[Federal Register: March 27, 2002 (Volume 67, Number 59)] [Proposed Rules] [Page 14775-14815] From the Federal Register Online via GPO Access [wais.access.gpo.gov] [DOCID:fr27mr02-22] [[Page 14775]] ----------------------------------------------------------------------- Part II Department of Health and Human Services ----------------------------------------------------------------------- 45 CFR Parts 160 and 164 Office of the Secretary; Standards for Privacy of Individually Identifiable Health Information; Proposed Rule [[Page 14776]] ----------------------------------------------------------------------- DEPARTMENT OF HEALTH AND HUMAN SERVICES Office of the Secretary 45 CFR Parts 160 and 164 RIN 0991-AB14 Standards for Privacy of Individually Identifiable Health Information AGENCY: Office for Civil Rights, HHS. ACTION: Proposed rule; modification. ----------------------------------------------------------------------- SUMMARY: The Department of Health and Human Services (HHS) proposes to modify certain standards in the Rule entitled "Standards for Privacy of Individually Identifiable Health Information" (the "Privacy Rule"). The Privacy Rule implements the privacy requirements of the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996. The purpose of this action is to propose changes that maintain strong protections for the privacy of individually identifiable health information while clarifying misinterpretations, addressing the unintended negative effects of the Privacy Rule on health care quality or access to health care, and relieving unintended administrative burden created by the Privacy Rule. DATES: To assure consideration, written comments mailed to the Department as provided below must be postmarked no later than April 26, 2002, and written comments hand delivered to the Department and comments submitted electronically must be received as provided below, no later than 5 p.m. on April 26, 2002. ADDRESSES: Comments will be considered only if provided through any of the following means: 1. Mail written comments (1 original and, if possible, 3 copies and a floppy disk) to the following address: U.S. Department of Health and Human Services, Office for Civil Rights, Attention: Privacy 2, Hubert H. Humphrey Building, Room 425A, 200 Independence Avenue, SW., Washington, DC 20201. 2. Deliver written comments (1 original and, if possible, 3 copies and a floppy disk) to the following address: Attention: Privacy 2, Hubert H. Humphrey Building, Room 425A, 200 Independence Avenue, SW., Washington, DC 20201. 3. Submit electronic comments at the following Web site: https:// www.hhs.gov/ocr/hipaa/. See the SUPPLEMENTARY INFORMATION section for further information on comment procedures, availability of copies, and electronic access. FOR FURTHER INFORMATION CONTACT: Felicia Farmer 1-866-OCR-PRIV (1-866- 627-7748) or TTY 1-866-788-4989. SUPPLEMENTARY INFORMATION: Comment procedures, availability of copies, and electronic access. Comment Procedures: All comments should include the full name, address, and telephone number of the sender or a knowledgeable point of contact. Comments should address only those sections of the Privacy Rule for which modifications are being proposed or for which comments are requested. Comments on other sections of the Privacy Rule will not be considered, except insofar as they pertain to the standards for which modifications are proposed or for which comments are requested. Each specific comment should specify the section of the Privacy Rule to which it pertains. Written comments should include 1 original and, if possible, 3 copies and an electronic version of the comments on a 3\1/2\ inch DOS format floppy disk in HTML, ASCII text, or popular word processor format (Microsoft Word, Corel WordPerfect). All comments and content must be limited to the 8.5 inches wide by 11.0 inches high vertical (also referred to as "portrait") page orientation. Additionally, if identical/duplicate comment submissions are submitted both electronically at the specified Web site and in paper form, the Department requests that each submission clearly indicate that it is a duplicate submission. Because of staffing and resource limitations, the Department will not accept comments by telephone or facsimile (FAX) transmission. Any comments received through such media will be deleted or destroyed, as appropriate, and not be considered as public comments. The Department will accept electronic comments only as submitted through the Web site identified in the ADDRESSES section above. No other form of electronic mail will be accepted or considered as public comment. In addition, when mailing written comments, the public is encouraged to submit comments as early as possible due to potential delays in mail service. Inspection of Public Comments: Comments that are timely received in proper form and at one of the addresses specified above will be available for public inspection by appointment as they are received, generally beginning approximately three weeks after publication of this document, at 200 Independence Avenue, SW., Washington, DC on Monday through Friday of each week from 9 a.m. to 4 p.m. Appointments may be made by telephoning 1-866-OCR-PRIV (1-866-627-7748) or TTY 1-866-788- 4989. Copies: To order copies of the Federal Register containing this document, send your request to: New Orders, Superintendent of Documents, P.O. Box 371954, Pittsburgh, PA 15250-7954. Specify the date of the issue requested and enclose a check or money order payable to the Superintendent of Documents, or enclose your Visa or Master Card number and expiration date. Credit card orders can also be placed by calling the order desk at (202) 512-1800 (or toll-free at 1-866-512- 1800) or by fax to (202) 512-2250. The cost for each copy is $10.00. Alternatively, you may view and photocopy the Federal Register document at most libraries designated as Federal Depository Libraries and at many other public and academic libraries throughout the country that receive the Federal Register. Electronic Access: This document is available electronically at the OCR Privacy Web site at https://www.hhs.gov/ocr/hipaa/, as well as at the Web site of the Government Printing Office at https://www.access.gpo.gov/su_docs/aces/ aces140.html. I. Background A. Statutory Background Congress recognized the importance of protecting the privacy of health information given the rapid evolution of health information systems in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, which became law on August 21, 1996. HIPAA's Administrative Simplification provisions, sections 261 through 264 of the statute, were designed to improve the efficiency and effectiveness of the health care system by facilitating the electronic exchange of information with respect to financial and administrative transactions carried out by health plans, health care clearinghouses, and health care providers who transmit information electronically in connection with such transactions. To implement these provisions, the statute directed HHS to adopt a suite of uniform, national standards for transactions, unique health identifiers, code sets for the data elements of the transactions, security of health information, and electronic signature. At the same time, Congress recognized the challenges to the [[Page 14777]] confidentiality of health information presented by the increasing complexity of the health care industry, and by advances in the health information systems technology and communications. Thus, the Administrative Simplification provisions of HIPAA authorized the Secretary to promulgate regulations on standards for the privacy of individually identifiable health information if Congress did not enact health care privacy legislation by August 21, 1999. HIPAA also required the Secretary of HHS to provide Congress with recommendations for protecting the confidentiality of health care information. The Secretary submitted such recommendations to Congress on September 11, 1997, but Congress was unable to act within its self-imposed deadline. With respect to these regulations, HIPAA provided that the standards, implementation specifications, and requirements established by the Secretary not supersede any contrary State law that imposes more stringent privacy protections. Additionally, Congress required that HHS consult with the National Committee on Vital and Health Statistics, a Federal Advisory committee established pursuant to section 306(k) of the Public Health Service Act (42 U.S.C. 242k(k)), and the Attorney General in the development of HIPAA privacy standards. After a set of standards is adopted by the Department, HIPAA provides HHS with authority to modify the standards as deemed appropriate, but not more frequently than once every 12 months. However, modifications are permitted during the first year after adoption of the standard if the changes are necessary to permit compliance with the standard. HIPAA also provides that compliance with modifications to standards or implementation specifications must be accomplished by a date designated by the Secretary, which may not be earlier than 180 days from the adoption of the modification. B. Regulatory and Other Actions to Date As Congress did not enact legislation regarding the privacy of individually identifiable health information prior to August 21, 1999, HHS published a proposed Rule setting forth such standards on November 3, 1999 (64 FR 59918). The Department received more than 52,000 public comments in response to the proposal. After reviewing and considering the public comments, HHS issued a final Rule (65 FR 82462) on December 28, 2000, establishing "Standards for Privacy of Individually Identifiable Health Information" ("Privacy Rule"). In an era where consumers are increasingly concerned about the privacy of their personal information, the Privacy Rule creates for the first time national protections for the privacy of their most sensitive information--health information. Congress has passed other laws to protect consumer's personal information contained in bank, credit card, other financial records, and even video rentals. These health privacy protections are intended to provide consumers with similar assurances that their health information, including genetic information, will be properly protected. Under the Privacy Rule, health plans, health care clearinghouses, and certain health care providers must guard against misuse of individuals' identifiable health information and limit the sharing of such information, and consumers are afforded significant new rights to understand and control how their health information is used and disclosed. After publication of the Privacy Rule, HHS received many inquiries and unsolicited comments through telephone calls, e-mails, letters, and other contacts about the impact and operation of the Privacy Rule on numerous sectors of the health care industry. Many of these commenters exhibited substantial confusion over how the Privacy Rule will operate; others expressed great concern over the complexity of the Privacy Rule. In response to these communications and to ensure that the provisions of the Privacy Rule would protect patients' privacy without creating unanticipated consequences that might harm patients' access to health care or quality of health care, the Secretary of HHS requested comment on the Privacy Rule in March 2001 (66 FR 12738). After an expedited review of the comments by the Department, the Secretary decided that it was appropriate for the Privacy Rule to become effective on April 14, 2001, as scheduled (65 FR 12433). At the same time, the Secretary directed the Department immediately to begin the process of developing guidelines on how the Privacy Rule should be implemented and to clarify the impact of the Privacy Rule on health care activities. In addition, the Secretary charged the Department with proposing appropriate changes to the Privacy Rule during the next year to clarify the requirements and correct potential problems that could threaten access to, or quality of, health care. The comments received during the comment period, as well as other communications from the public and all sectors of the health care industry, including letters, testimony at public hearings, and meetings requested by these parties, have helped to inform the Department's efforts to develop proposed modifications and guidance on the Privacy Rule. On July 6, 2001, the Department issued its first guidance to answer common questions and clarify certain of the Privacy Rule's provisions. In the guidance, the Department also committed to proposing modifications to the Privacy Rule to address problems arising from unintended effects of the Privacy Rule on health care delivery and access. The guidance is available on the HHS Office for Civil Rights (OCR) Privacy Web site at https://www.hhs.gov/ocr/hipaa/. II. Overview of the Proposed Rule As described above, through public comments, testimony at public hearings, meetings at the request of industry and other stakeholders, as well as other communications, the Department learned of a number of concerns about the potential unintended effect certain provisions would have on health care delivery and access. In response to these concerns, and pursuant to HIPAA's provisions for modifications to the standards, the Department is proposing modifications to the Privacy Rule. In addition, the National Committee for Vital and Health Statistics (NCVHS), Subcommittee on Privacy and Confidentiality, held public hearings on the implementation of the Privacy Rule on August 21-23, 2001, and January 24-25, 2002, and provided recommendations to the Department based on these hearings. The NCVHS serves as the statutory advisory body to the Secretary of HHS with respect to the development and implementation of the Rules required by the Administrative Simplification provisions of HIPAA, including the privacy standards. Through the hearings, the NCVHS specifically solicited public input on issues related to certain key standards in the Privacy Rule: consent, minimum necessary, marketing, fundraising, and research. The resultant public testimony and subsequent recommendations submitted to the Department by the NCVHS also served to inform the development of these proposed modifications. Based on the information received through the various sources described above, the Department proposes to modify the following areas or provisions of the Privacy Rule: consent, including other provisions for uses and disclosures of protected health information for treatment, payment, and health care operations; notice of privacy [[Page 14778]] practices for protected health information; minimum necessary uses and disclosures, and oral communications; business associates; uses and disclosures for marketing; parents as the personal representatives of unemancipated minors; uses and disclosures for research purposes; uses and disclosures of protected health information for which authorizations are required; and de-identification of protected health information. In addition to these key areas, the proposal includes changes to certain other provisions where necessary to clarify the Privacy Rule. The Department also includes in the proposed Rule a list of technical corrections intended as editorial or typographical corrections to the Privacy Rule. The proposed modifications collectively are designed to ensure that protections for patient privacy are implemented in a manner that maximizes the effectiveness of such protections while not compromising either the availability or the quality of medical care. They reflect a continuing commitment on the part of the Department to strong privacy protections for medical records and the belief that privacy is most effectively protected by requirements that are not exceptionally difficult to implement. If there are any ways in which privacy protections are unduly compromised by these modifications, the Department welcomes comments and suggestions for alternative ways effectively to protect patient privacy without adversely affecting access to, or the quality of, health care. Given that the compliance date of the Privacy Rule for most covered entities is April 14, 2003, and statutory requirements to ensure that affected parties have sufficient time to come into compliance require any revisions to become effective by October 13, 2002, the Department is soliciting public comment on these proposed modifications for only 30 days. As stated above, the modifications address public concerns already communicated to the Department through a wide variety of sources since publication of the Privacy Rule in December 2000. For these reasons, the Department believes that 30 days should be sufficient for the public to state its views fully to the Department on the proposed modifications to the Privacy Rule. III. Description of Proposed Modifications A. Uses and Disclosures for Treatment, Payment, and Health Care Operations 1. Consent Treatment and payment for health care are core functions of the health care industry, and uses and disclosures of individually identifiable health information for such purposes are critical to the effective operation of the health care system. Health care providers and health plans must also use individually identifiable health information for certain health care operations, such as administrative, financial, and legal activities, to run their businesses, and to support the essential health care functions of treatment and payment. Equally important are health care operations designed to maintain and improve the quality of health care. In developing the Privacy Rule, the Department considered the privacy implications of uses and disclosures for treatment, payment, and health care operations in connection with the need for these activities to continue. In balancing the need for these activities and the privacy interests involved in using and disclosing protected health information for these purposes, the Department considered the fact that many individuals expect that their health information will be used and disclosed as necessary to treat them, bill for treatment, and, to some extent, operate the covered entity's health care business. Due to individual expectations with respect to the use or disclosure of information for such activities and so as not to interfere with an individual's access to quality health care or efficient payment for such health care, the Department's goal is to permit these activities to occur with little or no restriction. Consistent with this view, the Privacy Rule generally provides covered entities with permission to use and disclose protected health information as necessary for treatment, payment, and health care operations. For certain health care providers that have a direct treatment relationship with individuals, such as many physicians, hospitals, and pharmacies, the Privacy Rule requires such providers to obtain an individual's written consent prior to using or disclosing protected health information for these purposes. To implement the consent standard, the Privacy Rule requires a covered health care provider with a direct treatment relationship with the individual to obtain a single, one-time, general permission from the individual prior to using or disclosing protected health information about him or her for treatment, payment, and health care operations. An individual may revoke his or her consent at any time, except to the extent that the covered entity has taken action in reliance on the consent. The Privacy Rule contains exceptions to the consent requirements, under which a provider may use or disclose protected health information without prior consent when there is an emergency treatment situation, when a provider is required by law to treat the individual, or when there are substantial communication barriers. Additionally, because the Department realizes that a health care provider cannot treat a patient without being able to use and disclose his or her protected health information for treatment purposes, the Privacy Rule permits a covered health care provider to refuse to treat a patient who refuses to provide consent. Finally, the Privacy Rule permits other covered entities to voluntarily obtain consent, in accordance with these consent provisions. The consent requirement for health care providers with direct treatment relationships was a significant change from the Department's initial proposal published in November 1999. At that time, the Department proposed to permit all covered entities to use and disclose protected health information to carry out treatment, payment, and health care operations without any requirement that the covered entities obtain an individual's consent for such uses and disclosures, subject to a few limited exceptions. Further, the Department had proposed to prohibit covered entities from obtaining an individual's consent for uses and disclosures of protected health information for these purposes, unless required by other applicable law. Instead, the Department relied on the principle of fair notice, coupled with regulatory limits on the use and disclosure of health information, to balance the individual's privacy interests against the need not to impede the delivery of quality health care. Providing individuals with fair notice about the information practices and responsibilities of their plans and providers, and their rights with respect to information about them, is a privacy principle as important as the principle of consent. Indeed, consents often provide individuals with little actual control over information. When an individual is required to sign a blanket consent at the point of treatment as a condition of treatment or payment, that [[Page 14779]] consent is often not voluntary. Instead, therefore, the Department proposed to require most covered entities to create and provide to individuals a notice describing all of the entity's information practices, including their practices with respect to uses and disclosures of protected health information to carry out treatment, payment, and health care operations. The Department received a strong public response opposing this proposal. Health care providers and patients argued that consent provides individuals with a sense of control over how their information will be used and disclosed, is a current practice of many health care providers, and is expected by patients. Providers explained that they would face an ethical conflict from a prohibition on obtaining consent. The consent requirement for direct treatment providers was a direct response to these comments. Public Comments The Department received many comments in March 2001, as well as recommendations from the NCVHS based on public testimony, about the consent provisions in the Privacy Rule. There were some proponents of consent that urged the Department to retain, expand, or strengthen the consent provisions. There were also many opponents of consent that raised a number of issues and serious concerns that the consent requirements will impede access to, and the delivery of, quality health care. Most significantly, many covered entities described an array of circumstances when they need to use or disclose protected health information for treatment, payment, or health care operations purposes prior to the initial face-to-face contact with the patient, and therefore, prior to obtaining consent. Consistent with the comments that the Department received after the initial notice of proposed rulemaking (NPRM), proponents of the consent requirement argued that consent is integral to providing individuals the opportunity to be active participants in their own health care and can bolster patient trust in providers. One of the most significant values that proponents placed on consent was that it defines an "initial moment" when patients can focus on information practices and raise questions about privacy concerns. Some proponents recommended that the consent requirement be extended to health plans because these entities may not have the same duty and legal obligation as health care providers to maintain confidentiality. Others urged the Department to strengthen consent by eliminating the ability of providers to condition treatment on the receipt of consent. There were also some commenters that thought that consent should be required more frequently. They claimed that the consent provisions will be ineffective to provide individuals with control over how their information will be used or disclosed because it is general and only must be obtained one time. They argued that an individual may have differing degrees of concern about the privacy of health information, depending on the nature of the information raised in the particular encounter with the provider, and that an initial, one-time consent cannot account for such variation. At the same time, most covered entities were concerned about significant practical problems that resulted from the consent requirements in the Privacy Rule. Commenters raised numerous examples of obstacles that the prior consent provisions will pose to timely access to health care. Health care providers commented that they often use health information about an individual for necessary treatment, payment, and health care operations activities prior to the first face- to-face contact with the individual. Under the Privacy Rule, these routine and often essential activities are not permitted unless the provider first obtains consent from the individual. Although the consent only needs to be obtained one time, there may be problems for new patients who have not yet provided consent, for existing patients who have not yet provided consent after the compliance date of the Privacy Rule, for patients who have revoked consent, and for patients who may have provided consent, but the provider cannot find such documentation. These concerns were primarily raised by pharmacists and pharmacies, but the same issue exists in any referral or new patient situation. Pharmacists informed us that they typically use individually identifiable health information, received from a physician, to fill a prescription, search for potential drug interactions, and determine eligibility and obtain authorization for payment, before the individual arrives at the pharmacy to pick up the prescription. The consent requirement would delay such activity for any first-time customers and for many more customers immediately following the compliance date of the Privacy Rule. Tracking consents in large, multi-state pharmacy chains can result in delays as well. At best, an individual will experience significant delays in obtaining his or her prescription if a pharmacist cannot fill the prescription until the individual is present to sign a consent. Even greater delays may be experienced by individuals too ill to pick up their own prescriptions. Although the Privacy Rule permits a friend or neighbor to pick up the prescription, that person may not have the legal authority to sign a consent on the individual's behalf. Thus, a number of trips back and forth to the pharmacy may be needed to obtain the prior consent. This problem is greatly magnified in rural areas, where persons may travel much longer distances to see health care providers, including pharmacists. Similarly, a hospital receives information about a patient from a referring physician and routinely uses this information to schedule and prepare for procedures before the individual presents at the hospital for such procedure. The Privacy Rule's requirement that a covered entity obtain an individual's consent prior to using or disclosing their information is an impediment to these activities and could require an individual to make an additional trip to the hospital simply to provide consent. The Department did not intend that the Privacy Rule interfere with such activities. Commenters also raised concerns that providers who do not provide treatment in person may be unable to provide care because they are unable to obtain prior written consent to use protected health information at the first service delivery. This was a special concern with respect to providers who care for individuals over the telephone. For example, providers who cover for other providers during non- business hours or providers who had not yet had the opportunity to obtain a patient's consent were concerned that they would not be able to respond to telephone calls from individuals in need of treatment because they were not able to obtain consent over the telephone. Nurses who staff telephone centers that provide health care assessment and advice, but who never see patients, had similar concerns. Other concerns related to treatment were expressed about the limitations of the exceptions to the consent requirement in the Privacy Rule. For example, emergency medical providers were unclear as to whether all activities in which they engage qualify for the emergency treatment exception to the consent requirement. As a result of this confusion, they were concerned that, if a situation was urgent, they would have to try to obtain consent to comply with the Privacy Rule even if that would be inconsistent with current practice of emergency medicine. These providers [[Page 14780]] also were concerned about the requirement that a provider must attempt to obtain consent as soon as reasonably practicable after an emergency. Emergency medical providers explained that they typically do not have ongoing relationships with individuals and that the requirement to attempt to obtain consent after the emergency would require significant efforts and administrative burden on their part, and would be viewed as harassment by individuals. Providers who do not provide emergency care and who are not likely meet one of the consent exceptions were concerned that they may be put in the untenable position of having to decide whether to withhold treatment when an individual does not provide consent or proceed to use information to treat the individual in violation of the consent requirements. Covered entities were also concerned that the difficultly in tracking consents may hamper treatment. The Privacy Rule permits an individual to revoke his or her consent. Large institutional providers claimed that, since tracking of patient consents and revocations would be very difficult and expensive, in practice, they would need to obtain consent for each patient encounter, rather than just one-time as allowed by the Privacy Rule. Covered entities were concerned that, if an individual revokes consent, they would have to eliminate all protected health information about that individual from their systems in order to ensure that it was not used inadvertently for routine health care operations purposes, which would hinder their quality improvement activities and other health care operations. Additionally, testimony before the NCVHS revealed a concern that the ability of a patient to revoke consent might prevent health care providers from accessing protected health information that is critical for the treatment of an individual in an emergency treatment situation where a new consent is not obtained. The Department also heard many concerns about the transition provisions related to the use and disclosure of protected health information for treatment, payment, or health care operations. The Privacy Rule permits covered health care providers that are required to obtain consent for treatment, payment, or health care operations to continue, after the compliance date of the Privacy Rule, to use and disclose protected health information they created or received prior to the compliance date of the Privacy Rule for these purposes if they have obtained consent, authorization, or other express legal permission to use or disclose such information for any of these purposes, even if such permission does not meet the consent requirements under the Privacy Rule. Many providers informed the Department that they currently were not required to obtain consent for these purposes, that these transition provisions would result in significant operational problems, and the inability to access health records would have an adverse effect on quality activities. Concerns also were raised regarding the exception to the consent requirement for cases where a provider is required by law to treat an individual. For example, providers that are required by law to treat were concerned about the mixed messages to patients and interference with the physician-patient relationship that would result when they are required to ask for consent to use or disclose protected health information for treatment, payment, or health care operations, but if the patient says "no," they are permitted to use or disclose the information for such purposes anyway. There also was confusion about the interaction of the consent provisions and the provisions regarding parents and minors. Testimony received by the NCVHS indicated uncertainty as to the validity of a consent signed by a parent for his or her minor child once the child reaches the age of majority. The NCVHS requested clarification regarding whether a child must sign a new consent upon reaching the age of majority. The NCVHS hearings and recommendations focused on practical implementation issues, including the unintended consequences of the consent provisions, but did not address whether the Privacy Rule should or should not require consent. The NCVHS generally recommended that the Department consider circumstances in which protected health information could be used and disclosed without an individual's prior written consent and modify the Privacy Rule accordingly. The Committee specifically recommended that the Privacy Rule should be amended to include provisions for allowing covered entities to use and disclose protected health information prior to the initial face-to-face contact with an individual. Proposed Modifications The Department is concerned by the multitude of comments and examples demonstrating that the consent requirements result in unintended consequences that impede the provision of health care in many critical circumstances and that other such unintended consequences may exist which have yet to be brought to its attention. However, the Department understands that the opportunity