apply to covered entities only
with respect to written contracts or other written arrangements as
specified above, and not to oral contracts or other arrangements. In
addition, a covered entity that enters into a contract after the
effective date of this modification must have a business associate
contract that meets the applicable requirements of Secs. 164.502(e) and
164.504(e) by April 14, 2003.
    The proposed transition provisions would not apply to small health
plans, as defined in the Privacy Rule. Small health plans would still
be required to have business associate contracts that are in compliance
with the Privacy Rule's applicable provisions, by the Privacy Rule's
compliance deadline for such covered entities of April 14, 2004. The
Department proposes to exclude this subset of covered entities from
these provisions because the statute already provides an additional
year for these smaller entities to come into compliance, which should
be sufficient for compliance with the Privacy Rule's business associate
provisions. In addition, the Department believes that the proposed
model contract provisions (see the Appendix to the preamble) will
assist small health plans and other covered entities in their
implementation of the Privacy Rule's business associate provisions by
April 14, 2004.
    Proposed Sec. 164.532(e)(2) provides that, after the Privacy Rule's
compliance date, these new provisions would not relieve a covered
entity of its responsibilities with respect to making protected health
information available to the Secretary, including information held by a
business associate, as necessary for the Secretary to determine
compliance. Similarly, under proposed Sec. 164.532(e)(2), these
provisions would not relieve a covered entity of its responsibilities
with respect to an individual's rights to access or amend his or her
protected health information held by business associates, or receive an
accounting of uses and disclosures by business associates, as provided
for by the Privacy Rule's requirements at Secs. 164.524, 164.526, and
164.528. Covered entities would still be required to fulfill
individuals' rights with respect to their protected health information,
including information held by a business associate of the covered
entity. Covered entities must ensure, in whatever manner effective, the
appropriate cooperation by their business associates in meeting these
requirements.
    The Department retains without modification the standards and
implementation specifications that apply to business associate
relationships as set forth at Secs. 164.502(e) and 164.504(e),
respectively, of the Privacy Rule.

E. Uses and Disclosures of Protected Health Information for Marketing

    The Privacy Rule defines "marketing" at Sec. 164.501 as a
communication about a product or service, a purpose of which is to
encourage recipients of the communication to purchase or use the
product or service, subject to certain limited exceptions. The
definition does not limit the type or means of communication that is
considered marketing. In general, a covered entity is not permitted to
use or disclose protected health information for the purposes of
marketing products or services that are not health-related without the
express authorization of the individual. Moreover, the Privacy Rule
prohibits a covered entity from selling lists of patients or enrollees
to third parties, or from disclosing protected health information to a
third party for the independent marketing activities of the third
party, without the express authorization of the individual.
    The Department understands that covered entities need to be able to
discuss their own health-related products and services, or those of
third parties, as part of their everyday business and as part of
promoting the health of their patients and enrollees. For example, a
health care provider may recommend to a patient a particular brand name
drug for the treatment of that patient. Even though these
communications also meet the above definition of "marketing," the
Privacy Rule does not require an authorization for such communications.
Instead, the Privacy Rule addresses these types of health-related
communications in two ways.
    First, the Department did not want to interfere with or
unnecessarily burden communications about treatment or about the
benefits and services of plans and providers. Therefore, the Privacy
Rule explicitly excludes from the definition of "marketing" certain
health-related communications that may be part of a covered entity's
treatment of the individual or its health care operations, but that may
also promote the use or sale of a service or product. For example,
communications made by a covered entity for the purpose of describing
the participating providers and health plans in a network, or
describing the services offered by a provider or the benefits covered
by a health plan, are excluded from the definition of "marketing." In
addition, communications made by a health care provider as part of the
treatment of a patient and for the purpose of furthering that
treatment, or made by a covered entity in the course of managing an
individual's treatment or recommending an alternative treatment, are
not considered marketing under the Privacy Rule. These exceptions do
not apply, however, to written communications for which a covered
entity is compensated by a third party. The Department intended that
covered entities be able to discuss freely their products and services
and the products and services of others in the course of managing an
individual's health care or providing or discussing treatment
alternatives with an individual. Under the Privacy Rule, therefore,
covered entities are permitted to use and disclose protected health
information for these excepted activities without authorization under
Sec. 164.508.
    Second, the Privacy Rule permits, at Sec. 164.514(e), covered
entities to use and disclose protected health information without
individual authorization for other health-related communications that
meet the definition of "marketing," subject to certain conditions on
the manner in which the communications are made. The Privacy Rule does
not condition the substance of health-related marketing communications.
Rather, it attempts to assure that individuals are aware of the source
of the communication and the reason they received such communications,
as well as to provide individuals with some control over whether or not
they receive these communications in the future.
    Specifically, the Privacy Rule permits a covered entity to use or
disclose protected health information to communicate to individuals
about the health-related products or services of the covered entity or
of a third party if the communication: (1) Identifies the covered
entity as the party making the communication; (2) identifies, if
applicable, that the covered entity received direct or indirect
remuneration from a third party for making the communication; (3)
generally contains instructions describing how the individual may opt
out of receiving future communications about health-related products
and services; and (4) where protected health information is used to
target the communication about a product or service to individuals
based on their health status or health condition, explains why the
individual has been targeted and how the product or service relates to
the health of the individual. The Privacy Rule also requires a covered
entity to make a determination, prior to using or disclosing protected
health information to target a communication to individuals based on
their health status or condition, that the product or service may be
beneficial to the health of the type or class of individual targeted to
receive the communication.
    For certain permissible marketing communications, however, the
Department did not believe these conditions to be practicable.
Therefore, Sec. 164.514(e) also permits, without the above conditions,
a covered entity to make a marketing communication that occurs in a
face-to-face encounter with the individual, or that involves products
or services of only nominal value. These provisions permit a covered
entity to discuss services and products, as well as provide sample
products without restriction, during a face-to-face communication, or
distribute calendars, pens, and other merchandise that generally
promote a product or service if they are of only nominal value.
Public Comments
    The Department received many comments on the Privacy Rule's
marketing requirements, as well as recommendations from the NCVHS,
based on public testimony from trade associations, medical
associations, insurance commissioners, academic medical centers, non-
profit hospitals, and consumers. Both industry and consumer groups
argued that the marketing provisions were complicated and confusing.
Covered entities expressed confusion over the Privacy Rule's
distinction between health care communications that are excepted from
the definition of "marketing" versus those that are marketing but
permitted subject to the special conditions in Sec. 164.514(e). For
example, commenters questioned if, and if so, when, disease management
communications or refill reminders are "marketing" communications
subject to the special disclosure and opt-out conditions in
Sec. 164.514(e). Commenters also stated that it was unclear how to
characterize various health care operations activities, such as general
health-related educational and wellness promotional activities, and
therefore unclear how to treat such activities under the marketing
provisions of the Privacy Rule.
    The Department also learned of a general dissatisfaction by
consumers
with the conditions required by Sec. 164.514(e). Many commenters
questioned the general effectiveness of the conditions and whether the
conditions would properly protect consumers from unwanted disclosure of
protected health information to commercial entities, the re-disclosure
of the information by these commercial entities, and the intrusion of
unwanted solicitations. They did not feel that they were protected by
the fact that commercial entities handling the protected health
information would be subject to business associate agreements with
covered entities. In addition, commenters expressed specific
dissatisfaction with the provision at Sec. 164.514(e)(3)(iii) for
individuals to opt out of future marketing communications. Many argued
for the opportunity to opt out of marketing communications before any
marketing occurred. Others requested that the Department limit
marketing communications to only those consumers that affirmatively
chose to be the target of such communications.
Proposed Modifications
    In response to these concerns, the Department proposes to modify
the Privacy Rule to make the marketing provisions clearer and simpler.
First, and most significantly, the Department proposes to simplify the
Privacy Rule by eliminating the special provisions for marketing
health-related products and services at Sec. 164.514(e). Instead, any
communication defined as "marketing" in Sec. 164.501 would require
authorization by the individual. In contrast to the Privacy Rule, under
these proposed modifications, covered entities would no longer be able
to make any type of marketing communications without authorization
simply by meeting the disclosure and opt-out provisions in the Privacy
Rule. The Department believes that requiring authorization for all
marketing communications would effectuate greater consumer privacy
protection not currently afforded by the disclosure and opt-out
conditions of Sec. 164.514(e) of the Privacy Rule.
    Second, the Department proposes to maintain the substance of the
Privacy Rule's definition of "marketing" at Sec. 164.501, with minor
clarifications. Specifically, the Department proposes to define
"marketing" as "to make a communication about a product or service
to encourage recipients of the communication to purchase or use the
product or service." The proposed modification retains the substance
of the "marketing" definition, but changes the language slightly to
avoid the implication that marketing is tied to the intent of the
communication. Removing language referencing the purpose of the
communication would shift the assessment of whether a communication is
marketing from the intent of the speaker to the effect of the
communication. If the effect of the communication is to encourage
recipients of the communication to purchase or use the product or
service, the communication would be marketing.
    Third, with respect to the exclusions from the definition of
"marketing" in Sec. 164.501, the Department has tried to simplify the
language to avoid confusion and better conform to other sections of the
regulation, particularly in the area of treatment communications, and
is proposing one substantive change. The modified language reads as
follows: "(1) To describe the entities participating in a health care
provider network or health plan network, or to describe if, and the
extent to which, a product or service (or payment for such product or
service) is provided by a covered entity or included in a plan of
benefits; (2) For treatment of that individual; or (3) For case
management or care coordination for that individual, or to direct or
recommend alternative treatments, therapies, health care providers, or
settings of care to that individual."
    With respect to the third exclusion, the Department is proposing to
replace a communication made "in the course of managing the treatment
of that individual," with a communication for "case management" or
"care coordination" for that individual. The Department is proposing
these changes for clarity because "case management" and "care
coordination" are the terms that are used in the definition of
"health care operations," while "managing the treatment of that
individual" is not. These changes are not intended to increase the
scope of the marketing exclusions.
    The Department is proposing to eliminate the distinction in the
definition of "marketing" at Sec. 164.501 pertaining to written
communications for which a covered entity is compensated by a third
party. Under the Privacy Rule, exceptions from the definition of
"marketing" are only applicable if the communication is made either
orally or in writing when no remuneration from a third party has been
paid to a covered entity for making the communication. The Department
found that these rules led to confusion and many questions about
treatment-related communications, such as prescription refill
reminders. Many commenters felt that these restriction rules could
burden the ability of providers and patients to communicate freely
about treatment. Most commenters did not want any treatment
communications to be considered marketing. The Department understands
these concerns and wants to avoid situations where a health care
provider would be required to obtain an authorization to send out a
prescription refill reminder, even if the provider is compensated by a
third party for the activity. Therefore, the Department proposes to
eliminate this provision in order to facilitate necessary and important
treatment communications.
    None of these proposed modifications change the basic prohibition
in the Privacy Rule against covered entities selling lists of patients
or enrollees to third parties, or from disclosing protected health
information to a third party for the independent marketing activities
of a third party, without the express authorization of the individual.
    The Department received numerous comments suggesting that the
Privacy Rule's marketing exceptions in the definition and under
Sec. 164.514(e) may not allow for certain common health care
communications, such as disease management, wellness programs,
prescription refill reminders, and appointment notifications that
individuals expect to receive as part of their health care to continue
unimpeded. The Department believes that these types of communications
are allowed under the exceptions to the definition of "marketing" in
the Privacy Rule, and therefore would continue to be allowed under the
proposed modification. The Department is interested in comments
identifying specific types of communication that should or should not
be considered marketing.
    To reinforce the policy requiring an authorization for most
marketing communications, the Department proposes to add a specific
marketing provision at Sec. 164.508(a)(3) explicitly requiring an
authorization for a use or disclosure of protected health information
for marketing purposes. Additionally, if the marketing is expected to
result in direct or indirect remuneration to the covered entity from a
third party, the Department proposes that the authorization state this
fact. As in the Privacy Rule at Sec. 164.514(e)(2), proposed
Sec. 164.508(a)(3) would exclude from the marketing authorization
requirements face-to-face communications made by a covered entity to an
individual. The Department proposes to retain this exception in the
Privacy Rule so that the marketing provisions would not interfere with
the
relationship and dialogue between health care providers and
individuals. Similarly, the Department proposes to retain the Privacy
Rule's exception to the authorization requirement for a marketing
communication that concerns products or services of nominal value, but
proposes to replace the language with the common business term
"promotional gift of nominal value."
    Given the above proposal, the Department also proposes to remove
Sec. 164.514(e) as unnecessary. Accordingly, conforming changes to
remove references to Sec. 164.514(e) are proposed at
Sec. 164.502(a)(1)(vi) and in paragraph (6)(v) of the definition of
"health care operations" in Sec. 164.501.
    With the elimination of the special rules in Sec. 164.514(e), the
Department thereby proposes to eliminate the requirement that
disclosures for health-related marketing be limited to disclosures to
business associates hired to assist the covered entity with the
communication. Under the proposed rule, this distinction would serve no
purpose, because an authorization would be required for such
disclosures and thus the individual would know from the face of the
authorization who will receive the information. Similarly, this
simplification also would eliminate the requirement that a marketing
communication identify the covered entity responsible for the
communication. Under the proposal, the individual would have authorized
the disclosure and thus would know which plans and providers are
disclosing health information for marketing purposes. There would be
added burden but no benefit in retaining an additional notification
requirement.

F. Parents as Personal Representatives of Unemancipated Minors \1\
---------------------------------------------------------------------------

    \1\ Throughout this section of the preamble, "minor" refers to
an unemancipated minor and "parent" refers to a parent, guardian,
or other person acting in loco parentis.
---------------------------------------------------------------------------

    The Privacy Rule is intended to assure that parents have
appropriate access to health information about their children. By
generally creating new protections and individual rights with respect
to individually identifiable health information, the Privacy Rule
establishes new rights for parents with respect to the health
information about their minor children in the vast majority of cases.
In addition, the Department intended that State or other applicable law
regarding disclosure of health information about a minor child to a
parent should govern where such law exists.
    Under the Privacy Rule, parents are granted new rights with respect
to health information about their minor children as the personal
representatives of their minor children. See Sec. 164.502(g).
Generally, parents will be able to access and control the health
information about their minor children. See Sec. 164.502(g)(3).
    The Privacy Rule recognizes a limited number of exceptions to this
general rule. These exceptions generally track the ability of certain
minors to obtain specified health care without parental consent under
State or other applicable laws. For example, every State has a law that
permits adolescents to be tested for HIV without the consent of a
parent. These laws are created to assure that adolescents will seek
health care that is essential to their own health, as well as public
health. In these exceptional cases, where a minor can obtain a
particular health care service without the consent of a parent under
State or other applicable law, it is the minor and not the parent who
may exercise the privacy rights afforded to individuals under the
Privacy Rule. See Sec. 164.502(g)(3)(i)-(ii).
    The Privacy Rule also allows the minor to exercise control of the
protected health information when the parent has agreed to the minor
obtaining confidential treatment (see Sec. 164.502(g)(3)(iii)), and
allows a covered health care provider to choose not to treat a parent
as a personal representative of the minor when the provider is
concerned about abuse or harm to the child. See Sec. 164.502(g)(5).
    Of course, a covered provider always may disclose health
information about a minor to a parent in the most important cases, even
if one of the limited exceptions discussed above applies. Disclosure of
such information is always permitted as necessary to avert a serious
and imminent threat to the health or safety of the minor. See
Sec. 164.512(j). The Privacy Rule also states that disclosure of health
information about a minor to a parent is permitted if State law
authorizes or requires disclosure to a parent, thereby allowing such
disclosure where State law determines it is appropriate. See
Sec. 160.202, definition of "more stringent." Finally, health
information about the minor may be disclosed to the parent if the minor
involves the parent in his or her health care and does not object to
such disclosure. See Secs. 164.502(g)(3)(i) and 164.510(b). The parent
will retain all rights concerning any other health information about
his or her minor child that does not meet one of the exceptions.
Rationale for Privacy Rule's Provisions Regarding Parents and Minors
    The Department continues to balance multiple goals in developing
standards in the Privacy Rule with respect to parents and minors.
First, the standards need to operate in a way that facilitates access
to quality health care. This is an overarching goal throughout the
Privacy Rule and is equally important here. Thus, the Department wants
to ensure that parents have appropriate access to the health
information about their minor children to make important health care
decisions about them. The Department also wants to make sure that the
Privacy Rule does not interfere with a minor's ability to consent to
and obtain health care under current State or other applicable law.
Second, the Department does not want to interfere with State or other
applicable laws related to competency or parental rights, in general,
or the role of parents in making health care decisions about their
minor children, in particular. Third, the Department does not want to
interfere with the professional requirements of State medical boards or
other ethical codes of health care providers with respect to
confidentiality of health information or health care practices of such
providers with respect to adolescent health care.
    As a result of these competing goals, the Department's approach
continues to be that the standards, implementation specifications, and
requirements with respect to parents and minors defer to, and are
consistent with, State or other applicable law and professional
practice. Where State and other applicable law is silent, the
Department has attempted to create standards that are consistent with
such laws and that permit States the discretion to continue to decide
the rights of parents and minors with respect to health information
without interference from the federal Privacy Rule.
Public Comments
    Since December 2000, the Department has heard concerns about the
impact of the Privacy Rule on both parental and minor rights.
Physicians and other health care professionals who treat adolescents
support the existing provisions in the Privacy Rule. These commenters
assert that these provisions allow health care providers to deliver
care in a manner consistent with their ethical and legal obligations,
and that they strike the appropriate balance by permitting providers to
render confidential care to minors in limited circumstances, while
providing States
the ultimate discretion to determine the extent of parents' access to
information.
    Other commenters oppose the Privacy Rule on the grounds that the
Privacy Rule unduly interferes with parental rights to control health
care for their minor children and to access health information about
their minor children. They assert that failure to provide parents with
access to all health information about their minor children could
result in negative health outcomes because parents could be making
health care decisions for their children based on incomplete
information.
    Finally, some commenters believe, incorrectly, that the Privacy
Rule creates new rights for minors to consent to treatment. The
Department issued guidance to clarify that the Privacy Rule does not
address access to treatment or the ability to consent to treatment. It
is State or other applicable law, and not the Privacy Rule, that
governs who can consent to treatment. The Privacy Rule does not in any
way alter the ability of a parent to consent to health care for a minor
child or the ability of a minor child to consent to his or her own
health care.
Proposed Modifications
    The Department has reassessed the parents and minors provisions in
the Privacy Rule, and does not propose to change its approach. The
Department will continue to defer to State or other applicable law and
to remain neutral and preserve the status quo to the extent possible.
However, the Department is proposing changes to these standards where
they do not operate as intended and are inconsistent with the
Department's underlying goals.
    The Privacy Rule accomplishes the goals of deferring to State law
and preserving the status quo when State law is definitive, that is,
when State law requires or prohibits disclosure or access. However,
when State law provides discretion or is silent, the Privacy Rule may
not always accomplish these goals. In particular, the Department has
identified two areas in which the standard does not work as intended.
First, the language regarding deference to State law that authorizes or
prohibits disclosure of health information about a minor to a parent
fails to assure that State law governs when the law grants a provider
discretion to disclose protected health information to a parent in
certain circumstances. Second, the Privacy Rule may prohibit parental
access in cases where State law is silent, but where a parent could get
access today, consistent with State law.
    First, in order to assure that State and other applicable laws that
address disclosure of health information about a minor to his or her
parent govern in all cases, the Department proposes to move the
relevant language about the disclosure of health information from the
definition of "more stringent" (see Sec. 160.202) to the standards
regarding parents and minors (see Sec. 164.502(g)(3)). This change
would make it clear that State and other applicable law governs not
only when a State explicitly addresses disclosure of protected health
information to a parent but also when such law provides discretion to a
provider.
    The language itself is also changed in the proposal to adapt it to
the new section. The proposed language in Sec. 164.502(g)(3)(ii) states
that a covered entity may disclose protected health information about a
minor to a parent if an applicable provision of State or other law,
including applicable case law, permits or requires such disclosure, and
that a covered entity may not disclose protected health information
about a minor to a parent if an applicable provision of State or other
law, including applicable case law, prohibits such disclosure. This new
language would help clarify when disclosure of health information about
a minor to his or her parent is permitted or prohibited based on State
or other law. The revision would also clarify that the deference to
State or other applicable law includes deference to established case
law as well as an explicit provision in a statute or regulation.
    Second, the Department proposes to add a new paragraph (iii) to
Sec. 164.502(g)(3) to establish a neutral policy regarding the right of
access of a parent to health information about a minor under
Sec. 164.524, in the rare circumstance in which the parent is
technically not the personal representative of the minor under the
Privacy Rule. This policy would apply particularly where State or other
law is silent or unclear. The new paragraph would not change the right
of access, but would simply provide that the person who can exercise
the right of access to health information under the Privacy Rule must
be consistent with State or other applicable law. It would assure that
the Privacy Rule would not prevent a covered entity from providing such
access, in accordance with the Privacy Rule, to a parent, as if a
personal representative of the minor child, if access would be
consistent with State or other applicable law.
    This modification also would not affect a parent's right of access
under the Privacy Rule in the vast majority of cases where the parent
is the personal representative of the minor. In those cases, the parent
could exercise the right of access in accordance with the Privacy Rule.
This provision would be relevant only in the rare exceptions in which
the parent is not the personal representative of the minor.
    The Department proposes to use the phrase "consistent with State
or other applicable law" with regard to access in the personal
representatives section of the Privacy Rule. This is different than the
proposed language in the section about personal representatives that
relates to disclosures, in which a disclosure to a parent is permitted
if such disclosure is permitted or required by an "applicable
provision of State or other law, including applicable case law." The
language in the disclosure paragraphs requires an explicit law for such
disclosure to be permitted by the Privacy Rule. The language in the
access paragraphs permits parental access in accordance with the
Privacy Rule if such access is consistent with State or other law,
regardless of whether such law is explicit. Therefore, if a State
permits a minor to obtain care without the consent of a parent, but is
silent as to whether the parent can access the related medical records
of the minor, as is typically the case, then the provider may provide
access to the parent if such access is consistent with State law and
could deny access to the parent if such denial of access is consistent
with State law. This may be based on interpretation of State consent
law or may be based on other law. The provider could not, however,
abuse this provision to deny access to both the parent and the minor.
    This provision would not significantly change the operation of the
Privacy Rule with respect to parental access. In cases where the parent
is not the personal representative of the minor under the Privacy Rule,
the proposed language would not require a provider to grant access to a
parent. In these cases, a provider would have discretion to provide
access to a parent when permitted to do so under State or other
applicable law despite the ability of the minor to obtain health care
confidentially or without parental consent under applicable law or
professional practice. The Department further assumes that current
professional health care provider practices with respect to access by
parents and confidentiality of minors' records are consistent with
State and other applicable law. In any event, parental access under
this section would continue to be subject to any relevant limitations
on access in
Sec. 164.524. This proposed change provides States with the option of
clarifying the interaction between their consent laws and the ability
for parents to have access to the health information about the care
that their minor children received in accordance with such laws. As
such, this change should more accurately reflect current State law.

G. Uses and Disclosures for Research Purposes

1. Institutional Review Board (IRB) or Privacy Board Approval of a
Waiver of Authorization
    Much of the biomedical and behavioral research conducted in the
U.S. is governed by the rule entitled "Federal Policy for the
Protection of Human Subjects" (the "Common Rule") and/or the Food
and Drug Administration's (FDA) human subject protection regulations.
Although these regulatory requirements, which apply to federally-funded
and to some privately-funded research, include protections to help
ensure the privacy of subjects and the confidentiality of information,
the intent of the Privacy Rule, among other things, is to supplement
these protections by requiring covered entities to implement specific
measures to safeguard the privacy of individually identifiable health
information.
    The Common Rule applies to all human research that is supported,
conducted, or regulated by any of the seventeen federal agencies that
have adopted the Common Rule, including research that uses individually
identifiable health information. FDA's human subject protection
regulations generally apply to clinical investigations under FDA's
jurisdiction, whether or not such research is federally funded. Both
sets of regulations have requirements relating to review by an
institutional review board (IRB) to ensure that the risks to research
participants, including privacy risks, are minimized. As part of this
review, generally, IRBs must consider the informed consent document
that will be used to inform prospective research participants about the
study. Both the Common Rule and FDA regulations have provisions
relating to the waiver of informed consent. The Common Rule waiver
provisions allow research covered by the Common Rule to be conducted if
an IRB determines that certain criteria specified in the Common Rule
have been met. FDA's regulations do not contain equivalent waiver
provisions since the criteria for a waiver of informed consent are
generally not appropriate for clinical research. However, FDA's human
subject protection regulations contain exceptions to informed consent
for emergency research and for the emergency use of an investigational
product.
    The Common Rule and FDA's regulations explicitly address privacy
and confidentiality in the following places: (1) The informed consent
document is required to include "a statement describing the extent, if
any, to which confidentiality of records identifying the subject will
be maintained" (Common Rule Sec. ____.116(a)(5), 21 CFR 50.25(a)(5));
and (2) to approve a study an IRB must determine that "when
appropriate, there are adequate provisions to protect the privacy of
subjects and to maintain the confidentiality of data" (Common Rule
Sec. ____.111(a)(7), 21 CFR 56.111(a)(7)).
Privacy Rule
    The Privacy Rule builds upon these existing federal regulations.
The requirements are intended to strike a balance by minimizing the
privacy risks of research participants, while not impeding the conduct
of vital national and international research. For research
participants, this means that they will have more information about how
their protected health information may be used for research purposes.
The Privacy Rule requires researchers who are subject to the Common
Rule or FDA's human subject protection regulations to make some changes
to the way they use and disclose protected health information.
Researchers who are not currently subject to these requirements may,
however, need to make more significant changes to current practice.
    The Privacy Rule at Secs. 164.508 and 164.512(i) establishes the
conditions under which covered entities may disclose protected health
information for research purposes. In general, covered entities are
permitted to use or disclose protected health information for research
either with individual authorization, or without individual
authorization in limited circumstances and under certain conditions.
    A covered entity is permitted to use and disclose protected health
information for research purposes with an authorization from the
research participant that meets the requirements of Sec. 164.508 of the
Privacy Rule. Additional requirements apply to research that is not
solely record-based but, rather, involves the treatment of individuals.
Specifically, in order for a covered entity to use or disclose
protected health information that it creates from a research study that
includes treatment of individuals (e.g., a clinical trial), the Privacy
Rule at Sec. 164.508(f) requires that additional research-specific
elements be included in the authorization form, which describes how
protected health information created for the research study will be
used or disclosed. The Privacy Rule provides that such an authorization
pursuant to Sec. 164.508(f) may be combined with the traditional
informed consent document used in research, as well as the consent
required under Sec. 164.506 and the notice of privacy practices
required under Sec. 164.520. In addition, a covered entity is permitted
to condition the provision of the research-related treatment on the
individual's authorization for the covered entity to use and disclose
protected health information created from the study. The Privacy Rule,
however, does not permit an individual authorization form for a
research use or disclosure of existing protected health information to
be combined with a research informed consent document or an
authorization form for research that involves treatment.
    Alternatively, a covered entity is permitted to use or disclose
protected health information for research purposes without
authorization by the research participant if the covered entity first
obtains either of the following:
    (1) Documentation of approval of a waiver of authorization
from an IRB or a Privacy Board. The Privacy Rule delineates specific
requirements for the elements that must be documented, including the
Board's determinations with respect to eight defined waiver criteria.
    (2) Where a review is conducted preparatory to research or
where research is conducted on decedents' information, certain
representations from the researcher, including that the use or
disclosure is sought solely for such a purpose and that the protected
health information is necessary for the purpose.
Public Comment
    A number of commenters argued that the waiver criteria in the
Privacy Rule were confusing, redundant, and internally inconsistent.
These commenters urged the Department to simplify the provisions,
especially for entities subject to both the Privacy Rule and the Common
Rule. Consequently, these commenters recommended that the Privacy Rule
be modified to allow protected health information to be used or
disclosed for research without individual authorization if informed
consent is obtained as stipulated by the Common Rule or FDA's human
subject protection regulations, or waived as

[[Page 14794]]

stipulated by the Common Rule. Commenters who favored these changes
asserted that the existing federal human subject protection regulations
adequately protect all of the rights and welfare of human subjects, and
therefore, the Privacy Rule's provisions are unnecessary and
duplicative for research currently governed by federal regulations.
These commenters also argued that the Privacy Rule's waiver criteria
and requirements for individual authorization, in effect,
inappropriately modify the Common Rule, since the Privacy Rule
prohibits covered entities from honoring an IRB's decisions unless the
Privacy Rule's requirements are met. Some of these commenters further
suggested that the confidentiality provisions of the Common Rule and
FDA's human subject protection regulations be reviewed to determine if
they adequately protect the privacy of research participants, and if
found to be inadequate, these regulations should be modified.
    The Department understands commenters' recommendations to simplify
the Privacy Rule as it applies to research. However, as stated in the
preamble to the Privacy Rule and the Department's July 6 guidance, the
Department disagrees that the Privacy Rule will modify the Common Rule.
The Privacy Rule regulates only the content and conditions of the
documentation that covered entities must obtain before using or
disclosing protected health information for research purposes.
    The NCVHS also heard testimony at the August 2001 hearing
expressing a number of concerns about, and confusion regarding, the
research provisions in the Privacy Rule. As a result, the NCVHS generally recommended that
the Department provide additional guidance in this area. Consistent
with this recommendation, the HHS Office for Civil Rights and the HHS
Office for Human Research Protections intend to work together to
provide interpretations, guidance, and technical assistance to help the
research community in understanding the relationship between the
Privacy Rule and the Common Rule.
    The NCVHS also received testimony requesting that uses and
disclosures of protected health information for research be
characterized as an element of treatment, payment, and health care
operations under the Privacy Rule, and thus be permitted without
individual authorization. The NCVHS, in its recommendations to the
Department, disagreed with this viewpoint, and expressed support for
the policy embodied in the Privacy Rule, permitting uses and
disclosures for research pursuant to an authorization or an IRB or
Privacy Board waiver of authorization.
    In addition, the NCVHS received testimony regarding the issue of
recruiting research subjects. Commenters expressed concern and
confusion as to how researchers would be able to recruit research
subjects when the Privacy Rule does not permit protected health
information to be removed from the covered entity's premises during
reviews preparatory to research. The NCVHS recommended that the
Department provide guidance on this issue. The Department clarifies
that the Privacy Rule's provisions for IRB or Privacy Board waiver of
authorization are intended to encompass a partial waiver of
authorization for the purposes of allowing a researcher to obtain
protected health information necessary to recruit potential research
participants. For example, even if an IRB does not waive informed
consent and individual authorization for the study itself, it may waive
such authorization to permit the disclosure of protected health
information to a researcher as necessary for the researcher to be able
to contact and recruit individuals as potential research subjects.
    Many researchers also expressed concerns that the Privacy Rule's
de-identification safe harbor was so strict that it would result in
more research being subject to IRB review than is currently the case.
These commenters requested that the standards for de-identification be
changed in order to make de-identification a more plausible option for
the sharing of data with researchers.
    The Privacy Rule's de-identification safe harbor was not designed
to be used for research purposes. Rather, the Privacy Rule permits uses
and disclosures of protected health information for research purposes
with individual authorization, or pursuant to an IRB or Privacy Board
waiver of authorization as permitted by Sec. 164.512(i). The Department
is aware, however, that some research is conducted today without IRB
oversight because the information is not facially identifiable. While
the Department is not convinced of the need to modify the safe harbor
standard for de-identified information, the Department is requesting
comment on an alternative approach that would permit uses and
disclosures of a limited data set for research purposes which does not
include facially identifiable information but in which certain
identifiers remain. See section III.I of the preamble regarding de-
identification of protected health information for a detailed
discussion of this proposed approach.
    A number of commenters were concerned about the Privacy Rule's
requirement for "a statement of the individual's right to revoke the
authorization in writing and the exceptions to the right to revoke * *
*", because this provision would prohibit researchers from analyzing
the data collected prior to the individual's decision to revoke his or
her authorization. The Department is not proposing to modify this
provision. The Privacy Rule limits an individual's right to revoke his
or her authorization by the extent to which the covered entity has
taken action in reliance on the authorization. Therefore, even though a
revocation will prohibit a covered entity from further disclosing
protected health information for research purposes, the exception to
this requirement is intended to allow for certain continued uses of the
information as appropriate to preserve the integrity of the research
study, e.g., as necessary to account for the individual's withdrawal
from the study.
    The Department believes that researchers have established practices
for accommodating an individual's decision to withdraw from a research
study. Indeed, the Common Rule at Sec. ____.116 and FDA's human
subject protection regulations at 21 CFR 50.25(a)(8) contain similar
provisions that require that the informed consent document include a
statement that "* * * the subject may discontinue participation at any
time without penalty or loss of benefits to which the subject is
otherwise entitled." However, the Department understands that these
practices may not be uniform and may vary depending on the nature of
the research being conducted, with respect to the continued use or
disclosure of data collected prior to the participant's withdrawal. If
covered entities were permitted to continue using or disclosing
protected health information for the research project even after an
individual had revoked his or her authorization, this would undermine
the primary objective of the authorization requirements to be a
voluntary, informed choice of the individual. The Department believes
that limiting uses and disclosures following revocation of an
authorization to those necessary to preserve the integrity of the
research appropriately balances the individual's right of choice and
the researcher's reliance on the authorization. However, the Department
solicits comment on other means of achieving this balance.

[[Page 14795]]

    Specific comments, including testimony to the NCVHS, are addressed
below where relevant to the corresponding proposed modifications to the
Privacy Rule.
Proposed Modifications to Waiver Criteria
    The Department understands commenters' concerns that several of the
Privacy Rule's criteria for the waiver of a research participant's
authorization are confusing and redundant, or inconsistent and
conflicting with the Common Rule's requirements for the waiver of an
individual's informed consent. However, since the Common Rule's
criteria for the waiver of informed consent do not explicitly require
IRBs to consider issues related to the privacy of prospective research
participants, the Department disagrees with the recommendation to
exempt from the Privacy Rule research uses and disclosures that are
made with a waiver of informed consent pursuant to the Common Rule.
    In response to commenter concerns, the Department proposes the
following modifications to the waiver criteria to maintain uniform
standards in the Privacy Rule for all research, whether or not the
research is subject to the Common Rule, as well as to ensure that the
Privacy Rule's waiver process works more seamlessly with the Common
Rule's waiver process. The Department, in reassessing the waiver
criteria defined by the Common Rule, believes that only two of the
Common Rule waiver criteria are practicable when focused solely on
patient privacy. Accordingly, the Department proposes to retain the
following two criteria in the Privacy Rule that are comparable to two
of the Common Rule criteria: (1) The use or disclosure of protected
health information involves no more than a minimal risk to the privacy
of individuals; and (2) the research could not practicably be conducted
without the waiver or alteration. The criterion in the Common Rule to
determine that the rights and welfare of subjects will not adversely be
affected, when limited to privacy, seems to conflict with the criterion
regarding assessing minimal privacy risk; it is not clear how both
criteria can be met when the focus is solely on privacy. The Department
therefore proposes to delete the criterion in the Privacy Rule that the
alteration or waiver will not adversely affect the privacy rights and
the welfare of the individuals.
    Moreover, the Department understands commenters' concerns that
substantial overlap and potential inconsistency may exist among three
of the Privacy Rule's criteria and the criterion that the use or
disclosure involves no more than a minimal risk to the individuals. The
Department believes that the three criteria in the Privacy Rule that
focus on (1) plans to protect identifiers from improper use and
disclosure, (2) plans to destroy the identifiers at the earliest
opportunity, and (3) adequate written assurances against redisclosure,
essentially help to define when the research use or disclosure poses
only a minimal risk to the individual's privacy interests, rather than
operate as stand-alone criteria. As such, the Department proposes to
require the assessment of these three factors as part of the waiver
criterion for assessment of minimal privacy risk. This provision does
not preclude the IRB or Privacy Board from assessing other criteria as
necessary to determine minimal privacy risk, e.g., whether the
safeguards included in the protocol are appropriate to the sensitivity
of the data.
    In addition, the Department agrees with commenters that the
following waiver criterion is unnecessarily duplicative of other
provisions to protect patients' confidentiality interests, and
therefore, proposes to eliminate it: the privacy risks to individuals
whose protected health information is to be used or disclosed are
reasonable in relation to the anticipated benefits, if any, to the
individual, and the importance of the knowledge that may reasonably be
expected to result from the research.
    Lastly, the Department proposes to retain the criterion that the
research could not practicably be conducted without access to and use
of the protected health information. The Privacy Rule permits a covered
entity to reasonably rely on a researcher's documentation of approval
of these waiver criteria, and a description of the data needed for the
research as approved by an IRB or Privacy Board, to satisfy its
obligation with respect to limiting the disclosure to the minimum
necessary.
    In sum, the Department proposes that the following waiver criteria
replace the waiver criteria listed in the Privacy Rule at
Sec. 164.512(i)(2)(ii):
    (1) The use or disclosure of protected health information involves
no more than a minimal risk to the privacy of individuals, based on, at
least, the presence of the following elements:
    (a) an adequate plan to protect the identifiers from improper use
and disclosure;
    (b) an adequate plan to destroy the identifiers at the earliest
opportunity consistent with conduct of the research, unless there is a
health or research justification for retaining the identifiers or such
retention is otherwise required by law; and
    (c) adequate written assurances that the protected health
information will not be reused or disclosed to any other person or
entity, except as required by law, for authorized oversight of the
research project, or for other research for which the use or disclosure
of protected health information would be permitted by this subpart;
    (2) The research could not practicably be conducted without the
waiver or alteration; and
    (3) The research could not practicably be conducted without access
to and use of the protected health information.
    The Department believes that the proposed modifications to the
waiver criteria in the Privacy Rule would eliminate both the
redundancies in the waiver criteria and the conflicts these provisions
pose to research conducted pursuant to the Common Rule.
2. Research Authorizations
    Several commenters argued that certain authorization requirements
in the Privacy Rule at Sec. 164.508 are problematic as applied to
research uses and disclosures. Generally, commenters raised concerns
that the requirements for individual authorization for uses and
disclosures for research purposes are unduly complex and burdensome. In
response to these concerns, the Department proposes to make a number of
modifications to simplify the authorization requirements, both
generally and in certain circumstances as they specifically apply to
uses and disclosures of protected health information for research. The
discussion below focuses on the proposed modifications specific to uses
and disclosures for research. See section III.H of the preamble for a
discussion of the Department's general proposal to modify the Privacy
Rule's authorization requirements.
    In particular, the Department proposes a single set of requirements
that generally apply to all types of authorizations, including those
for research purposes. This modification would eliminate the specific
provisions at Sec. 164.508(f) for authorizations for uses and
disclosures of protected health information created for research that
includes treatment of the individual. As a result, an authorization for
such purposes would not require any additional elements above and
beyond those required for authorizations in general at Sec. 164.508(c).
To conform to this proposed change, the Department also proposes to
modify the requirements for prohibiting

[[Page 14796]]

conditioning of authorizations at Sec. 164.508(b)(4)(i) to remove the
reference to Sec. 164.508(f). A covered health care provider, thus,
would be able to condition the provision of research-related treatment
on provision of an authorization for the use and disclosure of
protected health information for the particular research study.
    Additionally, the Department proposes to modify
Sec. 164.508(b)(3)(i) to reflect its intent to eliminate the special
authorization requirements for research studies that involve treatment
in Sec. 164.508(f), as well as to clarify that the Privacy Rule would
allow an authorization for the use or disclosure of protected health
information for research to be combined with any other legal permission
related to the research study, including another authorization or
consent to participate in the research. The Department heard from
several provider groups that considered the authorization provisions,
as they relate to research, too complex. These commenters argued in
favor of permitting covered entities to combine all of the research
authorizations required by the Privacy Rule with the informed consent
to participate in research. To simplify the requirements in response to
these concerns, the Department proposes to modify the Privacy Rule to
allow for the combining of such permissions.
    Finally, the Department proposes to include provisions specific to
authorizations for research within the core element proposed at
Sec. 164.508(c)(1)(v) for an expiration date or an expiration event
that relates to the individual or the purpose of the use or disclosure.
First, the Department proposes to explicitly provide that the statement
"end of the research study" or similar language is sufficient to meet
this requirement for an expiration date or event where the
authorization is for a use or disclosure of protected health
information for research. This modification is proposed in response to
commenter concerns that the particular end date of a research study may
not be known and questions regarding whether the end of a research
study is an "event". In addition, such a statement would also be
sufficient to encompass additional time, even after the conclusion of
the research, to allow for the use of protected health information as
necessary to meet record retention requirements to which the researcher
is subject. The Department, therefore, proposes to clarify that
including such a statement on the research authorization would fulfill
the requirement to include an expiration event.
    Similarly, the Department proposes to explicitly provide that the
statement "none" or similar language is sufficient to meet this
provision if the authorization is for a covered entity to use or
disclose protected health information for the creation or maintenance
of a research database or repository. The Department proposes this
modification in response to commenter concerns that the Privacy Rule's
requirement for an "expiration date or an expiration event that
relates to the individual or the purpose of the use or disclosure"
will create a significant obstacle for the development of research
databases or repositories. Commenters stated that research databases
and repositories are often retained indefinitely, and the requirement
that an authorization include an expiration date or event was found to
be counter to the purpose of developing such research resources. The
Department understands these concerns and, therefore, proposes to
permit an individual's authorization to use or disclose protected
health information for the creation and maintenance of a research
database or repository to be valid without an expiration date or event.
The Department emphasizes that this provision is intended to apply only
in the limited circumstances where a use or disclosure is sought solely
for the creation or maintenance of a database or repository, and does
not extend to authorizations for further research or any other purpose.
Therefore, subsequent research using the information maintained in the
database or repository pursuant to an authorization would require that
the authorization include the term "end of the research study" or
other explicit expiration date or event.
3. Research Transition Provisions
    The Privacy Rule includes at Sec. 164.532 different transition
requirements for research that includes treatment (i.e., clinical
trials) and for research that does not include treatment (i.e., records
research). For research that includes treatment, the Privacy Rule
states that as long as legal permission was obtained to use or disclose
protected health information for a specific research project, that
legal permission will continue to be valid until the completion of the
research project; a new permission will not be required to use or
disclose protected health information that was created or received
either before or after the compliance date. However, for research that
does not include treatment, a legal permission obtained before the
compliance date will only be valid for the use and disclosure of
protected health information obtained before the compliance date. The
Privacy Rule does not prescribe the form of the express legal
permission in either case. Express legal permission could be a signed
agreement by the individual to participate in a privately-funded
research study.
    The Privacy Rule does not explicitly address transition provisions
for research studies ongoing after the compliance date where the legal
permission of the individual had not been sought. This point was noted
by several of those who commented on the Privacy Rule's transition
provisions as they apply to research. Some of these commenters
recommended that the Privacy Rule be revised to grandfather in the
research use and disclosure of all protected health information that
existed prior to the compliance date. These commenters expressed
concern that much data would be lost to the research community since it
would often be infeasible or impossible to obtain individuals'
permission to use this archival information.
    Given the confusion about the transition provisions and to assure
that ongoing, vital research will not be impeded, the Department
reassessed the relevant provisions and proposes that there be no
distinction between research that includes treatment and research that
does not, and no distinction between requirements for research
conducted with patients' informed consent versus research conducted
with an IRB-approved waiver of patients' informed consent. Therefore,
the Department proposes to permit a covered entity to use or disclose
for a specific research study protected health information that is
created or received either before or after the compliance date (if
there is no agreed-to restriction in accordance with Sec. 164.522(a)),
if the covered entity has obtained, prior to the compliance date, an
authorization or other express legal permission from an individual to
use or disclose protected health information for the research study. In
addition, the Department proposes to grandfather in research in which
the individual has signed an informed consent to participate in the
research study, or an IRB has waived informed consent for the research
study, in accordance with the Common Rule or FDA's human subject
protection regulations.
    These proposed provisions are intended to apply once any of the
permissions described above has been granted, regardless of whether the

[[Page 14797]]

research study actually has begun by the compliance date or not,
provided that the permission was obtained prior to the compliance date.
In addition, with respect to the informed consent of the individual,
the Department proposes not to limit the transition provisions to an
informed consent pursuant to the Common Rule, but rather intends to
allow for the transition of an informed consent for privately-funded
research. Research studies that do not obtain such express legal
permission, informed consent, or IRB waiver prior to the compliance
date must obtain either authorization, as required by Sec. 164.508, or
a waiver of authorization from an IRB or Privacy Board, as required by
Sec. 164.512(i).

H. Uses and Disclosures for Which Authorization Is Required

    The Privacy Rule permits covered entities to use and disclose
protected health information for treatment, payment, and health care
operations (subject to the individual's consent, if applicable) and as
necessary for public policy purposes, such as public health and safety,
health oversight activities, and enforcement. Covered entities must
obtain an individual's voluntary and informed authorization before
using or disclosing protected health information for any purpose that
is not otherwise permitted or required under the Privacy Rule.
    The Privacy Rule provides for the individual's voluntary
authorization for uses and disclosures of his or her protected health
information by prohibiting, with very limited exceptions, covered
entities from conditioning treatment, payment, or eligibility for
benefits or enrollment in a health plan, on obtaining an authorization.
Furthermore, in Sec. 164.508(b)(5), the Privacy Rule permits
individuals, with limited exceptions, to revoke an authorization at any
time. These provisions are intended to prevent covered entities from
coercing individuals into signing an authorization that is not
necessary for their health care.
    To help ensure that individuals give their authorization for the
use or disclosure of their protected health information on an informed
basis, the Privacy Rule, under Sec. 164.508(c), sets out core elements
that must be included in any authorization. These core elements are
intended to provide individuals with information needed to make an
informed decision about giving their authorization. This information
includes specific details about the use or disclosure, as well as
providing the individual fair notice about his or her rights with
respect to the authorization and the potential for the information to
be redisclosed. The Privacy Rule requires authorizations to provide
individuals with additional information for specific circumstances
under the following three sets of implementation specifications: in
Sec. 164.508(d), for authorizations requested by a covered entity for
its own uses and disclosures; in Sec. 164.508(e), for authorizations
requested by a covered entity for disclosures by others; and in
Sec. 164.508(f), for authorizations for research that includes
treatment of the individual. Additionally, the authorization must be
written in plain language so individuals can understand the information
presented in the authorization.
Public Comments
    The Department received a number of comments raising various issues
regarding implementation of the authorization requirements. A majority
of commenters said the authorization provisions of the Privacy Rule are
too complex and confusing. Some commented that the sets of
implementation specifications are not discrete, creating the potential
for the implementation specifications for specific circumstances to
conflict with the required core elements. Others expressed confusion
generally about which authorization requirements they would be required
to implement.
    Commenters also have raised concerns about the revocation
provisions in Sec. 164.508(b)(5). The Privacy Rule provides an
exception to the individual's right to revoke an authorization where
the authorization is obtained as a condition of obtaining insurance
coverage, or where other law provides the insurer the right to contest
a claim under the policy. The Department intended this provision to
permit insurers to obtain necessary protected health information during
contestability periods under State law. For example, an individual may
not revoke an authorization for the disclosure of protected health
information to a life insurer for the purpose of investigating material
misrepresentation if the individual's policy is still subject to the
contestability period. However, commenters were concerned because other
law also provides the insurer with the right to contest the policy
itself, not just a claim under the policy, and the Privacy Rule does
not provide an explicit exception to allow for this right.
Proposed Modifications
    In response to these concerns, the Department is proposing
modifications to the Privacy Rule to simplify the authorization
provisions, while preserving the provisions for ensuring that
authorizing the use or disclosure of protected health information is a
voluntary and informed decision. The Department proposes to consolidate
the implementation specifications into a single set of criteria to
simplify these provisions, prevent confusion, and eliminate the
potential for conflicts between the authorization requirements.
    Thus, under the proposed modifications, the specifications for the
elements and requirements of an authorization would be consolidated
under Sec. 164.508(c). Paragraphs (d), (e), and (f) in this section
would be eliminated. Paragraph (c)(1) would require all authorizations
to contain the following core elements: (1) A description of the
information to be used or disclosed, (2) the identification of the
persons or class of persons authorized to make the use or disclosure of
the protected health information, (3) the identification of the persons
or class of persons to whom the covered entity is authorized to make
the use or disclosure, (4) a description of each purpose of the use or
disclosure, (5) an expiration date or event, (6) the individual's
signature and date, and (7) if signed by a personal representative, a
description of his or her authority to act for the individual. The
Department also proposes to add new language to clarify that when the
individual initiates the authorization for his or her own purposes, the
purpose may be described as "at the request of the individual." Thus,
individuals would not have to reveal the purpose of the requested
disclosure if they chose not to do so.
    Paragraph (c)(2) would require authorizations to contain the
following notifications: (1) A statement that the individual may revoke
the authorization in writing, and either a statement regarding the
right to revoke, and instructions on how to exercise such right, or to
the extent this information is included in the covered entity's notice,
a reference to the notice, (2) a statement that treatment, payment,
enrollment, or eligibility for benefits may not be conditioned on
obtaining the authorization if such conditioning is prohibited by the
Privacy Rule, or, if conditioning is permitted by the Privacy Rule, a
statement about the consequences of refusing to sign the authorization,
and (3) a statement about the potential for the protected health
information to be subject to redisclosure

[[Page 14798]]

by the recipient. The Department also proposes to limit the requirement
that a covered entity disclose any remuneration that will result from
obtaining an authorization, to authorizations for marketing purposes.
Therefore, the remuneration disclosure requirement appears only in the
new Sec. 164.508(a)(3) on marketing authorizations. These modifications
would permit covered entities to use a single authorization form, and
make it easier to use for the individual and the covered entity, as
well as third parties.
    The Department also proposes to add language to the revocation
exceptions in Sec. 164.508(b)(5)(ii) to include an exception with
respect to the insurer's right to contest the policy under other law.
This proposed modification would recognize, without expanding upon, an
insurer's right to contest the policy under existing law.
    Other proposed modifications concerning authorizations for research
are discussed in section III.G of the preamble.
    Finally, the Department proposes a number of technical conforming
modifications throughout this section of the Privacy Rule to
accommodate the modifications to this section, as well as the proposed
modifications to the consent provision. Specifically, the Department
proposes to modify the exception to the minimum necessary standard in
the Privacy Rule at Sec. 164.502(b)(2), which exempts from the standard
uses or disclosures made pursuant to an authorization under
Sec. 164.508, except for authorizations requested by the covered entity
under Sec. 164.508(d), (e), or (f). By simplifying the authorization
requirements, the proposed modifications described above would
eliminate the special authorizations required by Sec. 164.508(d), (e),
or (f) in the Privacy Rule. To be consistent with the proposed
approach, the Department proposes to eliminate the reference to such
authorizations in the exception at Sec. 164.502(b)(2), thereby
expanding the exception to exempt from the minimum necessary standard
uses and disclosures made pursuant to an authorization for any purpose.
    The Department also proposes modifications at
Secs. 164.508(a)(2)(i)(A), (B), and (C) to place limits on the use and
disclosure of psychotherapy notes without authorization to carry out
treatment, payment or health care operations. The modifications clarify
that this information is not permitted to be used or disclosed without
individual authorization for purposes of another entity.
    The Department proposes to delete Sec. 164.508(b)(4)(iii), relating
to a health plan conditioning payment of a claim on the provision of an
authorization, since this provision will be rendered moot under the
proposed modifications to the consent provision. Additionally, the
Department proposes to delete Sec. 164.508(b)(2)(iv) of the Privacy
Rule, because it is redundant with Sec. 164.508(b)(1)(i), and to modify
Sec. 164.508(b)(1)(i) to clarify that an authorization is valid only if
it meets the requirements of paragraphs (c)(1) and (c)(2).
    Modifications are also proposed at Sec. 164.508(b)(1)(v) of the Privacy
Rule (newly designated as Sec. 164.508(b)(2)(iv) in the proposed Rule)
to clarify that an authorization that violates paragraph (b)(4)
(prohibiting the conditioning of authorizations) is not a valid
authorization.
    These proposed modifications also expressly provide that an
authorization is needed for purposes of marketing. See section III.G of
the preamble for a detailed discussion of the proposed modifications
regarding marketing.

I. De-Identification of Protected Health Information

    At Sec. 164.514(a)-(c), the Privacy Rule permits a covered entity
to de-identify protected health information so that such information
may be used and disclosed freely, without being subject to the Privacy
Rule's protections. Health information is de-identified, or not
individually identifiable, under the Privacy Rule, if it does not
identify an individual and if the covered entity has no reasonable
basis to believe that the information can be used to identify an
individual. In order to meet this standard, the Privacy Rule provides
two alternative methods for covered entities to de-identify protected
health information.
    First, a covered entity may demonstrate that it has met the
standard if a person with appropriate knowledge and experience applying
generally acceptable statistical and scientific principles and methods
for rendering information not individually identifiable makes and
documents a determination that there is a very small risk that the
information could be used by others to identify a subject of the
information. The preamble to the Privacy Rule refers to two government
reports that provide guidance for applying these principles and
methods, including describing types of techniques intended to reduce
the risk of disclosure that should be considered by a professional when
de-identifying health information. These techniques include removing
all direct identifiers, reducing the number of variables on which a
match might be made, and limiting the distribution of records through a
"data use agreement" or "restricted access agreement" in which the
recipient agrees to limits on who can use or receive the data.
    Alternatively, covered entities may choose to use the Privacy
Rule's safe harbor method for de-identification. Under the safe harbor
method, covered entities must remove all of a list of 18 enumerated
identifiers and have no actual knowledge that the information remaining
could be used alone or in combination to identify a subject of the
information. The identifiers that must be removed include direct
identifiers, such as name, street address, social security number, as
well as other identifiers, such as birth date, admission and discharge
dates, and five-digit zip code. The safe harbor does allow for the
disclosure of all geographic subdivisions no smaller than a State, as
well as the initial three digits of a zip code if the geographic unit
formed by combining all zip codes with the same initial three digits
contains more than 20,000 people. In addition, age, if less than 90,
gender, ethnicity, and other demographic information not listed may
remain in the information. The safe harbor is intended to provide
covered entities with a simple, definitive method that does not require
much judgment by the covered entity to determine if the information is
adequately de-identified.
    The Privacy Rule also allows for the covered entity to assign a
code or other means of record identification to allow de-identified
information to be re-identified by the covered entity, if the code is
not derived from or related to information about the subject of the
information, e.g., derivation of the individual's social security
number, and is not otherwise capable of being translated so as to
identify the individual. The covered entity also may not use or
disclose the code for any other purpose, and may not disclose the
mechanism, e.g., algorithm or other tool, for re-identification.
    The Department is cognizant of the increasing capabilities and
sophistication of electronic data matching used to link data elements
from various sources, and from which, therefore, individuals may be
identified. Given this increasing risk to individuals' privacy, the
Department included in the Privacy Rule the above stringent standards
for determining when information may flow unprotected. The Department
also wanted the standards to be flexible enough so the Privacy Rule
would not be a disincentive for covered entities to use or disclose de-
identified

[[Page 14799]]

information wherever possible. The Privacy Rule, therefore, strives to
balance individuals' privacy interests with providing a sufficient
level of information to make de-identified databases useful.
Public Comments
    The Department heard a number of concerns from commenters regarding
the de-identification standard in the Privacy Rule. These comments
generally were raised in the context of using and disclosing
information for research, public health purposes, or for certain health
care operations. Commenters were concerned that the safe harbor method
for de-identifying protected health information was so stringent that
it required removal of many of the data elements that were essential to
their analyses for these purposes. The comments, however, demonstrated
little consensus as to which data elements were needed for such
analyses, with many commenters requesting elements, such as birth date,
neighborhood, account numbers, medical record numbers, and device
identifiers. In addition, commenters largely were silent with regard to
the feasibility of using the Privacy Rule's alternative statistical
method to de-identify information. The Department is aware, however, of
a general view of covered entities that the statistical method is
beyond their capabilities.
    With regard to health care operations, a number of state hospital
associations were concerned that the Privacy Rule will prevent them
from collecting patient information from area hospitals in order to
conduct and disseminate analyses that are useful for hospitals in
making decisions about quality and efficiency improvements. These
commenters explained that the Privacy Rule's stringent provisions for
de-identification would not allow for the necessary data elements to be
collected for such analyses. Specifically, commenters identified the
following critical elements that would be restricted from disclosure by
the Privacy Rule's de-identification standard: Five-digit zip code,
city, county or neighborhood; the dates on which the injury or illness
was treated and the patient released from the hospital; and the month
of birth (noted by commenters as especially important for very young
children). In addition, commenters argued that the Privacy Rule's
provisions for data aggregation by a business associate, while allowing
for the collection and aggregation of identifiable data from multiple
hospitals for quality and efficiency purposes, would not allow state
hospital associations to disclose all the desired analyses back to the
contributing hospitals because some identifiers would remain in the
data. These commenters emphasized the importance to hospitals to have
access to information about community health care needs and the ability
to compare their community to others in the state so that they may
adequately respond to and fulfill such needs.
    In addition, commenters identified a problem with hospitals
themselves sharing aggregated information with other hospitals for
health care operations purposes. The Privacy Rule prohibits covered
entities from disclosing protected health information for the health
care operations purposes of other covered entities. As described in
section III.A.2 of the preamble regarding Uses and Disclosures for
Treatment, Payment, and Health Care Operations, the Department is
proposing to modify this restriction and allow covered entities to
disclose protected health information for another covered entity's
health care operations under some circumstances. However, two
conditions on the sharing of individually identifiable information for
health care operations may continue to pose a problem. The proposed
modifications would condition the sharing on both entities being
covered entities and both entities having a relationship with the
individual. Hospitals wishing to exchange patient information with each
other or with other community health care providers would not satisfy
these conditions in all cases.
    Many researchers expressed similar concerns, explaining that the
Privacy Rule's de-identification safe harbor was so strict that it
would result in more research being done on identifiable health
information and, thereby, being subject to IRB review than is currently
the case. Under the Common Rule, research that uses "identifiable
private information" must undergo IRB review. However, there is no
agreed-upon definition of "identifiable private information" and IRBs
determine on a case-by-case basis what constitutes "identifiable
private information." Consistent with this variability, the comments
did not demonstrate consensus on what identifiers should be permitted
to be retained for research purposes.
    Commenters also expressed concerns with respect to
public health reporting. For example, some product manufacturers
subject to the jurisdiction of FDA were concerned that they would not
be able to operate post-marketing surveillance registries, to which
health care providers report problems. Commenters stated that even
though they do not need information with direct identifiers, the
Privacy Rule's strict de-identification standard would not allow the
reporting of useful information into the registry. Additionally, a
number of commenters described the de-identification standard as
hampering many research and health care operations activities that also
serve a public health purpose, e.g., the tracking of the emergence of
disease that could be the result of bioterrorism.
    The Department also heard from some consumer advocates who
supported the elimination of barriers they believe are imposed by the
de-identification standard to important medical research. In order to
ensure privacy is protected, but at the same time not render impossible
research using de-identified information, these commenters recommended
that the Department permit the use of information for research that is
facially de-identified, i.e., stripped of direct identifiers, so long
as the research entity provides assurances that it will not use or
disclose the information for purposes other than research and will not
identify or contact the individuals who are the subjects of the
information.
Solicitation of Comment
    The Department is aware of the importance of the activities
described by the commenters but is not currently convinced of the need
to modify the safe harbor standard for de-identified information.
Instead, the Department requests comment on an alternative approach
that would permit uses and disclosures of a limited data set which does
not include facially identifiable information but in which certain
identifiers would remain. The Department is not considering permitting
the disclosure of any such limited data set for general purposes, but
rather is considering permitting disclosure of such information for
research, public health, and health care operations purposes.
    The limited data set would not include the following information,
which the Department considers direct identifiers: name, street
address, telephone and fax numbers, e-mail address, social security
number, certificate/license number, vehicle identifiers and serial
numbers, URLs and IP addresses, and full face photos and any other
comparable images. The limited data set would include the following
identifiable information: admission, discharge, and service dates; date
of death; age (including age 90 or over); and five-digit zip code. The

[[Page 14800]]

Department solicits comment on whether another one or more geographic
units smaller than State, such as city, county, precinct, neighborhood
or other unit, would be needed in addition to, or be preferable to,
five-digit zip code.
    In addition, to address concerns raised by commenters regarding
access to birth date for research or other studies relating to young
children or infants, the Department clarifies that the Privacy Rule
does not prohibit age of an individual from being expressed as an age
in months, days, or hours. Given that the limited data set would
include all ages, including age in months, days, or hours, if
preferable, the Department requests comment on whether date of birth is
needed and, if so, whether the entire date is needed, or just the month
and year.
    In addition, to further protect privacy, the Department would
propose to condition the disclosure of the limited data set on covered
entities obtaining from the recipients a data use or similar agreement,
in which the recipient would agree to limit the use of the limited data
set to the specified purposes in the Privacy Rule, and limit who can
use or receive the data, as well as agree not to re-identify the data
or contact the individuals. Commenters seemed to indicate that
recipients would be amenable to such conditions.
    The Department solicits public comment on the feasibility and
acceptability of the above approach for the described purposes, and
whether or not the limitations and conditions would be sufficiently
protective of patient privacy.
Proposed Modifications
    In addition to the solicitation of comment above, the Department
proposes a technical modification to the safe harbor provisions. A
number of commenters expressed confusion regarding what was believed to
be conflicting provisions within the de-identification standard.
Commenters argued that, on the one hand, the Privacy Rule treats
information as de-identified if all listed identifiers on the
information are stripped, including any unique, identifying number,
characteristic, or code. Yet, the Privacy Rule permits a covered entity
to assign a code or other record identification to the information so
that it may be re-identified by the covered entity at some later date.
    The Department did not intend the re-identification code to be
considered one of the enumerated identifiers. Therefore, the Department
proposes to clarify its intent by explicitly excepting the re-
identification code or other means of record identification permitted
by Sec. 164.514(c) from the listed identifiers at
Sec. 164.514(b)(2)(i)(R).
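As an added example, not part of the Federal Register text, the following Python applies the safe harbor transformations described above (removal of the enumerated identifiers, three-digit zip generalization under the 20,000-person rule, year-only dates, aggregation of ages 90 and over, and a random re-identification code not derived from the subject's data) to a constructed record, and in a second mode builds the limited data set described under "Solicitation of Comment". Field names, the population table per three-digit zip prefix, and the sample record are assumptions; the 000 placeholder for low-population prefixes follows the safe harbor text of Sec. 164.514(b)(2)(i).

```python
"""Safe harbor de-identification and limited data set construction.

Added example, not part of the Federal Register text. Field names, the
3-digit zip population table and the sample record are constructed
assumptions; the transformations follow the passage above.
"""
import secrets
from datetime import date

# Direct identifiers the safe harbor requires removed (Sec. 164.514(b)(2)(i));
# the field names used for them here are assumptions.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "county", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_id", "url", "ip_address", "biometric", "photo",
}
# Safe harbor keeps only the year of a date; the limited data set keeps
# admission, discharge, service and death dates in full.
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# Constructed population counts per 3-digit zip prefix (not real figures).
ZIP3_POPULATION = {"021": 650_000, "036": 12_000}


def generalize_zip(zip5: str) -> str:
    """Keep the initial three digits only if the area formed by all zips
    sharing them holds more than 20,000 people; otherwise use the 000
    placeholder the safe harbor text prescribes for such areas."""
    zip3 = zip5[:3]
    return zip3 if ZIP3_POPULATION.get(zip3, 0) > 20_000 else "000"


def generalize_age(age: int):
    """Ages under 90 may remain; 90 and over collapse into one category."""
    return age if age < 90 else "90+"


def new_record_code() -> str:
    """Re-identification code: must not be derived from the subject's own
    data (no SSN hash or MRN transform); a random token meets that test."""
    return secrets.token_hex(16)


def deidentify(record: dict, mode: str = "safe_harbor"):
    """Return (released_record, reid_map).

    reid_map (code -> internal MRN) and the fact that the code is random
    stay with the covered entity; only released_record is disclosed.
    """
    if mode not in ("safe_harbor", "limited_data_set"):
        raise ValueError(f"unknown mode {mode!r}")
    safe_harbor = mode == "safe_harbor"
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            # The passage lists a shorter exclusion set for the limited data
            # set and leaves e.g. MRNs open; this example removes every
            # direct identifier in both modes (conservative assumption).
            continue
        if field in DATE_FIELDS:
            out[field] = value.year if safe_harbor else value.isoformat()
        elif field == "zip":
            out[field] = generalize_zip(value) if safe_harbor else value
        elif field == "age":
            out[field] = generalize_age(value) if safe_harbor else value
        else:
            out[field] = value
    code = new_record_code()
    out["record_code"] = code
    return out, {code: record.get("mrn")}


def check_safe_harbor(released: dict) -> list:
    """Pre-release check; returns a list of violations (empty when clean)."""
    problems = [f"direct identifier present: {f}"
                for f in released if f in DIRECT_IDENTIFIERS]
    zip3 = released.get("zip")
    if zip3 is not None and (len(zip3) != 3 or (
            zip3 != "000" and ZIP3_POPULATION.get(zip3, 0) <= 20_000)):
        problems.append("zip code not generalized per the 20,000 rule")
    for f in DATE_FIELDS:
        if f in released and not isinstance(released[f], int):
            problems.append(f"{f} retains more than the year")
    age = released.get("age")
    if isinstance(age, int) and age >= 90:
        problems.append("age 90 or over not aggregated")
    return problems


# Constructed sample record (not a real patient).
SAMPLE = {
    "mrn": "MRN-0001", "name": "Jane Example", "street_address": "1 Main St",
    "city": "Boston", "county": "Suffolk", "state": "MA", "zip": "02115",
    "phone": "555-0100", "email": "jane@example.invalid", "ssn": "000-00-0000",
    "birth_date": date(1910, 5, 6), "admission_date": date(2001, 11, 3),
    "discharge_date": date(2001, 11, 9), "age": 91, "gender": "F",
    "diagnosis": "constructed-dx-code",
}

if __name__ == "__main__":
    released, reid = deidentify(SAMPLE)
    print(released, check_safe_harbor(released))
    print(deidentify(SAMPLE, mode="limited_data_set")[0])
```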

J. Technical Corrections and Other Clarifications

    In addition to the modifications described above, the Department
proposes to make the following clarifications:
    1. Changes of Legal Ownership. The Privacy Rule's definition of
health care operations, at Sec. 164.501, includes business management
and general administrative activities of the entity, including due
diligence in connection with the sale or transfer of assets to a
potential successor in interest, if the potential successor in interest
is a covered entity or, following completion of the sale or transfer,
will become a covered entity.
    In the preamble to the Privacy Rule, the Department explained that
this language was included to remedy an omission in the 1999 proposed
Rule by

add[ing] to the definition of health care operations disclosures of
protected health information for due diligence to a covered entity
that is a potential successor in interest. This provision includes
disclosures pursuant to the sale of a covered entity's business as a
going concern, mergers, acquisitions, consolidations, and other
similar types of corporate restructuring between covered entities,
including a division of a covered entity, and to an entity that is
not a covered entity but will become a covered entity if the
reorganization or sale is completed.

65 FR at 82609 (December 28, 2000) (response to comment); see also 65
FR at 82491 (similar language); 65 FR at 82652 ("We clarify in the
definition of health care operations that a covered entity may sell or
transfer its assets, including protected health information, to a
successor in interest that is or will become a covered entity.")
    Despite language in the preamble to the contrary, the definition of
health care operations in the Privacy Rule does not expressly provide
for the transfer of protected health information upon sale or transfer
to a successor in interest. Instead, the definition of "health care
operations" only mentions disclosures of protected health information
for "due diligence" purposes when a sale or transfer to a successor
in interest is contemplated. "Due diligence" is generally understood
to mean the "[a] prospective buyer's or broker's investigation and
analysis of a target company, a piece of property, or a newly issued
security." Black's Law Dictionary (7th ed. 1999) available in Westlaw,
DIBLACK database.
    The Department proposes to add language to paragraph (6) of the
definition of "health care operations" to clarify the intent to
permit the transfer of records to a covered entity upon a sale,
transfer, merger, or consolidation. This proposed change would prevent
the Privacy Rule from interfering with necessary treatment or payment
activities upon the sale of a covered entity or its assets.
    The Department also proposes to use the terms "sale, transfer,
consolidation or merger" to eliminate the term "successor in
interest" from this paragraph. The Department intended this provision
to apply to any sale, transfer, merger or consolidation and believes
the current language may not sufficiently accomplish this goal. The
proposed language's use of the terms "sale, transfer, merger and
consolidation" is based on language used in model State laws
addressing the disclosure of personal or privileged information
collected or received in connection with an insurance transaction.
    The Department retains the limitation that such disclosures are
health care operations only to the extent the entity receiving the
protected health information is a covered entity or will become a
covered entity as a result of the sale, transfer, merger, or
consolidation. In addition, the proposed modification does not affect
any responsibility of covered entities either under other law or
ethical obligation to notify individuals appropriately of a sale,
transfer, merger, or consolidation.
    2. Group Health Plan Disclosures of Enrollment and Disenrollment
Information to Plan Sponsors. The Department proposes to modify the
Privacy Rule to make express the Department's policy, which was
explained in the preamble to the Privacy Rule, that group health plans
are permitted to share enrollment and disenrollment information with
plan sponsors without amending plan documents. Under the Privacy Rule,
both a group health plan and a health insurance issuer or HMO providing
health insurance or health coverage to the group health plan are
covered entities. Neither employers nor other plan sponsors are
defined as covered entities. The Department recognizes the legitimate
need of the plan sponsor to have access to health information of these
covered entities in certain situations. Therefore, the Privacy Rule at
Sec. 164.504(f) permits a group health plan, and health insurance
issuers or HMOs with respect to the group health plan, to disclose
protected health information to the plan sponsor provided that, among
other requirements, the plan documents are

[[Page 14801]]

amended to appropriately reflect and restrict the plan sponsor's uses
and disclosures of such information.
    There are two exceptions where the Privacy Rule permits group
health plans (or health insurance issuers or HMOs, as appropriate) to
disclose information to a plan sponsor without requiring amendment of
plan documents. First, Sec. 164.504(f) permits such disclosures when
the information needed by the plan sponsor is summary health
information. Second, as explained in the preamble to the Privacy Rule,
a plan sponsor is permitted to perform enrollment functions on behalf
of its employees without meeting the requirements of Sec. 164.504(f),
as such functions are considered outside of the plan administration
functions. Therefore, a group health plan is also permitted to disclose
enrollment or disenrollment information to the plan sponsor without
amending the plan documents as required by Sec. 164.504(f).
    However, this policy regarding disclosures of enrollment or
disenrollment information was addressed only in the preamble to the
Privacy Rule and not explicitly in the regulation itself. As a result,
the policy seems to have been overlooked and the absence of a specific
provision in the regulation itself has caused misinterpretation within
industry. To remedy this misunderstanding and make its policy clear,
the Department proposes to add an explicit exception at
Sec. 164.504(f)(1)(iii) to clarify that group health plans (or health
insurance issuers or HMOs, as appropriate) are permitted to disclose
enrollment or disenrollment information to a plan sponsor without
meeting the plan document amendment and other related requirements.
    3. Definition of "Individually Identifiable Health Information."
The Department proposes to move the definition of "individually
identifiable health information" from Sec. 164.501 to Sec. 160.103 to
clarify that the definition is relevant to all of the provisions in
Parts 160 through 164.
    4. Accounting of Disclosures of Protected Health Information. Under
the Privacy Rule at Sec. 164.528, individuals have the right to receive
an accounting of disclosures of protected health information made by
the covered entity, with certain exceptions. These exceptions, or
instances where a covered entity is not required to account for
disclosures, include disclosures made by the covered entity to carry
out treatment, payment, or health care operations, as well as
disclosures to individuals of protected health information about them.
    The accounting is required to include the following: (1)
disclosures of protected health information that occurred during the
six years prior to the date of the request for an accounting, including
disclosures to or by a business associate of the covered entity; (2)
for each disclosure: the date of the disclosure; the name of the entity
or person who received the protected health information; if known, the
address of such entity or person; a brief description of the protected
health information disclosed; and a brief statement of the purpose of
the disclosure that reasonably informs the individual of the basis for
the disclosure, or in lieu of such a statement, a copy of the
individual's written authorization pursuant to Sec. 164.508 or a copy
of a written request for a disclosure under Secs. 164.502(a)(2)(ii) or
164.512. For multiple disclosures of protected health information to
the same person, the Privacy Rule allows covered entities to provide
individuals with an accounting that contains only the following
information: (1) For the first disclosure, a full accounting, with the
elements described in (2) above; (2) the frequency, periodicity, or
number of disclosures made during the accounting period; and (3) the
date of the last such disclosure made during the accounting period.
    A number of commenters raised concerns that the high costs and
administrative burdens associated with the accounting requirements
would deter covered entities from disclosing protected health
information. In response to these concerns, the Department proposes to
expand the exceptions to the standard at Sec. 164.528(a)(1) to include
disclosures made pursuant to an authorization as provided in
Sec. 164.508. Covered entities would no longer be required to account
for any disclosures authorized by the individual in accordance with
Sec. 164.508. The Department is proposing to alleviate burden in this
way because it is believed that an accounting of disclosures made
pursuant to such permissions is unnecessary because such disclosures
are already known by the individual, inasmuch as the individual was
required to sign the forms authorizing the disclosures.
    Accordingly, the Department proposes to make two conforming
amendments at Secs. 164.528(b)(2)(iv) and (b)(3) to delete references
in the accounting content requirements to disclosures made pursuant to
an authorization.
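As an added example, not part of the Federal Register text, the following Python builds the accounting of disclosures described above from a constructed disclosure log: it applies the six-year window, omits the exempt disclosures (treatment, payment, health care operations, disclosures to the individual, and, under the proposed modification, disclosures made pursuant to a Sec. 164.508 authorization), lists the required elements for each remaining disclosure, and collapses repeated disclosures to the same recipient for the same purpose into the first disclosure plus a count and last date. The log format, the `basis` labels and the sample entries are assumptions.

```python
"""Accounting of disclosures under Sec. 164.528, as described above.

Added example, not part of the Federal Register text. The log format,
the 'basis' labels and the sample entries are constructed assumptions.
"""
from datetime import date

# Disclosures the passage says need not be accounted for; under the
# proposed modification, Sec. 164.508 authorizations join the list.
BASE_EXEMPT = {"tpo", "to_individual"}


def six_years_before(d: date) -> date:
    """Start of the accounting window: six years prior to the request."""
    try:
        return d.replace(year=d.year - 6)
    except ValueError:  # request dated February 29
        return d.replace(year=d.year - 6, day=28)


def accounting(log: list, request_date: date, proposed_rule: bool = True):
    """Build the accounting an individual would receive.

    Each non-exempt disclosure in the six-year window is listed with the
    required elements; repeated disclosures to the same recipient for the
    same purpose are collapsed to the first one plus a count and last date.
    """
    exempt = BASE_EXEMPT | ({"authorization"} if proposed_rule else set())
    start = six_years_before(request_date)
    groups = {}  # (recipient, purpose) -> entries in date order
    for entry in sorted(log, key=lambda e: e["date"]):
        if entry["basis"] in exempt or not start <= entry["date"] <= request_date:
            continue
        groups.setdefault((entry["recipient"], entry["purpose"]), []).append(entry)
    result = []
    for (recipient, purpose), entries in groups.items():
        first = entries[0]
        item = {
            "date": first["date"].isoformat(),
            "recipient": recipient,
            "address": first.get("address"),  # included only if known
            "description": first["description"],
            "purpose": purpose,
        }
        if len(entries) > 1:
            item["number_of_disclosures"] = len(entries)
            item["last_disclosure"] = entries[-1]["date"].isoformat()
        result.append(item)
    return result


def _entry(d, recipient, purpose, description, basis, address=None):
    return {"date": d, "recipient": recipient, "purpose": purpose,
            "description": description, "basis": basis, "address": address}


# Constructed disclosure log for one individual (not real data).
LOG = [
    _entry(date(1995, 1, 5), "State Health Dept", "public health reporting",
           "lab result", "public_health"),
    _entry(date(1999, 6, 1), "Dr. Example", "treatment", "full chart", "tpo"),
    _entry(date(2000, 2, 10), "Life Insurer Co", "underwriting",
           "discharge summary", "authorization", "PO Box 1 (constructed)"),
    _entry(date(2001, 4, 1), "State Health Dept", "public health reporting",
           "lab result", "public_health"),
    _entry(date(2001, 7, 1), "State Health Dept", "public health reporting",
           "lab result", "public_health"),
    _entry(date(2001, 10, 1), "State Health Dept", "public health reporting",
           "lab result", "public_health"),
    _entry(date(2001, 12, 15), "County Court", "response to court order",
           "visit dates", "required_by_law", "1 Court Sq (constructed)"),
]
REQUEST_DATE = date(2002, 3, 27)

if __name__ == "__main__":
    for item in accounting(LOG, REQUEST_DATE):
        print(item)
```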
    5. Uses and Disclosures Regarding FDA-regulated Products and
Activities. The Department recognizes the importance of public health
activities and, in the Privacy Rule, allows information to be used and
disclosed for these purposes without requiring individual consent or
authorization. The recent anthrax attacks and the threat of other forms
of bio-terrorism have served to underscore the vital necessity of a
strong and effective public health system. The Rule allows covered
entities to disclose protected health information to public health
authorities for a broad array of public health purposes, including
reporting of diseases, injuries, vital statistics, and for the conduct
of public health surveillance and interventions. The Rule permits
public health reporting to private persons who are contractors for or
agents of the public health authority. The Rule also recognizes the
essential role of manufacturers and other private persons in carrying
out the Food and Drug Administration's (FDA) public health mission.
    The Privacy Rule, at Sec. 164.512(b)(1)(iii), specifically permits
covered entities to disclose protected health information, without
individual authorization, to a person who is subject to the
jurisdiction of the FDA for the following specified purposes: (1) To
report adverse events, defects or problems, or biological product
deviations with respect to products regulated by the FDA (if the
disclosure is made to the person required or directed to report such
information to the FDA), (2) to track products (if the disclosure is
made to the person required or directed to report such information to
the FDA), (3) for product recalls, repairs, or replacement, and (4) for
conducting post-marketing surveillance to comply with FDA requirements
or at the direction of the FDA.
    The Department received a number of comments on the provisions for
public health activities related to FDA-regulated products. The
majority of these commenters were concerned that the Privacy Rule
constrains important public health surveillance and reporting
activities by impeding the flow of needed information to those subject
to the FDA's jurisdiction. In particular, commenters noted that
limiting disclosures to those that are "required or directed" by FDA
does not reflect the breadth of public health activities that are
currently being conducted by the private sector on a voluntary basis or
under the general auspices of--but not at the direction of--FDA. In
general, commenters were concerned that such limitations would stifle
current reporting practices. For example, the
FDA currently obtains the vast majority of its information about drugs
and devices indirectly from health care providers who voluntarily
report known adverse events or problems to the manufacturer of the
product. The manufacturer may or may not be required to report such
adverse events to FDA. Commenters assert that the present language of
the Privacy Rule will have a "chilling effect" on these important
communications due to uncertainty over the manufacturer's obligation to
report to the FDA.
    Some concern was expressed about the potential liability of a
covered entity for a disclosure to an employee of the manufacturer who
is not "a person subject to the jurisdiction of the FDA" or to the
wrong manufacturer. The Department seeks to assure covered entities
that use of the term "a person" was not intended to limit reporting
to a single individual within an entity, but to allow reporting to flow
as it does today between health care providers and representatives of
manufacturers or other companies. Moreover, the Department seeks to
clarify that covered entities may continue to disclose protected health
information to the companies identified on the product labels as the
manufacturer registered with the FDA to distribute the product.
    To eliminate the "chilling effect" of the Rule, some commenters
requested that the Department include in the Rule a "good-faith" safe
harbor to protect covered entities from enforcement actions arising
from unintentional violations of the Privacy Rule. For example, a
health care provider would not have violated the Rule if the disclosure
was made in the good faith belief that the entity to whom the adverse
event was reported was responsible for the FDA-regulated product, even
if it turned out to be the wrong manufacturer.
    Finally, a number of commenters, including some that are subject to
the FDA's jurisdiction, suggested that: identifiable health information
is not necessary for some or all of these public health reporting
purposes; that identifiable health information is not reported to FDA;
and that for purposes of post-marketing surveillance, information
without direct identifiers (such as name, mailing address, phone
number, social security number, and email address) should suffice. The
Department recognizes that there must be a balance between the need for
public health activities that benefit every individual by safeguarding
the effectiveness, safety, and quality of the products regulated by the
FDA, and the privacy interests of specific individuals. However, the
comments did not offer a consensus as to which activities could be
performed without identifiable information or which identifiers, if
any, were needed. In Section III.I of this preamble regarding De-
identification issues, the Department is soliciting comments on a
limited data set for use for specific purposes, including public
health. The Department also requests comments as to whether this
limited data set should be required or permitted for some or all public
health purposes or if a special rule should be developed for public
health reporting.
    The Department did not intend the Privacy Rule to discourage or
prevent the reporting of adverse events or otherwise disrupt the flow
of essential information that FDA and persons subject to the
jurisdiction of FDA need in order to carry out their important public
health activities. Therefore, the Department proposes a number of
changes to eliminate uncertainties identified by the commenters, and,
thereby, encourage covered entities to continue to report and cooperate
in these essential public health activities. The proposed modifications
attempt to recognize and preserve current public health activities of
persons subject to the jurisdiction of the FDA while not diminishing
the health information privacy protections for individuals.
    Specifically, the Department proposes to remove from
Sec. 164.512(b)(1)(iii)(A) and (B) the phrase "if the disclosure is
made to a person required or directed to report such information to the
Food and Drug Administration" and to remove from subparagraph (D) the
phrase "to comply with requirements or at the direction of the Food
and Drug Administration." In lieu of this language, HHS proposes to
describe at the outset the public health purposes for which disclosures
may be made. The proposed language reads: "A person subject to the
jurisdiction of the Food and Drug Administration (FDA) with respect to
an FDA-regulated product or activity for which that person has
responsibility, for the purpose of activities related to the quality,
safety or effectiveness of such FDA-regulated product or activity."
    The Department proposes to retain the listing of specific
activities identified in paragraphs (A), (B), (C), and (D), to give
covered entities additional assurance that public health disclosures
for these activities are permissible under the Privacy Rule. The
listing, however, is no longer an exclusive list of FDA-related public
health activities, but rather is a list of examples of the most common
activities. Additionally, language has been added to paragraph (C) to
include "lookback" activities which are necessary for tracking blood
and plasma products, as well as quarantining tainted blood or plasma
and notifying recipients of such tainted products.
    The privacy of individuals' health information would continue to be
protected through the limitations placed on the permissible disclosures
for FDA purposes. Specifically, such disclosures must relate to FDA-
regulated products or activities for which the person using or
receiving the information has responsibility, and for activities
related to the safety, effectiveness, or quality of such FDA-regulated
product or activity.
    The Department is not proposing a good-faith safe harbor at this
time because it believes that these proposed modifications will
adequately address the concerns and uncertainties facing covered
entities. However, the Department is interested in hearing from
affected parties as to whether the proposed modifications are adequate
or if additional measures are necessary for health care providers or
others to continue to report this vital information about FDA-regulated
products or activities.
    6. Hybrid Entities. The Privacy Rule defines as hybrid entities those
covered entities that primarily engage in activities that are not
covered functions (covered functions being those functions that relate
to the entity's operation as a health plan, health care provider, or
health care clearinghouse). See Sec. 164.504(a). In order to limit the
burden on such entities,
most of the requirements of the Privacy Rule only apply to the health
care component(s) of the hybrid entity and not to the parts of the
entity that do not engage in covered functions. The health care
component(s) include those components of the entity that perform
covered functions and other components of the entity that support those
covered functions, in the same way such support may be provided by a
business associate. A covered entity that is a hybrid entity is
required to define and designate those parts of the entity that engage
in the covered functions and "business associate" functions and that
are, therefore, part of the health care component(s). The health care
component is designed to include components that engage in "business
associate" functions because it is impossible for the entity to
contract with itself and the authorization requirement would limit the
ability to engage in necessary health care operations functions.
    The hybrid entity is also required to create adequate separation
(i.e., fire walls) between the health care component(s) and other
components of
the entity. Transfer of protected health information held by the health
care component to other components of the hybrid entity is a disclosure
under the Privacy Rule and is only allowed to the same extent as such
disclosure would be permitted to a separate entity.
    Examples of hybrid entities are: (1) corporations that are not in
the health care industry, but that operate on-site health clinics, and
(2) insurance carriers that have multiple lines of business which
include both health insurance and other insurance lines such as general
liability or property and casualty insurance.
    A "hybrid entity" is defined in the Privacy Rule as an entity
"whose covered functions are not its primary functions." (emphasis
added). In the preamble to the Privacy Rule, the Department explained
that the use of the term "primary" in the definition of a "hybrid
entity" was not intended to operate with mathematical precision. The
Department intended a common sense evaluation of whether the covered
entity mostly operates as a health plan, health care provider, or
health care clearinghouse. If an entity's primary activity was engaging
in covered functions, then the whole entity would be a covered entity
and the hybrid entity provisions would not apply. However, if the
covered entity primarily conducted non-health activities, it would
qualify as a hybrid entity and would be required to comply with the
Privacy Rule with respect to its health care component(s). Commenters
expressed concern that the policy guidance in the preamble was
insufficient as long as the Privacy Rule itself limited the hybrid
entity provisions to entities that primarily conducted non-health
related activities. There were particular concerns in cases in which
the health plan line of business was the primary business, and the line
of business that is one of the excepted benefits, e.g., workers'
compensation insurance, was only a small portion of the business. There
were also concerns about what "primary" meant if not a mathematical
calculation and how the entity would know whether or not it was a
hybrid entity based on the guidance in the preamble.
    As a result of these comments, the Department proposes to delete
the term "primary" from the definition of "hybrid entity" in
Sec. 164.504(a). In order to avoid the problem of line drawing, the
Department proposes to permit any covered entity to be a hybrid entity
if it is a single legal entity that performs both covered and non-
covered functions, regardless of whether the non-covered functions
represent that entity's primary function, a substantial function, or
even a small portion of the entity's activities.
    The Department proposes to permit covered entities that could
qualify as hybrid entities to choose whether or not they want to be
hybrid entities. Elimination of the requirement in the definition of
"hybrid entity" that covered functions not be the "primary"
functions of the covered entity would greatly increase the proportion
of covered entities that are hybrid entities. In order to avoid the
burden of requiring many more covered entities to designate the health
care components and create fire walls within their entity when it is
administratively simpler to treat the entire entity as a covered
entity, the proposal would allow the covered entity to choose whether
it will be a hybrid entity or not. To accomplish this objective, the
proposed definition of "hybrid entity" would require that in order to
be a hybrid entity, a covered entity that otherwise qualifies must
designate health care components. If a covered entity does not
designate health care components, the entire entity would be a covered
entity.
    There are advantages and disadvantages to being a hybrid entity.
Whether or not the advantages outweigh the disadvantages will be a
decision of each covered entity that may qualify as a hybrid entity and
will be influenced by factors such as how the entity is organized and
the proportion of the entity that must be included in the health care
component. Where the non-covered functions of the entity are only a
small portion of the entity, it will likely be more efficient to simply
consider the entire entity as a covered entity. Nonetheless, the
Department is proposing to permit flexibility for covered entities to
choose whether or not to be treated as a covered entity entirely or as
a hybrid entity.
    The Department also proposes to simplify the definition of "health
care component" in Sec. 164.504(a) to make clear that a health care
component is whatever the covered entity designates as the health care
component, consistent with the provisions regarding designation in
Sec. 164.504(c)(3)(iii). The specific language regarding which
components make up a health care component would be in the
implementation specification that addresses designation of health care
components. The Department proposes to move this specific language
because it provides requirements and directions that are more
appropriately placed in an implementation specification. The Department
proposes that health care components may include: (1) Components of the
covered entity that engage in covered functions, and (2) any component
that engages in activities that would make such component a business
associate of a component that performs covered functions if the two
components were separate legal entities.
    With respect to the components that perform covered functions, the
Department also clarifies that a hybrid entity must include in its
health care component(s) any component that would meet the definition
of "covered entity" if it were a separate legal entity. "Covered
functions" are those functions of a covered entity that make the
entity a health plan, health care provider, or health care
clearinghouse. However, there was some ambiguity as to whether a
component of a covered entity that is a health care provider, but that
does not conduct standard electronic transactions, must be included in
the health care component. The proposed language would clarify that any
component that would be a covered entity if it were a separate legal
entity must be included in the health care component.
    Under these proposed changes, a component that is a health care
provider and that engages in standard electronic transactions must be
included in the health care component, but a component that is a health
care provider but that does not engage in standard electronic
transactions may, but would not be required to, be included in the
health care component of the hybrid entity. The decision would be left
to the covered entity in the second case. For example, in a university
setting, the single legal entity may operate hospital facilities that
bill electronically and research laboratories that do not engage in any
electronic billing. The modification would clarify that the university
as a hybrid entity need only include the hospital facilities that bill
electronically in the health care component. The modification also
would make clear that the university has the option to include the
components, such as the research laboratory, that function as a health
care provider, but not as a covered health care provider. A covered
entity that chooses to include a non-covered health care provider in
its health care component would be required to ensure that the non-
covered health care provider, as well as the rest of the health care
component, is in compliance with the Privacy Rule.
    There is also a conforming change in the proposed language in
Sec. 164.504(c)(1)(ii) to make it clear that a reference to a "covered
health care provider" in the Privacy Rule could
include the functions of a health care provider who does not engage in
electronic transactions, if the covered entity chooses to include such
functions in the health care component.
    With respect to the language regarding components that engage in
"business associate" functions, the Department does not make any
substantive change. The components of a hybrid that may provide
services to the component that performs covered functions, such as a
portion of the legal or accounting departments of the entity, may be
included in the health care component so protected health information
can be shared with such components of the entity without requiring
business associate agreements or individual authorizations. The related
language in paragraph (2)(ii) of the definition of "health care
component" in the Privacy Rule that requires the "business
associate" functions include the use of protected health information
is not included in this proposed Rule because it is redundant.
    It is important to note that a covered entity may include
components that engage in "business associate" functions in its
health care component or not. It is not a violation of the Privacy Rule
to fail to include such a component in the health care component
designation. However, a disclosure of protected health information from
the health care component to such other component if it is not part of
the health care component is the same as a disclosure outside the
covered entity and is a violation unless it is permitted by the Privacy
Rule. Because an entity cannot have a business associate contract with
itself, such a disclosure likely would require individual
authorization.
    Finally, to avoid needless application of the hybrid entity
provisions to a covered entity's activities as an employer, rather than
as a health plan, health care provider, or health care clearinghouse,
the Department proposes to modify the definition of "protected health
information" in Sec. 164.501. The preamble to the Privacy Rule makes
clear that the Privacy Rule does not treat employment records as
protected health information. To avoid any confusion or
misinterpretation on this point, the Department proposes to expressly
exclude employment records held by a covered entity in its role as
employer from the definition of "protected health information." In
that way, employment records will be treated in the same manner as
student medical records covered by FERPA, which the Privacy Rule
excludes from the definition of "protected health information." This
change will limit the need for a covered entity, whose primary
activities are covered functions, to designate itself as a hybrid
entity simply to carve out employment records.
    It is important to note that the exception from the definition of
"protected health information" for employment records only applies to
individually identifiable health information in those records that are
held by a covered entity in its role as employer. The exception does
not apply to individually identifiable health information held by a
covered entity when carrying out its health plan or health care
provider functions. Such information would be protected health
information. The Department specifically is soliciting comments on
whether the term "employment records" is clear or whether it needs to
be more fully explained. It would be particularly helpful if commenters
could identify certain types of records that should be included or
excluded from "employment records."
    7. Technical Corrections. The Privacy Rule contained some technical
and typographical errors. Therefore, the Department proposes to make
the following corrections:
    a. In Sec. 160.102(b), beginning in the second line, "section
201(a)(5) of the Health Insurance Portability Act of 1996, (Pub. L.
104-191)," is replaced with "42 U.S.C. 1320a-7c(a)(5)".
    b. In Sec. 160.203(b), in the second line, "health information"
is replaced with "individually identifiable health information".
    c. In Sec. 164.102, "implementation standards" is corrected to
read "implementation specifications."
    d. In Sec. 164.501, in the definition of "protected health
information", "Family Educational Right and Privacy Act" is
corrected to read "Family Educational Rights and Privacy Act."
    e. In Sec. 164.508(b)(1)(ii), in the fifth line, the word "be" is
deleted.
    f. In Sec. 164.508(b)(3)(iii), a comma is added after the words
"psychotherapy notes".
    g. In Sec. 164.510(b)(3), in the third line, the word "for" is
deleted.
    h. In Sec. 164.512(b)(1)(v)(A), in the fourth line, the word "a"
is deleted.
    i. In Sec. 164.512(b)(1)(v)(C), in the eighth line, the word
"and" is added after the semicolon.
    j. In Sec. 164.512(f)(3), paragraphs (ii) and (iii) are
redesignated as (i) and (ii), respectively.
    k. In Sec. 164.512(g)(2), in the seventh line, the word "to" is
added after the word "directors."
    l. In Sec. 164.512(i)(1)(iii)(A), in the second line, the word
"is" after the word "sought" is deleted.
    m. In Sec. 164.522(a)(1)(v), in the sixth line,
"Secs. 164.502(a)(2)(i)" is corrected to read
"Secs. 164.502(a)(2)(ii)".
    n. In Sec. 164.530(i)(4)(ii)(A), in the second line, "the
requirements" is replaced with the word "specifications".

IV. Preliminary Regulatory Impact Analysis

    Federal law (5 U.S.C. 804(2), as added by section 251 of Pub. L.
104-121), specifies that a "major rule" is any rule that the Office of
Management and Budget finds is likely to result in:
    • An annual effect on the economy of $100 million or more;
    • A major increase in costs or prices for consumers, individual
industries, federal, State, or local government agencies, or geographic
regions; or
    • Significant adverse effects on competition, employment,
investment, productivity, innovation, or on the ability of United
States based enterprises to compete with foreign-based enterprises in
domestic and export markets.
    The impact of the modifications proposed in this rulemaking would
be a net reduction of costs associated with the Privacy Rule of
approximately $100 million. Therefore, this Rule is a major rule as
defined in 5 U.S.C. 804(2).
    Executive Order 12866 directs agencies to assess all costs and
benefits of available regulatory alternatives and, when regulation is
necessary, to select regulatory approaches that maximize net benefits
(including potential economic, environmental, public health and safety
effects; distributive impacts; and equity). According to Executive
Order 12866, a regulatory action is "significant" if it meets any one
of a number of specified conditions, including having an annual effect
on the economy of $100 million or more, adversely affecting in a
material way a sector of the economy, competition, or jobs, or if it
raises novel legal or policy issues. The purpose of the regulatory
impact analysis is to assist decision-makers in understanding the
potential ramifications of a regulation as it is being developed. The
analysis is also intended to assist the public in understanding the
general economic ramifications of the regulatory changes.
    The Privacy Rule included a regulatory impact analysis (RIA), which
estimated the cost of the Privacy Rule at $17.6 billion over ten years.
65 FR 82462, 82758. The changes to the Privacy Rule proposed by this
notice of proposed rulemaking are a result of comment by the industry
and the public at large identifying a number of unintended consequences
of the Privacy
Rule that could adversely affect access to, or the quality of health
care delivery. These proposed changes should facilitate implementation
and compliance with the Privacy Rule, and lower the costs and burdens
associated with the Privacy Rule while maintaining the confidentiality
of protected health information.
    The proposed changes would affect five areas of the Privacy Rule
that will have an economic impact: (1) Consent; (2) notice; (3)
marketing; (4) research; and (5) business associates. In addition, the
proposal contains a number of changes that, though important, can be
categorized as clarifications of intended policy. For example, the
modifications would permit certain uses and disclosures of protected
health information that are incidental to an otherwise permitted use or
disclosure. This change would recognize such practices as the need for
physicians to talk to patients in semi-private hospital rooms or nurses
to communicate with others in public areas, and avoids the costs
covered entities might have incurred to reconfigure facilities as
necessary to ensure absolute privacy for these common treatment-related
communications. This and other modifications in this proposal (other
than those described below) clarify the intent of the standards in the
Privacy Rule and, as such, do not change or alter the associated costs
that were estimated for the Privacy Rule. There are no new costs or
savings by these changes, and therefore, there is no cost estimate made
here for them.

A. Summary of Costs and Benefits in Final Regulatory Impact Statement

    The Privacy Rule was estimated to produce net costs of $17.6
billion, with net present value costs of $11.8 billion (2003 dollars)
over ten years (2003-2012). The Department estimates the modifications
in this proposal would lower the net cost of the Privacy Rule by
approximately $100 million over ten years.
    Measuring both the economic costs and benefits of health
information privacy was recognized as a difficult task. The paucity of
data and incomplete information on current industry privacy and
information system practices made cost estimation a challenge. Benefits
were difficult to measure because they are, for the most part,
inherently intangible. Therefore, the regulatory impact analysis in the
Privacy Rule focused on the key policy areas addressed by the privacy
standards, some of which would be affected by the proposed
modifications in this rulemaking.

B. Proposed Modifications To Prevent Barriers to Access to or Quality
of Health Care

    The changes proposed in this rulemaking are intended to address the
possible adverse effects of the final privacy standards on an
individual's access to, or the quality of, health care. The
modifications touch on five of the key policy areas addressed by the
final regulatory impact analysis, including consent, research,
marketing, notice, and business associates.

Consent

    Under the Privacy Rule, a covered health care provider with a
direct treatment relationship with an individual must obtain the
individual's prior written consent for use or disclosure of protected
health information for treatment, payment, or health care operations,
subject to a limited number of exceptions. Other covered health care
providers and health plans may obtain such a consent if they so choose.
The initial cost of the consent requirement was estimated to be $42
million. Based on assumptions for growth in the number of patients, the
total costs for ten years was estimated to be $103 million. See 65 FR
82771 (December 28, 2000).\2\
---------------------------------------------------------------------------

    \2\ The total cost for consent in the regulatory impact analysis
showed an initial cost of $166 million and $227 million over ten
years. Included in these total numbers is the cost of tracking
patient requests to restrict the disclosure of their health
information. This right is not changed in these modifications. The
numbers here represent the costs associated with the consent
functions that are proposed to be repealed.
---------------------------------------------------------------------------

    The proposed modifications would eliminate the consent requirement.
The consent requirement posed many difficulties for an individual's
access to health care, and was problematic for operations essential for
the quality of the health care delivery system. However, any health
care provider or health plan may choose to obtain an individual's
consent for treatment, payment, and health care operations. The
elimination of the consent requirement reduces the initial cost of the
privacy standards by $42 million in the first year and by $103 million
over ten years.
    As explained in detail in section III.A.1. above, many comments
that the Department received in March 2001 and testimony before the
NCVHS revealed that the consent requirements in the Privacy Rule create
unintended barriers to timely provision of care, particularly with
respect to use and disclosure of health information prior to a health
care provider's first face-to-face contact with the individual. These
and other barriers discussed above would have entailed costs not
anticipated in the economic analyses in the Privacy Rule. These
comments also revealed that the consent requirements create
administrative burdens, for example, with respect to tracking the
status and revocation of consents, that were not foreseen and thus not
included in that economic analysis. Therefore, while the estimated
costs of the consent provisions were $103 million, comments have
suggested that the costs were likely to be much higher. If these
comments are accurate, the cost savings associated with retracting the
consent provisions would, therefore, also be significantly higher than
$103 million.

Notice

    In eliminating the consent requirement, the Department proposes to
preserve the opportunity for a covered health care provider with a
direct treatment relationship with an individual to engage in a
meaningful communication about the provider's privacy practices and the
individual's rights by strengthening the notice requirements. Under the
Privacy Rule, these health care providers are required to distribute to
individuals their notice of privacy practices no later than the date of
the first service delivery after the compliance date. The modifications
would not change this distribution requirement, but would add a new
documentation requirement. A covered health care provider with a direct
treatment relationship would be required to make a good faith effort to
obtain the individual's acknowledgment of receipt of the notice
provided at the first service delivery. The form of the acknowledgment
is not prescribed and can be as unintrusive as retaining a copy of the
notice initialed by the individual. If the provider's good faith effort
fails, documentation of the attempt is all that would be required.
Since the modification would not require any change in the form of the
notice or its distribution, the ten-year cost estimate of $391 million
for these areas in the Privacy Rule's impact analysis remains the same.
See 65 FR 82770 (December 28, 2000).
    However, the additional effort by direct treatment providers in
obtaining and documenting the individual's acknowledgment of receipt of
the notice would add costs. This new requirement would attach only to
the initial provision of notice by a direct treatment provider to an
individual after the compliance date. Under the proposed modification,
providers would have considerable flexibility on how to achieve this.
Some providers could

[[Page 14806]]

choose to obtain the required written acknowledgment on a separate
piece of paper, while others could take different approaches, such as
an initialed check-off sheet or a signature line on the notice itself
with the provider keeping a copy.
    In the original analysis, the Department estimated that the consent
cost would be $0.05 per page based on the fact that the consent had to
be a stand-alone document requiring a signature. This proposed
modification to the notice requirement would provide greater
flexibility and, therefore, greater opportunity to reduce costs
compared to the consent requirement. The Department estimates that the
additional cost of the signature requirement, on average, would be
$0.03 per notice. Based on data obtained from the Medical Expenditure
Panel Survey (MEPS), which estimate the number of patient visits in a
year, the Department estimates that in the first year there would be
816 million notices distributed, including the new additional
information needed to acknowledge receipt of the notice. Over the next
nine years, the Department estimates, again based on MEPS data, that
there would be 5.3 billion visits to health care providers by new
patients (established patients will not need to receive another copy of
the notice). At $0.03 per document, the first year cost would be $24
million and the total cost over ten years would be $184 million.

Business Associates

    The Privacy Rule requires a covered entity to have a written
contract, or other arrangement that documents satisfactory assurances
that a business associate will appropriately safeguard protected health
information in order to disclose protected health information to the
business associate. The regulatory impact analysis for the Privacy Rule
provided cost estimates for two aspects of this requirement. In the
Privacy Rule, $103 million in first-year costs was estimated for
development of a standard business associate contract language. (There
were additional costs associated with these requirements related to the
technical implementation of new data transfer protocols, but these are
not affected by the changes being proposed here.) In addition, $197
million in first-year costs and $697 million in total costs over ten
years were estimated in the Privacy Rule for the review and oversight
of existing business associate contracts.
    The modifications do not change the standards for business
associate contracts or the implementation specifications with respect
to the covered entity's responsibilities for managing the contracts.
However, as part of this proposal, the Department is including model
business associate contract language. This model is only suggested
language and is not a complete contract. The model language is designed
to be adapted to the business arrangement between the covered entity
and the business associate and to be incorporated into a contract
drafted by the parties. The final regulatory impact analysis assumed
the development of such standard language by trade and professional
associations. While this has, in fact, been occurring, the Department
continues to receive requests for model contract language, particularly
from small health care providers. The Department expects that trade and
professional associations will continue to provide assistance to their
members. However, the model contract language in this proposal will
simplify their efforts by providing a base from which they can develop
language. The Department had estimated $103 million in initial year
costs for this activity based on the assumption it would require one
hour per non-hospital provider and two hours for hospitals and health
plans to develop contract language and to tailor the language to the
particular needs of the covered entity. The additional time for
hospitals and health plans reflected the likelihood that these covered
entities would have a more extensive number of business associate
relationships. Because the availability of the model language will
reduce the effort below what was originally estimated in the Privacy
Rule, the Department estimates a one-third reduction in contract
development time. Thus, the Department now estimates
that this activity will take 40 minutes for non-hospital providers and
80 minutes for hospitals and health plans. The Department estimates
that the savings from the proposed business associate contract language
would be approximately $35 million in the first year.
    The Department is also proposing in this rulemaking to give covered
entities additional time to review their existing business associate
contracts and to conform written contracts to the privacy standards.
Under the proposal, a covered entity's written business associate
contracts, existing at the time the modifications become effective,
would be deemed to comply with the privacy standards until such time as
the contracts are renewed or modified or until April 14, 2004,
whichever is earlier. The effect of this proposal would be to spread
first year costs over an additional year, with a corresponding
postponement of the costs estimated for the out years. However, the
Department has no reliable information as to the number of contracts
potentially affected by the modification or how long a delay may occur.
Therefore, the Department does not compute any cost savings to this
modification.

Marketing

    Under Sec. 164.514(e) of the Privacy Rule, certain health-related
communications are subject to special conditions on marketing
communications, if they also serve to promote the use or sale of a
product or service. These marketing conditions require that particular
disclosures be made as part of the marketing materials sent to
individuals. Absent these disclosures, protected health information can
only be used or disclosed in connection with such marketing
communications with the individual's authorization. The Department is
aware that the Privacy Rule's Sec. 164.514(e) conditions for health-
related communications create a potential burden on covered entities to
make difficult assessments regarding many of their communications. The
proposed modifications to the marketing provisions would relieve the
burden on covered entities by making most marketing subject to an
authorization requirement and eliminating the Sec. 164.514(e)
conditions on marketing communications.
    In developing the final impact analysis for the Privacy Rule, the
Department was unable to estimate the cost of the marketing provisions.
There was too little data and too much variation in current practice to
estimate how the Privacy Rule might affect marketing. The same remains
true today. However, the proposed modifications would relieve burden on
the covered entities in making communications for treatment and certain
health care operations relative to the requirements in the Privacy
Rule. Although the Department cannot provide a quantifiable estimate,
the effect of these proposed changes will be to lower costs relative to
the Privacy Rule.

Research

    In the final impact analysis for the Privacy Rule, the Department
estimated the total cost of the provisions requiring documentation of
an Institutional Review Board (IRB) or Privacy Board waiver of
individual authorization for the use or disclosure of protected health
information for a research purpose as $40 million for the first year
and $585

[[Page 14807]]

million for the ten-year period. The costs were estimated based on the
time that an IRB or privacy board would need to consider a request for
a waiver under the criteria provided in the Privacy Rule. See 65 FR
82770-82771 (December 28, 2000).
    The proposed modification would simplify and reduce the number of
criteria required for an IRB or Privacy Board to approve a waiver of
authorization in three ways. First, the proposal would simplify the
criteria for waivers to better conform to the Common Rule's waiver
criteria for informed consent to participate in the research study.
Second, the proposal would simplify the accounting procedures for
research by eliminating the need to account for disclosures based on
individual authorization. Third, the proposal would simplify the
authorization process for research to facilitate the combining of the
informed consent for participation in the research itself with all
authorizations required under the Privacy Rule. Therefore, the
Department estimates that the net effect of these modifications would
be to reduce the time necessary to assemble the necessary waivers and
for an IRB or Privacy Board to consider and act on waiver requests by
one quarter. The Department estimates these simplifications would
reduce the expected first-year costs by $10 million and the ten-year
costs by $146 million, relative to the Privacy Rule. Since this
initial estimate is based on limited information available to the
Department, the Department requests information to better assess this
cost savings.

                               Privacy Rule Modifications--Ten-Year Cost Estimates
----------------------------------------------------------------------------------------------------------------
                                                                                              Change due to
                Policy                      Original Cost             Modification             modification
----------------------------------------------------------------------------------------------------------------
Consent..............................  $103 million...........  Provision removed......  -$103 million.\1\
Notice...............................  $391 million...........  Good faith effort to     +$184 million.
                                                                 obtain acknowledgment
                                                                 of receipt.
Marketing............................  Not scored due to lack   Fewer activities         Reduction in cost but
                                        of data.                 constitute marketing.    magnitude cannot be
                                                                                          estimated.
Business Associates..................  $103 million for         Model language provided  -$35 million.
                                        contract modifications.
Research.............................  $585 million...........  Waiver requirements      -$146 million.
                                                                 simplified.
Net Change...........................  .......................  .......................  -$100 million.
----------------------------------------------------------------------------------------------------------------
\1\ As noted above in the discussion on consent, while the estimated costs of the consent provisions were $103
  million, comments have suggested that the costs were likely to be much higher. If these comments are accurate,
  the cost savings associated with retracting the consent provisions would, therefore, also be significantly
  higher than $103 million.

C. Costs to the Federal Government

    The proposed changes in this Rule will result in small savings to
the federal government relative to the costs that would have occurred
under the Privacy Rule. Although there will be some increase in costs
for the new requirements for obtaining acknowledgment for receipt of
the notice, these costs are partially offset by the savings in the
elimination of the consent. As discussed above, to the extent comments
are accurate that the costs for the consent provisions are much higher
than estimated, the cost savings associated with the retraction of
these provisions would, therefore, be significantly higher. The
Department does not believe the federal government engages in
significant marketing as defined in the Privacy Rule. The federal
government will have business associates under the Privacy Rule, and
therefore, the model language proposed in this rulemaking will be of
benefit to federal departments and agencies. The Department has not
estimated the federal government's portion of the $35 million savings
it estimated for this change. Similarly, the federal government, which
conducts and sponsors a significant amount of research that is subject
to IRBs, will realize some savings as a result of the research
modifications proposed in this rulemaking. The Department does not have
sufficient information, however, to estimate the federal government's
portion of the total $146 million savings with respect to research
modifications.

D. Costs to State and Local Government

    The proposed changes also may affect the costs to state and local
governments. However, these effects likely will be small. As with the
federal government, state and local governments will have any costs of
the additional notice requirement offset by the savings realized by the
elimination of the consent requirement. As discussed above, to the
extent comments are accurate that the costs for the consent provisions
are much higher than estimated, the cost savings associated with the
retraction of these provisions would, therefore, be significantly
higher. State and local governments could realize savings from the
model language for business associates and the changes in research, but
the savings are likely to be small. The Department does not have
sufficient information to estimate the state and local government's
share of the net savings from the proposed changes.

E. Benefits

    The benefits of these modifications would be lower costs, and
enhanced implementation and compliance with the Privacy Rule without
compromising the protection of individually identifiable health
information or access to quality health care.

F. Alternatives

    In July 2001, the Department clarified the Privacy Rule in
guidance, where feasible, to resolve some of the issues raised by
commenters. Issues that could not adequately be addressed through
guidance because of the need for a regulatory change are addressed in
this proposed Rule. The Department examined a number of alternatives to
these proposed provisions. One alternative was to not make any changes
to the Privacy Rule, but this option was rejected for the reasons
explained throughout the preamble. The Department also considered
various alternatives to specific provisions in the development of this
proposed Rule. These alternatives are generally discussed above, where
appropriate.

V. Preliminary Regulatory Flexibility Analysis

    The Department also examined the impact of this proposed Rule as
required

[[Page 14808]]

by the Small Business Regulatory Enforcement and Fairness Act (SBREFA)
(5 U.S.C. 601, et seq.). SBREFA requires agencies to determine whether
a rule will have a significant economic impact on a substantial number
of small entities.
    The law does not define the thresholds to use in implementing the
law and the Small Business Administration discourages establishing
quantitative criteria. However, the Department has long used two
criteria--the number of entities affected and the impact on revenue and
costs--for assessing whether a regulatory flexibility analysis is
necessary. Department guidelines state that an impact of three to five
percent should be considered a significant economic impact. Based on
these criteria, the Department has determined that a regulatory
flexibility analysis is not required.
    As described in the Regulatory Flexibility Analysis for the Privacy
Rule, most covered entities are small businesses--approximately
465,000. See Table A, 65 FR 82780 (December 28, 2000). Lessening the
burden for small entities, consistent with the intent of protecting
privacy, was an important consideration in developing these
modifications. However, as discussed in the Preliminary Regulatory
Impact Analysis, above, the net effect of the proposed changes is an
overall savings of approximately $100 million over ten years. Even if
all of this savings were to accrue to small entities (an
overestimation), the impact per small entity would be de minimis.

VI. Collection of Information Requirements

    Under the Paperwork Reduction Act (PRA) of 1995, the Department is
required to provide 60-day notice in the Federal Register and solicit
public comment before a collection of information requirement is
submitted to the Office of Management and Budget (OMB) for review and
approval. In order to fairly evaluate whether an information collection
should be approved by OMB, section 3506(c)(2)(A) of the PRA requires
that the Department solicit comment on the following issues:
    * The need for the information collection and its usefulness
in carrying out the proper functions of the agency.
    * The accuracy of the estimate of the information collection
burden.
    * The quality, utility, and clarity of the information to be
collected.
    * Recommendations to minimize the information collection
burden on the affected public, including automated collection
techniques.
    In accordance with these requirements, the Department is soliciting
public comments on the model business associate contract language
displayed in the Appendix to this proposed Rule. The Department
provides these model business associate contract provisions in response
to numerous requests for guidance. These provisions are designed to
help covered entities more easily comply with the business associate
contract requirements of the Privacy Rule. However, use of these model
provisions is not required for compliance with the Privacy Rule. Nor is
the model language a complete contract. Rather, the model language is
designed to be adapted to the business arrangement between the covered
entity and the business associate and to be incorporated into a
contract drafted by the parties.

Section 164.506--Consent for Treatment, Payment, and Health Care
Operations

    Under the Privacy Rule, a covered health care provider that has a
direct treatment relationship with individuals must, except in certain
circumstances, obtain an individual's consent to use or disclose
protected health information to carry out treatment, payment, and
health care operations. The modifications would eliminate this
requirement. While the consent requirement is subject to the PRA, the
Department believes that the burden associated with the requirement is
exempt from the PRA as stipulated under 5 CFR 1320.3(b)(2). Therefore,
the modification does not affect the paperwork burden associated with
the Privacy Rule.

Section 164.520--Notice of Privacy Practices for Protected Health
Information

    The modifications would impose a good faith effort on direct
treatment providers to obtain an individual's acknowledgment of receipt
of the notice of privacy practices for protected health information and
to document such acknowledgment or, in the absence of such
acknowledgment, the entity's good faith efforts to obtain it. In
addition, a covered entity would have to retain the acknowledgment or
documentation of the good faith effort as required by Sec. 164.530(j).
The Department is continuing to work on estimating the burden imposed
by the Privacy Rule. The estimate for the acknowledgment of receipt of
the notice will be reflected in the paperwork reduction package to be
submitted to OMB as required by the PRA.
    The Department has submitted a copy of this proposed Rule to OMB
for its review of the information collection requirements described
above. These requirements are not effective until they have been
approved by OMB.
    If you comment on any of these information collection and record
keeping requirements, please mail copies directly to the following:

Center for Medicaid and Medicare Services, Information Technology
Investment Management Group, Division of CMS Enterprise Standards, Room
C2-26-17, 7500 Security Boulevard, Baltimore, MD 21244-1850. ATTN: John
Burke, HIPAA Privacy;
and
Office of Information and Regulatory Affairs, Office of Management and
Budget, Room 10235, New Executive Office Building, Washington, DC
20503, ATTN: Allison Herron Eydt, CMS Desk Officer.

VII. Unfunded Mandates

    Section 202 of the Unfunded Mandates Reform Act of 1995 also
requires that agencies assess anticipated costs and benefits before
issuing any rule that may result in an expenditure by State, local, or
tribal governments, in the aggregate, or by the private sector, of $110
million in a single year. A final cost-benefit analysis was published
in the Privacy Rule of December 28, 2000 (65 FR 82462, 82794). In
developing the final Privacy Rule, the Department adopted the least
burdensome alternatives, consistent with achieving the Rule's goals.
The Department does not believe that the modifications in the proposed
Rule would qualify as an unfunded mandate under the statute.

VIII. Environmental Impact

    The Department has determined under 21 CFR 25.30(k) that this
action is of a type that does not individually or cumulatively have a
significant effect on the human environment. Therefore, neither an
environmental assessment nor an environmental impact statement is
required.

IX. Executive Order 13132: Federalism

    Executive Order 13132 establishes certain requirements that an
agency must meet when it promulgates a proposed rule (and subsequent
Privacy Rule) that imposes substantial direct requirement costs on
State and local governments, preempts State law, or otherwise has
Federalism implications. The federalism implications of the Privacy
Rule were assessed as required by Executive Order 13132 and published
in the Privacy Rule of

[[Page 14809]]

December 28, 2000 (65 FR 82462, 82797). The proposed change with the
most direct effect on federalism principles concerns the clarifications
regarding the rights of parents and minors under State law. The
modifications would make clear the intent of the Department to defer to
State law with respect to such rights. Therefore, the Department
believes that the modifications in this proposed Rule would not
significantly affect the rights, roles and responsibilities of States.

Appendix to the Preamble--Model Business Associate Contract Provisions

Introduction

    The Department of Health and Human Services provides these model
business associate contract provisions in response to numerous
requests for guidance. This is only model language. These provisions
are designed to help covered entities more easily comply with the
business associate contract requirements of the Privacy Rule.
However, use of these model provisions is not required for
compliance with the Privacy Rule. The language may be amended to
more accurately reflect business arrangements between the covered
entity and the business associate.
    These or similar provisions may be incorporated into an
agreement for the provision of services between the entities or they
may be incorporated into a separate business associate agreement.
These provisions only address concepts and requirements set forth in
the Privacy Rule and alone are not sufficient to result in a binding
contract under State law and do not include many formalities and
substantive provisions that are required or typically included in a
valid contract. Reliance on this model is not sufficient for
compliance with state law and does not replace consultation with a
lawyer or negotiations between the parties to the contract.
    Furthermore, a covered entity may want to include other
provisions that are related to the Privacy Rule but that are not
required by the Privacy Rule. For example, a covered entity may want
to add provisions in a business associate contract in order for the
covered entity to be able to rely on the business associate to help
the covered entity meet its obligations under the Privacy Rule. In
addition, there may be permissible uses or disclosures by a business
associate that are not specifically addressed in these model
provisions. For example, the Privacy Rule does not preclude a
business associate from disclosing protected health information to
report unlawful conduct in accordance with Sec. 164.502(j). However,
there is not a specific model provision related to this permissive
disclosure. These and other types of issues will need to be worked
out between the parties.

Model Business Associate Contract Provisions \1\
---------------------------------------------------------------------------

    \1\ Words or phrases contained in brackets are intended as
either optional language or as instructions to the users of these
model provisions and are not intended to be included in the
contractual provisions.
---------------------------------------------------------------------------

Definitions (alternative approaches)

    Catch-all definition:
    Terms used, but not otherwise defined, in this Agreement shall
have the same meaning as those terms in 45 CFR 160.103 and 164.501.
    Examples of specific definitions:
    (a) Business Associate. "Business Associate" shall mean
[Insert Name of Business Associate].
    (b) Covered Entity. "Covered Entity" shall mean [Insert Name
of Covered Entity].
    (c) Individual. "Individual" shall have the same meaning as
the term "individual" in 45 CFR 164.501 and shall include a person
who qualifies as a personal representative in accordance with 45 CFR
164.502(g).
    (d) Privacy Rule. "Privacy Rule" shall mean the Standards for
Privacy of Individually Identifiable Health Information at 45 CFR
part 160 and part 164, subparts A and E.
    (e) Protected Health Information. "Protected Health
Information" shall have the same meaning as the term "protected
health information" in 45 CFR 164.501, limited to the information
created or received by Business Associate from or on behalf of
Covered Entity.
    (f) Required By Law. "Required By Law" shall have the same
meaning as the term "required by law" in 45 CFR 164.501.
    (g) Secretary. "Secretary" shall mean the Secretary of the
Department of Health and Human Services or his designee.

Obligations and Activities of Business Associate

    (a) Business Associate agrees to not use or further disclose
Protected Health Information other than as permitted or required by
the Agreement or as Required By Law.
    (b) Business Associate agrees to use appropriate safeguards to
prevent use or disclosure of the Protected Health Information other
than as provided for by this Agreement.
    (c) Business Associate agrees to mitigate, to the extent
practicable, any harmful effect that is known to Business Associate
of a use or disclosure of Protected Health Information by Business
Associate in violation of the requirements of this Agreement. [This
provision may be included if it is appropriate for the Covered
Entity to pass on its duty to mitigate damages by a Business
Associate.]
    (d) Business Associate agrees to report to Covered Entity any
use or disclosure of the Protected Health Information not provided
for by this Agreement.
    (e) Business Associate agrees to ensure that any agent,
including a subcontractor, to whom it provides Protected Health
Information received from, or created or received by Business
Associate on behalf of Covered Entity agrees to the same
restrictions and conditions that apply through this Agreement to
Business Associate with respect to such information.
    (f) Business Associate agrees to provide access, at the request
of Covered Entity, and in the time and manner designated by Covered
Entity, to Protected Health Information in a Designated Record Set,
to Covered Entity or, as directed by Covered Entity, to an
Individual in order to meet the requirements under 45 CFR 164.524.
[Not necessary if business associate does not have protected health
information in a designated record set.]
    (g) Business Associate agrees to make any amendment(s) to
Protected Health Information in a Designated Record Set that the
Covered Entity directs or agrees to pursuant to 45 CFR 164.526 at
the request of Covered Entity or an Individual, and in the time and
manner designated by Covered Entity. [Not necessary if business
associate does not have protected health information in a designated
record set.]
    (h) Business Associate agrees to make internal practices, books,
and records relating to the use and disclosure of Protected Health
Information received from, or created or received by Business
Associate on behalf of, Covered Entity available to the Covered
Entity, or at the request of the Covered Entity to the Secretary, in
a time and manner designated by the Covered Entity or the Secretary,
for purposes of the Secretary determining Covered Entity's
compliance with the Privacy Rule.
    (i) Business Associate agrees to document such disclosures of
Protected Health Information and information related to such
disclosures as would be required for Covered Entity to respond to a
request by an Individual for an accounting of disclosures of
Protected Health Information in accordance with 45 CFR 164.528.
    (j) Business Associate agrees to provide to Covered Entity or an
Individual, in time and manner designated by Covered Entity,
information collected in accordance with Section [Insert Section
Number in Contract Where Provision (i) Appears] of this Agreement,
to permit Covered Entity to respond to a request by an Individual
for an accounting of disclosures of Protected Health Information in
accordance with 45 CFR 164.528.

Permitted Uses and Disclosures by Business Associate

General Use and Disclosure Provisions (alternative approaches)

    Specify purposes:
    Except as otherwise limited in this Agreement, Business
Associate may use or disclose Protected Health Information on behalf
of, or to provide services to, Covered Entity for the following
purposes, if such use or disclosure of Protected Health Information
would not violate the Privacy Rule if done by Covered Entity: [List
Purposes].
    Refer to underlying services agreement:
    Except as otherwise limited in this Agreement, Business
Associate may use or disclose Protected Health Information to
perform functions, activities, or services for, or on behalf of,
Covered Entity as specified in [Insert Name of Services Agreement],
provided that such use or disclosure would not violate the Privacy
Rule if done by Covered Entity.

[[Page 14810]]

Specific Use and Disclosure Provisions [only necessary if parties wish
to allow Business Associate to engage in such activities]

    (a) Except as otherwise limited in this Agreement, Business
Associate may use Protected Health Information for the proper
management and administration of the Business Associate or to carry
out the legal responsibilities of the Business Associate.
    (b) Except as otherwise limited in this Agreement, Business
Associate may disclose Protected Health Information for the proper
management and administration of the Business Associate, provided
that disclosures are required by law, or Business Associate obtains
reasonable assurances from the person to whom the information is
disclosed that it will remain confidential and used or further
disclosed only as required by law or for the purpose for which it
was disclosed to the person, and the person notifies the Business
Associate of any instances of which it is aware in which the
confidentiality of the information has been breached.
    (c) Except as otherwise limited in this Agreement, Business
Associate may use Protected Health Information to provide Data
Aggregation services to Covered Entity as permitted by 45 CFR
164.504(e)(2)(i)(B).

Obligations of Covered Entity

Provisions for Covered Entity to Inform Business Associate of Privacy
Practices and Restrictions [provisions dependent on business
arrangement]

    (a) Covered Entity shall provide Business Associate with the
notice of privacy practices that Covered Entity produces in
accordance with 45 CFR 164.520, as well as any changes to such
notice.
    (b) Covered Entity shall provide Business Associate with any
changes in, or revocation of, permission by Individual to use or
disclose Protected Health Information, if such changes affect
Business Associate's permitted or required uses and disclosures.
    (c) Covered Entity shall notify Business Associate of any
restriction to the use or disclosure of Protected Health Information
that Covered Entity has agreed to in accordance with 45 CFR 164.522.

Permissible Requests by Covered Entity

    Covered Entity shall not request Business Associate to use or
disclose Protected Health Information in any manner that would not
be permissible under the Privacy Rule if done by Covered Entity.
[Include an exception if the Business Associate will use or disclose
protected health information for, and the contract includes
provisions for, data aggregation or management and administrative
activities of Business Associate].

Term and Termination

    (a) Term. The Term of this Agreement shall be effective as of
[Insert Effective Date], and shall terminate when all of the
Protected Health Information provided by Covered Entity to Business
Associate, or created or received by Business Associate on behalf of
Covered Entity, is destroyed or returned to Covered Entity, or, if
it is infeasible to return or destroy Protected Health Information,
protections are extended to such information, in accordance with the
termination provisions in this Section.
    (b) Termination for Cause. Upon Covered Entity's knowledge of a
material breach by Business Associate, Covered Entity shall provide
an opportunity for Business Associate to cure the breach or end the
violation and terminate this Agreement [and the ____ Agreement/
sections ____ of the ____ Agreement] if Business Associate does not
cure the breach or end the violation within the time specified by
Covered Entity, or immediately terminate this Agreement [and the
____ Agreement/sections ____ of the ____ Agreement] if Business
Associate has breached a material term of this Agreement and cure is
not possible. [Bracketed language in this provision may be necessary
if there is an underlying services agreement. Also, opportunity to
cure is permitted, but not required by the Privacy Rule.]
    (c) Effect of Termination.
    (1) Except as provided in paragraph (2) of this section, upon
termination of this Agreement, for any reason, Business Associate
shall return or destroy all Protected Health Information received
from Covered Entity, or created or received by Business Associate on
behalf of Covered Entity. This provision shall apply to Protected
Health Information that is in the possession of subcontractors or
agents of Business Associate. Business Associate shall retain no
copies of the Protected Health Information.
    (2) In the event that Business Associate determines that
returning or destroying the Protected Health Information is
infeasible, Business Associate shall provide to Covered Entity
notification of the conditions that make return or destruction
infeasible. Upon mutual agreement of the Parties that return or
destruction of Protected Health Information is infeasible, Business
Associate shall extend the protections of this Agreement to such
Protected Health Information and limit further uses and disclosures
of such Protected Health Information to those purposes that make the
return or destruction infeasible, for so long as Business Associate
maintains such Protected Health Information.

Miscellaneous

    (a) Regulatory References. A reference in this Agreement to a
section in the Privacy Rule means the section as in effect or as
amended, and for which compliance is required.
    (b) Amendment. The Parties agree to take such action as is
necessary to amend this Agreement from time to time as is necessary
for Covered Entity to comply with the requirements of the Privacy
Rule and the Health Insurance Portability and Accountability Act,
Public Law 104-191.
    (c) Survival. The respective rights and obligations of Business
Associate under Section [Insert Section Number Related to "Effect
of Termination"] of this Agreement shall survive the termination of
this Agreement.
    (d) Interpretation. Any ambiguity in this Agreement shall be
resolved in favor of a meaning that permits Covered Entity to comply
with the Privacy Rule.

List of Subjects

45 CFR Part 160

    Electronic transactions, Employer benefit plan, Health, Health
care, Health facilities, Health insurance, Health records, Medicaid,
Medical research, Medicare, Privacy, Reporting and record keeping
requirements.

45 CFR Part 164

    Electronic transactions, Employer benefit plan, Health, Health
care, Health facilities, Health insurance, Health records, Medicaid,
Medical research, Medicare, Privacy, Reporting and record keeping
requirements.

    Dated: March 12, 2002.
Tommy G. Thompson,
Secretary.

    For the reasons set forth in the preamble, the Department proposes
to amend 45 CFR Subtitle A, Subchapter C, as follows:

PART 160--GENERAL ADMINISTRATIVE REQUIREMENTS

    1. The authority citation for part 160 continues to read as
follows:

    Authority: Secs. 1171 through 1179 of the Social Security Act,
(42 U.S.C. 1320d-1320d-8) as added by sec. 262 of Pub. L. 104-191,
110 Stat. 2021-2031 and sec. 264 of Pub. L. 104-191 (42 U.S.C.
1320d-2(note)).

Sec. 160.102  [Amended]

    2. Amend Sec. 160.102(b), by removing the phrase "section
201(a)(5) of the Health Insurance Portability Act of 1996, (Pub. L.
104-191)" and adding in its place the phrase "the Social Security
Act, 42 U.S.C. 1320a-7c(a)(5)".
    3. In Sec. 160.103 add the definition of "individually
identifiable health information" in alphabetical order to read as
follows:

Sec. 160.103  Definitions.

* * * * *
    Individually identifiable health information is information that is
a subset of health information, including demographic information
collected from an individual, and:
    (1) Is created or received by a health care provider, health plan,
employer, or health care clearinghouse; and
    (2) Relates to the past, present, or future physical or mental
health or condition of an individual; the provision of health care to
an individual; or the past, present, or future payment for the
provision of health care to an individual; and
    (i) That identifies the individual; or
    (ii) With respect to which there is a reasonable basis to believe
the information can be used to identify the individual.

[[Page 14811]]
* * * * *
    4. In Sec. 160.202 revise paragraphs (2) and (4) of the definition
of "more stringent" to read as follows:

Sec. 160.202  Definitions.

* * * * *
    More stringent means * * *
    (2) With respect to the rights of an individual, who is the subject
of the individually identifiable health information, regarding access
to or amendment of individually identifiable health information,
permits greater rights of access or amendment, as applicable.
* * * * *
    (4) With respect to the form, substance, or the need for express
legal permission from an individual, who is the subject of the
individually identifiable health information, for use or disclosure of
individually identifiable health information, provides requirements
that narrow the scope or duration, increase the privacy protections
afforded (such as by expanding the criteria for), or reduce the
coercive effect of the circumstances surrounding the express legal
permission, as applicable.
* * * * *

Sec. 160.203  [Amended]

    5. Amend Sec. 160.203(b) by adding the words "individually
identifiable" before the word "health".

PART 164--SECURITY AND PRIVACY

Subpart E--Privacy of Individually Identifiable Health Information

    1. The authority citation for part 164 continues to read as
follows:

    Authority: 42 U.S.C. 1320d-2 and 1320d-4, sec. 264 of Pub. L.
104-191, 110 Stat. 2033-2034 (42 U.S.C. 1320d-2(note)).

Sec. 164.102  [Amended]

    2. Amend Sec. 164.102 by removing the words "implementation
standards" and adding in their place the words "implementation
specifications".

Sec. 164.500  [Amended]

    3. In Sec. 164.500, remove "consent," from paragraph (b)(1)(v).

Sec. 164.501  [Amended]

    4. Amend Sec. 164.501 as follows:
    a. In the definition of "health care operations" remove from the
introductory text of the definition ", and any of the following
activities of an organized health care arrangement in which the covered
entity participates" and revise paragraphs (6)(iv) and (v).
    b. Remove the definition of "individually identifiable health
information".
    c. Revise the definition of "marketing".
    d. In paragraph (1)(ii) of the definition of "payment," remove
the word "covered".
    e. Revise paragraph (2) of the definition of "protected health
information".
    The revisions read as follows:

Sec. 164.501  Definitions.

* * * * *
    Health care operations means * * *
    (6) * * *
    (iv) The sale, transfer, merger, or consolidation of all or part of
a covered entity with another covered entity, or an entity that
following such activity will become a covered entity and due diligence
related to such activity; and
    (v) Consistent with the applicable requirements of Sec. 164.514,
creating de-identified health information and fundraising for the
benefit of the covered entity.
* * * * *
    Marketing means to make a communication about a product or service
to encourage recipients of the communication to purchase or use the
product or service. Marketing excludes a communication made to an
individual:
    (1) To describe the entities participating in a health care
provider network or health plan network, or to describe if, and the
extent to which, a product or service (or payment for such product or
service) is provided by a covered entity or included in a plan of
benefits;
    (2) For treatment of that individual; or
    (3) For case management or care coordination for that individual,
or to direct or recommend alternative treatments, therapies, health
care providers, or settings of care to that individual.
* * * * *
    Protected health information means * * *
    (2) Protected health information excludes individually identifiable
health information in:
    (i) Education records covered by the Family Educational Rights and
Privacy Act, as amended, 20 U.S.C. 1232g;
    (ii) Records described at 20 U.S.C. 1232g(a)(4)(B)(iv); and
    (iii) Employment records held by a covered entity in its role as
employer.
* * * * *
    5. Amend Sec. 164.502 as follows:
    a. Revise paragraphs (a)(1)(ii), (iii), and (vi).
    b. Revise paragraph (b)(2)(ii).
    c. Redesignate paragraphs (b)(2)(iii) through (v) as paragraphs
(b)(2)(iv) through (vi).
    d. Add a new paragraph (b)(2)(iii).
    e. Redesignate paragraphs (g)(3)(i) through (iii) as (g)(3)(i)(A)
through (C) and redesignate paragraph (g)(3) as (g)(3)(i).
    f. Add new paragraphs (g)(3)(ii) and (iii).
    The revisions and additions read as follows:

Sec. 164.502  Uses and disclosures of protected health information:
general rules.

    (a) Standard. * * *
    (1) Permitted uses and disclosures. * * *
    (ii) For treatment, payment, or health care operations, as
permitted by and in compliance with Sec. 164.506;
    (iii) As incident to a use or disclosure otherwise permitted or
required by this subpart, provided that the covered entity has complied
with the applicable requirements of Sec. 164.502(b), Sec. 164.514(d),
and Sec. 164.530(c) with respect to such otherwise permitted or
required uses or disclosures;
* * * * *
    (vi) As permitted by and in compliance with this section,
Sec. 164.512, or Sec. 164.514(f) and (g).
* * * * *
    (b) Standard: Minimum necessary. * * *
    (2) Minimum necessary does not apply. * * *
    (ii) Uses or disclosures made to the individual, as permitted under
paragraph (a)(1)(i) of this section or as required by paragraph
(a)(2)(i) of this section;
    (iii) Uses or disclosures made pursuant to an authorization under
Sec. 164.508;
* * * * *
    (g)(1) Standard: Personal representatives. * * *
    (3) Implementation specification: unemancipated minors.
    (i) * * *
    (ii) Notwithstanding the provisions of paragraph (g)(3)(i) of this
section:
    (A) A covered entity may disclose protected health information
about an unemancipated minor to a parent, guardian, or other person
acting in loco parentis if an applicable provision of State or other
law, including applicable case law, permits or requires such
disclosure; and
    (B) A covered entity may not disclose protected health information
about an unemancipated minor to a parent, guardian, or other person
acting in loco parentis if an applicable provision of State or other
law, including applicable case law, prohibits such disclosure.

[[Page 14812]]

    (iii) Notwithstanding the provisions of paragraph (g)(3)(i) of this
section, a covered entity must, consistent with State or other
applicable law, provide a right of access, as set forth in Sec. 164.524
to either:
    (A) A parent, guardian, or other person acting in loco parentis, as
the personal representative of the unemancipated minor;
    (B) The unemancipated minor; or
    (C) Both.
* * * * *
    6. Amend Sec. 164.504 as follows:
    a. In paragraph (a), revise the definitions of "health care
component" and "hybrid entity".
    b. Revise paragraph (c)(1)(ii).
    c. Revise paragraph (c)(3)(iii).
    d. Revise paragraph (f)(1)(i).
    e. Add paragraph (f)(1)(iii).
    The revisions and addition read as follows:

Sec. 164.504  Uses and disclosures: Organizational requirements.

    (a) Definitions. * * *
    Health care component means a component or combination of
components of a hybrid entity designated by the hybrid entity in
accordance with paragraph (c)(3)(iii) of this section.
    Hybrid entity means a single legal entity:
    (1) That is a covered entity;
    (2) Whose business activities include both covered and non-covered
functions; and
    (3) That designates health care components in accordance with
paragraph (c)(3)(iii) of this section.
* * * * *
    (c)(1) Implementation specification: Application of other
provisions. * * *
    (ii) A reference in such provision to a "health plan," "covered
health care provider," or "health care clearinghouse" refers to a
health care component of the covered entity if such health care
component performs the functions of a health plan, health care
provider, or health care clearinghouse, as applicable; and
* * * * *
    (3) Implementation specifications: Responsibilities of the covered
entity. * * *
    (iii) The covered entity is responsible for designating the
components that are part of one or more health care components of the
covered entity and documenting the designation as required by
Sec. 164.530(j), provided that if the covered entity designates a
health care component or components, it must include any component that
would meet the definition of covered entity if it were a separate legal
entity. Health care component(s) may include a component that performs:
    (A) covered functions; and
    (B) activities that would make such component a business associate
of a component that performs covered functions if the two components
were separate legal entities.
* * * * *
    (f)(1) Standard: Requirements for group health plans. (i) Except as
provided under paragraph (f)(1)(ii) or (iii) of this section or as
otherwise authorized under Sec. 164.508, a group health plan, in order
to disclose protected health information to the plan sponsor or to
provide for or permit the disclosure of protected health information to
the plan sponsor by a health insurance issuer or HMO with respect to
the group health plan, must ensure that the plan documents restrict
uses and disclosures of such information by the plan sponsor consistent
with the requirements of this subpart.
* * * * *
    (iii) The group health plan, or a health insurance issuer or HMO
with respect to the group health plan, may disclose to the plan sponsor
information on whether the individual is participating in the group
health plan, or is enrolled in or has disenrolled from a health
insurance issuer or HMO offered by the plan to the plan sponsor.
* * * * *
    7. Revise Sec. 164.506 to read as follows:

Sec. 164.506  Uses and disclosures to carry out treatment, payment, or
health care operations.

    (a) Standard: Permitted uses and disclosures. Except with respect
to uses or disclosures that require an authorization under
Sec. 164.508(a)(2) and (3), a covered entity may use or disclose
protected health information for treatment, payment, or health care
operations as set forth in paragraph (c) of this section, provided that
such use or disclosure is consistent with other applicable requirements
of this subpart.
    (b) Standard: Consent permitted. (1) A covered entity may obtain
consent of the individual to use or disclose protected health
information to carry out treatment, payment, or health care operations.
    (2) Consent of an individual under this paragraph shall not be
effective to permit a use or disclosure of protected health information
that is not otherwise permitted or required by this subpart.
    (c) Implementation specifications: Treatment, payment, or health
care operations.
    (1) A covered entity may use or disclose protected health
information for its own treatment, payment, or health care operations.
    (2) A covered entity may disclose protected health information for
treatment activities of another health care provider.
    (3) A covered entity may disclose protected health information to
another covered entity or health care provider for the payment
activities of the entity that receives the information.
    (4) A covered entity may disclose protected health information to
another covered entity for health care operations activities of the
entity that receives the information, if both entities have a
relationship with the individual who is the subject of the protected
health information being requested, and the disclosure is:
    (i) For a purpose listed in paragraph (1) or (2) of the definition
of health care operations; or
    (ii) For the purpose of health care fraud and abuse detection or
compliance.
    (5) A covered entity that participates in an organized health care
arrangement may disclose protected health information about an
individual to another covered entity that participates in the organized
health care arrangement for any health care operations activities of
the organized health care arrangement.
    8. Amend Sec. 164.508 as follows:
    a. Remove "consistent with consent requirements in Sec. 164.506"
in paragraph (a)(2)(i).
    b. Add "the" before "originator" in paragraph (a)(2)(i)(A).
    c. Remove the word "in" after the term "covered entity" and add
in its place the words "for its own" in paragraph (a)(2)(i)(B).
    d. Add the words "itself in" after the word "defend" in
paragraph (a)(2)(i)(C).
    e. Add paragraph (a)(3).
    f. Revise paragraph (b)(1)(i).
    g. Remove the word "be" in paragraph (b)(1)(ii).
    h. Remove ", (d), (e), or (f)" from paragraph (b)(2)(ii).
    i. Remove paragraph (b)(2)(iv).
    j. Redesignate paragraphs (b)(2)(v) and (vi) as paragraphs
(b)(2)(iv) and (v).
    k. Add "or (4)" after "(b)(3)" in redesignated paragraph
(b)(2)(iv).
    l. Revise paragraph (b)(3)(i).
    m. Add a comma after the term "psychotherapy notes" in paragraph
(b)(3)(iii).
    n. Remove "under paragraph (f) of" and add in its place "for the
use or disclosure of protected health information for such research
under" in paragraph (b)(4)(i).

[[Page 14813]]

    o. Add the word "and" at the end of paragraph (b)(4)(ii)(B).
    p. Remove paragraph (b)(4)(iii).
    q. Redesignate paragraph (b)(4)(iv) as paragraph (b)(4)(iii).
    r. Add "or the policy itself" after the word "policy" in
paragraph (b)(5)(ii).
    s. Remove paragraphs (d), (e), and (f).
    t. Revise paragraph (c).
    The revisions and addition read as follows:

Sec. 164.508  Uses and disclosures for which an authorization is
required.

    (a) Standard: Authorizations for uses and disclosures. * * *
    (3) Authorization required: Marketing. (i) Notwithstanding any
other provision of this subpart other than Sec. 164.532, a covered
entity must obtain an authorization for any use or disclosure of
protected health information for marketing, except if the communication
is in the form of:
    (A) A face-to-face communication made by a covered entity to an
individual; or
    (B) A promotional gift of nominal value provided by the covered
entity.
    (ii) If the marketing is expected to result in direct or indirect
remuneration to the covered entity from a third party, the
authorization must state that such remuneration is expected.
* * * * *
    (b) Implementation specifications: General requirements. * * *
    (1) Valid authorizations.
    (i) A valid authorization is a document that meets the requirements
in paragraphs (c)(1) and (2) of this section.
* * * * *
    (3) Compound authorizations. * * *
    (i) An authorization for the use or disclosure of protected health
information for a specific research study may be combined with any
other type of written permission for the same research study, including
another authorization for the use or disclosure of protected health
information for such research or a consent to participate in such
research;
* * * * *
    (c) Implementation specifications: Core elements and requirements.
(1) Core elements. A valid authorization under this section must
contain at least the following elements:
    (i) A description of the information to be used or disclosed that
identifies the information in a specific and meaningful fashion.
    (ii) The name or other specific identification of the person(s), or
class of persons, authorized to make the requested use or disclosure.
    (iii) The name or other specific identification of the person(s),
or class of persons, to whom the covered entity may make the requested
use or disclosure.
    (iv) A description of each purpose of the requested use or
disclosure. The statement "at the request of the individual" is a
sufficient description of the purpose when an individual initiates the
authorization and does not, or elects not to, provide a statement of
the purpose.
    (v) An expiration date or an expiration event that relates to the
individual or the purpose of the use or disclosure. The following
statements meet the requirements for an expiration date or an
expiration event if the appropriate conditions apply:
    (A) The statement "end of the research study" or similar language
is sufficient if the authorization is for a use or disclosure of
protected health information for research.
    (B) The statement "none" or similar language is sufficient if the
authorization is for the covered entity to use or disclose protected
health information for the creation and maintenance of a research
database or research repository.
    (vi) Signature of the individual and date. If the authorization is
signed by a personal representative of the individual, a description of
such representative's authority to act for the individual must also be
provided.
    (2) Required statements. In addition to the core elements, the
authorization must contain statements adequate to place the individual
on notice of all of the following:
    (i) The individual's right to revoke the authorization in writing,
and either:
    (A) The exceptions to the right to revoke and a description of how
the individual may revoke the authorization; or
    (B) To the extent that the information in paragraph (c)(2)(i)(A) of
this section is included in the notice required by Sec. 164.520, a
reference to the covered entity's notice.
    (ii) The ability or inability to condition treatment, payment,
enrollment or eligibility for benefits on the authorization, by stating
either:
    (A) The covered entity may not condition treatment, payment,
enrollment or eligibility for benefits on whether the individual signs
the authorization when the prohibition on conditioning of
authorizations in paragraph (b)(4) of this section applies; or
    (B) The consequences to the individual of a refusal to sign the
authorization when, in accordance with paragraph (b)(4) of this
section, the covered entity can condition treatment, enrollment in the
health plan, or eligibility for benefits on failure to obtain such
authorization.
    (iii) The potential for information disclosed pursuant to the
authorization to be subject to redisclosure by the recipient and no
longer be protected by this rule.
    (3) Plain language requirement. The authorization must be written
in plain language.
    (4) Copy to the individual. If a covered entity seeks an
authorization from an individual for a use or disclosure of protected
health information, the covered entity must provide the individual with
a copy of the signed authorization.
    9. Amend Sec. 164.510 as follows:
    a. Revise the first sentence of the introductory text.
    b. Remove the word "for" from paragraph (b)(3).
    The revision reads as follows:

Sec. 164.510  Uses and disclosures requiring an opportunity for the
individual to agree or to object.

    A covered entity may use or disclose protected health information,
provided that the individual is informed in advance of the use or
disclosure and has the opportunity to agree to or prohibit or restrict
the use or disclosure, in accordance with the applicable requirements
of this section. * * *
* * * * *
    10. Amend Sec. 164.512 as follows:
    a. Revise the section heading and the first sentence of the
introductory text.
    b. Revise paragraph (b)(1)(iii).
    c. In paragraph (b)(1)(v)(A) remove the word "a" before the word
"health."
    d. Add the word "and" after the semicolon at the end of paragraph
(b)(1)(v)(C).
    e. Redesignate paragraphs (f)(3)(ii) and (iii) as (f)(3)(i) and
(ii).
    f. In the second sentence of paragraph (g)(2) add the word "to"
after the word "directors."
    g. In paragraph (i)(1)(iii)(A) remove the word "is" after the
word "disclosure."
    h. Revise paragraph (i)(2)(ii).
    The revisions read as follows:

Sec. 164.512  Uses and disclosures for which an authorization or
opportunity to agree or object is not required.

    A covered entity may use or disclose protected health information
without the written authorization of the individual, as described in
Sec. 164.508, or the opportunity for the individual to agree or object
as described in Sec. 164.510, in the situations covered by this
section, subject to the applicable requirements of this section. * * *

[[Page 14814]]
* * * * *
    (b) Standard: uses and disclosures for public health activities.
    (1) Permitted disclosures. * * *
    (iii) A person subject to the jurisdiction of the Food and Drug
Administration (FDA) with respect to an FDA-regulated product or
activity for which that person has responsibility, for the purpose of
activities related to the quality, safety or effectiveness of such FDA-
regulated product or activity. Such purposes include:
    (A) To collect or report adverse events (or similar activities with
respect to food or dietary supplements), product defects or problems
(including problems with the use or labeling of a product), or
biological product deviations;
    (B) To track FDA-regulated products;
    (C) To enable product recalls, repairs, or replacement, or lookback
(including locating and notifying individuals who have received
products that have been recalled, withdrawn, or are the subject of
lookback); or
    (D) To conduct post marketing surveillance;
* * * * *
    (i) Standard: Uses and disclosures for research purposes. * * *
    (2) Documentation of waiver approval. * * *
    (ii) Waiver criteria. A statement that the IRB or privacy board has
determined that the alteration or waiver, in whole or in part, of
authorization satisfies the following criteria:
    (A) The use or disclosure of protected health information involves
no more than a minimal risk to the privacy of individuals, based on, at
least, the presence of the following elements:
    (1) An adequate plan to protect the identifiers from improper use
and disclosure;
    (2) An adequate plan to destroy the identifiers at the earliest
opportunity consistent with conduct of the research, unless there is a
health or research justification for retaining the identifiers or such
retention is otherwise required by law; and
    (3) Adequate written assurances that the protected health
information will not be reused or disclosed to any other person or
entity, except as required by law, for authorized oversight of the
research study, or for other research for which the use or disclosure
of protected health information would be permitted by this subpart;
    (B) The research could not practicably be conducted without the
waiver or alteration; and
    (C) The research could not practicably be conducted without access
to and use of the protected health information.
* * * * *
    11. Amend Sec. 164.514 as follows:
    a. Revise paragraph (b)(2)(i)(R).
    b. Revise paragraph (d)(1).
    c. Revise paragraph (d)(4)(iii).
    d. Remove and reserve paragraph (e).
    The revisions read as follows:

Sec. 164.514  Other requirements relating to uses and disclosures of
protected health information.

* * * * *
    (b) Implementation specifications: Requirements for de-
identification of protected health information. * * *
    (2)(i) * * *
    (R) Any other unique identifying number, characteristic, or code,
except as permitted by paragraph (c) of this section; and
* * * * *
    (d)(1) Standard: minimum necessary requirements. In order to comply
with Sec. 164.502(b) and this section, a covered entity must meet the
requirements of paragraphs (d)(2) through (d)(5) of this section with
respect to a request for or the use and disclosure of protected health
information.
* * * * *
    (4) Implementation specifications: Minimum necessary requests for
protected health information. * * *
    (iii) For all other requests, a covered entity must:
    (A) Develop criteria designed to limit the request for protected
health information to the information reasonably necessary to
accomplish the purpose for which the request is made; and
    (B) Review requests for disclosure on an individual basis in
accordance with such criteria.
* * * * *
    (e) [Removed and Reserved]
* * * * *
    12. Amend Sec. 164.520 as follows:
    a. Remove the word "consent or" from paragraph (b)(1)(ii)(B).
    b. Revise paragraph (c)(2)(i).
    c. Redesignate paragraphs (c)(2)(ii) and (iii) as (c)(2)(iii) and
(iv).
    d. Add new paragraph (c)(2)(ii).
    e. Amend redesignated paragraph (c)(2)(iv) by removing
"(c)(2)(ii)" and adding in its place "(c)(2)(iii)".
    f. Revise paragraph (c)(3)(iii) by adding a sentence at the end.
    g. Revise paragraph (e).
    The revisions and addition read as follows:

Sec. 164.520  Notice of privacy practices for protected health
information.

* * * * *
    (c) Implementation specifications: provision of notice. * * *
    (2) Specific requirements for certain covered health care
providers. * * *
    (i) Provide the notice:
    (A) No later than the date of the first service delivery, including
service delivered electronically, to such individual after the
compliance date for the covered health care provider; or
    (B) In an emergency treatment situation, as soon as reasonably
practicable after the emergency treatment situation.
    (ii) Except in an emergency treatment situation, make a good faith
effort to obtain a written acknowledgment of receipt of the notice
provided in accordance with paragraph (c)(2)(i) of this section, and if
not obtained, document its good faith efforts to obtain such
acknowledgment and the reason why the acknowledgment was not obtained;
* * * * *
    (3) Specific requirements for electronic notice. * * *
    (iii) * * * The requirements in paragraph (c)(2)(ii) of this
section apply to electronic notice.
* * * * *
    (e) Implementation specifications: Documentation. A covered entity
must document compliance with the notice requirements, as required by
Sec. 164.530(j), by retaining copies of the notices issued by the
covered entity and, if applicable, any written acknowledgments of
receipt of the notice or documentation of good faith efforts to obtain
such written acknowledgment, in accordance with paragraph (c)(2)(ii) of
this section.

Sec. 164.522  [Amended]

    13. Amend Sec. 164.522 by removing the reference to
"164.502(a)(2)(i)" in paragraph (a)(1)(v), and adding in its place
"164.502(a)(2)(ii)".
    14. Amend Sec. 164.528 as follows:
    a. In paragraph (a)(1)(i), remove "Sec. 164.502" and add in its
place "Sec. 164.506".
    b. Redesignate paragraphs (a)(1)(iii) through (vi) as (a)(1)(iv)
through (vii).
    c. Add paragraph (a)(1)(iii).
    d. Revise paragraph (b)(2)(iv) in its entirety.
    e. Remove "or pursuant to a single authorization under
Sec. 164.508," from paragraph (b)(3).
    The addition and revision read as follows:

Sec. 164.528  Accounting of disclosures of protected health
information.

    (a) Standard: Right to an accounting of disclosures of protected
health information.
    (1) * * *
    (iii) Pursuant to an authorization as provided in Sec. 164.508.
* * * * *
    (b) Implementation specifications: Content of the accounting. * * *
    (2) * * *
    (iv) A brief statement of the purpose of the disclosure that
reasonably informs the individual of the basis for the disclosure or,
in lieu of such statement, a copy of a written request for a disclosure
under Secs. 164.502(a)(2)(ii) or 164.512, if any.
* * * * *
    15. Amend Sec. 164.530 as follows:
    a. Redesignate paragraph (c)(2) as (c)(2)(i).
    b. Add paragraph (c)(2)(ii).
    c. Remove the words "the requirements" from paragraph
(i)(4)(ii)(A) and add in their place the word "specifications."
    The addition reads as follows:

Sec. 164.530  Administrative requirements.

* * * * *
    (c) Standard: Safeguards. * * *
    (2) Implementation specifications: Safeguards. (i) * * *
    (ii) A covered entity must reasonably safeguard protected health
information to limit incidental uses or disclosures made pursuant to an
otherwise permitted or required use or disclosure.
* * * * *
    16. Revise Sec. 164.532 to read as follows:

Sec. 164.532  Transition Provisions.

    (a) Standard: Effect of prior authorizations. Notwithstanding
Secs. 164.508 and 164.512(i), a covered entity may use or disclose
protected health information, consistent with paragraphs (b) and (c) of
this section, pursuant to an authorization or other express legal
permission obtained from an individual permitting the use or disclosure
of protected health information, informed consent of the individual to
participate in research, or a waiver of informed consent by an IRB.
    (b) Implementation specification: Effect of prior authorization for
purposes other than research. Notwithstanding any provisions in
Sec. 164.508, a covered entity may use or disclose protected health
information that it created or received prior to the applicable
compliance date of this subpart pursuant to an authorization or other
express legal permission obtained from an individual prior to the
applicable compliance date of this subpart, provided that the
authorization or other express legal permission specifically permits
such use or disclosure and there is no agreed-to restriction in
accordance with Sec. 164.522(a).
    (c) Implementation specification: Effect of prior permission for
research. Notwithstanding any provisions in Secs. 164.508 and
164.512(i), a covered entity may use or disclose, for a specific
research study, protected health information that it created or
received either before or after the applicable compliance date of this
subpart, provided that there is no agreed-to restriction in accordance
with Sec. 164.522(a) and that the covered entity has obtained, prior to
the applicable compliance date, either:
    (1) The authorization or other express legal permission from an
individual to use or disclose protected health information for the
research study;
    (2) The informed consent of the individual to participate in the
research study; or
    (3) A waiver, by an IRB, of informed consent for the research
study, in accordance with 7 CFR 1c.116(d), 10 CFR 745.116(d), 14 CFR
1230.116(d), 15 CFR 27.116(d), 16 CFR 1028.116(d), 21 CFR 50.24, 22 CFR
225.116(d), 24 CFR 60.116(d), 28 CFR 46.116(d), 32 CFR 219.116(d), 34
CFR 97.116(d), 38 CFR 16.116(d), 40 CFR 26.116(d), 45 CFR 46.116(d), 45
CFR 690.116(d), or 49 CFR 11.116(d), provided that a covered entity
must obtain authorization in accordance with Sec. 164.508 if, after the
compliance date, informed consent is sought from an individual
participating in the research study.
    (d) Standard: Effect of prior contracts or other arrangements with
business associates. Notwithstanding any other provisions of this
subpart, a covered entity, other than a small health plan, may disclose
protected health information to a business associate and may allow a
business associate to create, receive, or use protected health
information on its behalf pursuant to a written contract or other
written arrangement with such business associate that does not comply
with Secs. 164.502(e) and 164.504(e) consistent with the requirements,
and only for such time, set forth in paragraph (e) of this section.
    (e) Implementation specification: Deemed compliance.--(1)
Qualification. Notwithstanding other sections of this subpart, a
covered entity, other than a small health plan, is deemed to be in
compliance with the documentation and contract requirements of
Secs. 164.502(e) and 164.504(e), with respect to a particular business
associate relationship, for the time period set forth in paragraph
(e)(2) of this section, if:
    (i) Prior to the effective date of this provision, such covered
entity has entered into and is operating pursuant to a written contract
or other written arrangement with a business associate for such
business associate to perform functions or activities or provide
services that make the entity a business associate; and
    (ii) The contract or other arrangement is not renewed or modified
from the effective date of this provision and until the compliance date
set forth in Sec. 164.534.
    (2) Limited deemed compliance period. A prior contract or other
arrangement that meets the qualification requirements in paragraph (e)
of this section, shall be deemed compliant until the earlier of:
    (i) The date such contract or other arrangement is renewed or
modified on or after the compliance date set forth in Sec. 164.534; or
    (ii) April 14, 2004.
    (3) Covered entity responsibilities. Nothing in this section shall
alter the requirements of a covered entity to comply with part 160,
subpart C of this subchapter and Secs. 164.524, 164.526, and 164.528
with respect to protected health information held by a business
associate.

[FR Doc. 02-7144 Filed 3-21-02; 12:00 pm]
BILLING CODE 4153-01-P