to discuss privacy practices and concerns is an important component of privacy, and that the confidential relationship between a patient and a health care provider includes the patient's ability to be involved in discussions and decisions related to the use and disclosure of any protected health information about him or her. Accordingly, the Department proposes an approach that protects privacy interests by affording patients the opportunity to engage in important discussions regarding the use and disclosure of their health information, while allowing activities that are essential to provide access to quality health care to occur unimpeded. Specifically, the Department proposes to make optional the obtaining of consent to use and disclose protected health information for treatment, payment, or health care operations on the part of all covered entities, including providers with direct treatment relationships. Under this proposal, health care providers with direct treatment relationships with individuals would no longer be required to obtain an individual's consent prior to using and disclosing information about him or her for treatment, payment, and health care operations. They, like other covered entities, would have regulatory permission for such uses and disclosures. In order to preserve flexibility and the valuable aspects of the consent requirement, the Department proposes changes that would: (1) Permit all covered entities to obtain consent if they choose, (2) strengthen the notice requirements to preserve the opportunity for individuals to discuss privacy practices and concerns with providers, and (3) enhance the flexibility of the consent process for those covered entities that choose to obtain consent. See section III.B. of the preamble below for the related discussion of proposed modifications to the Privacy Rule's notice requirements. Other individual rights would not be affected by this proposal. Although covered entities would not be required to obtain an individual's consent, any uses or disclosures of protected health information for treatment, payment, or health care operations would still need to be consistent with the covered entity's notice of privacy practices. Also, the removal of the consent requirement only applies to consent for treatment, payment, and health care operations; it does not alter the [[Page 14781]] requirement to obtain an authorization under Sec. 164.508 for uses and disclosures of protected health information not otherwise permitted by the Privacy Rule. The functions of treatment, payment, and health care operations were all given carefully limited definitions in the Privacy Rule, and the Department intends to enforce strictly the requirement for obtaining an individual's authorization, in accordance with Sec. 164.508, for uses and disclosure of protected health information for other purposes not otherwise permitted or required by the Privacy Rule. Furthermore, individuals would retain the right to request restrictions, in accordance with Sec. 164.522(a). Although consent for use and disclosure of protected health information for treatment, payment, and health care operations would no longer be mandated, the Department is proposing to allow covered entities to have a consent process if they wish to do so. The Department heard from some commenters that obtaining consent was an integral part of the ethical and other practice standards for many health care professionals. The Department, therefore, would not prohibit covered entities from obtaining consent. Under this proposal, a consent could apply only to uses and disclosures that are otherwise permitted by the Privacy Rule. A consent obtained through this voluntary process would not be sufficient to permit a use or disclosure which, under the Privacy Rule, requires an authorization or is otherwise expressly conditioned. For example, a consent could not be obtained in lieu of an authorization or a waiver of authorization by an IRB or Privacy Board to disclose protected health information for research purposes. The Department proposes to allow covered entities that choose to have a consent process complete discretion in designing this process. The comments have informed the Department that one consent process and one set of principles will likely be unworkable. As a result, these proposed standards would leave complete flexibility to each covered entity. Covered entities that chose to obtain consent could rely on industry practices to design a voluntary consent process that works best for their practice area and consumers. To effectuate these changes to the consent standard, the Department proposes to replace the consent provisions in Sec. 164.506 with a new provision at Sec. 164.506(a) that would provide regulatory permission for covered entities to use or disclose protected health information for treatment, payment, and health care operations, and a new provision at Sec. 164.506(b) that would allow covered entities to obtain consent if they choose to, and make clear that such consent may not permit a use or disclosure of protected health information not otherwise permitted or required by the Privacy Rule. Additionally, the Department proposes a number of conforming modifications throughout the Privacy Rule to accommodate the proposed approach. The most substantive corresponding changes are proposed at Secs. 164.502 and 164.532. Section 164.502(a)(1) provides a list of the permissible uses and disclosures of protected health information, and refers to the corresponding section of the Privacy Rule for the detailed requirements. The Department collapses the provisions at Secs. 164.502(a)(1)(ii) and (iii) that address uses and disclosures of protected health information for treatment, payment, and health care operations and modifies the language to eliminate the consent requirement for these purposes. Section 164.532 consists of the transition provisions. In Sec. 164.532, the Department deletes references to Sec. 164.506 and to consent, authorization, or other express legal permission obtained for uses and disclosures of protected health information for treatment, payment, and health care operations prior to the compliance date of the Privacy Rule. The proposal to permit a covered entity to use or disclose protected health information for these purposes without consent or authorization would apply to any protected health information held by a covered entity whether created or received before or after the compliance date. Therefore, transition provisions would not be necessary. The Department also proposes conforming changes to the definition of "more stringent" in Sec. 160.202, Sec. 164.500(b)(1)(v), Secs. 164.508(a)(2)(i) and (b)(3)(i), the introductory text of Secs. 164.510 and 164.512, the title of Sec. 164.512, and Sec. 164.520(b)(1)(ii)(B) to reflect that consent is no longer required. 2. Disclosures for Treatment, Payment, or Health Care Operations of Another Entity The Privacy Rule permits a covered entity to use and disclose protected health information for treatment, payment, or health care operations (subject to a consent in some cases). Uses and disclosures for treatment are broad because the definition of treatment incorporates the interaction among more than one entity; specifically, coordination and management of health care among health care providers or by a health care provider with a third party, consultations between health care providers, and referrals of a patient for health care from one health care provider to another. As a result, covered entities are permitted to disclose protected health information for treatment regardless of to whom the disclosure is made, as well as to disclose protected health information for the treatment activities of another health care provider. However, for payment and health care operations, the Privacy Rule generally limits a covered entity's uses and disclosures of protected health information to those that are necessary for its own payment and health care operations activities. This limitation is explicitly stated in the preamble discussions in the Privacy Rule of the definitions of "payment" and "health care operations." The Privacy Rule also provides that a covered entity must obtain authorization to disclose protected health information for the payment or health care operations of another entity. The Department intended these requirements to be consistent with individuals' privacy expectations. See Secs. 164.506(a)(5) and 164.508(e). Public Comments A number of commenters raised specific concerns with the restriction that a covered entity is permitted to use and disclose protected health information only for its own payment and health care operations activities. These commenters presented a number of examples where such a restriction would impede the ability of certain covered entities to obtain reimbursement for health care, to conduct certain quality assurance or improvement activities, such as accreditation, or to monitor fraud and abuse. With regard to payment, the Department received specific concerns about the difficultly that the Privacy Rule will place on certain providers trying to obtain information needed for reimbursement for health care. Specifically, ambulance service providers explained that they normally receive the information they need to seek payment for treatment from the hospital emergency departments to which they transport their patients, since it is usually not possible at the time the service is rendered for the ambulance service provider to obtain such information directly from the individual. Nor is it practicable or [[Page 14782]] feasible in all cases for the hospital to obtain the individual's authorization to provide payment information to the ambulance service provider after the fact. This disclosure of protected health information from the hospital to the ambulance service provider is not permitted under the Privacy Rule without an authorization from the patient because it is a disclosure by the hospital for the payment activities of the ambulance service provider. In addition, commenters stated that physicians and other covered entities outsource their billing, claims, and reimbursement functions to accounts receivable management companies. These collectors often attempt to recover payments from a patient for care rendered by multiple health care providers. Commenters were concerned that the Privacy Rule will prevent these collectors, as business associates of multiple providers, from using a patient's demographic information received from one provider in order to facilitate collection for another provider's payment purposes. With regard to health care operations, the Department also received comments about the difficultly that the Privacy Rule will place on health plans trying to obtain information needed for quality assessment activities. Health plans informed the Department that they need to obtain individually identifiable health information from health care providers for the plans' own quality-related activities, accreditation, and performance measures, e.g., Health Plan Employer Data and Information Set (HEDIS). Commenters explained that the information provided to plans for payment purposes (e.g., claims or encounter information) may not be sufficient for quality assessment or accreditation purposes. Plans may receive even less information from their capitated providers. The NCVHS also received specific public testimony with regard to this issue as part of public hearings held in August 2001. The NCVHS subsequently recommended to the Department that the Privacy Rule be amended to allow for uses and disclosures for quality-related activities among covered entities without individual written authorization. Proposed Modifications Based on concerns raised by comments, the Department proposes to modify Sec. 164.506 to permit a covered entity to disclose protected health information for the payment activities of another covered entity or health care provider, and for certain health care operations of other covered entities. This proposal would broaden the uses and disclosures that are permitted as part of treatment, payment, and health care operations so as not to interfere inappropriately with access to quality and effective health care, while limiting this expansion in order to continue to protect the privacy expectations of individuals. It would be a limited expansion of the information that is allowed to flow between entities, without an authorization, as part of treatment, payment, and certain health care operations. The Department proposes the following. First, the Department explicitly includes in Sec. 164.506(c)(1) language stating that a covered entity may use or disclose protected health information for its own treatment, payment, or health care operations without prior consent or authorization. Second, in Sec. 164.506(c)(2), the Department includes language to clarify its intent that a covered entity may share protected health information for the treatment activities of another health care provider. For example, a primary care provider, who is a covered entity under the Privacy Rule, may send a copy of an individual's medical record to a specialist who needs the information to treat the same individual. No authorization would be required. Third, with respect to payment, the Department proposes, in Sec. 164.506(c)(3), to explicitly permit a covered entity to disclose protected health information to another covered entity or health care provider for the payment activities of that entity. The Department recognizes that not all health care providers who need protected health information to obtain payment are covered entities, and therefore, proposes to allow disclosures of protected health information to both covered and non-covered health care providers. The Department is unaware of any similar barrier with respect to plans that are not covered under the Privacy Rule to obtain the protected health information they need for payment purposes, but solicits comment on whether such barriers exist. Therefore, the Department proposes to limit disclosures under this provision to those health plans that are covered by the Privacy Rule. Fourth, in Sec. 164.506(c)(4), the Department proposes to permit a covered entity to disclose protected health information about an individual to another covered entity for certain health care operations purposes of the covered entity that receives the information. The proposal would permit such disclosures only for the activities described in paragraphs (1) and (2) of the definition of "health care operations," as well as for health care fraud and abuse detection and compliance programs (as provided for in paragraph (4) of the definition of "health care operations"). The activities that fall into paragraphs (1) and (2) of the definition of "health care operations" include quality assessment and improvement activities, population-based activities relating to improving health or reducing health care costs, case management, conducting training programs, and accreditation, certification, licensing, or credentialing activities. This provision is intended to allow information to flow from one covered entity to another for activities important to providing quality and effective health care. The proposed expansion for permissible disclosures for health care operations without authorization is more limited than the permissible disclosures for treatment and payment in two ways. First, in contrast to treatment and payment, the proposal limits the types of health care operations that are covered by this expansion. The Department proposes this limitation because it recognizes that "health care operations" is a broad term and that individuals are less aware of the business- related activities that involve the use and disclosure of protected health information. In addition, many commenters and the NCVHS focused their comments on covered entities' needs to share protected health information for quality-related health care operations activities. Second, in contrast to the treatment and payment provisions in this section, the proposal for disclosures of protected health information for health care operations of another entity limits disclosures to other covered entities. By limiting disclosure for such purposes to entities that are required to comply with the Privacy Rule, the protected health information would continue to be protected. The Department believes that this would create the appropriate balance between meeting an individual's privacy expectations and meeting a covered entity's need for information for quality-related health care operations. These proposed modifications to allow disclosures for health care operations of another entity are permitted only to the extent that each entity has, or has had, a relationship with the individual who is the subject of the information being requested. Where the relationship between the individual and the covered entity has ended, a disclosure of protected health information about the individual only would be allowed if related to the past [[Page 14783]] relationship. The Department believes that this limitation is necessary in order to protect the privacy expectations of the individual. An individual should expect that two providers that are providing treatment to the individual, and the health plan that pays for the individual's health care, would have protected health information about the individual for health care operations purposes. However, an individual would not expect a health plan with which the individual has no relationship to be able to obtain identifiable information from his or her health care provider. Therefore, this proposed limitation would minimize the effect on privacy interests, while not interfering with covered entities' ability to continue to provide access to quality and effective health care. These provisions do not eliminate a covered entity's responsibility to apply the Privacy Rule's minimum necessary provisions to both the disclosure of and request for information for payment and health care operations purposes. In addition, the Department continues to strongly encourage the use of de-identified information wherever feasible. The Department, however, is aware that the above proposal could pose barriers to disclosures for quality-related health care operations to plans and health care providers that are not covered entities, or to entities that do not have a relationship with the individual. For example, the proposal could be a problem for hospitals that share aggregated but identifiable information with other hospitals for health care operations purposes, when the recipient hospital does not have a relationship with the individual who is the subject of the information being disclosed. While the Department believes the proposed modification strikes the right balance between privacy expectations and covered entities' need for information for such purposes, the Department is considering permitting the disclosure of information that is not facially identifiable for quality-related purposes, subject to a data use or similar agreement. This would permit uses and disclosures for such purposes of a limited data set that does not include facially identifiable information, but in which certain identifiers remain. The Department is requesting comment on whether this approach would strike a proper balance. See section III.I of the preamble regarding de- identification of protected health information for a detailed discussion of this proposed approach. Related to the above modifications, and in response to comments evidencing confusion on this matter, the Department proposes in Sec. 164.506(c)(5) to make it clear that covered entities participating in an organized health care arrangement (OHCA) may share protected health information for the health care operations of the OHCA. The Privacy Rule allows legally separate covered entities that are integrated clinically or operationally to be considered an OHCA for purposes of the Privacy Rule if protected health information must be shared among the covered entities for the joint management and operations of the arrangement. See the definition of "organized health care arrangement" in Sec. 164.501. Additionally, the Privacy Rule, in the definition of "health care operations," permits the sharing of protected health information in an OHCA for such activities. The Department proposes to remove the language regarding OHCAs from the definition of "health care operations" as unnecessary because such language now would appear in Sec. 164.506(c)(5). In addition, the Department proposes a conforming change to delete the word "covered" in paragraph (1)(i) of the definition of "payment." This change would be necessary because the proposal would permit disclosures to non-covered providers for their payment activities. B. Notice of Privacy Practices for Protected Health Information The Privacy Rule requires most covered entities to provide individuals with adequate notice of the uses and disclosures of protected health information that may be made by the covered entity, and of the individual's rights, and the covered entity's responsibilities, with respect to protected health information. See Sec. 164.520. Content requirements for the notice are specified in the Privacy Rule. There are also specific requirements, which vary based on the type of covered entity, for providing such notice to individuals. For example, a covered health care provider that has a direct treatment relationship with an individual must provide the notice by the date of the first service delivery and, if such provider maintains a physical service delivery site, must post the notice in a clear and prominent location. In addition, whenever the notice is revised, the provider must make the notice available upon request. If the covered provider maintains a website, the notice must also be available electronically on the web site. If the first service delivery to an individual is electronic, the covered provider must furnish electronic notice automatically and contemporaneously in response to the individual's first request for service. Proposed Modifications In order to preserve some of the most important benefits of the consent requirement, the Department proposes to modify the notice requirements at Sec. 164.520(c)(2) to require that a covered health care provider with a direct treatment relationship make a good faith effort to obtain an individual's written acknowledgment of receipt of the provider's notice of privacy practices. Other covered entities, such as health plans, would not be required to obtain this acknowledgment from individuals, but could do so if they chose. The Department believes that promoting individuals' understanding of privacy practices is an essential component of providing notice to individuals. In addition, the Department believes it is just good business practice to provide individuals with fair notice about how their information will be used, disclosed, and protected. This proposal would strengthen the notice process by incorporating into the notice process the "initial moment" between a covered health care provider and an individual, where individuals may focus on information practices and privacy rights and discuss any concerns related to the privacy of their protected health information. This express acknowledgment would also provide the opportunity for an individual to make a request for additional restrictions on the use or disclosure of his or her protected health information or for additional confidential treatment of communications, as permitted under Sec. 164.522. The Department intends the proposed notice acknowledgment requirement to be simple and not impose a significant burden on either the covered health care provider or the individual. First, the requirement for good faith efforts to obtain a written acknowledgment only applies to covered providers with direct treatment relationships. This is the same group of covered entities that would have been required to obtain consent under the Privacy Rule. The Department believes that these are the covered entities that have the most direct relationships with individuals, and therefore, the entities for which the requirement will provide the greatest privacy benefit to individuals with the least burden to covered entities. Second, the Department designed the timing of the proposed good faith acknowledgment requirement to limit the burden on covered entities by generally making it consistent with the [[Page 14784]] timing for notice distribution. Therefore, with one exception, a covered health care provider would be required to make good faith efforts to obtain a written acknowledgment of the notice at the time of first service delivery--the same time that the notice must be provided. The Department understands, however, that providing notice and obtaining an acknowledgment is not practicable during emergency treatment situations. In these situations, the Department proposes in Sec. 164.520(c)(2) to delay the requirement for provision of notice until reasonably practicable after the emergency treatment situation, and exempt health care providers from having to make a good faith effort to obtain the acknowledgment in emergency treatment situations. Third, the proposal does not prescribe in detail the form the acknowledgment must take. Rather, the Department proposes to require only that the acknowledgment be in writing, and intends to allow each covered health care provider to choose the form and other details of the acknowledgment that are best suited to the entity's practices and that will not pose an impediment to the delivery of timely, quality health care. While the Department believes that requiring the individual's signature is preferable because an individual is likely to pay more attention or more carefully read a document that he or she signs, the proposal does not require an individual's signature on the notice. An acknowledgment under this proposed modification also may be obtained, for example, by having the individual sign a separate list or simply initial a cover sheet of the notice to be retained by the covered entity. The proposal would not limit the manner in which a covered entity obtains the individual's acknowledgment of receipt of the notice. Most importantly, the proposed modification would require only the good faith effort of the provider to obtain the individual's acknowledgment. The Department understands that an individual may refuse to sign or otherwise fail to provide his or her acknowledgment. Unlike the Privacy Rule's consent requirement, an individual's failure or refusal to acknowledge the notice, despite a covered entity's good faith efforts to obtain such signature, would not interfere with the provider's ability to deliver timely and effective treatment. Failure by a covered entity to obtain an individual's acknowledgment, assuming it otherwise documented its good faith effort, would not be considered a violation of the Privacy Rule. Compliance with this requirement would be achieved in a particular case if the provider with a direct treatment relationship either: (1) Obtained a written acknowledgment, or (2) made a good faith effort to obtain such acknowledgment and documented such efforts and the reason for failure. Such reason for failure simply may be, for example, that the individual refused to sign after being requested to do so. In addition to the individual's failure or refusal to acknowledge receipt of the notice, this proposed provision is intended to allow covered health care providers flexibility to deal with a variety of circumstances in which obtaining an acknowledgment is problematic. The requirement for a good faith effort to obtain the individual's acknowledgment would apply, except in emergency treatment situations, to the provision of notice on the first delivery of service, regardless of whether such service is provided in person or electronically. When electronic notice is provided as part of the first service delivery, the system should be capable of capturing the individual's acknowledgment of receipt electronically. The Department does not anticipate that a notification of receipt would be difficult or costly to design. Documentation requirements under this proposal would be required to comply with the documentation requirements in Sec. 164.530(j). In addition, nothing in the proposed requirements described above would relieve any covered entity from its duty to provide the notice in plain language so that the average reader can understand the notice. As stated in the preamble to the Privacy Rule, the Department encourages covered entities to consider alternative means of communicating with certain populations, such as with individuals who cannot read or who have limited English proficiency. C. Minimum Necessary and Oral Communications The Privacy Rule at Sec. 164.502(b) generally requires covered entities to make reasonable efforts to limit the use or disclosure of, and requests for, protected health information to the minimum necessary to accomplish the intended purpose. Protected health information includes individually identifiable health information in any form, including information transmitted orally, or in written or electronic form. See the definition of "protected health information" at Sec. 164.501. The minimum necessary standard is intended to make covered entities evaluate their practices and enhance protections as needed to limit unnecessary or inappropriate access to, and disclosures of, protected health information. The Privacy Rule sets forth requirements at Sec. 164.514(d) for implementing the minimum necessary standard with regard to a covered entity's uses, disclosures, and requests. Essentially, a covered entity is required to develop and implement policies and procedures appropriate to the entity's business practices and workforce that reasonably minimize the amount of protected health information used, disclosed, and requested; and, for uses of protected health information, that also limit who has access to such information. Specifically, for uses of protected health information, the policies and procedures must identify the persons or classes of persons within the covered entity who need access to the information to carry out their job duties, the categories or types of protected health information needed, and conditions appropriate to such access. For routine or recurring requests and disclosures, the policies and procedures may be standard protocols. Non-routine requests for and disclosures of protected health information must be reviewed individually. With regard to disclosures, the Privacy Rule permits a covered entity to rely on the judgment of certain parties requesting the disclosure as to the minimum amount of information that is needed. For example, a covered entity is permitted to reasonably rely on representation from a public health official that the protected health information requested is the minimum necessary for a public health purpose. Similarly, a covered entity is permitted to reasonably rely on the judgment of another covered entity requesting a disclosure that the information requested is the minimum amount of information reasonably necessary to fulfill the purpose for which the request has been made. See Sec. 164.514(d)(3)(iii). The Privacy Rule contains some exceptions to the minimum necessary standard. The minimum necessary requirements do not apply to uses or disclosures that are required by law, disclosures made to the individual or pursuant to an authorization initiated by the individual, disclosures to or requests by a health care provider for treatment purposes, uses or disclosures that are required for compliance with the regulations implementing the other administrative simplification provisions of HIPAA, or disclosures to the Secretary of HHS for enforcement purposes. See Sec. 164.502(b)(2). [[Page 14785]] The Department received much, varied commentary both on the minimum necessary provisions, as well as on the Privacy Rule's protections of oral communications. The following discussion addresses the concerns identified by commenters that were common to both the Privacy Rule's standards for minimum necessary as well as protecting oral communications, and describes the Department's proposal for modifying the Privacy Rule in response to these concerns. In addition, the Department proposes to modify certain other paragraphs within Sec. 164.514(d) to clarify the Department's intent with respect to these provisions. The Department also discusses some of the other concerns that have been received, which the Department attempted to address in its July 6 guidance on the Privacy Rule. Lastly, the Department describes the recommendations provided to the Department by the NCVHS as a result of public testimony received on implementation of the minimum necessary standard, as well as the Department's response to these recommendations. Public Comments--Incidental Uses and Disclosures During the March 2001, comment period on the Privacy Rule, the Department received a number of comments raising concerns and questions as to whether the Privacy Rule's restrictions on uses and disclosures will prohibit covered entities from engaging in certain common and essential health care communications and practices in use today. Commenters were concerned that the Department is imposing through the Privacy Rule absolute, strict standards that would not allow for the incidental or unintentional disclosure that could occur as a by-product of engaging in these health care communications and practices. It was argued that the Privacy Rule will, in effect, prohibit such practices and, therefore, impede many activities and communications essential to effective and timely treatment of patients. These concerns were raised both in the context of applying the Privacy Rule's protections to oral communications, as well as in implementing the minimum necessary standard. For example, with regard to oral communications, commenters expressed concern over whether health care providers may continue to engage in confidential conversations with other providers or with patients, if there were a possibility that they could be overheard. As examples, commenters specifically questioned whether health care staff can continue to: coordinate services at hospital nursing stations orally; discuss a patient's condition over the phone with the patient or another provider, if other people are nearby; discuss lab test results with a patient or other provider in a joint treatment area; call out a patient's name in a waiting room; or discuss a patient's condition during training rounds in an academic or training institution. Many covered entities also expressed confusion and concern that the Privacy Rule will stifle or unnecessarily burden many of their current health care practices. For example, commenters questioned whether they will be prohibited from using sign-in sheets in waiting rooms or maintaining patient charts at bedside, or whether they will need to isolate X-ray lightboards or destroy empty prescription vials. These concerns seemed to stem from a perception that covered entities will be required to prevent any incidental disclosure such as those that may occur when a visiting family member or other person not authorized to access protected health information happens to walk by medical equipment or other material containing individually identifiable health information, or when individuals in a waiting room sign their name on a log sheet and glimpse the names of other patients. Proposed Modifications--Incidental Uses and Disclosures The Department, in its July 6 guidance, clarified that the Privacy Rule is not intended to impede customary and necessary health care communications or practices, nor to require that all risk of incidental use or disclosure be eliminated to satisfy its standards. So long as reasonable safeguards are employed, the burden of impeding such communications are not outweighed by any benefits that may accrue to individuals' privacy interests. The guidance assured that the Privacy Rule would be modified to clarify that such communications and practices may continue, if reasonable safeguards are taken to minimize the chance of incidental disclosure to others. Accordingly, the Department proposes to modify the Privacy Rule to add a new provision at Sec. 164.502(a)(1)(iii) which explicitly permits certain incidental uses and disclosures that occur as a result of an otherwise permitted use or disclosure under the Privacy Rule. An incidental use or disclosure would be a secondary use or disclosure that cannot reasonably be prevented, is limited in nature, and that occurs as a by-product of an otherwise permitted use or disclosure under the Privacy Rule. The Department proposes that an incidental use or disclosure be permissible only to the extent that the covered entity has applied reasonable safeguards as required by Sec. 164.530(c), and implemented the minimum necessary standard, where applicable, as required by Secs. 164.502(b) and 164.514(d). Under this proposal, an incidental use or disclosure that occurs as a result of a failure to apply reasonable safeguards or the minimum necessary standard, as appropriate, is not a permissible use or disclosure and is, therefore, a violation of the Privacy Rule. For example, a covered entity that asks for a patient's health history on the waiting room sign-in sheet is not abiding by the minimum necessary requirements and, therefore, any incidental disclosure of such information that results from this practice would be an unlawful disclosure under the Privacy Rule. Further, this proposed modification is not intended to excuse erroneous uses or disclosures or those that result from mistake or neglect. The Department would not consider such uses and disclosures to be incidental as they do not occur as a by-product of an otherwise permissible use or disclosure. For example, an impermissible disclosure would occur when a covered entity mistakenly sends protected health information via electronic mail to the wrong recipient or when protected health information is erroneously made accessible to others through the entity's web site. Proposed Modifications to the Minimum Necessary Standard Section 164.502(b)(2) sets forth the exceptions to the minimum necessary standard in the Privacy Rule. The Department proposes to separate Sec. 164.502(b)(2)(ii) into two subparagraphs (Sec. 164.502(b)(2)(ii) and (iii)) to eliminate confusion regarding the exception to the minimum necessary standard for uses or disclosures made pursuant to an authorization under Sec. 164.508 and those for disclosures made to the individual. Additionally, to conform to the proposal to eliminate the special authorizations required by the Privacy Rule at Sec. 164.508(d), (e), and (f) (see section III.H for the relevant preamble discussion regarding authorization), the Department proposes to expand the exception for authorizations to apply generally to any authorization executed pursuant to Sec. 164.508. Therefore, the proposal would exempt from the minimum necessary standard any uses or disclosures for which the covered entity [[Page 14786]] has received an authorization that meets the requirements of Sec. 164.508. The Privacy Rule at Sec. 164.514(d) lists the standard and the specific requirements for implementing the minimum necessary standard. The Department proposes to modify Sec. 164.514(d)(1) to delete the term "reasonably ensure" in response to concerns that the term connotes an absolute, strict standard and, therefore, is inconsistent with how the Department has described the minimum necessary requirements as being reasonable and flexible to the unique circumstances of the covered entity. In addition, the Department generally revises the language to be more consistent with the description of standards elsewhere in the Privacy Rule. The Privacy Rule at Sec. 164.514(d)(4) consists of the implementation specifications for applying the minimum necessary standard to a request for protected health information. The Department intended these provisions to be consistent with the requirements set forth in Sec. 164.514(d)(3) for applying the minimum necessary standard to disclosures of protected health information, so that covered entities would be able to address requests and disclosures in a similar manner. However, with respect to requests not made on a routine and recurring basis, the Department omitted from Sec. 164.514(d)(4) the requirement that a covered entity may implement this standard by developing criteria designed to limit its request for protected health information to the minimum necessary to accomplish the intended purpose. The Department proposes to add such a provision to make the implementation specifications for applying the minimum necessary standard to requests for protected health information by a covered entity more consistent with the implementation specifications for disclosures. Other Comments on the Minimum Necessary Standard In addition to the comments described above regarding incidental uses or disclosures, the Department received many other varied comments expressing both support of, and concerns about, the minimum necessary standard. The Department, in its July 6, 2001, guidance, attempted to address many of the commenters' concerns by clarifying the Department's intent with respect to the minimum necessary provisions. For example, many commenters expressed concerns about the costs and burden to covered entities in implementing the standard. A number of these commenters questioned whether they will be required to redesign office space or implement expensive upgrades to computer systems. The Department's guidance emphasized that the minimum necessary standard is a reasonableness standard, intended to be flexible to account for the characteristics of the entity's business and workforce. The standard is not intended to override the professional judgment of the covered entity. The Department clarified that facility redesigns and expensive computer upgrades are not specifically required by the minimum necessary standard. Covered entities may, however, need to make certain adjustments to their facilities, as reasonable, to minimize access or provide additional security. For example, covered entities may decide to isolate and/or lock file cabinets or records rooms, or provide additional security, such as passwords, on computers that maintain protected health information. A number of commenters, especially health care providers, also expressed concern that the minimum necessary restrictions on uses within the entity will jeopardize patient care and exacerbate medical errors by impeding access to information necessary for treatment purposes. These commenters urged the Department to expand the treatment exception to cover uses of protected health information within the entity. Other commenters urged the Department to exempt all uses and disclosures for treatment, payment, and health care operations purposes from the minimum necessary standard. The Privacy Rule is not intended to impede access by health care professionals to information necessary for treatment purposes. As the Department explained in its guidance, a covered entity is permitted to develop policies and procedures that allow for the appropriate individuals within the entity to have access to protected health information, including entire medical records, as appropriate, so that those workforce members are able to provide timely and effective treatment. With regard to payment and health care operations, the Department remains concerned, as stated in the preamble to the Privacy Rule, that, without the minimum necessary standard, covered entities may be tempted to disclose an entire medical record when only a few items of information are necessary, to avoid the administrative step of extracting or redacting information. The Department also believes that this standard will cause covered entities to assess their privacy practices, give the privacy interests of their patients and enrollees greater attention, and make improvements that might otherwise not be made. For these reasons, the Department continues to believe that the privacy benefits of retaining the minimum necessary standard for these purposes outweigh the burdens involved. In addition, the NCVHS Subcommittee on Privacy and Confidentiality solicited public testimony on implementation of the minimum necessary standard of the Privacy Rule at its August 2001 public hearings. The testimony reflected a wide range of views, from those who commented that the Privacy Rule provides sufficient protections on individually identifiable health information without the minimum necessary standard, to those who expressed strong support for the standard as an integral part of the Privacy Rule. A number of panelists welcomed the flexibility of the standard, while others expressed concern that the vagueness of the standard might restrict the necessary flow of information, impede care, and lead to an increase in defensive information practices that would lead to the withholding of important information for fear of liability. Testimony also reflected differing views on the cost and administrative burden of implementing the standard. Some expressed much concern regarding the increased cost and burden, while others argued that the cost will be barely discernable. The NCVHS developed recommendations on the minimum necessary standard based on the testimony and written comments provided at the hearings. In its recommendations, the NCVHS strongly reaffirmed the importance of the minimum necessary principle, but also generally recommended that HHS provide additional clarification and guidance to industry regarding the minimum necessary requirements to assist with effective implementation of these provisions, while allowing for the necessary flow of information and minimizing defensive information practices. While the NCVHS pointed out that many panelists at the hearing found the Department's July 6 guidance helpful in addressing questions about the minimum necessary standard, the Committee heard that many questions still remain within the industry. Therefore, the NCVHS specifically requested further guidance by the Department on the reasonable reliance provisions, and the requirement that covered entities develop policies and procedures for addressing routine uses [[Page 14787]] of information. In addition, the NCVHS recommended that the Department provide education to address the increasing concerns about liability and defensive information practices that may lessen the flow of information and impede care. The NCVHS generally recommended that the Department issue advisory opinions, publish best practices, and make available model policies, procedures, and forms to assist in alleviating the cost and administrative burden that will be incurred when developing policies and procedures as required by the minimum necessary provisions. The Department agrees with the NCVHS about the need for further guidance on the minimum necessary standard and intends to issue further guidance to clarify issues causing confusion and concern in the industry, as well as provide additional technical assistance materials to help covered entities implement the provisions. D. Business Associates The Privacy Rule at Sec. 164.502(e) permits a covered entity to disclose protected health information to a business associate who performs a function or activity on behalf of, or provides a service to the covered entity that involves the creation, use, or disclosure of, protected health information, provided that the covered entity obtains satisfactory assurances that the business associate will appropriately safeguard the information. The Department recognizes that most covered entities do not perform or carry out all of their health care activities and functions by themselves, but rather acquire the services or assistance of a variety of other persons or entities. Given this framework, the Department intended these provisions to allow such business relationships to continue while ensuring that identifiable health information created or shared in the course of the relationships was protected. The Privacy Rule requires that the satisfactory assurances obtained from the business associate be in the form of a written contract (or other written arrangement as between governmental entities) between the covered entity and the business associate that contains the elements specified at Sec. 164.504(e). For example, the agreement must identify the uses and disclosures of protected health information the business associate is permitted or required to make, as well as require the business associate to put in place appropriate safeguards to protect against a use or disclosure not permitted by the contract or agreement. The Privacy Rule also provides that, where a covered entity knows of a material breach or violation by the business associate of the contract or agreement, the covered entity is required to take reasonable steps to cure the breach or end the violation, and if such steps are unsuccessful, to terminate the contract or arrangement. If termination of the contract or arrangement is not feasible, a covered entity then is required to report the problem to the Secretary of HHS. A covered entity that violates the satisfactory assurances it provided as a business associate of another covered entity will be in noncompliance with the Privacy Rule's business associate provisions. The Privacy Rule's definition of "business associate" at Sec. 160.103 includes some of the functions or activities, and all of the types of services, that make a person or entity who engages in them a business associate, if such activity or service involves protected health information. For example, a third party administrator (TPA) is a business associate of a health plan to the extent the TPA assists the health plan with claims processing or another covered function. Similarly, accounting services performed by an outside consultant give rise to a business associate relationship when provision of the service entails access to the protected health information held by a covered entity. The Privacy Rule excepts from the business associate standard certain uses or disclosures of protected health information. That is, in certain situations, a covered entity is not required to have a contract or other written agreement in place before disclosing protected health information to a business associate or allowing protected health information to be created by the business associate on its behalf. Specifically, the standard does not apply to: disclosures by a covered entity to a health care provider for treatment purposes; disclosures to the plan sponsor by a group health plan, or a health insurance issuer or HMO with respect to a group health plan, to the extent that the requirements of Sec. 164.504(f) apply and are met; or to the collection and sharing of protected health information by a health plan that is a public benefits program and an agency other than the agency administering the health plan, where the other agency collects protected health information for, or determines, eligibility or enrollment with respect to the government program, and where such activity is authorized by law. See Sec. 164.502(e)(1)(ii). Public Comments The Department has received many comments on the business associate provisions of the Privacy Rule. The majority of commenters expressed some concern over the anticipated administrative burden and cost to implement the business associate provisions. Some commenters stated that covered entities might have existing contracts that are not set to terminate or expire until after the compliance date of the Privacy Rule. Many of these commenters expressed specific concern that the two- year compliance period does not provide enough time to reopen and renegotiate what could be hundreds or more contracts for large covered entities. A number of these commenters urged the Department to grandfather in existing contracts until such contracts come up for renewal instead of requiring that all contracts be in compliance with the business associate provisions by the compliance date of the Privacy Rule. In response to these comments, the Department intends to relieve some of the burden on covered entities in complying with the business associate provisions, both by proposing to grandfather certain existing contracts for a specified period of time, as well as publishing model contract language. These proposed changes are discussed below in this section under "Proposed Modifications." In addition, commenters continued to express concern over a perceived liability imposed by the Privacy Rule that would essentially require that the covered entity monitor, and be responsible for, the actions of its business associates with respect to the privacy and safeguarding of protected health information. However, the Privacy Rule only requires that, where a covered entity knows of a pattern of activity or practice that constitutes a material breach or violation of the business associate's obligation under the contract, the covered entity take steps to cure the breach or end the violation. Accordingly, the Department, in its July 6 guidance, clarified that active monitoring of the actions of business associates is not required of covered entities, and more importantly, that covered entities are not responsible or liable for the actions of their business associates. A number of commenters urged the Department to exempt covered entities from having to enter into contracts with business associates who are also covered entities under the Privacy Rule. The Department continues to believe, as stated in the preamble to the Privacy Rule, that a covered entity that is a [[Page 14788]] business associate should be restricted from using or disclosing the protected health information it creates or receives through its business associate function for any purposes other than those explicitly provided for in its contract. In addition, the contract serves to clarify the uses and disclosures made as, and the protected health information held by, the covered entity, versus those uses and disclosures made as, and the protected health information held by, the same entity as the business associate. Many commenters continued to express concerns that requiring business associate contracts between health care providers in treatment situations would burden and impede quality care. The Department clarifies that the Privacy Rule does not require a contract for a covered entity to disclose protected health information to a health care provider for treatment purposes. In fact, such disclosures are explicitly excepted from the business associate requirements. See Sec. 164.502(e)(1). For example, a hospital is not required to have business associate contracts with health care providers who have staff privileges at the institution in order for these entities to share protected health information for treatment purposes. Nor is a physician required to have a business associate contract with a laboratory as a condition of disclosing protected health information for the treatment of an individual. Some commenters requested clarification as to whether business associate contracts were required between a health plan and the health care providers participating in the plan's network. Participation in a plan network in and of itself does not give rise to a business associate relationship to the extent that neither entity is performing functions or activities, or providing services to, the other entity. For example, each covered entity is acting on its own behalf when a provider submits a claim to a health plan, and when the health plan assesses and pays the claim. Discount payment arrangements do not require business associate relationships. However, this does not preclude a covered entity from establishing a business associate relationship with the health plan or another entity in the network for some other purpose. If the health plan and one or more of the providers participating in its network do perform covered functions on behalf of each other, a business associate agreement is required. For example, if one health care provider handles the billing activities of another health care provider in the same network, a business associate contract would be required before protected health information could be disclosed for this activity. Proposed Modifications The Department proposes new transition provisions at Sec. 164.532(d) and (e) to allow covered entities, other than small health plans, to continue to operate under certain existing contracts with business associates for up to one year beyond the April 14, 2003, compliance date of the Privacy Rule. This modification is proposed in response to commenter concerns regarding the insufficient time provided by the two-year period between the effective date and compliance date of the Privacy Rule for covered entities, especially large entities, to reopen and renegotiate all existing vendor and service contracts in order to bring such contracts into compliance with the Privacy Rule's requirements. The additional transition period would be available to a covered entity, other than a small health plan, if, prior to the effective date of this transition provision, the covered entity has an existing contract or other written arrangement with a business associate, and such contract or arrangement is not renewed or modified between the effective date of this provision and the Privacy Rule's compliance date of April 14, 2003. The provisions are intended to allow those covered entities who qualify as described above to continue to disclose protected health information to the business associate, or allow the business associate to create or receive protected health information on its behalf, for up to one year beyond the Privacy Rule's compliance date, regardless of whether the contract meets the applicable contract requirements in the Privacy Rule. The Department proposes to deem such contracts to be compliant with the Privacy Rule until either the covered entity has renewed or modified the contract following the compliance date of the Privacy Rule (April 14, 2003), or April 14, 2004, whichever is sooner. In cases where a contract simply renews automatically without any change in terms or other action by the parties (also known as "evergreen contracts"), the Department intends that such evergreen contracts would be eligible for the extension and that deemed compliance would not terminate when these contracts automatically roll over. Covered entities that were concerned about timely compliance wanted to be able to incorporate the business associate contract requirements at the time they would otherwise be modifying or renewing the contract. Therefore, the extension would only apply until such time as the contract is modified or renewed following the effective date of this modification. Furthermore, the Department proposes to limit the deemed compliance period to one year, as the appropriate balance between maintaining individuals' privacy interests and alleviating the burden on the covered entity. These transition provisions would apply to covered entities only with respect to written contracts or other written arrangements as specified above, and not to oral contracts or other arrangements. In addition, a covered entity that enters into a contract after the effective date of this modification must have a business associate contract that meets the applicable requirements of Secs. 164.502(e) and 164.504(e) by April 14, 2003. The proposed transition provisions would not apply to small health plans, as defined in the Privacy Rule. Small health plans would still be required to have business associate contracts that are in compliance with the Privacy Rule's applicable provisions, by the Privacy Rule's compliance deadline for such covered entities of April 14, 2004. The Department proposes to exclude this subset of covered entities from these provisions because the statute already provides an additional year for these smaller entities to come into compliance, which should be sufficient for compliance with the Privacy Rule's business associate provisions. In addition, the Department believes that the proposed model contract provisions (see the Appendix to the preamble) will assist small health plans and other covered entities in their implementation of the Privacy Rule's business associate provisions by April 14, 2004. Proposed Sec. 164.532(e)(2) provides that, after the Privacy Rule's compliance date, these new provisions would not relieve a covered entity of its responsibilities with respect to making protected health information available to the Secretary, including information held by a business associate, as necessary for the Secretary to determine compliance. Similarly, under proposed Sec. 164.532(e)(2), these provisions would not relieve a covered entity of its responsibilities with respect to an individual's rights to access or amend his or her protected health information held by business associates, or receive an accounting of uses and disclosures by business associates, as provided for by the Privacy Rule's requirements at Secs. 164.524, 164.526, and 164.528. Covered entities would still be required to fulfill individuals' rights with respect to their protected health information, [[Page 14789]] including information held by a business associate of the covered entity. Covered entities must ensure, in whatever manner effective, the appropriate cooperation by their business associates in meeting these requirements. The Department retains without modification the standards and implementation specifications that apply to business associate relationships as set forth at Secs. 164.502(e) and 164.504(e), respectively, of the Privacy Rule. E. Uses and Disclosures of Protected Health Information for Marketing The Privacy Rule defines "marketing" at Sec. 164.501 as a communication about a product or service, a purpose of which is to encourage recipients of the communication to purchase or use the product or service, subject to certain limited exceptions. The definition does not limit the type or means of communication that is considered marketing. In general, a covered entity is not permitted to use or disclose protected health information for the purposes of marketing products or services that are not health-related without the express authorization of the individual. Moreover, the Privacy Rule prohibits a covered entity from selling lists of patients or enrollees to third parties, or from disclosing protected health information to a third party for the independent marketing activities of the third party, without the express authorization of the individual. The Department understands that covered entities need to be able to discuss their own health-related products and services, or those of third parties, as part of their everyday business and as part of promoting the health of their patients and enrollees. For example, a health care provider may recommend to a patient a particular brand name drug for the treatment of that patient. Even though these communications also meet the above definition of "marketing," the Privacy Rule does not require an authorization for such communications. Instead, the Privacy Rule addresses these types of health-related communications in two ways. First, the Department did not want to interfere with or unnecessarily burden communications about treatment or about the benefits and services of plans and providers. Therefore, the Privacy Rule explicitly excludes from the definition of "marketing" certain health-related communications that may be part of a covered entity's treatment of the individual or its health care operations, but that may also promote the use or sale of a service or product. For example, communications made by a covered entity for the purpose of describing the participating providers and health plans in a network, or describing the services offered by a provider or the benefits covered by a health plan, are excluded from the definition of "marketing." In addition, communications made by a health care provider as part of the treatment of a patient and for the purpose of furthering that treatment, or made by a covered entity in the course of managing an individual's treatment or recommending an alternative treatment, are not considered marketing under the Privacy Rule. These exceptions do not apply, however, to written communications for which a covered entity is compensated by a third party. The Department intended that covered entities be able to discuss freely their products and services and the products and services of others in the course of managing an individual's health care or providing or discussing treatment alternatives with an individual. Under the Privacy Rule, therefore, covered entities are permitted to use and disclose protected health information for these excepted activities without authorization under Sec. 164.508. Second, the Privacy Rule permits, at Sec. 164.514(e), covered entities to use and disclose protected health information without individual authorization for other health-related communications that meet the definition of "marketing," subject to certain conditions on the manner in which the communications are made. The Privacy Rule does not condition the substance of health-related marketing communications. Rather, it attempts to assure that individuals are aware of the source of the communication and the reason they received such communications, as well as to provide individuals with some control over whether or not they receive these communications in the future. Specifically, the Privacy Rule permits a covered entity to use or disclose protected health information to communicate to individuals about the health-related products or services of the covered entity or of a third party if the communication: (1) Identifies the covered entity as the party making the communication; (2) identifies, if applicable, that the covered entity received direct or indirect remuneration from a third party for making the communication; (3) generally contains instructions describing how the individual may opt out of receiving future communications about health-related products and services; and (4) where protected health information is used to target the communication about a product or service to individuals based on their health status or health condition, explains why the individual has been targeted and how the product or service relates to the health of the individual. The Privacy Rule also requires a covered entity to make a determination, prior to using or disclosing protected health information to target a communication to individuals based on their health status or condition, that the product or service may be beneficial to the health of the type or class of individual targeted to receive the communication. For certain permissible marketing communications, however, the Department did not believe these conditions to be practicable. Therefore, Sec. 164.514(e) also permits, without the above conditions, a covered entity to make a marketing communication that occurs in a face-to-face encounter with the individual, or that involves products or services of only nominal value. These provisions permit a covered entity to discuss services and products, as well as provide sample products without restriction, during a face-to-face communication, or distribute calendars, pens, and other merchandise that generally promote a product or service if they are of only nominal value. Public Comments The Department received many comments on the Privacy Rule's marketing requirements, as well as recommendations from the NCVHS, based on public testimony from trade associations, medical associations, insurance commissioners, academic medical centers, non- profit hospitals, and consumers. Both industry and consumer groups argued that the marketing provisions were complicated and confusing. Covered entities expressed confusion over the Privacy Rule's distinction between health care communications that are excepted from the definition of "marketing" versus those that are marketing but permitted subject to the special conditions in Sec. 164.514(e). For example, commenters questioned if, and if so, when, disease management communications or refill reminders are "marketing" communications subject to the special disclosure and opt-out conditions in Sec. 164.514(e). Commenters also stated that it was unclear how to characterize various health care operations activities, such as general health-related educational and wellness promotional activities, and therefore unclear how to treat such activities under the marketing provisions of the Privacy Rule. The Department also learned of a general dissatisfaction by consumers [[Page 14790]] with the conditions required by Sec. 164.514(e). Many commenters questioned the general effectiveness of the conditions and whether the conditions would properly protect consumers from unwanted disclosure of protected health information to commercial entities, the re-disclosure of the information by these commercial entities, and the intrusion of unwanted solicitations. They did not feel that they were protected by the fact that commercial entities handling the protected health information would be subject to business associate agreements with covered entities. In addition, commenters expressed specific dissatisfaction with the provision at Sec. 164.514(e)(3)(iii) for individuals to opt out of future marketing communications. Many argued for the opportunity to opt out of marketing communications before any marketing occurred. Others requested that the Department limit marketing communications to only those consumers that affirmatively chose to be the target of such communications. Proposed Modifications In response to these concerns, the Department proposes to modify the Privacy Rule to make the marketing provisions clearer and simpler. First, and most significantly, the Department proposes to simplify the Privacy Rule by eliminating the special provisions for marketing health-related products and services at Sec. 164.514(e). Instead, any communication defined as "marketing" in Sec. 164.501 would require authorization by the individual. In contrast to the Privacy Rule, under these proposed modifications, covered entities would no longer be able to make any type of marketing communications without authorization simply by meeting the disclosure and opt-out provisions in the Privacy Rule. The Department believes that requiring authorization for all marketing communications would effectuate greater consumer privacy protection not currently afforded by the disclosure and opt-out conditions of Sec. 164.514(e) of the Privacy Rule. Second, the Department proposes to maintain the substance of the Privacy Rule's definition of "marketing" at Sec. 164.501, with minor clarifications. Specifically, the Department proposes to define "marketing" as "to make a communication about a product or service to encourage recipients of the communication to purchase or use the product or service." The proposed modification retains the substance of the "marketing" definition, but changes the language slightly to avoid the implication that marketing is tied to the intent of the communication. Removing language referencing the purpose of the communication would shift the assessment of whether a communication is marketing from the intent of the speaker to the effect of the communication. If the effect of the communication is to encourage recipients of the communication to purchase or use the product or service, the communication would be marketing. Third, with respect to the exclusions from the definition of "marketing" in Sec. 164.501, the Department has tried to simplify the language to avoid confusion and better conform to other sections of the regulation, particularly in the area of treatment communications, and is proposing one substantive change. The modified language reads as follows: "(1) To describe the entities participating in a health care provider network or health plan network, or to describe if, and the extent to which, a product or service (or payment for such product or service) is provided by a covered entity or included in a plan of benefits; (2) For treatment of that individual; or (3) For case management or care coordination for that individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to that individual." With respect to the third exclusion, the Department is proposing to replace a communication made "in the course of managing the treatment of that individual," with a communication for "case management" or "care coordination" for that individual. The Department is proposing these changes for clarity because "case management" and "care coordination" are the terms that are used in the definition of "health care operations," while "managing the treatment of that individual" is not. These changes are not intended to increase the scope of the marketing exclusions. The Department is proposing to eliminate the distinction in the definition of "marketing" at Sec. 164.501 pertaining to written communications for which a covered entity is compensated by a third party. Under the Privacy Rule, exceptions from the definition of "marketing" are only applicable if the communication is made either orally or in writing when no remuneration from a third party has been paid to a covered entity for making the communication. The Department found that these rules led to confusion and many questions about treatment-related communications, such as prescription refill reminders. Many commenters felt that these restriction rules could burden the ability of providers and patients to communicate freely about treatment. Most commenters did not want any treatment communications to be considered marketing. The Department understands these concerns and wants to avoid situations where a health care provider would be required to obtain an authorization to send out a prescription refill reminder, even if the provider is compensated by a third party for the activity. Therefore, the Department proposes to eliminate this provision in order to facilitate necessary and important treatment communications. None of these proposed modifications change the basic prohibition in the Privacy Rule against covered entities selling lists of patients or enrollees to third parties, or from disclosing protected health information to a third party for the independent marketing activities of a third party, without the express authorization of the individual. The Department received numerous comments suggesting that the Privacy Rule's marketing exceptions in the definition and under Sec. 164.514(e) may not allow for certain common health care communications, such as disease management, wellness programs, prescription refill reminders, and appointment notifications that individuals expect to receive as part of their health care to continue unimpeded. The Department believes that these types of communications are allowed under the exceptions to the definition of "marketing" in the Privacy Rule, and therefore would continue to be allowed under the proposed modification. The Department is interested in comments identifying specific types of communication that should or should not be considered marketing. To reinforce the policy requiring an authorization for most marketing communications, the Department proposes to add a specific marketing provision at Sec. 164.508(a)(3) explicitly requiring an authorization for a use or disclosure of protected health information for marketing purposes. Additionally, if the marketing is expected to result in direct or indirect remuneration to the covered entity from a third party, the Department proposes that the authorization state this fact. As in the Privacy Rule at Sec. 164.514(e)(2), proposed Sec. 164.508(a)(3) would exclude from the marketing authorization requirements face-to-face communications made by a covered entity to an individual. The Department proposes to retain this exception in the Privacy Rule so that the marketing provisions would not interfere with the [[Page 14791]] relationship and dialogue between health care providers and individuals. Similarly, the Department proposes to retain the Privacy Rule's exception to the authorization requirement for a marketing communication that concerns products or services of nominal value, but proposes to replace the language with the common business term "promotional gift of nominal value." Given the above proposal, the Department also proposes to remove Sec. 164.514(e) as unnecessary. Accordingly, conforming changes to remove references to Sec. 164.514(e) are proposed at Sec. 164.502(a)(1)(vi) and in paragraph (6)(v) of the definition of "health care operations" in Sec. 164.501. With the elimination of the special rules in Sec. 164.514(e), the Department thereby proposes to eliminate the requirement that disclosures for health-related marketing are limited to disclosures to business associates hired to assist the covered entity with the communication. Under the proposed rule, this distinction would serve no purpose, because an authorization would be required for such disclosures and thus the individual would know from the face of the authorization who will receive the information. Similarly, this simplification also would eliminate the requirement that a marketing communication identify the covered entity responsible for the communication. Under the proposal, the individual would have authorized the disclosure and thus would know which plans and providers are disclosing health information for marketing purposes. There would be added burden but no benefit in retaining an additional notification requirement. F. Parents as Personal Representatives of Unemancipated Minors \1\ --------------------------------------------------------------------------- \1\ Throughout this section of the preamble, "minor" refers to an unemancipated minor and "parent" refers to a parent, guardian, or other person acting in loco parentis. --------------------------------------------------------------------------- The Privacy Rule is intended to assure that parents have appropriate access to health information about their children. By generally creating new protections and individual rights with respect to individually identifiable health information, the Privacy Rule establishes new rights for parents with respect to the health information about their minor children in the vast majority of cases. In addition, the Department intended that State or other applicable law regarding disclosure of health information about a minor child to a parent should govern where such law exists. Under the Privacy Rule, parents are granted new rights with respect to health information about their minor children as the personal representatives of their minor children. See Sec. 164.502(g). Generally, parents will be able to access and control the health information about their minor children. See Sec. 164.502(g)(3). The Privacy Rule recognizes a limited number of exceptions to this general rule. These exceptions generally track the ability of certain minors to obtain specified health care without parental consent under State or other applicable laws. For example, every State has a law that permits adolescents to be tested for HIV without the consent of a parent. These laws are created to assure that adolescents will seek health care that is essential to their own health, as well as public health. In these exceptional cases, where a minor can obtain a particular health care service without the consent of a parent under State or other applicable law, it is the minor and not the parent who may exercise the privacy rights afforded to individuals under the Privacy Rule. See Sec. 164.502(g)(3)(i)-(ii). The Privacy Rule also allows the minor to exercise control of the protected health information when the parent has agreed to the minor obtaining confidential treatment (see Sec. 164.502(g)(3)(iii)), and allows a covered health care provider to choose not to treat a parent as a personal representative of the minor when the provider is concerned about abuse or harm to the child. See Sec. 164.502(g)(5). Of course, a covered provider always may disclose health information about a minor to a parent in the most important cases, even if one of the limited exceptions discussed above apply. Disclosure of such information is always permitted as necessary to avert a serious and imminent threat to the health or safety of the minor. See Sec. 164.512(j). The Privacy Rule also states that disclosure of health information about a minor to a parent is permitted if State law authorizes or requires disclosure to a parent, thereby allowing such disclosure where State law determines it is appropriate. See Sec. 160.202, definition of "more stringent." Finally, health information about the minor may be disclosed to the parent if the minor involves the parent in his or her health care and does not object to such disclosure. See Secs. 164.502(g)(3)(i) and 164.510(b). The parent will retain all rights concerning any other health information about his or her minor child that does not meet one of the exceptions. Rationale for Privacy Rule's Provisions Regarding Parents and Minors The Department continues to balance multiple goals in developing standards in the Privacy Rule with respect to parents and minors. First, the standards need to operate in a way that facilitates access to quality health care. This is an overarching goal throughout the Privacy Rule and is equally important here. Thus, the Department wants to ensure that parents have appropriate access to the health information about their minor children to make important health care decisions about them. The Department also wants to make sure that the Privacy Rule does not interfere with a minor's ability to consent to and obtain health care under current State or other applicable law. Second, the Department does not want to interfere with State or other applicable laws related to competency or parental rights, in general, or the role of parents in making health care decisions about their minor children, in particular. Third, the Department does not want to interfere with the professional requirements of State medical boards or other ethical codes of health care providers with respect to confidentiality of health information or health care practices of such providers with respect to adolescent health care. As a result of these competing goals, the Department's approach continues to be that the standards, implementation specifications, and requirements with respect to parents and minors defer to, and are consistent with, State or other applicable law and professional practice. Where State and other applicable law is silent, the Department has attempted to create standards that are consistent with such laws and that permit States the discretion to continue to decide the rights of parents and minors with respect to health information without interference from the federal Privacy Rule. Public Comments Since December 2000, the Department has heard concerns about the impact of the Privacy Rule on both parental and minor rights. Physicians and other health care professionals who treat adolescents support the existing provisions in the Privacy Rule. These commenters assert that these provisions allow health care providers to deliver care in a manner consistent with their ethical and legal obligations, and that they strike the appropriate balance by permitting providers to render confidential care to minors in limited circumstances, while providing States [[Page 14792]] the ultimate discretion to determine the extent of parents' access to information. Other commenters oppose the Privacy Rule on the grounds that the Privacy Rule unduly interferes with parental rights to control health care for their minor children and to access health information about their minor children. They assert that failure to provide parents with access to all health information about their minor children could result in negative health outcomes because parents could be making health care decisions for their children based on incomplete information. Finally, some commenters believe, incorrectly, that the Privacy Rule creates new rights for minors to consent to treatment. The Department issued guidance to clarify that the Privacy Rule does not address access to treatment or the ability to consent to treatment. It is State or other applicable law, and not the Privacy Rule, that governs who can consent to treatment. The Privacy Rule does not in any way alter the ability of a parent to consent to health care for a minor child or the ability of a minor child to consent to his or her own health care. Proposed Modifications The Department has reassessed the parents and minors provisions in the Privacy Rule, and does not propose to change its approach. The Department will continue to defer to State or other applicable law and to remain neutral and preserve the status quo to the extent possible. However, the Department is proposing changes to these standards where they do not operate as intended and are inconsistent with the Department's underlying goals. The Privacy Rule accomplishes the goals of deferring to State law and preserving the status quo when State law is definitive, that is, when State law requires or prohibits disclosure or access. However, when State law provides discretion or is silent, the Privacy Rule may not always accomplish these goals. In particular, the Department has identified two areas in which the standard does not work as intended. First, the language regarding deference to State law that authorizes or prohibits disclosure of health information about a minor to a parent fails to assure that State law governs when the law grants a provider discretion to disclose protected health information to a parent in certain circumstances. Second, the Privacy Rule may prohibit parental access in cases where State law is silent, but where a parent could get access today, consistent with State law. First, in order to assure that State and other applicable laws that address disclosure of health information about a minor to his or her parent govern in all cases, the Department proposes to move the relevant language about the disclosure of health information from the definition of "more stringent" (see Sec. 160.202) to the standards regarding parents and minors (see Sec. 164.502(g)(3)). This change would make it clear that State and other applicable law governs not only when a State explicitly addresses disclosure of protected health information to a parent but also when such law provides discretion to a provider. The language itself is also changed in the proposal to adapt it to the new section. The proposed language in Sec. 164.502(g)(3)(ii) states that a covered entity may disclose protected health information about a minor to a parent if an applicable provision of State or other law, including applicable case law, permits or requires such disclosure, and that a covered entity may not disclose protected health information about a minor to a parent if an applicable provision of State or other law, including applicable case law, prohibits such disclosure. This new language would help clarify when disclosure of health information about a minor to his or her parent is permitted or prohibited based on State or other law. The revision would also clarify that the deference to State or other applicable law includes deference to established case law as well as an explicit provision in a statute or regulation. Second, the Department proposes to add a new paragraph (iii) to Sec. 164.502(g)(3) to establish a neutral policy regarding the right of access of a parent to health information about a minor under Sec. 164.524, in the rare circumstance in which the parent is technically not the personal representative of the minor under the Privacy Rule. This policy would apply particularly where State or other law is silent or unclear. The new paragraph would not change the right of access, but would simply provide that the person who can exercise the right of access to health information under the Privacy Rule must be consistent with State or other applicable law. It would assure that the Privacy Rule would not prevent a covered entity from providing such access, in accordance with the Privacy Rule, to a parent, as if a personal representative of the minor child, if access would be consistent with State or other applicable law. This modification also would not affect a parent's right of access under the Privacy Rule in the vast majority of cases where the parent is the personal representative of the minor. In those cases, the parent could exercise the right of access in accordance with the Privacy Rule. This provision would be relevant only in the rare exceptions in which the parent is not the personal representative of the minor. The Department proposes to use the phrase "consistent with State or other applicable law" with regard to access in the personal representatives section of the Privacy Rule. This is different than the proposed language in the section about personal representatives that relates to disclosures, in which a disclosure to a parent is permitted if such disclosure is permitted or required by an "applicable provision of State or other law, including applicable case law." The language in the disclosure paragraphs requires an explicit law for such disclosure to be permitted by the Privacy Rule. The language in the access paragraphs permits parental access in accordance with the Privacy Rule if such access is consistent with State or other law, regardless of whether such law is explicit. Therefore, if a State permits a minor to obtain care without the consent of a parent, but is silent as to whether the parent can access the related medical records of the minor, as is typically the case, then the provider may provide access to the parent if such access is consistent with State law and could deny access to the parent if such denial of access is consistent with State law. This may be based on interpretation of State consent law or may be based on other law. The provider could not, however, abuse this provision to deny access to both the parent and the minor. This provision would not significantly change the operation of the Privacy Rule with respect to parental access. In cases where the parent is not the personal representative of the minor under the Privacy Rule, the proposed language would not require a provider to grant access to a parent. In these cases, a provider would have discretion to provide access to a parent when permitted to do so under State or other applicable law despite the ability of the minor to obtain health care confidentially or without parental consent under applicable law or professional practice. The Department further assumes that current professional health care provider practices with respect to access by parents and confidentiality of minor's records are consistent with State and other applicable law. In any event, parental access under this section would continue to be subject to any relevant limitations on access in [[Page 14793]] Sec. 164.524. This proposed change provides States with the option of clarifying the interaction between their consent laws and the ability for parents to have access to the health information about the care that their minor children received in accordance with such laws. As such, this change should more accurately reflect current State law. G. Uses and Disclosures for Research Purposes 1. Institutional Review Board (IRB) or Privacy Board Approval of a Waiver of Authorization Much of the biomedical and behavioral research conducted in the U.S. is governed either by the rule entitled "Federal Policy for the Protection of Human Subjects" (the "Common Rule") and/or the Food and Drug Administration's (FDA) human subject protection regulations. Although these regulatory requirements, which apply to federally-funded and to some privately-funded research, include protections to help ensure the privacy of subjects and the confidentiality of information, the intent of the Privacy Rule, among other things, is to supplement these protections by requiring covered entities to implement specific measures to safeguard the privacy of individually identifiable health information. The Common Rule applies to all human research that is supported, conducted, or regulated by any of the seventeen federal agencies that have adopted the Common Rule, including research that uses individually identifiable health information. FDA's human subject protection regulations generally apply to clinical investigations under FDA's jurisdiction, whether or not such research is federally funded. Both sets of regulations have requirements relating to review by an institutional review board (IRB) to ensure that the risks to research participants, including privacy risks, are minimized. As part of this review, generally, IRBs must consider the informed consent document that will be used to inform prospective research participants about the study. Both the Common Rule and FDA regulations have provisions relating to the waiver of informed consent. The Common Rule waiver provisions allow research covered by the Common Rule to be conducted if an IRB determines that certain criteria specified in the Common Rule have been met. FDA's regulations do not contain equivalent waiver provisions since the criteria for a waiver of informed consent are generally not appropriate for clinical research. However, FDA's human subject protection regulations contain exceptions to informed consent for emergency research and for the emergency use of an investigational product. The Common Rule and FDA's regulations explicitly address privacy and confidentiality in the following places: (1) The informed consent document is required to include "a statement describing the extent, if any, to which confidentiality of records identifying the subject will be maintained" (Common Rule Sec. ____.116(a)(5), 21 CFR 50.25(a)(5)); and (2) to approve a study an IRB must determine that "when appropriate, there are adequate provisions to protect the privacy of subjects and to maintain the confidentiality of data" (Common Rule Sec. ____.111(a)(7), 21 CFR 56.111(a)(7)). Privacy Rule The Privacy Rule builds upon these existing federal regulations. The requirements are intended to strike a balance by minimizing the privacy risks of research participants, while not impeding the conduct of vital national and international research. For research participants, this means that they will have more information about how their protected health information may be used for research purposes. The Privacy Rule requires researchers who are subject to the Common Rule or FDA's human subject protection regulations to make some changes to the way they use and disclose protected health information. Researchers who are not currently subject to these requirements may, however, need to make more significant changes to current practice. The Privacy Rule at Secs. 164.508 and 164.512(i) establishes the conditions under which covered entities may disclose protected health information for research purposes. In general, covered entities are permitted to use or disclose protected health information for research either with individual authorization, or without individual authorization in limited circumstances and under certain conditions. A covered entity is permitted to use and disclose protected health information for research purposes with an authorization from the research participant that meets the requirements of Sec. 164.508 of the Privacy Rule. Additional requirements apply to research that is not solely record-based but, rather, involves the treatment of individuals. Specifically, in order for a covered entity to use or disclose protected health information that it creates from a research study that includes treatment of individuals (e.g., a clinical trial), the Privacy Rule at Sec. 164.508(f) requires that additional research-specific elements be included in the authorization form, which describes how protected health information created for the research study will be used or disclosed. The Privacy Rule provides that such an authorization pursuant to Sec. 164.508(f) may be combined with the traditional informed consent document used in research, as well as the consent required under Sec. 164.506 and the notice of privacy practices required under Sec. 164.520. In addition, a covered entity is permitted to condition the provision of the research-related treatment on the individual's authorization for the covered entity to use and disclose protected health information created from the study. The Privacy Rule, however, does not permit an individual authorization form for a research use or disclosure of existing protected health information to be combined with a research informed consent document or an authorization form for research that involves treatment. Alternatively, a covered entity is permitted to use or disclose protected health information for research purposes without authorization by the research participant if the covered entity first obtains either of the following: Documentation of approval of a waiver of authorization from an IRB or a Privacy Board. The Privacy Rule delineates specific requirements for the elements that must be documented, including the Board's determinations with respect to eight defined waiver criteria. Where a review is conducted preparatory to research or where research is conducted on decedent's information, certain representations from the researcher, including that the use or disclosure is sought solely for such a purpose and that the protected health information is necessary for the purpose. Public Comment A number of commenters argued that the waiver criteria in the Privacy Rule were confusing, redundant, and internally inconsistent. These commenters urged the Department to simplify the provisions, especially for entities subject to both the Privacy Rule and the Common Rule. Consequently, these commenters recommended that the Privacy Rule be modified to allow protected health information to be used or disclosed for research without individual authorization if informed consent is obtained as stipulated by the Common Rule or FDA's human subject protection regulations, or waived as [[Page 14794]] stipulated by the Common Rule. Commenters who favored these changes asserted that the existing federal human subject protection regulations adequately protect all of the rights and welfare of human subjects, and therefore, the Privacy Rule's provisions are unnecessary and duplicative for research currently governed by federal regulations. These commenters also argued that the Privacy Rule's waiver criteria and requirements for individual authorization, in effect, inappropriately modify the Common Rule, since the Privacy Rule prohibits covered entities from honoring an IRB's decisions unless the Privacy Rule's requirements are met. Some of these commenters further suggested that the confidentiality provisions of the Common Rule and FDA's human subject protection regulations be reviewed to determine if they adequately protect the privacy of research participants, and if found to be inadequate, these regulations should be modified. The Department understands commenters' recommendations to simplify the Privacy Rule as it applies to research. However, as stated in the preamble to the Privacy Rule and the Department's July 6 guidance, the Department disagrees that the Privacy Rule will modify the Common Rule. The Privacy Rule regulates only the content and conditions of the documentation that covered entities must obtain before using or disclosing protected health information for research purposes. The NCVHS also heard a number of concerns and confusion in testimony at the August 2001 hearing regarding the research provisions in the Privacy Rule. As a result, the NCVHS generally recommended that the Department provide additional guidance in this area. Consistent with this recommendation, the HHS Office for Civil Rights and the HHS Office for Human Research Protections intend to work together to provide interpretations, guidance, and technical assistance to help the research community in understanding the relationship between the Privacy Rule and the Common Rule. The NCVHS also received testimony requesting that uses and disclosures of protected health information for research be characterized as an element of treatment, payment, and health care operations under the Privacy Rule, and thus be permitted without individual authorization. The NCVHS, in their recommendations to the Department, disagreed with this viewpoint, and expressed support for the policy embodied in the Privacy Rule, permitting uses and disclosures for research pursuant to an authorization or an IRB or Privacy Board waiver of authorization. In addition, the NCVHS received testimony regarding the issue of recruiting research subjects. Commenters expressed concern and confusion as to how researchers would be able to recruit research subjects when the Privacy Rule does not permit protected health information to be removed from the covered entity's premises during reviews preparatory to research. The NCVHS recommended that the Department provide guidance on this issue. The Department clarifies that the Privacy Rule's provisions for IRB or Privacy Board waiver of authorization are intended to encompass a partial waiver of authorization for the purposes of allowing a researcher to obtain protected health information necessary to recruit potential research participants. For example, even if an IRB does not waive informed consent and individual authorization for the study itself, it may waive such authorization to permit the disclosure of protected health information to a researcher as necessary for the researcher to be able to contact and recruit individuals as potential research subjects. Many researchers also expressed concerns that the Privacy Rule's de-identification safe harbor was so strict that it would result in more research being subject to IRB review than is currently the case. These commenters requested that the standards for de-identification be changed in order to make de-identification a more plausible option for the sharing of data with researchers. The Privacy Rule's de-identification safe harbor was not designed to be used for research purposes. Rather, the Privacy Rule permits uses and disclosures of protected health information for research purposes with individual authorization, or pursuant to an IRB or Privacy Board waiver of authorization as permitted by Sec. 164.512(i). The Department is aware, however, that some research is conducted today without IRB oversight because the information is not facially identifiable. While the Department is not convinced of the need to modify the safe harbor standard for de-identified information, the Department is requesting comment on an alternative approach that would permit uses and disclosures of a limited data set for research purposes which does not include facially identifiable information but in which certain identifiers remain. See section III.I of the preamble regarding de- identification of protected health information for a detailed discussion of this proposed approach. A number of commenters were concerned about the Privacy Rule's requirement for "a statement of the individual's right to revoke the authorization in writing and the exceptions to the right to revoke * * *", because this provision would prohibit researchers from analyzing the data collected prior to the individual's decision to revoke his or her authorization. The Department is not proposing to modify this provision. The Privacy Rule limits an individual's right to revoke his or her authorization by the extent to which the covered entity has taken action in reliance on the authorization. Therefore, even though a revocation will prohibit a covered entity from further disclosing protected health information for research purposes, the exception to this requirement is intended to allow for certain continued uses of the information as appropriate to preserve the integrity of the research study, e.g., as necessary to account for the individual's withdrawal from the study. The Department believes that researchers have established practices for accommodating an individual's decision to withdraw from a research study. Indeed, the Common Rule at Sec. ____46.116 and FDA's human subject protection regulations at 21 CFR 50.25(a)(8) contain similar provisions that require the informed consent document include a statement that "* * * the subject may discontinue participation at any time without penalty or loss of benefits to which the subject is otherwise entitled." However, the Department understands that these practices may not be uniform and may vary depending on the nature of the research being conducted, with respect to the continued use or disclosure of data collected prior to the participant's withdrawal. If covered entities were permitted to continue using or disclosing protected health information for the research project even after an individual had revoked his or her authorization, this would undermine the primary objective of the authorization requirements to be a voluntary, informed choice of the individual. The Department believes that limiting uses and disclosures following revocation of an authorization to those necessary to preserve the integrity of the research appropriately balances the individual's right of choice and the researcher's reliance on the authorization. However, the Department solicits comment on other means of achieving this balance. [[Page 14795]] Specific comments, including testimony to the NCVHS, are addressed below where relevant to the corresponding proposed modifications to the Privacy Rule. Proposed Modifications to Waiver Criteria The Department understands commenters' concerns that several of the Privacy Rule's criteria for the waiver of a research participant's authorization are confusing and redundant, or inconsistent and conflicting with the Common Rule's requirements for the waiver of an individual's informed consent. However, since the Common Rule's criteria for the waiver of informed consent do not explicitly require IRBs to consider issues related to the privacy of prospective research participants, the Department disagrees with the recommendation to exempt from the Privacy Rule research uses and disclosures that are made with a waiver of informed consent pursuant to the Common Rule. In response to commenter concerns, the Department proposes the following modifications to the waiver criteria to maintain uniform standards in the Privacy Rule for all research, whether or not the research is subject to the Common Rule, as well as to ensure that the Privacy Rule's waiver process works more seamlessly with the Common Rule's waiver process. The Department, in reassessing the waiver criteria defined by the Common Rule, believes that only two of the Common Rule waiver criteria are practicable when focused solely on patient privacy. Accordingly, the Department proposes to retain the following two criteria in the Privacy Rule that are comparable to two of the Common Rule criteria: (1) The use or disclosure of protected health information involves no more than a minimal risk to the privacy of individuals; and (2) the research could not practicably be conducted without the waiver or alteration. The criterion in the Common Rule to determine that the rights and welfare of subjects will not adversely be affected, when limited to privacy, seems to conflict with the criterion regarding assessing minimal privacy risk; it is not clear how both criteria can be met when the focus is solely on privacy. The Department therefore proposes to delete the criterion in the Privacy Rule that the alteration or waiver will not adversely affect the privacy rights and the welfare of the individuals. Moreover, the Department understands commenters' concerns that substantial overlap and potential inconsistency may exist among three of the Privacy Rule's criteria and the criterion that the use or disclosure involves no more than a minimal risk to the individuals. The Department believes that the three criteria in the Privacy Rule that focus on (1) plans to protect identifiers from improper use and disclosure, (2) plans to destroy the identifiers at the earliest opportunity, and (3) adequate written assurances against redisclosure, essentially help to define when the research use or disclosure poses only a minimal risk to the individual's privacy interests, rather than operate as stand-alone criteria. As such, the Department proposes to require the assessment of these three factors as part of the waiver criterion for assessment of minimal privacy risk. This provision does not preclude the IRB or Privacy Board from assessing other criteria as necessary to determine minimal privacy risk, e.g., whether the safeguards included in the protocol are appropriate to the sensitivity of the data. In addition, the Department agrees with commenters that the following waiver criterion is unnecessarily duplicative of other provisions to protect patients' confidentiality interests, and therefore, proposes to eliminate it: the privacy risks to individuals whose protected health information is to be used or disclosed are reasonable in relation to the anticipated benefits, if any, to the individual, and the importance of the knowledge that may reasonably be expected to result from the research. Lastly, the Department proposes to retain the criterion that the research could not practicably be conducted without access to and use of the protected health information. The Privacy Rule permits a covered entity to reasonably rely on a researcher's documentation of approval of these waiver criteria, and a description of the data needed for the research as approved by an IRB or Privacy Board, to satisfy it's obligation with respect to limiting the disclosure to the minimum necessary. In sum, the Department proposes that the following wavier criteria replace the waiver criteria listed in the Privacy Rule at Sec. 164.512(i)(2)(ii): (1) The use or disclosure of protected health information involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements: (a) an adequate plan to protect the identifiers from improper use and disclosure; (b) an adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and (c) adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research project, or for other research for which the use or disclosure of protected health information would be permitted by this subpart; (2) The research could not practicably be conducted without the waiver or alteration; and (3) The research could not practicably be conducted without access to and use of the protected health information. The Department believes that the proposed modifications to the waiver criteria in the Privacy Rule would eliminate both the redundancies in the waiver criteria and the conflicts these provisions pose to research conducted pursuant to the Common Rule. 2. Research Authorizations Several commenters argued that certain authorization requirements in the Privacy Rule at Sec. 164.508 are problematic as applied to research uses and disclosures. Generally, commenters raised concerns that the requirements for individual authorization for uses and disclosures for research purposes are unduly complex and burdensome. In response to these concerns, the Department proposes to make a number of modifications to simplify the authorization requirements, both generally and in certain circumstances as they specifically apply to uses and disclosures of protected health information for research. The discussion below focuses on the proposed modifications specific to uses and disclosures for research. See section III.H of the preamble for a discussion of the Department's general proposal to modify the Privacy Rule's authorization requirements. In particular, the Department proposes a single set of requirements that generally apply to all types of authorizations, including those for research purposes. This modification would eliminate the specific provisions at Sec. 164.508(f) for authorizations for uses and disclosures of protected health information created for research that includes treatment of the individual. As a result, an authorization for such purposes would not require any additional elements above and beyond those required for authorizations in general at Sec. 164.508(c). To conform to this proposed change, the Department also proposes to modify the requirements for prohibiting [[Page 14796]] conditioning of authorizations at Sec. 164.508(b)(4)(i) to remove the reference to Sec. 164.508(f). A covered health care provider, thus, would be able to condition the provision of research-related treatment on provision of an authorization for the use and disclosure of protected health information for the particular research study. Additionally, the Department proposes to modify Sec. 164.508(b)(3)(i) to reflect its intent to eliminate the special authorization requirements for research studies that involve treatment in Sec. 164.508(f), as well as to clarify that the Privacy Rule would allow an authorization for the use or disclosure of protected health information for research to be combined with any other legal permission related to the research study, including another authorization or consent to participate in the research. The Department heard from several provider groups who thought the authorization provisions as they relate to research to be too complex. These commenters argued in favor of permitting covered entities to combine all of the research authorizations required by the Privacy Rule with the informed consent to participate in research. To simplify the requirements in response to these concerns, the Department proposes to modify the Privacy Rule to allow for the combining of such permissions. Finally, the Department proposes to include provisions specific to authorizations for research within the core element proposed at Sec. 164.508(c)(1)(v) for an expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. First, the Department proposes to explicitly provide that the statement "end of the research study" or similar language is sufficient to meet this requirement for an expiration date or event where the authorization is for a use or disclosure of protected health information for research. This modification is proposed in response to commenter concerns that the particular end date of a research study may not be known and questions regarding whether the end of a research study is an "event". In addition, such a statement would also be sufficient to encompass additional time, even after the conclusion of the research, to allow for the use of protected health information as necessary to meet record retention requirements to which the researcher is subject. The Department, therefore, proposes to clarify that including such a statement on the research authorization would fulfill the requirement to include an expiration event. Similarly, the Department proposes to explicitly provide that the statement "none" or similar language is sufficient to meet this provision if the authorization is for a covered entity to use or disclose protected health information for the creation or maintenance of a research database or repository. The Department proposes this modification in response to commenter concerns that the Privacy Rule's requirement for an "expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure" will create a significant obstacle for the development of research databases or repositories. Commenters stated that research databases and repositories are often retained indefinitely, and the requirement that an authorization include an expiration date or event was found to be counter to the purpose of developing such research resources. The Department understands these concerns and, therefore, proposes to permit an individual's authorization to use or disclose protected health information for the creation and maintenance of a research database or repository to be valid without an expiration date or event. The Department emphasizes that this provision is intended to apply only in the limited circumstances where a use or disclosure is sought solely for the creation or maintenance of a database or repository, and does not extend to authorizations for further research or any other purpose. Therefore, subsequent research using the information maintained in the database or repository pursuant to an authorization would require that the authorization include the term "end of the research study" or other explicit expiration date or event. 3. Research Transition Provisions The Privacy Rule includes at Sec. 164.532 different transition requirements for research that includes treatment (i.e., clinical trials) and for research that does not include treatment (i.e., records research). For research that includes treatment, the Privacy Rule states that as long as legal permission was obtained to use or disclose protected health information for a specific research project, that legal permission will continue to be valid until the completion of the research project; a new permission will not be required to use or disclose protected health information that was created or received either before or after the compliance date. However, for research that does not include treatment, a legal permission obtained before the compliance date will only be valid for the use and disclosure of protected health information obtained before the compliance date. The Privacy Rule does not prescribe the form of the express legal permission in either case. Express legal permission could be a signed agreement by the individual to participate in a privately-funded research study. The Privacy Rule does not explicitly address transition provisions for research studies ongoing after the compliance date where the legal permission of the individual had not been sought. This point was noted by several of those who commented on the Privacy Rule's transition provisions as they apply to research. Some of these commenters recommended that the Privacy Rule be revised to grandfather in the research use and disclosure of all protected health information that existed prior to the compliance date. These commenters expressed concern that much data would be lost to the research community since it would often be infeasible or impossible to obtain individuals' permission to use this archival information. Given the confusion about the transition provisions and to assure that ongoing, vital research will not be impeded, the Department reassessed the relevant provisions and proposes that there be no distinction between research that includes treatment and research that does not, and no distinction between requirements for research conducted with patients' informed consent versus research conducted with an IRB-approved waiver of patients' informed consent. Therefore, the Department proposes to permit a covered entity to use or disclose for a specific research study protected health information that is created or received either before or after the compliance date (if there is no agreed-to restriction in accordance with Sec. 164.522(a)), if the covered entity has obtained, prior to the compliance date an authorization or other express legal permission from an individual to use or disclose protected health information for the research study. In addition, the Department proposes to grandfather in research in which the individual has signed an informed consent to participate in the research study, or an IRB has waived informed consent for the research study, in accordance with the Common Rule or FDA's human subject protection regulations. These proposed provisions are intended to apply once any of the permissions described above has been granted, regardless of whether the [[Page 14797]] research study actually has begun by the compliance date or not, provided that the permission was obtained prior to the compliance date. In addition, with respect to the informed consent of the individual, the Department proposes not to limit the transition provisions to an informed consent pursuant to the Common Rule, but rather intends to allow for the transition of an informed consent for privately-funded research. Research studies that do not obtain such express legal permission, informed consent, or IRB waiver prior to the compliance date must obtain either authorization, as required by Sec. 164.508, or a waiver of authorization from an IRB or Privacy Board, as required by Sec. 164.512(i). H. Uses and Disclosures for Which Authorization Is Required The Privacy Rule permits covered entities to use and disclose protected health information for treatment, payment, and health care operations (subject to the individual's consent, if applicable) and as necessary for public policy purposes, such as public health and safety, health oversight activities, and enforcement. Covered entities must obtain an individual's voluntary and informed authorization before using or disclosing protected health information for any purpose that is not otherwise permitted or required under the Privacy Rule. The Privacy Rule provides for the individual's voluntary authorization for uses and disclosure of his or her protected health information by prohibiting, with very limited exceptions, covered entities from conditioning treatment, payment, or eligibility for benefits or enrollment in a health plan, on obtaining an authorization. Furthermore, in Sec. 164.508(b)(5), the Privacy Rule permits individuals, with limited exceptions, to revoke an authorization at any time. These provisions are intended to prevent covered entities from coercing individuals into signing an authorization that is not necessary for their health care. To help ensure that individuals give their authorization for the use or disclosure of their protected health information on an informed basis, the Privacy Rule, under Sec. 164.508(c), sets out core elements that must be included in any authorization. These core elements are intended to provide individuals with information needed to make an informed decision about giving their authorization. This information includes specific details about the use or disclosure, as well as providing the individual fair notice about his or her rights with respect to the authorization and the potential for the information to be redisclosed. The Privacy Rule requires authorizations to provide individuals with additional information for specific circumstances under the following three sets of implementation specifications: in Sec. 164.508(d), for authorizations requested by a covered entity for its own uses and disclosures; in Sec. 164.508(e), for authorizations requested by a covered entity for disclosures by others; and in Sec. 164.508(f), for authorizations for research that includes treatment of the individual. Additionally, the authorization must be written in plain language so individuals can understand the information presented in the authorization. Public Comments The Department received a number of comments raising various issues regarding implementation of the authorization requirements. A majority of commenters said the authorization provisions of the Privacy Rule are too complex and confusing. Some commented that the sets of implementation specifications are not discrete, creating the potential for the implementation specifications for specific circumstances to conflict with the required core elements. Others expressed confusion generally about which authorization requirements they would be required to implement. Commenters also have raised concerns about the revocation provisions in Sec. 164.508(b)(5). The Privacy Rule provides an exception to the individual's right to revoke an authorization where the authorization is obtained as a condition of obtaining insurance coverage, or where other law provides the insurer the right to contest a claim under the policy. The Department intended this provision to permit insurers to obtain necessary protected health information during contestability periods under State law. For example, an individual may not revoke an authorization for the disclosure of protected health information to a life insurer for the purpose of investigating material misrepresentation if the individual's policy is still subject to the contestability period. However, commenters were concerned because other law also provides the insurer with the right to contest the policy itself, not just a claim under the policy, and the Privacy Rule does not provide an explicit exception to allow for this right. Proposed Modifications In response to these concerns, the Department is proposing modifications to the Privacy Rule to simplify the authorization provisions, while preserving the provisions for ensuring that authorizing the use or disclosure of protected health information is a voluntary and informed decision. The Department proposes to consolidate the implementation specifications into a single set of criteria to simplify these provisions, prevent confusion, and eliminate the potential for conflicts between the authorization requirements. Thus, under the proposed modifications, the specifications for the elements and requirements of an authorization would be consolidated under Sec. 164.508(c). Paragraphs (d), (e), and (f) in this section would be eliminated. Paragraph (c)(1) would require all authorizations to contain the following core elements: (1) A description of the information to be used or disclosed, (2) the identification of the persons or class of persons authorized to make the use or disclosure of the protected health information, (3) the identification of the persons or class of persons to whom the covered entity is authorized to make the use or disclosure, (4) a description of each purpose of the use or disclosure, (5) an expiration date or event, (6) the individual's signature and date, and (7) if signed by a personal representative, a description of his or her authority to act for the individual. The Department also proposes to add new language to clarify that when the individual initiates the authorization for his or her own purposes, the purpose may be described as "at the request of the individual." Thus, individuals would not have to reveal the purpose of the requested disclosure if they chose not to do so. Paragraph (c)(2) would require authorizations to contain the following notifications: (1) A statement that the individual may revoke the authorization in writing, and either a statement regarding the right to revoke, and instructions on how to exercise such right, or to the extent this information is included in the covered entity's notice, a reference to the notice, (2) a statement that treatment, payment, enrollment, or eligibility for benefits may not be conditioned on obtaining the authorization if such conditioning is prohibited by the Privacy Rule, or, if conditioning is permitted by the Privacy Rule, a statement about the consequences of refusing to sign the authorization, and (3) a statement about the potential for the protected health information to be subject to redisclosure [[Page 14798]] by the recipient. The Department also proposes to limit the requirement that a covered entity disclose any remuneration that will result from obtaining an authorization, to authorizations for marketing purposes. Therefore, the remuneration disclosure requirement appears only in the new Sec. 164.508(a)(3) on marketing authorizations. These modifications would permit covered entities to use a single authorization form, and make it easier to use for the individual and the covered entity, as well as third parties. The Department also proposes to add language to the revocation exceptions in Sec. 164.508(b)(5)(ii) to include an exception with respect to the insurer's right to contest the policy under other law. This proposed modification would recognize, without expanding upon, an insurer's right to contest the policy under existing law. Other proposed modifications concerning authorizations for research are discussed in section III.G of the preamble. Finally, the Department proposes a number of technical conforming modifications throughout this section of the Privacy Rule to accommodate the modifications to this section, as well as the proposed modifications to the consent provision. Specifically, the Department proposes to modify the exception to the minimum necessary standard in the Privacy Rule at Sec. 164.502(b)(2), which exempts from the standard uses or disclosures made pursuant to an authorization under Sec. 164.508, except for authorizations requested by the covered entity under Sec. 164.508(d), (e), or (f). By simplifying the authorization requirements, the proposed modifications described above would eliminate the special authorizations required by Sec. 164.508(d), (e), or (f) in the Privacy Rule. To be consistent with the proposed approach, the Department proposes to eliminate the reference to such authorizations in the exception at Sec. 164.502(b)(2), thereby expanding the exception to exempt from the minimum necessary standard uses and disclosures made pursuant to an authorization for any purpose. The Department also proposes modifications at Secs. 164.508(a)(2)(i)(A), (B), and (C) to place limits on the use and disclosure of psychotherapy notes without authorization to carry out treatment, payment or health care operations. The modifications clarify that this information is not permitted to be used or disclosed without individual authorization for purposes of another entity. The Department proposes to delete Sec. 164.508(b)(4)(iii), relating to a health plan conditioning payment of a claim on the provision of an authorization, since this provision will be rendered moot under the proposed modifications to the consent provision. Additionally, the Department proposes to delete Sec. 164.508(b)(2)(iv) of the Privacy Rule, because it is redundant with Sec. 164.508(b)(1)(i), and to modify Sec. 164.508(b)(1)(i) to clarify that an authorization is valid only if it meets the requirements of paragraphs (c)(1) and (c)(2). odifications are also proposed at Sec. 164.508(b)(1)(v) of the Privacy Rule (newly designated as Sec. 164.508(b)(2)(iv) in the proposed Rule) to clarify that an authorization that violates paragraph (b)(4) (prohibiting the conditioning of authorizations) is not a valid authorization. These proposed modifications also expressly provide that an authorization is needed for purposes of marketing. See section III.G of the preamble for a detailed discussion of the proposed modifications regarding marketing. I. De-Identification of Protected Health Information At Sec. 164.514(a)-(c), the Privacy Rule permits a covered entity to de-identify protected health information so that such information may be used and disclosed freely, without being subject to the Privacy Rule's protections. Health information is de-identified, or not individually identifiable, under the Privacy Rule, if it does not identify an individual and if the covered entity has no reasonable basis to believe that the information can be used to identify an individual. In order to meet this standard, the Privacy Rule provides two alternative methods for covered entities to de-identify protected health information. First, a covered entity may demonstrate that it has met the standard if a person with appropriate knowledge and experience applying generally acceptable statistical and scientific principles and methods for rendering information not individually identifiable makes and documents a determination that there is a very small risk that the information could be used by others to identify a subject of the information. The preamble to the Privacy Rule refers to two government reports that provide guidance for applying these principles and methods, including describing types of techniques intended to reduce the risk of disclosure that should be considered by a professional when de-identifying health information. These techniques include removing all direct identifiers, reducing the number of variables on which a match might be made, and limiting the distribution of records through a "data use agreement" or "restricted access agreement" in which the recipient agrees to limits on who can use or receive the data. Alternatively, covered entities may choose to use the Privacy Rule's safe harbor method for de-identification. Under the safe harbor method, covered entities must remove all of a list of 18 enumerated identifiers and have no actual knowledge that the information remaining could be used alone or in combination to identify a subject of the information. The identifiers that must be removed include direct identifiers, such as name, street address, social security number, as well as other identifiers, such as birth date, admission and discharge dates, and five-digit zip code. The safe harbor does allow for the disclosure of all geographic subdivisions no smaller than a State, as well as the initial three digits of a zip code if the geographic unit formed by combining all zip codes with the same initial three digits contains more than 20,000 people. In addition, age, if less than 90, gender, ethnicity, and other demographic information not listed may remain in the information. The safe harbor is intended to provide covered entities with a simple, definitive method that does not require much judgment by the covered entity to determine if the information is adequately de-identified. The Privacy Rule also allows for the covered entity to assign a code or other means of record identification to allow de-identified information to be re-identified by the covered entity, if the code is not derived from or related to information about the subject of the information, e.g., derivation of the individual's social security number, and is not otherwise capable of being translated so as to identify the individual. The covered entity also may not use or disclose the code for any other purpose, and may not disclose the mechanism, e.g., algorithm or other tool, for re-identification. The Department is cognizant of the increasing capabilities and sophistication of electronic data matching used to link data elements from various sources, and from which, therefore, individuals may be identified. Given this increasing risk to individuals' privacy, the Department included in the Privacy Rule the above stringent standards for determining when information may flow unprotected. The Department also wanted the standards to be flexible enough so the Privacy Rule would not be a disincentive for covered entities to use or disclose de- identified [[Page 14799]] information wherever possible. The Privacy Rule, therefore, strives to balance an individuals' privacy interests with providing a sufficient level of information to make de-identified databases useful. Public Comments The Department heard a number of concerns from commenters regarding the de-identification standard in the Privacy Rule. These comments generally were raised in the context of using and disclosing information for research, public health purposes, or for certain health care operations. Commenters were concerned that the safe harbor method for de-identifying protected health information was so stringent that it required removal of many of the data elements that were essential to their analyses for these purposes. The comments, however, demonstrated little consensus as to which data elements were needed for such analyses, with many commenters requesting elements, such as birth date, neighborhood, account numbers, medical record numbers, and device identifiers. In addition, commenters largely were silent with regard to the feasibility of using the Privacy Rule's alternative statistical method to de-identify information. The Department is aware, however, of a general view of covered entities that the statistical method is beyond their capabilities. With regard to health care operations, a number of state hospital associations were concerned that the Privacy Rule will prevent them from collecting patient information from area hospitals in order to conduct and disseminate analyses that are useful for hospitals in making decisions about quality and efficiency improvements. These commenters explained that the Privacy Rule's stringent provisions for de-identification would not allow for the necessary data elements to be collected for such analyses. Specifically, commenters identified the following critical elements that would be restricted from disclosure by the Privacy Rule's de-identification standard: Five-digit zip code, city, county or neighborhood; the dates on which the injury or illness was treated and the patient released from the hospital; and the month of birth (noted by commenters as especially important for very young children). In addition, commenters argued that the Privacy Rule's provisions for data aggregation by a business associate, while allowing for the collection and aggregation of identifiable data from multiple hospitals for quality and efficiency purposes, would not allow state hospital associations to disclose all the desired analyses back to the contributing hospitals because some identifiers would remain in the data. These commenters emphasized the importance to hospitals to have access to information about community health care needs and the ability to compare their community to others in the state so that they may adequately respond to and fulfill such needs. In addition, commenters identified a problem with hospitals themselves sharing aggregated information with other hospitals for health care operations purposes. The Privacy Rule prohibits covered entities from disclosing protected health information for the health care operations purposes of other covered entities. As described in section III.A.2 of the preamble regarding Uses and Disclosures for Treatment, Payment, and Health Care Operations, the Department is proposing to modify this restriction and allow covered entities to disclose protected health information for another covered entity's health care operations under some circumstances. However, two conditions on the sharing of individually identifiable information for health care operations may continue to pose a problem. The proposed modifications would condition the sharing on both entities being covered entities and both entities having a relationship with the individual. Hospitals wishing to exchange patient information with each other or with other community health care providers would not satisfy these conditions in all cases. Many researchers expressed similar concerns, explaining that the Privacy Rule's de-identification safe harbor was so strict that it would result in more research being done on identifiable health information and, thereby, being subject to IRB review than is currently the case. Under the Common Rule, research that uses "identifiable private information" must undergo IRB review. However, there is no agreed-upon definition of "identifiable private information" and IRBs determine on a case-by-case basis what constitutes "identifiable private information." Consistent with this variability, the comments did not demonstrate consensus on what identifiers should be permitted to be retained for research purposes. In addition, commenters also expressed concerns with respect to public health reporting. For example, some product manufacturers subject to the jurisdiction of FDA were concerned that they would not be able to operate post-marketing surveillance registries, to which health care providers report problems. Commenters stated that even though they do not need information with direct identifiers, the Privacy Rule's strict de-identification standard would not allow the reporting of useful information into the registry. Additionally, a number of commenters described the de-identification standard as hampering many research and health care operations activities that also serve a public health purpose, e.g., the tracking of the emergence of disease that could be the result of bioterrorism. The Department also heard from some consumer advocates who supported the elimination of barriers they believe are imposed by the de-identification standard to important medical research. In order to ensure privacy is protected, but at the same time not render impossible research using de-identified information, these commenters recommended that the Department permit the use of information for research that is facially de-identified, i.e., stripped of direct identifiers, so long as the research entity provides assurances that it will not use or disclose the information for purposes other than research and will not identify or contact the individuals who are the subjects of the information. Solicitation of Comment The Department is aware of the importance of the activities described by the commenters but is not currently convinced of the need to modify the safe harbor standard for de-identified information. Instead, the Department requests comment on an alternative approach that would permit uses and disclosures of a limited data set which does not include facially identifiable information but in which certain identifiers would remain. The Department is not considering permitting the disclosure of any such limited data set for general purposes, but rather is considering permitting disclosure of such information for research, public health, and health care operations purposes. The limited data set would not include the following information, which the Department considers direct identifiers: name, street address, telephone and fax numbers, e-mail address, social security number, certificate/license number, vehicle identifiers and serial numbers, URLs and IP addresses, and full face photos and any other comparable images. The limited data set would include the following identifiable information: admission, discharge, and service dates; date of death; age (including age 90 or over); and five-digit zip code. The [[Page 14800]] Department solicits comment on whether another one or more geographic units smaller than State, such as city, county, precinct, neighborhood or other unit, would be needed in addition to, or be preferable to, five-digit zip code. In addition, to address concerns raised by commenters regarding access to birth date for research or other studies relating to young children or infants, the Department clarifies that the Privacy Rule does not prohibit age of an individual from being expressed as an age in months, days, or hours. Given that the limited data set would include all ages, including age in months, days, or hours, if preferable, the Department requests comment on whether date of birth is needed and, if so, whether the entire date is needed, or just the month and year. In addition, to further protect privacy, the Department would propose to condition the disclosure of the limited data set on covered entities obtaining from the recipients a data use or similar agreement, in which the recipient would agree to limit the use of the limited data set to the specified purposes in the Privacy Rule, and limit who can use or receive the data, as well as agree not to re-identify the data or contact the individuals. Commenters seemed to indicate that recipients would be amenable to such conditions. The Department solicits public comment on the feasibility and acceptability of the above approach for the described purposes, and whether or not the limitations and conditions would be sufficiently protective of patient privacy. Proposed Modifications In addition to the solicitation of comment above, the Department proposes a technical modification to the safe harbor provisions. A number of commenters expressed confusion regarding what was believed to be conflicting provisions within the de-identification standard. Commenters argued that, on the one hand, the Privacy Rule treats information as de-identified if all listed identifiers on the information are stripped, including any unique, identifying number, characteristic, or code. Yet, the Privacy Rule permits a covered entity to assign a code or other record identification to the information so that it may be re-identified by the covered entity at some later date. The Department did not intend the re-identification code to be considered one of the enumerated identifiers. Therefore, the Department proposes to clarify its intent by explicitly excepting the re- identification code or other means of record identification permitted by Sec. 164.514(c) from the listed identifiers at Sec. 164.514(b)(2)(i)(R). J. Technical Corrections and Other Clarifications In addition to the modifications described above, the Department proposes to make the following clarifications: 1. Changes of Legal Ownership. The Privacy Rule's definition of health care operations, at Sec. 164.501, includes business management and general administrative activities of the entity, including, due diligence in connection with the sale or transfer of assets to a potential successor in interest, if the potential successor in interest is a covered entity or, following completion of the sale or transfer, will become a covered entity. In the preamble to the Privacy Rule, the Department explained that this language was included to remedy an omission in the 1999 proposed Rule by add[ing] to the definition of health care operations disclosures of protected health information for due diligence to a covered entity that is a potential successor in interest. This provision includes disclosures pursuant to the sale of a covered entity's business as a going concern, mergers, acquisitions, consolidations, and other similar types of corporate restructuring between covered entities, including a division of a covered entity, and to an entity that is not a covered entity but will become a covered entity if the reorganization or sale is completed. 65 FR at 82609 (December 28, 2000) (response to comment); see also 65 FR at 82491 (similar language); 65 FR at 82652 ("We clarify in the definition of health care operations that a covered entity may sell or transfer its assets, including protected health information, to a successor in interest that is or will become a covered entity.") Despite language in the preamble to the contrary, the definition of health care operations in the Privacy Rule does not expressly provide for the transfer of protected health information upon sale or transfer to a successor in interest. Instead, the definition of "health care operations" only mentions disclosures of protected health information for "due diligence" purposes when a sale or transfer to a successor in interest is contemplated. "Due diligence" is generally understood to mean the "[a] prospective buyer's or broker's investigation and analysis of a target company, a piece of property, or a newly issued security." Black's Law Dictionary (7th ed. 1999) available in Westlaw, DIBLACK database. The Department proposes to add language to paragraph (6) of the definition of "health care operations" to clarify the intent to permit the transfer of records to a covered entity upon a sale, transfer, merger, or consolidation. This proposed change would prevent the Privacy Rule from interfering with necessary treatment or payment activities upon the sale of a covered entity or its assets. The Department also proposes to use the terms "sale, transfer, consolidation or merger" to eliminate the term "successor in interest" from this paragraph. The Department intended this provision to apply to any sale, transfer, merger or consolidation and believes the current language may not sufficiently accomplish this goal. The proposed language's use of the terms "sale, transfer, merger and consolidation" is based on language used in model State laws addressing the disclosure of personal or privileged information collected or received in connection with an insurance transaction. The Department retains the limitation that such disclosures are health care operations only to the extent the entity receiving the protected health information is a covered entity or will become a covered entity as a result of the sale, transfer, merger, or consolidation. In addition, the proposed modification does not affect any responsibility of covered entities either under other law or ethical obligation to notify individuals appropriately of a sale, transfer, merger, or consolidation. 2. Group Health Plan Disclosures of Enrollment and Disenrollment Information to Plan Sponsors. The Department proposes to modify the Privacy Rule to make express the Department's policy, which was explained in the preamble to the Privacy Rule, that group health plans are permitted to share enrollment and disenrollment information with plan sponsors without amending plan documents. Under the Privacy Rule, a group health plan, as well as a health insurance issuer or HMO providing health insurance or health coverage to the group health plan, are covered entities. Neither employers nor other plan sponsors are defined as covered entities. The Department recognizes the legitimate need of the plan sponsor to have access to health information of these covered entities in certain situations. Therefore, the Privacy Rule at Sec. 164.504(f) permits a group health plan, and health insurance issuers or HMOs with respect to the group health plan, to disclose protected health information to the plan sponsor provided that, among other requirements, the plan documents are [[Page 14801]] amended to appropriately reflect and restrict the plan sponsor's uses and disclosures of such information. There are two exceptions where the Privacy Rule permits group health plans (or health insurance issuers or HMOs, as appropriate) to disclose information to a plan sponsor without requiring amendment of plan documents. First, Sec. 164.504(f) permits such disclosures when the information needed by the plan sponsor is summary health information. Second, as explained in the preamble to the Privacy Rule, a plan sponsor is permitted to perform enrollment functions on behalf of its employees without meeting the requirements of Sec. 164.504(f), as such functions are considered outside of the plan administration functions. Therefore, a group health plan is also permitted to disclose enrollment or disenrollment information to the plan sponsor without amending the plan documents as required by Sec. 164.504(f). However, this policy regarding disclosures of enrollment or disenrollment information was addressed only in the preamble to the Privacy Rule and not explicitly in the regulation itself. As a result, the policy seems to have been overlooked and the absence of a specific provision in the regulation itself has caused misinterpretation within industry. To remedy this misunderstanding and make its policy clear, the Department proposes to add an explicit exception at Sec. 164.504(f)(1)(iii) to clarify that group health plans (or health insurance issuers or HMOs, as appropriate) are permitted to disclose enrollment or disenrollment information to a plan sponsor without meeting the plan document amendment and other related requirements. 3. Definition of "Individually Identifiable Health Information." The Department proposes to move the definition of "individually identifiable health information" from Sec. 164.501 to Sec. 160.103 to clarify that the definition is relevant to all of the provisions in Parts 160 through 164. 4. Accounting of Disclosures of Protected Health Information. Under the Privacy Rule at Sec. 164.528, individuals have the right to receive an accounting of disclosures of protected health information made by the covered entity, with certain exceptions. These exceptions, or instances where a covered entity is not required to account for disclosures, include disclosures made by the covered entity to carry out treatment, payment, or health care operations, as well as disclosures to individuals of protected health information about them. The accounting is required to include the following: (1) disclosures of protected health information that occurred during the six years prior to the date of the request for an accounting, including disclosures to or by a business associate of the covered entity; (2) for each disclosure: the date of the disclosure; the name of the entity or person who received the protected health information; if known, the address of such entity or person; a brief description of the protected health information disclosed; and a brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure, or in lieu of such a statement, a copy of the individual's written authorization pursuant to Sec. 164.508 or a copy of a written request for a disclosure under Secs. 164.502(a)(2)(ii) or 164.512. For multiple disclosures of protected health information to the same person, the Privacy Rule allows covered entities to provide individuals with an accounting that contains only the following information: (1) For the first disclosure, a full accounting, with the elements described in (2) above; (2) the frequency, periodicity, or number of disclosures made during the accounting period; and (3) the date of the last such disclosure made during the accounting period. A number of commenters raised concerns that the high costs and administrative burdens associated with the accounting requirements would deter covered entities from disclosing protected health information. In response to these concerns, the Department proposes to expand the exceptions to the standard at Sec. 164.528(a)(1) to include disclosures made pursuant to an authorization as provided in Sec. 164.508. Covered entities would no longer be required to account for any disclosures authorized by the individual in accordance with Sec. 164.508. The Department is proposing to alleviate burden in this way because it is believed that an accounting of disclosures made pursuant to such permissions is unnecessary because such disclosures are already known by the individual, in as much as the individual was required to sign the forms authorizing the disclosures. Accordingly, the Department proposes to make two conforming amendments at Secs. 164.528(b)(2)(iv) and (b)(3) to delete references in the accounting content requirements to disclosures made pursuant to an authorization. 5. Uses and Disclosures Regarding FDA-regulated Products and Activities. The Department recognizes the importance of public health activities and, in the Privacy Rule, allows information to be used and disclosed for these purposes without requiring individual consent or authorization. The recent anthrax attacks and the threat of other forms of bio-terrorism have served to underscore the vital necessity of a strong and effective public health system. The Rule allows covered entities to disclose protected health information to public health authorities for a broad array of public health purposes, including reporting of diseases, injuries, vital statistics, and for the conduct of public health surveillance and interventions. The Rule permits public health reporting to private persons who are contractors for or agents of the public health authority. The Rule also recognizes the essential role of manufacturers and other private persons in carrying out the Food and Drug Administration's (FDA) public health mission. The Privacy Rule, at Sec. 164.512(b)(1)(iii), specifically permits covered entities to disclose protected health information, without individual authorization, to a person who is subject to the jurisdiction of the FDA for the following specified purposes: (1) To report adverse events, defects or problems, or biological product deviations with respect to products regulated by the FDA (if the disclosure is made to the person required or directed to report such information to the FDA), (2) to track products (if the disclosure is made to the person required or directed to report such information to the FDA), (3) for product recalls, repairs, or replacement, and (4) for conducting post-marketing surveillance to comply with FDA requirements or at the direction of the FDA. The Department received a number of comments on the provisions for public health activities related to FDA-regulated products. The majority of these commenters were concerned that the Privacy Rule constrains important public health surveillance and reporting activities by impeding the flow of needed information to those subject to the FDA's jurisdiction. In particular, commenters noted that limiting disclosures to those that are "required or directed" by FDA does not reflect the breadth of public health activities that are currently being conducted by the private sector on a voluntary basis or under the general auspices of--but not at the direction of--FDA. In general, commenters were concerned that such limitations would stifle current reporting practices. For example, the [[Page 14802]] FDA currently obtains the vast majority of its information about drugs and devices indirectly from health care providers who voluntarily report known adverse events or problems to the manufacturer of the product. The manufacturer may or may not be required to report such adverse events to FDA. Commenters assert that the present language of the Privacy Rule will have a "chilling effect" on these important communications due to uncertainty over the manufacturer's obligation to report to the FDA. Some concern was expressed about the potential liability of a covered entity for a disclosure to an employee of the manufacturer who is not "a person subject to the jurisdiction of the FDA" or to the wrong manufacturer. The Department seeks to assure covered entities that use of the term "a person" was not intended to limit reporting to a single individual within an entity, but to allow reporting to flow as it does today between health care providers and representatives of manufacturers or other companies. Moreover, the Department seeks to clarify that covered entities may continue to disclose protected health information to the companies identified on the product labels as the manufacturer registered with the FDA to distribute the product. To eliminate the "chilling effect" of the Rule, some commenters requested that the Department include in the Rule a "good-faith" safe harbor to protect covered entities from enforcement actions arising from unintentional violations of the Privacy Rule. For example, a health care provider would not have violated the Rule if the disclosure was made in the good faith belief that the entity to whom the adverse event was reported was responsible for the FDA-regulated product, even if it turned out to be the wrong manufacturer. Finally, a number of commenters, including some that are subject to the FDA's jurisdiction, suggested that: identifiable health information is not necessary for some or all of these public health reporting purposes; that identifiable health information is not reported to FDA; and that for purposes of post-marketing surveillance, information without direct identifiers (such as name, mailing address, phone number, social security number, and email address) should suffice. The Department recognizes that there must be a balance between the need for public health activities that benefit every individual by safeguarding the effectiveness, safety, and quality of the products regulated by the FDA, and the privacy interests of specific individuals. However, the comments did not offer a consensus as to which activities could be performed without identifiable information or which identifiers, if any, were needed. In Section III.I of this preamble regarding De- identification issues, the Department is soliciting comments on a limited data set for use for specific purposes, including public health. The Department also requests comments as to whether this limited data set should be required or permitted for some or all public health purposes or if a special rule should be developed for public health reporting. The Department did not intend the Privacy Rule to discourage or prevent the reporting of adverse events or otherwise disrupt the flow of essential information that FDA and persons subject to the jurisdiction of FDA need in order to carry out their important public health activities. Therefore, the Department proposes a number of changes to eliminate uncertainties identified by the commenters, and, thereby, encourage covered entities to continue to report and cooperate in these essential public health activities. The proposed modifications attempt to recognize and preserve current public health activities of persons subject to the jurisdiction of the FDA while not diminishing the health information privacy protections for individuals. Specifically, the Department proposes to remove from Sec. 164.512(b)(1)(iii)(A) and (B) the phrase "if the disclosure is made to a person required or directed to report such information to the Food and Drug Administration" and to remove from subparagraph (D) the phrase "to comply with requirements or at the direction of the Food and Drug Administration." In lieu of this language, HHS proposes to describe at the outset the public health purposes for which disclosures may be made. The proposed language reads: "A person subject to the jurisdiction of the Food and Drug Administration (FDA) with respect to an FDA-regulated product or activity for which that person has responsibility, for the purpose of activities related to the quality, safety or effectiveness of such FDA-regulated product or activity." The Department proposes to retain the listing of specific activities identified in paragraphs (A), (B), (C), and (D), to give covered entities additional assurance that public health disclosures for these activities are permissible under the Privacy Rule. The listing, however, is no longer an exclusive list of FDA-related public health activities, but rather is a list of examples of the most common activities. Additionally, language has been added to paragraph (C) to include "lookback" activities which are necessary for tracking blood and plasma products, as well as quarantining tainted blood or plasma and notifying recipients of such tainted products. The privacy of individuals' health information would continue to be protected through the limitations placed on the permissible disclosures for FDA purposes. Specifically, such disclosures must relate to FDA- regulated products or activities for which the person using or receiving the information has responsibility, and for activities related to the safety, effectiveness, or quality of such FDA-regulated product or activity. The Department is not proposing a good-faith safe harbor at this time because it believes that these proposed modifications will adequately address the concerns and uncertainties facing covered entities. However, the Department is interested in hearing from affected parties as to whether the proposed modifications are adequate or if additional measures are necessary for health care providers or others to continue to report this vital information about FDA-regulated products or activities. 6. Hybrid Entities. The Privacy Rule defines covered entities that primarily engage in activities that are not covered functions--i.e., functions that relate to the entity's operation as a health plan, health care provider, or health care clearinghouse--as hybrid entities. See Sec. 164.504(a). In order to limit the burden on such entities, most of the requirements of the Privacy Rule only apply to the health care component(s) of the hybrid entity and not to the parts of the entity that do not engage in covered functions. The health care component(s) include those components of the entity that perform covered functions and other components of the entity that support those covered functions, in the same way such support may be provided by a business associate. A covered entity that is a hybrid entity is required to define and designate those parts of the entity that engage in the covered functions and "business associate" functions and that are, therefore, part of the health care component(s). The health care component is designed to include components that engage in "business associate" functions because it is impossible for the entity to contract with itself and the authorization requirement would limit the ability to engage in necessary health care operations functions. The hybrid entity is also required to create adequate separation (i.e., fire walls) between the health care component(s) and other components of [[Page 14803]] the entity. Transfer of protected health information held by the health care component to other components of the hybrid entity is a disclosure under the Privacy Rule and is only allowed to the same extent as such disclosure would be permitted to a separate entity. Examples of hybrid entities are: (1) corporations that are not in the health care industry, but that operate on-site health clinics, and (2) insurance carriers that have multiple lines of business which include both health insurance and other insurance lines such as general liability or property and casualty insurance. A "hybrid entity" is defined in the Privacy Rule as an entity "whose covered functions are not its primary functions." (emphasis added). In the preamble to the Privacy Rule, the Department explained that the use of the term "primary" in the definition of a "hybrid entity" was not intended to operate with mathematical precision. The Department intended a common sense evaluation of whether the covered entity mostly operates as a health plan, health care provider, or health care clearinghouse. If an entity's primary activity was engaging in covered functions, then the whole entity would be a covered entity and the hybrid entity provisions would not apply. However, if the covered entity primarily conducted non-health activities, it would qualify as a hybrid entity and would be required to comply with the Privacy Rule with respect to its health care component(s). Commenters expressed concern that the policy guidance in the preamble was insufficient as long as the Privacy Rule itself limited the hybrid entity provisions to entities that primarily conducted non-health related activities. There were particular concerns in cases in which the health plan line of business was the primary business, and the line of business that is one of the excepted benefits, e.g., workers' compensation insurance, was only a small portion of the business. There were also concerns about what "primary" meant if not a mathematical calculation and how the entity would know whether or not it was a hybrid entity based on the guidance in the preamble. As a result of these comments, the Department proposes to delete the term "primary" from the definition of "hybrid entity" in Sec. 164.504(a). In order to avoid the problem of line drawing, the Department proposes to permit any covered entity to be a hybrid entity if it is a single legal entity that performs both covered and non- covered functions, regardless of whether the non-covered functions represent that entity's primary function, a substantial function, or even a small portion of the entity's activities. The Department proposes to permit covered entities that could qualify as hybrid entities to choose whether or not they want to be hybrid entities. Elimination of the requirement in the definition of "hybrid entity" that covered functions not be the "primary" functions of the covered entity would greatly increase the proportion of covered entities that are hybrid entities. In order to avoid the burden of requiring many more covered entities to designate the health care components and create fire walls within their entity when it is administratively simpler to treat the entire entity as a covered entity, the proposal would allow the covered entity to choose whether it will be a hybrid entity or not. To accomplish this objective, the proposed definition of "hybrid entity" would require that in order to be a hybrid entity, a covered entity that otherwise qualifies must designate health care components. If a covered entity does not designate health care components, the entire entity would be a covered entity. There are advantages and disadvantages to being a hybrid entity. Whether or not the advantages outweigh the disadvantages will be a decision of each covered entity that may qualify as a hybrid entity and will be influenced by factors such as how the entity is organized and the proportion of the entity that must be included in the health care component. Where the non-covered functions of the entity are only a small portion of the entity, it will likely be more efficient to simply consider the entire entity as a covered entity. Nonetheless, the Department is proposing to permit flexibility for covered entities to choose whether or not to be treated as a covered entity entirely or as a hybrid entity. The Department also proposes to simplify the definition of "health care component" in Sec. 164.504(a) to make clear that a health care component is whatever the covered entity designates as the health care component, consistent with the provisions regarding designation in Sec. 164.504(c)(3)(iii). The specific language regarding which components make up a health care component would be in the implementation specification that addresses designation of health care components. The Department proposes to move this specific language because it provides requirements and directions that are more appropriately placed in an implementation specification. The Department proposes that health care components may include: (1) Components of the covered entity that engage in covered functions, and (2) any component that engages in activities that would make such component a business associate of a component that performs covered functions if the two components were separate legal entities. With respect to the components that perform covered functions, the Department also clarifies that a hybrid entity must include in its health care component(s) any component that would meet the definition of "covered entity" if it were a separate legal entity. "Covered functions" are those functions of a covered entity that make the entity a health plan, health care provider, or health care clearinghouse. However, there was some ambiguity as to whether a component of a covered entity that is a health care provider, but that does not conduct standard electronic transactions, must be included in the health care component. The proposed language would clarify that any component that would be a covered entity if it were a separate legal entity must be included in the health care component. Under these proposed changes, a component that is a health care provider and that engages in standard electronic transactions must be included in the health care component, but a component that is a health care provider but that does not engage in standard electronic transactions may, but would not be required to, be included in the health care component of the hybrid entity. The decision would be left to the covered entity in the second case. For example, in a university setting, the single legal entity may operate hospital facilities that bill electronically and research laboratories that do not engage in any electronic billing. The modification would clarify that the university as a hybrid entity need only include the hospital facilities that bill electronically in the health care component. The modification also would make clear that the university has the option to include the components, such as the research laboratory, that function as a health care provider, but not as a covered health care provider. A covered entity that chooses to include a non-covered health care provider in their health care component would be required to ensure that the non- covered health care provider, as well as the rest of the health care component, is in compliance with the Privacy Rule. There is also a conforming change in the proposed language in Sec. 164.504(c)(1)(ii) to make it clear that a reference to a "covered health care provider" in the Privacy Rule could [[Page 14804]] include the functions of a health care provider who does not engage in electronic transactions, if the covered entity chooses to include such functions in the health care component. With respect to the language regarding components that engage in "business associate" functions, the Department does not make any substantive change. The components of a hybrid that may provide services to the component that performs covered functions, such as a portion of the legal or accounting departments of the entity, may be included in the health care component so protected health information can be shared with such components of the entity without requiring business associate agreements or individual authorizations. The related language in paragraph (2)(ii) of the definition of "health care component" in the Privacy Rule that requires the "business associate" functions include the use of protected health information is not included in this proposed Rule because it is redundant. It is important to note that a covered entity may include components that engage in "business associate" functions in its health care component or not. It is not a violation of the Privacy Rule to fail to include such a component in the health care component designation. However, a disclosure of protected health information from the health care component to such other component if it is not part of the health care component is the same as a disclosure outside the covered entity and is a violation unless it is permitted by the Privacy Rule. Because an entity cannot have a business associate contract with itself, such a disclosure likely would require individual authorization. Finally, to avoid needless application of the hybrid entity provisions to a covered entity's activities as an employer, rather than as a health plan, health care provider, or health care clearinghouse, the Department proposes to modify the definition of "protected health information" in Sec. 164.501. The preamble to the Privacy Rule makes clear that the Privacy Rule does not treat employment records as protected health information. To avoid any confusion or misinterpretation on this point, the Department proposes to expressly exclude employment records held by a covered entity in its role as employer from the definition of "protected health information." In that way, employment records will be treated in the same manner as student medical records covered by FERPA, which the Privacy Rule excludes from the definition of "protected health information." This change will limit the need for a covered entity, whose primary activities are covered functions, to designate itself as a hybrid entity simply to carve out employment records. It is important to note that the exception from the definition of "protected health information" for employment records only applies to individually identifiable health information in those records that are held by a covered entity in its role as employer. The exception does not apply to individually identifiable health information held by a covered entity when carrying out its health plan or health care provider functions. Such information would be protected health information. The Department specifically is soliciting comments on whether the term "employment records" is clear or whether it needs to be more fully explained. It would be particularly helpful if commenters could identify certain types of records that should be included or excluded from "employment records." 7. Technical Corrections. The Privacy Rule contained some technical and typographical errors. Therefore, the Department proposes to make the following corrections: a. In Sec. 160.102(b), beginning in the second line, "section 201(a)(5) of the Health Insurance Portability Act of 1996, (Pub. L. 104-191)," is replaced with "42 U.S.C. 1320a-7c(a)(5)". b. In Sec. 160.203(b), in the second line, "health information" is replaced with "individually identifiable health information". c. In Sec. 164.102, "implementation standards" is corrected to read "implementation specifications." d. In Sec. 164.501, in the definition of "protected health information", "Family Educational Right and Privacy Act" is corrected to read "Family Educational Rights and Privacy Act." e. In Sec. 164.508(b)(1)(ii), in the fifth line, the word "be" is deleted. f. In Sec. 164.508(b)(3)(iii), a comma is added after the words "psychotherapy notes". g. In Sec. 164.510(b)(3), in the third line, the word "for" is deleted. h. In Sec. 164.512(b)(1)(v)(A), in the fourth line, the word "a" is deleted. i. In Sec. 164.512(b)(1)(v)(C), in the eighth line, the word "and" is added after the semicolon. j. In Sec. 164.512(f)(3), paragraphs (ii) and (iii) are redesignated as (i) and (ii), respectively. k. In Sec. 164.512(g)(2), in the seventh line, the word "to" is added after the word "directors." l. In Sec. 164.512(i)(1)(iii)(A), in the second line, the word "is" after the word "sought" is deleted. m. In Sec. 164.522(a)(1)(v), in the sixth line, "Secs. 164.502(a)(2)(i)" is corrected to read "Secs. 164.502(a)(2)(ii)". n. In Sec. 164.530(i)(4)(ii)(A), in the second line, "the requirements" is replaced with the word "specifications". IV. Preliminary Regulatory Impact Analysis Federal law (5 U.S.C. 804(2), as added by section 251 of Pub. L. 104-21), specifies that a "major rule" is any rule that the Office of anagement and Budget finds is likely to result in: An annual effect on the economy of $100 million or more; A major increase in costs or prices for consumers, individual industries, federal, State, or local government agencies, or geographic regions; or Significant adverse effects in competition, employment, investment productivity, innovation, or on the ability of United States based enterprises to compete with foreign-based enterprises in domestic and export markets. The impact of the modifications proposed in this rulemaking would be a net reduction of costs associated with the Privacy Rule of approximately $100 million. Therefore, this Rule is a major rule as defined in 5 U.S.C. 804(2). Executive Order 12866 directs agencies to assess all costs and benefits of available regulatory alternatives and, when regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects; distributive impacts; and equity). According to Executive Order 12866, a regulatory action is "significant" if it meets any one of a number of specified conditions, including having an annual effect on the economy of $100 million or more, adversely affecting in a material way a sector of the economy, competition, or jobs, or if it raises novel legal or policy issues. The purpose of the regulatory impact analysis is to assist decision-makers in understanding the potential ramifications of a regulation as it is being developed. The analysis is also intended to assist the public in understanding the general economic ramifications of the regulatory changes. The Privacy Rule included a regulatory impact analysis (RIA), which estimated the cost of the Privacy Rule at $17.6 billion over ten years. 65 FR 82462, 82758. The changes to the Privacy Rule proposed by this notice of proposed rulemaking are a result of comment by the industry and the public at large identifying a number of unintended consequences of the Privacy [[Page 14805]] Rule that could adversely affect access to, or the quality of health care delivery. These proposed changes should facilitate implementation and compliance with the Privacy Rule, and lower the costs and burdens associated with the Privacy Rule while maintaining the confidentiality of protected health information. The proposed changes would affect five areas of the Privacy Rule that will have an economic impact: (1) Consent; (2) notice; (3) marketing; (4) research; and (5) business associates. In addition, the proposal contains a number of changes that, though important, can be categorized as clarifications of intended policy. For example, the modifications would permit certain uses and disclosures of protected health information that are incidental to an otherwise permitted use or disclosure. This change would recognize such practices as the need for physicians to talk to patients in semi-private hospital rooms or nurses to communicate with others in public areas, and avoids the costs covered entities might have incurred to reconfigure facilities as necessary to ensure absolute privacy for these common treatment-related communications. This and other modifications in this proposal (other than those described below) clarify the intent of the standards in the Privacy Rule and, as such, do not change or alter the associated costs that were estimated for the Privacy Rule. There are no new costs or savings by these changes, and therefore, there is no cost estimate made here for them. A. Summary of Costs and Benefits in Final Regulatory Impact Statement The Privacy Rule was estimated to produce net costs of $17.6 billion, with net present value costs of $11.8 billion (2003 dollars) over ten years (2003-2012). The Department estimates the modifications in this proposal would lower the net cost of the Privacy Rule by approximately $100 million over ten years. Measuring both the economic costs and benefits of health information privacy was recognized as a difficult task. The paucity of data and incomplete information on current industry privacy and information system practices made cost estimation a challenge. Benefits were difficult to measure because they are, for the most part, inherently intangible. Therefore, the regulatory impact analysis in the Privacy Rule focused on the key policy areas addressed by the privacy standards, some of which would be affected by the proposed modifications in this rulemaking. B. Proposed Modifications To Prevent Barriers to Access to or Quality of Health Care The changes proposed in this rulemaking are intended to address the possible adverse effects of the final privacy standards on an individual's access to, or the quality of, health care. The modifications touch on five of the key policy areas addressed by the final regulatory impact analysis, including consent, research, marketing, notice, and business associates. Consent Under the Privacy Rule, a covered health care provider with a direct treatment relationship with an individual must obtain the individual's prior written consent for use or disclosure of protected health information for treatment, payment, or health care operations, subject to a limited number of exceptions. Other covered health care providers and health plans may obtain such a consent if they so choose. The initial cost of the consent requirement was estimated to be $42 million. Based on assumptions for growth in the number of patients, the total costs for ten years was estimated to be $103 million. See 65 FR 82771 (December 28, 2000).\2\ --------------------------------------------------------------------------- \2\ The total cost for consent in the regulatory impact analysis showed an initial cost of $166 million and $227 million over ten years. Included in these total numbers is the cost of tracking patient requests to restrict the disclosure of their health information. This right is not changed in these modifications. The numbers here represent the costs associated with the consent functions that are proposed to be repealed. --------------------------------------------------------------------------- The proposed modifications would eliminate the consent requirement. The consent requirement posed many difficulties for an individual's access to health care, and was problematic for operations essential for the quality of the health care delivery system. However, any health care provider or health plan may choose to obtain an individual's consent for treatment, payment, and health care operations. The elimination of the consent requirement reduces the initial cost of the privacy standards by $42 million in the first year and by $103 million over ten years. As explained in detail in section III.A.1. above, many comments that the Department received in March 2001 and testimony before the NCVHS revealed that the consent requirements in the Privacy Rule create unintended barriers to timely provision of care, particularly with respect to use and disclosure of health information prior to a health care provider's first face-to-face contact with the individual. These and other barriers discussed above would have entailed costs not anticipated in the economic analyses in the Privacy Rule. These comments also revealed that the consent requirements create administrative burdens, for example, with respect to tracking the status and revocation of consents, that were not foreseen and thus not included in that economic analysis. Therefore, while the estimated costs of the consent provisions were $103 million, comments have suggested that the costs were likely to be much higher. If these comments are accurate, the cost savings associated with retracting the consent provisions would, therefore, also be significantly higher than $103 million. Notice In eliminating the consent requirement, the Department proposes to preserve the opportunity for a covered health care provider with a direct treatment relationship with an individual to engage in a meaningful communication about the provider's privacy practices and the individual's rights by strengthening the notice requirements. Under the Privacy Rule, these health care providers are required to distribute to individuals their notice of privacy practices no later than the date of the first service delivery after the compliance date. The modifications would not change this distribution requirement, but would add a new documentation requirement. A covered health care provider with a direct treatment relationship would be required to make a good faith effort to obtain the individual's acknowledgment of receipt of the notice provided at the first service delivery. The form of the acknowledgment is not prescribed and can be as unintrusive as retaining a copy of the notice initialed by the individual. If the provider's good faith effort fails, documentation of the attempt is all that would be required. Since the modification would not require any change in the form of the notice or its distribution, the ten-year cost estimate of $391 million for these areas in the Privacy Rule's impact analysis remains the same. See 65 FR 82770 (December 28, 2000). However, the additional effort by direct treatment providers in obtaining and documenting the individual's acknowledgment of receipt of the notice would add costs. This new requirement would attach only to the initial provision of notice by a direct treatment provider to an individual after the compliance date. Under the proposed modification, providers would have considerable flexibility on how to achieve this. Some providers could [[Page 14806]] choose to obtain the required written acknowledgment on a separate piece of paper, while others could take different approaches, such as an initialed check-off sheet or a signature line on the notice itself with the provider keeping a copy. In the original analysis, the Department estimated that the consent cost would be $0.05 per page based on the fact that the consent had to be a stand alone document requiring a signature. This proposed modification to the notice requirement would provide greater flexibility and, therefore, greater opportunity to reduce costs compared to the consent requirement. The Department estimates that the additional cost of the signature requirement, on average, would be $0.03 per notice. Based on data obtained from the Medical Expenditure Panel Survey (MEPS), which estimate the number of patient visits in a year, the Department estimates that in the first year there would be 816 million notices distributed, including the new additional information needed to acknowledge receipt of the notice. Over the next nine years, the Department estimates, again based on MEPS data, that there would be 5.3 billion visits to health care providers by new patients (established patients will not need to receive another copy of the notice). At $0.03 per document, the first year cost would be $24 million and the total cost over ten years would be $184 million. Business Associates The Privacy Rule requires a covered entity to have a written contract, or other arrangement that documents satisfactory assurances that a business associate will appropriately safeguard protected health information in order to disclose protected health information to the business associate. The regulatory impact analysis for the Privacy Rule provided cost estimates for two aspects of this requirement. In the Privacy Rule, $103 million in first-year costs was estimated for development of a standard business associate contract language. (There were additional costs associated with these requirements related to the technical implementation of new data transfer protocols, but these are not affected by the changes being proposed here.) In addition, $197 million in first-year costs and $697 million in total costs over ten years were estimated in the Privacy Rule for the review and oversight of existing business associate contracts. The modifications do not change the standards for business associate contracts or the implementation specifications with respect to the covered entity's responsibilities for managing the contracts. However, as part of this proposal, the Department is including model business associate contract language. This model is only suggested language and is not a complete contract. The model language is designed to be adapted to the business arrangement between the covered entity and the business associate and to be incorporated into a contract drafted by the parties. The final regulatory impact analysis assumed the development of such standard language by trade and professional associations. While this has, in fact, been occurring, the Department continues to receive requests for model contract language, particularly from small health care providers. The Department expects that trade and professional associations will continue to provide assistance to their members. However, the model contract language in this proposal will simplify their efforts by providing a base from which they can develop language. The Department had estimated $103 million in initial year costs for this activity based on the assumption it would require one hour per non-hospital provider and two hours for hospitals and health plans to develop contract language and to tailor the language to the particular needs of the covered entity. The additional time for hospitals and health plans reflected the likelihood that these covered entities would have a more extensive number of business associate relationships. Because there will be less effort expended than originally estimated in the Privacy Rule, the Department estimates a reduction in contract development time by one-third because of the availability of the model language. Thus, the Department now estimates that this activity will take 40 minutes for non-hospital providers and 80 minutes for hospitals and health plans. The Department estimates that the savings from the proposed business associate contract language would be approximately $35 million in the first year. The Department is also proposing in this rulemaking to give covered entities additional time to review their existing business associate contracts and to conform written contracts to the privacy standards. Under the proposal, a covered entity's written business associate contracts, existing at the time the modifications become effective, would be deemed to comply with the privacy standards until such time as the contracts are renewed or modified or until April 14, 2004, whichever is earlier. The effect of this proposal would be to spread first year costs over an additional year, with a corresponding postponement of the costs estimated for the out years. However, the Department has no reliable information as to the number of contracts potentially affected by the modification or how long a delay may occur. Therefore, the Department does not compute any cost savings to this modification. arketing Under Sec. 164.514(e) of the Privacy Rule, certain health-related communications are subject to special conditions on marketing communications, if they also serve to promote the use or sale of a product or service. These marketing conditions require that particular disclosures be made as part of the marketing materials sent to individuals. Absent these disclosures, protected health information can only be used or disclosed in connection with such marketing communications with the individual's authorization. The Department is aware that the Privacy Rule's Sec. 164.514(e) conditions for health- related communications create a potential burden on covered entities to make difficult assessments regarding many of their communications. The proposed modifications to the marketing provisions would relieve the burden on covered entities by making most marketing subject to an authorization requirement and eliminating the Sec. 164.514(e) conditions on marketing communications. In developing the final impact analysis for the Privacy Rule, the Department was unable to estimate the cost of the marketing provisions. There was too little data and too much variation in current practice to estimate how the Privacy Rule might affect marketing. The same remains true today. However, the proposed modifications would relieve burden on the covered entities in making communications for treatment and certain health care operations relative to the requirements in the Privacy Rule. Although the Department cannot provide a quantifiable estimate, the effect of these proposed changes will be to lower costs relative to the Privacy Rule. Research In the final impact analysis for the Privacy Rule, the Department estimated the total cost of the provisions requiring documentation of an Institutional Review Board (IRB) or Privacy Board waiver of individual authorization for the use or disclosure of protected health information for a research purpose as $40 million for the first year and $585 [[Page 14807]] million for the ten-year period. The costs were estimated based on the time that an IRB or privacy board would need to consider a request for a waiver under the criteria provided in the Privacy Rule. See 65 FR 82770-82771 (December 28, 2000). The proposed modification would simplify and reduce the number of criteria required for an IRB or Privacy Board to approve a waiver of authorization in three ways. First, the proposal would simplify the criteria for waivers to better conform to the Common Rule's waiver criteria for informed consent to participate in the research study. Second, the proposal would simplify the accounting procedures for research by eliminating the need to account for disclosures based on individual authorization. Third, the proposal would simplify the authorization process for research to facilitate the combining of the informed consent for participation in the research itself with all authorizations required under the Privacy Rule. Therefore, the Department estimates that the net effect of these modifications would be to reduce the time necessary to assemble the necessary waivers and for an IRB or Privacy Board to consider and act on waiver requests by one quarter. The Department estimates these simplifications would reduce the expected costs first year costs by $10 million and the ten year costs by $146 million, relative to the Privacy Rule. Since this initial estimate is based on limited information available to the Department, the Department requests information to better assess this cost savings. Privacy Rule Modifications--Ten-Year Cost Estimates ---------------------------------------------------------------------------------------------------------------- Change due to Policy Original Cost Modification modification ---------------------------------------------------------------------------------------------------------------- Consent.............................. $103 million........... Provision removed...... -$103 million.\1\ Notice............................... $391 million........... Good faith effort to +$184 million. obtain acknowledgment of receipt. arketing............................ Not scored due to lack Fewer activities Reduction in cost but of data. constitute marketing. magnitude cannot be estimated. Business Associates.................. $103 million for Model language provided -$35 million. contract modifications. Research............................. $585 million........... Waiver requirements -$146 million. simplified. Net Change........................... ....................... ....................... -$100 million. ---------------------------------------------------------------------------------------------------------------- \1\ As noted above in the discussion on consent, while the estimated costs of the consent provisions were $103 million, comments have suggested that the costs were likely to be much higher. If these comments are accurate, the cost savings associated with retracting the consent provisions would, therefore, also be significantly higher than $103 million. C. Costs to the Federal Government The proposed changes in this Rule will result in small savings to the federal government relative to the costs that would have occurred under the Privacy Rule. Although there will be some increase in costs for the new requirements for obtaining acknowledgment for receipt of the notice, these costs are partially offset by the savings in the elimination of the consent. As discussed above, to the extent comments are accurate that the costs for the consent provisions are much higher than estimated, the cost savings associated with the retraction of these provisions would, therefore, be significantly higher. The Department does not believe the federal government engages in significant marketing as defined in the Privacy Rule. The federal government will have business associates under the Privacy Rule, and therefore, the model language proposed in this rulemaking will be of benefit to federal departments and agencies. The Department has not estimated the federal government's portion of the $35 million savings it estimated for this change. Similarly, the federal government, which conducts and sponsors a significant amount of research that is subject to IRBs, will realize some savings as a result of the research modifications proposed in this rulemaking. The Department does not have sufficient information, however, to estimate the federal government's portion of the total $146 million savings with respect to research modifications. D. Costs to State and Local Government The proposed changes also may affect the costs to state and local governments. However, these effects likely will be small. As with the federal government, state and local governments will have any costs of the additional notice requirement offset by the savings realized by the elimination of the consent requirement. As discussed above, to the extent comments are accurate that the costs for the consent provisions are much higher than estimated, the cost savings associated with the retraction of these provisions would, therefore, be significantly higher. State and local governments could realize savings from the model language for business associates and the changes in research, but the savings are likely to be small. The Department does not have sufficient information to estimate the state and local government's share of the net savings from the proposed changes. E. Benefits The benefits of these modifications would be lower costs, and enhanced implementation and compliance with the Privacy Rule without compromising the protection of individually identifiable health information or access to quality health care. F. Alternatives In July 2001, the Department clarified the Privacy Rule in guidance, where feasible, to resolve some of the issues raised by commenters. Issues that could not adequately be addressed through guidance because of the need for a regulatory change are addressed in this proposed Rule. The Department examined a number of alternatives to these proposed provisions. One alternative was to not make any changes to the Privacy Rule, but this option was rejected for the reasons explained throughout the preamble. The Department also considered various alternatives to specific provisions in the development of this proposed Rule. These alternatives are generally discussed above, where appropriate. V. Preliminary Regulatory Flexibility Analysis The Department also examined the impact of this proposed Rule as required [[Page 14808]] by the Small Business Regulatory Enforcement and Fairness Act (SBREFA) (5 U.S.C. 601, et seq.). SBREFA requires agencies to determine whether a rule will have a significant economic impact on a substantial number of small entities. The law does not define the thresholds to use in implementing the law and the Small Business Administration discourages establishing quantitative criteria. However, the Department has long used two criteria--the number of entities affected and the impact on revenue and costs--for assessing whether a regulatory flexibility analysis is necessary. Department guidelines state that an impact of three to five percent should be considered a significant economic impact. Based on these criteria, the Department has determined that a regulatory flexibility analysis is not required. As described in the Regulatory Flexibility Analysis for the Privacy Rule, most covered entities are small businesses--approximately 465,000. See Table A, 65 FR 82780 (December 28, 2000). Lessening the burden for small entities, consistent with the intent of protecting privacy, was an important consideration in developing these modifications. However, as discussed in the Preliminary Regulatory Impact Analysis, above, the net affect of the proposed changes is an overall savings of approximately $100 million over ten years. Even if all of this savings were to accrue to small entities (an over estimation), the impact per small entity would be de minimis. VI. Collection of Information Requirements Under the Paperwork Reduction Act (PRA) of 1995, the Department is required to provide 60-day notice in the Federal Register and solicit public comment before a collection of information requirement is submitted to the Office of Management and Budget (OMB) for review and approval. In order to fairly evaluate whether an information collection should be approved by OMB, section 3506(c)(2)(A) of the PRA requires that the Department solicit comment on the following issues: The need for the information collection and its usefulness in carrying out the proper functions of the agency. The accuracy of the estimate of the information collection burden. The quality, utility, and clarity of the information to be collected. Recommendations to minimize the information collection burden on the affected public, including automated collection techniques. In accordance with these requirements, the Department is soliciting public comments on the model business associate contract language displayed in the Appendix to this proposed Rule. The Department provides these model business associate contract provisions in response to numerous requests for guidance. These provisions are designed to help covered entities more easily comply with the business associate contract requirements of the Privacy Rule. However, use of these model provisions is not required for compliance with the Privacy Rule. Nor is the model language a complete contract. Rather, the model language is designed to be adapted to the business arrangement between the covered entity and the business associate and to be incorporated into a contract drafted by the parties. Section 164.506--Consent for Treatment, Payment, and Health Care Operations Under the Privacy Rule, a covered health care provider that has a direct treatment relationship with individuals must, except in certain circumstances, obtain an individual's consent to use or disclose protected health information to carry out treatment, payment, and health care operations. The modifications would eliminate this requirement. While the consent requirement is subject to the PRA, the Department believes that the burden associated with the requirement is exempt from the PRA as stipulated under 5 CFR 1320.3(b)(2). Therefore, the modification does not affect the paperwork burden associated with the Privacy Rule. Section 164.520--Notice of Privacy Practices for Protected Health Information The modifications would impose a good faith effort on direct treatment providers to obtain an individual's acknowledgment of receipt of the notice of privacy practices for protected health information and to document such acknowledgment or, in the absence of such acknowledgment, the entity's good faith efforts to obtain it. In addition, a covered entity would have to retain the acknowledgment or documentation of the good faith effort as required by Sec. 164.530(j). The Department is continuing to work on estimating the burden imposed by the Privacy Rule. The estimate for the acknowledgment of receipt of the notice will be reflected in the paperwork reduction package to be submitted to OMB as required by the PRA. The Department has submitted a copy of this proposed Rule to OMB for its review of the information collection requirements described above. These requirements are not effective until they have been approved by OMB. If you comment on any of these information collection and record keeping requirements, please mail copies directly to the following: Center for Medicaid and Medicare Services, Information Technology Investment Management Group, Division of CMS Enterprise Standards, Room C2-26-17, 7500 Security Boulevard, Baltimore, MD 21244-1850. ATTN: John Burke, HIPAA Privacy; and Office of Information and Regulatory Affairs, Office of Management and Budget, Room 10235, New Executive Office Building, Washington, DC 20503, ATTN: Allison Herron Eydt, CMS Desk Officer. VII. Unfunded Mandates Section 202 of the Unfunded Mandates Reform Act of 1995 also requires that agencies assess anticipated costs and benefits before issuing any rule that may result in an expenditure by State, local, or tribal governments, in the aggregate, or by the private sector, of $110 million in a single year. A final cost-benefit analysis was published in the Privacy Rule of December 28, 2000 (65 FR 82462, 82794). In developing the final Privacy Rule, the Department adopted the least burdensome alternatives, consistent with achieving the Rule's goals. The Department does not believe that the modifications in the proposed Rule would qualify as an unfunded mandate under the statute. VIII. Environmental Impact The Department has determined under 21 CFR 25.30(k) that this action is of a type that does not individually or cumulatively have a significant effect on the human environment. Therefore, neither an environmental assessment nor an environmental impact statement is required. IX. Executive Order 13132: Federalism Executive Order 13132 establishes certain requirements that an agency must meet when it promulgates a proposed rule (and subsequent Privacy Rule) that imposes substantial direct requirement costs on State and local governments, preempts State law, or otherwise has Federalism implications. The federalism implications of the Privacy Rule were assessed as required by Executive Order 13132 and published in the Privacy Rule of [[Page 14809]] December 28, 2000 (65 FR 82462, 82797). The proposed change with the most direct effect on federalism principles concerns the clarifications regarding the rights of parents and minors under State law. The modifications would make clear the intent of the Department to defer to State law with respect to such rights. Therefore, the Department believes that the modifications in this proposed Rule would not significantly affect the rights, roles and responsibilities of States. Appendix to the Preamble--Model Business Associate Contract Provisions Introduction The Department of Health and Human Services provides these model business associate contract provisions in response to numerous requests for guidance. This is only model language. These provisions are designed to help covered entities more easily comply with the business associate contract requirements of the Privacy Rule. However, use of these model provisions is not required for compliance with the Privacy Rule. The language may be amended to more accurately reflect business arrangements between the covered entity and the business associate. These or similar provisions may be incorporated into an agreement for the provision of services between the entities or they may be incorporated into a separate business associate agreement. These provisions only address concepts and requirements set forth in the Privacy Rule and alone are not sufficient to result in a binding contract under State law and do not include many formalities and substantive provisions that are required or typically included in a valid contract. Reliance on this model is not sufficient for compliance with state law and does not replace consultation with a lawyer or negotiations between the parties to the contract. Furthermore, a covered entity may want to include other provisions that are related to the Privacy Rule but that are not required by the Privacy Rule. For example, a covered entity may want to add provisions in a business associate contract in order for the covered entity to be able to rely on the business associate to help the covered entity meet its obligations under the Privacy Rule. In addition, there may be permissible uses or disclosures by a business associate that are not specifically addressed in these model provisions. For example, the Privacy Rule does not preclude a business associate from disclosing protected health information to report unlawful conduct in accordance with Sec. 164.502(j). However, there is not a specific model provision related to this permissive disclosure. These and other types of issues will need to be worked out between the parties. odel Business Associate Contract Provisions \1\ --------------------------------------------------------------------------- \1\ Words or phrases contained in brackets are intended as either optional language or as instructions to the users of these model provisions and are not intended to be included in the contractual provisions. --------------------------------------------------------------------------- Definitions (alternative approaches) Catch-all definition: Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in 45 CFR 160.103 and 164.501. Examples of specific definitions: (a) Business Associate. "Business Associate" shall mean [Insert Name of Business Associate]. (b) Covered Entity. "Covered Entity" shall mean [Insert Name of Covered Entity]. (c) Individual. "Individual" shall have the same meaning as the term "individual" in 45 CFR 164.501 and shall include a person who qualifies as a personal representative in accordance with 45 CFR 164.502(g). (d) Privacy Rule. "Privacy Rule" shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR part 160 and part 164, subparts A and E. (e) Protected Health Information. "Protected Health Information" shall have the same meaning as the term "protected health information" in 45 CFR 164.501, limited to the information created or received by Business Associate from or on behalf of Covered Entity. (f) Required By Law. "Required By Law" shall have the same meaning as the term "required by law" in 45 CFR 164.501. (g) Secretary. "Secretary" shall mean the Secretary of the Department of Health and Human Services or his designee. Obligations and Activities of Business Associate (a) Business Associate agrees to not use or further disclose Protected Health Information other than as permitted or required by the Agreement or as Required By Law. (b) Business Associate agrees to use appropriate safeguards to prevent use or disclosure of the Protected Health Information other than as provided for by this Agreement. (c) Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Agreement. [This provision may be included if it is appropriate for the Covered Entity to pass on its duty to mitigate damages by a Business Associate.] (d) Business Associate agrees to report to Covered Entity any use or disclosure of the Protected Health Information not provided for by this Agreement. (e) Business Associate agrees to ensure that any agent, including a subcontractor, to whom it provides Protected Health Information received from, or created or received by Business Associate on behalf of Covered Entity agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information. (f) Business Associate agrees to provide access, at the request of Covered Entity, and in the time and manner designated by Covered Entity, to Protected Health Information in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 CFR 164.524. [Not necessary if business associate does not have protected health information in a designated record set.] (g) Business Associate agrees to make any amendment(s) to Protected Health Information in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 CFR 164.526 at the request of Covered Entity or an Individual, and in the time and manner designated by Covered Entity. [Not necessary if business associate does not have protected health information in a designated record set.] (h) Business Associate agrees to make internal practices, books, and records relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, Covered Entity available to the Covered Entity, or at the request of the Covered Entity to the Secretary, in a time and manner designated by the Covered Entity or the Secretary, for purposes of the Secretary determining Covered Entity's compliance with the Privacy Rule. (i) Business Associate agrees to document such disclosures of Protected Health Information and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR 164.528. (j) Business Associate agrees to provide to Covered Entity or an Individual, in time and manner designated by Covered Entity, information collected in accordance with Section [Insert Section Number in Contract Where Provision (i) Appears] of this Agreement, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR 164.528. Permitted Uses and Disclosures by Business Associate General Use and Disclosure Provisions (alternative approaches) Specify purposes: Except as otherwise limited in this Agreement, Business Associate may use or disclose Protected Health Information on behalf of, or to provide services to, Covered Entity for the following purposes, if such use or disclosure of Protected Health Information would not violate the Privacy Rule if done by Covered Entity: [List Purposes]. Refer to underlying services agreement: Except as otherwise limited in this Agreement, Business Associate may use or disclose Protected Health Information to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in [Insert Name of Services Agreement], provided that such use or disclosure would not violate the Privacy Rule if done by Covered Entity. [[Page 14810]] Specific Use and Disclosure Provisions [only necessary if parties wish to allow Business Associate to engage in such activities] (a) Except as otherwise limited in this Agreement, Business Associate may use Protected Health Information for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate. (b) Except as otherwise limited in this Agreement, Business Associate may disclose Protected Health Information for the proper management and administration of the Business Associate, provided that disclosures are required by law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as required by law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached. (c) Except as otherwise limited in this Agreement, Business Associate may use Protected Health Information to provide Data Aggregation services to Covered Entity as permitted by 42 CFR 164.504(e)(2)(i)(B). Obligations of Covered Entity Provisions for Covered Entity to Inform Business Associate of Privacy Practices and Restrictions [provisions dependent on business arrangement] (a) Covered Entity shall provide Business Associate with the notice of privacy practices that Covered Entity produces in accordance with 45 CFR 164.520, as well as any changes to such notice. (b) Covered Entity shall provide Business Associate with any changes in, or revocation of, permission by Individual to use or disclose Protected Health Information, if such changes affect Business Associate's permitted or required uses and disclosures. (c) Covered Entity shall notify Business Associate of any restriction to the use or disclosure of Protected Health Information that Covered Entity has agreed to in accordance with 45 CFR 164.522. Permissible Requests by Covered Entity Covered Entity shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under the Privacy Rule if done by Covered Entity. [Include an exception if the Business Associate will use or disclose protected health information for, and the contract includes provisions for, data aggregation or management and administrative activities of Business Associate]. Term and Termination (a) Term. The Term of this Agreement shall be effective as of [Insert Effective Date], and shall terminate when all of the Protected Health Information provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy Protected Health Information, protections are extended to such information, in accordance with the termination provisions in this Section. (b) Termination for Cause. Upon Covered Entity's knowledge of a material breach by Business Associate, Covered Entity shall provide an opportunity for Business Associate to cure the breach or end the violation and terminate this Agreement [and the ____ Agreement/ sections ____ of the ____ Agreement] if Business Associate does not cure the breach or end the violation within the time specified by Covered Entity, or immediately terminate this Agreement [and the ____ Agreement/sections ____ of the ____ Agreement] if Business Associate has breached a material term of this Agreement and cure is not possible. [Bracketed language in this provision may be necessary if there is an underlying services agreement. Also, opportunity to cure is permitted, but not required by the Privacy Rule.] (c) Effect of Termination. (1) Except as provided in paragraph (2) of this section, upon termination of this Agreement, for any reason, Business Associate shall return or destroy all Protected Health Information received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. This provision shall apply to Protected Health Information that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the Protected Health Information. (2) In the event that Business Associate determines that returning or destroying the Protected Health Information is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Upon mutual agreement of the Parties that return or destruction of Protected Health Information is infeasible, Business Associate shall extend the protections of this Agreement to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such Protected Health Information. iscellaneous (a) Regulatory References. A reference in this Agreement to a section in the Privacy Rule means the section as in effect or as amended, and for which compliance is required. (b) Amendment. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for Covered Entity to comply with the requirements of the Privacy Rule and the Health Insurance Portability and Accountability Act, Public Law 104-191. (c) Survival. The respective rights and obligations of Business Associate under Section [Insert Section Number Related to "Effect of Termination"] of this Agreement shall survive the termination of this Agreement. (d) Interpretation. Any ambiguity in this Agreement shall be resolved in favor of a meaning that permits Covered Entity to comply with the Privacy Rule. List of Subjects 45 CFR Part 160 Electronic transactions, Employer benefit plan, Health, Health care, Health facilities, Health insurance, Health records, Medicaid, edical research, Medicare, Privacy, Reporting and record keeping requirements. 45 CFR Part 164 Electronic transactions, Employer benefit plan, Health, Health care, Health facilities, Health insurance, Health records, Medicaid, edical research, Medicare, Privacy, Reporting and record keeping requirements. Dated: March 12, 2002. Tommy G. Thompson, Secretary. For the reasons set forth in the preamble, the Department proposes to amend 45 CFR Subtitle A, Subchapter C, as follows: PART 160--GENERAL ADMINISTRATIVE REQUIREMENTS 1. The authority citation for part 160 continues to read as follows: Authority: Sec. 1171 through 1179 of the Social Security Act, (42 U.S.C. 1320d-1329d-8) as added by sec. 262 of Pub. L. 104-191, 110 Stat. 2021-2031 and sec. 264 of Pub. L. 104-191 (42 U.S.C. 1320d-2(note)). Sec. 160.102 [Amended] 2. Amend Sec. 160.102(b), by removing the phrase "section 201(a)(5) of the Health Insurance Portability Act of 1996, (Pub. L. 104-191)" and adding in its place the phrase "the Social Security Act, 42 U.S.C. 1320a-7c(a)(5)". 3. In Sec. 160.103 add the definition of "individually identifiable health information" in alphabetical order to read as follows: Sec. 160.103 Definitions. * * * * * Individually identifiable health information is information that is a subset of health information, including demographic information collected from an individual, and: (1) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (i) That identifies the individual; or (ii) With respect to which there is a reasonable basis to believe the [[Page 14811]] information can be used to identify the individual. * * * * * 4. In Sec. 160.202 revise paragraphs (2) and (4) of the definition of "more stringent" to read as follows: Sec. 160.202 Definitions. * * * * * More stringent means * * * (2) With respect to the rights of an individual, who is the subject of the individually identifiable health information, regarding access to or amendment of individually identifiable health information, permits greater rights of access or amendment, as applicable. * * * * * (4) With respect to the form, substance, or the need for express legal permission from an individual, who is the subject of the individually identifiable health information, for use or disclosure of individually identifiable health information, provides requirements that narrow the scope or duration, increase the privacy protections afforded (such as by expanding the criteria for), or reduce the coercive effect of the circumstances surrounding the express legal permission, as applicable. * * * * * Sec. 160.203 [Amended] 5. Amend Sec. 160.203(b) by adding the words "individually identifiable" before the word "health". PART 164--SECURITY AND PRIVACY Subpart E--Privacy of Individually Identifiable Health Information 1. The authority citation for part 164 continues to read as follows: Authority: 42 U.S.C. 1320d-2 and 1320d-4, sec. 264 of Pub. L. 104-191, 110 Stat. 2033-2034 (42 U.S.C. 1320d-2(note)). Sec. 164.102 [Amended] 2. Amend Sec. 164.102 by removing the words "implementation standards" and adding in its place the words "implementation specifications." Sec. 164.500 [Amended] 3. In Sec. 164.500, remove "consent," from paragraph (b)(1)(v). Sec. 164.501 [Amended] 4. Amend Sec. 164.501 as follows: a. In the definition of "health care operations" remove from the introductory text of the definition ", and any of the following activities of an organized health care arrangement in which the covered entity participates" and revise paragraphs (6)(iv) and (v). b. Remove the definition of "individually identifiable health information". c. Revise the definition of "marketing". d. In paragraph (1)(ii) of the definition of "payment," remove the word "covered". e. Revise paragraph (2) of the definition of "protected health information". The revisions read as follows: Sec. 164.501 Definitions. * * * * * Health care operations means * * * (6) * * * (iv) The sale, transfer, merger, or consolidation of all or part of a covered entity with another covered entity, or an entity that following such activity will become a covered entity and due diligence related to such activity; and (v) Consistent with the applicable requirements of Sec. 164.514, creating de-identified health information and fundraising for the benefit of the covered entity. * * * * * Marketing means to make a communication about a product or service to encourage recipients of the communication to purchase or use the product or service. Marketing excludes a communication made to an individual: (1) To describe the entities participating in a health care provider network or health plan network, or to describe if, and the extent to which, a product or services (or payment for such product or service) is provided by a covered entity or included in a plan of benefits; (2) For treatment of that individual; or (3) For case management or care coordination for that individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to that individual. * * * * * Protected health information means * * * (2) Protected health information excludes individually identifiable health information in: (i) Education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g; (ii) Records described at 20 U.S.C. 1232g(a)(4)(B)(iv); and (iii) Employment records held by a covered entity in its role as employer. * * * * * 5. Amend Sec. 164.502 as follows: a. Revise paragraphs (a)(1)(ii), (iii), and (vi). b. Revise paragraph (b)(2)(ii). c. Redesignate paragraphs (b)(2)(iii) through (v) as paragraphs (b)(2)(iv) through (vi). d. Add a new paragraph (b)(2)(iii). e. Redesignate paragraphs (g)(3)(i) through (iii) as (g)(3)(i)(A) through (C) and redesignate paragraph (g)(3) as (g)(3)(i). f. Add new paragraphs (g)(3)(ii) and (iii). The revisions and additions read as follows: Sec. 164.502 Uses and disclosures of protected health information: general rules. (a) Standard. * * * (1) Permitted uses and disclosures. * * * (ii) For treatment, payment, or health care operations, as permitted by and in compliance with Sec. 164.506; (iii) As incident to a use or disclosure otherwise permitted or required by this subpart, provided that the covered entity has complied with the applicable requirements of Sec. 164.502(b), Sec. 164.514(d), and Sec. 164.530(c) with respect to such otherwise permitted or required uses or disclosures; * * * * * (vi) As permitted by and in compliance with this section, Sec. 164.512, or Sec. 164.514(f) and (g). * * * * * (b) Standard: Minimum necessary. * * * (2) Minimum necessary does not apply. * * * (ii) Uses or disclosures made to the individual, as permitted under paragraph (a)(1)(i) of this section or as required by paragraph (a)(2)(i) of this section; (iii) Uses or disclosures made pursuant to an authorization under Sec. 164.508; * * * * * (g)(1) Standard: Personal representatives. * * * (3) Implementation specification: unemancipated minors. (i) * * * (ii) Notwithstanding the provisions of paragraph (g)(3)(i) of this section: (A) A covered entity may disclose protected health information about an unemancipated minor to a parent, guardian, or other person acting in loco parentis if an applicable provision of State or other law, including applicable case law, permits or requires such disclosure; and (B) A covered entity may not disclose protected health information about an unemancipated minor to a parent, guardian, or other person acting in loco parentis if an applicable provision of State or other law, including applicable case law, prohibits such disclosure. [[Page 14812]] (iii) Notwithstanding the provisions of paragraph (g)(3)(i) of this section, a covered entity must, consistent with State or other applicable law, provide a right of access, as set forth in Sec. 164.524 to either: (A) A parent, guardian, or other person acting in loco parentis, as the personal representative of the unemancipated minor; (B) The unemancipated minor; or (C) Both. * * * * * 6. Amend Sec. 164.504 as follows: a. In paragraph (a), revise the definitions of "health care component" and "hybrid entity". b. Revise paragraph (c)(1)(ii). c. Revise paragraph (c)(3)(iii). d. Revise paragraph (f)(1)(i). e. Add paragraph (f)(1)(iii). The revisions and addition read as follows: Sec. 164.504 Uses and disclosures: Organizational requirements. (a) Definitions. * * * Health care component means a component or combination of components of a hybrid entity designated by the hybrid entity in accordance with paragraph (c)(3)(iii) of this section. Hybrid entity means a single legal entity: (1) That is a covered entity; (2) Whose business activities include both covered and non-covered functions; and (3) That designates health care components in accordance with paragraph (c)(3)(iii) of this section. * * * * * (c)(1) Implementation specification: Application of other provisions. * * * (ii) A reference in such provision to a "health plan," "covered health care provider," or "health care clearinghouse" refers to a health care component of the covered entity if such health care component performs the functions of a health plan, health care provider, or health care clearinghouse, as applicable; and * * * * * (3) Implementation specifications: Responsibilities of the covered entity. * * * (iii) The covered entity is responsible for designating the components that are part of one or more health care components of the covered entity and documenting the designation as required by Sec. 164.530(j), provided that if the covered entity designates a health care component or components, it must include any component that would meet the definition of covered entity if it were a separate legal entity. Health care component(s) may include a component that performs: (A) covered functions; and (B) activities that would make such component a business associate of a component that performs covered functions if the two components were separate legal entities. * * * * * (f)(1) Standard: Requirements for group health plans. (i) Except as provided under paragraph (f)(1)(ii) or (iii) of this section or as otherwise authorized under Sec. 164.508, a group health plan, in order to disclose protected health information to the plan sponsor or to provide for or permit the disclosure of protected health information to the plan sponsor by a health insurance issuer or HMO with respect to the group health plan, must ensure that the plan documents restrict uses and disclosures of such information by the plan sponsor consistent with the requirements of this subpart. * * * * * (iii) The group health plan, or a health insurance issuer or HMO with respect to the group health plan, may disclose to the plan sponsor information on whether the individual is participating in the group health plan, or is enrolled in or has disenrolled from a health insurance issuer or HMO offered by the plan to the plan sponsor. * * * * * 7. Revise Sec. 164.506 to read as follows: Sec. 164.506 Uses and disclosures to carry out treatment, payment, or health care operations. (a) Standard: Permitted uses and disclosures. Except with respect to uses or disclosures that require an authorization under Sec. 164.508(a)(2) and (3), a covered entity may use or disclose protected health information for treatment, payment, or health care operations as set forth in paragraph (c) of this section, provided that such use or disclosure is consistent with other applicable requirements of this subpart. (b) Standard: Consent permitted. (1) A covered entity may obtain consent of the individual to use or disclose protected health information to carry out treatment, payment, or health care operations. (2) Consent of an individual under this paragraph shall not be effective to permit a use or disclosure of protected health information that is not otherwise permitted or required by this subpart. (c) Implementation specifications: Treatment, payment, or health care operations. (1) A covered entity may use or disclose protected health information for its own treatment, payment, or health care operations. (2) A covered entity may disclose protected health information for treatment activities of another health care provider. (3) A covered entity may disclose protected health information to another covered entity or health care provider for the payment activities of the entity that receives the information. (4) A covered entity may disclose protected health information to another covered entity for health care operations activities of the entity that receives the information, if both entities have a relationship with the individual who is the subject of the protected health information being requested, and the disclosure is: (i) For a purpose listed in paragraph (1) or (2) of the definition of health care operations; or (ii) For the purpose of health care fraud and abuse detection or compliance. (5) A covered entity that participates in an organized health care arrangement may disclose protected health information about an individual to another covered entity that participates in the organized health care arrangement for any health care operations activities of the organized health care arrangement. 8. Amend Sec. 164.508 as follows: a. Remove "consistent with consent requirements in Sec. 164.506" in paragraph (a)(2)(i). b. Add "the" before "originator" in paragraph (a)(2)(i)(A). c. Remove the word "in" after the term "covered entity" and add in its place the words "for its own" in paragraph (a)(2)(i)(B). d. Add the words "itself in" after the word "defend" in paragraph (a)(2)(i)(C). e. Add paragraph (a)(3). f. Revise paragraphs (b)(1)(i). g. Remove the word "be" in paragraph (b)(1)(ii). h. Remove ", (d), (e), or (f)" from paragraph (b)(2)(ii). i. Remove paragraph (b)(2)(iv). j. Redesignate paragraphs (b)(2)(v) and (vi) as paragraphs (b)(2)(iv) and (v). k. Add "or (4)" after "(b)(3)" in redesignated paragraph (b)(2)(iv). l. Revise paragraphs (b)(3)(i). m. Add a comma after the term "psychotherapy notes" in paragraph (b)(3)(iii). n. Remove "under paragraph (f) of" and add in its place "for the use or disclosure of protected health information for such research under" in paragraph (b)(4)(i). [[Page 14813]] o. Add the word "and" at the end of paragraph (b)(4)(ii)(B). p. Remove paragraph (b)(4)(iii). q. Redesignate paragraph (b)(4)(iv) as paragraph (b)(4)(iii). r. Add "or the policy itself" after the word "policy" in paragraph (b)(5)(ii). s. Remove paragraphs (d), (e), and (f). t. Revise paragraph (c). The revisions and addition read as follows: Sec. 164.508 Uses and disclosures for which an authorization is required. (a) Standard: Authorizations for uses and disclosures. * * * (3) Authorization required: Marketing. (i) Notwithstanding any other provision of this subpart other than Sec. 164.532, a covered entity must obtain an authorization for any use or disclosure of protected health information for marketing, except if the communication is in the form of: (A) A face-to-face communication made by a covered entity to an individual; or (B) A promotional gift of nominal value provided by the covered entity. (ii) If the marketing is expected to result in direct or indirect remuneration to the covered entity from a third party, the authorization must state that such remuneration is expected. * * * * * (b) Implementation specifications: General requirements. * * * (1) Valid authorizations. (i) A valid authorization is a document that meets the requirements in paragraphs (c)(1) and (2) of this section. * * * * * (3) Compound authorizations. * * * (i) An authorization for the use or disclosure of protected health information for a specific research study may be combined with any other type of written permission for the same research study, including another authorization for the use or disclosure of protected health information for such research or a consent to participate in such research; * * * * * (c) Implementation specifications: Core elements and requirements. (1) Core elements. A valid authorization under this section must contain at least the following elements: (i) A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion. (ii) The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure. (iii) The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure. (iv) A description of each purpose of the requested use or disclosure. The statement "at the request of the individual" is a sufficient description of the purpose when an individual initiates the authorization and does not, or elects not to, provide a statement of the purpose. (v) An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. The following statements meet the requirements for an expiration date or an expiration event if the appropriate conditions apply: (A) The statement "end of the research study" or similar language is sufficient if the authorization is for a use or disclosure of protected health information for research. (B) The statement "none" or similar language is sufficient if the authorization is for the covered entity to use or disclose protected health information for the creation and maintenance of a research database or research repository. (vi) Signature of the individual and date. If the authorization is signed by a personal representative of the individual, a description of such representative's authority to act for the individual must also be provided. (2) Required statements. In addition to the core elements, the authorization must contain statements adequate to place the individual on notice of all of the following: (i) The individual's right to revoke the authorization in writing, and either: (A) The exceptions to the right to revoke and a description of how the individual may revoke the authorization; or (B) To the extent that the information in paragraph (c)(2)(i)(A) of this section is included in the notice required by Sec. 164.520, a reference to the covered entity's notice. (ii) The ability or inability to condition treatment, payment, enrollment or eligibility for benefits on the authorization, by stating either: (A) The covered entity may not condition treatment, payment, enrollment or eligibility for benefits on whether the individual signs the authorization when the prohibition on conditioning of authorizations in paragraph (b)(4) of this section applies; or (B) The consequences to the individual of a refusal to sign the authorization when, in accordance with paragraph (b)(4) of this section, the covered entity can condition treatment, enrollment in the health plan, or eligibility for benefits on failure to obtain such authorization. (iii) The potential for information disclosed pursuant to the authorization to be subject to redisclosure by the recipient and no longer be protected by this rule. (3) Plain language requirement. The authorization must be written in plain language. (4) Copy to the individual. If a covered entity seeks an authorization from an individual for a use or disclosure of protected health information, the covered entity must provide the individual with a copy of the signed authorization. 9. Amend Sec. 164.510 as follows: a. Revise the first sentence of the introductory text. b. Remove the word "for" from paragraph (b)(3). The revision reads as follows: Sec. 164.510 Uses and disclosures requiring an opportunity for the individual to agree or to object. A covered entity may use or disclose protected health information, provided that the individual is informed in advance of the use or disclosure and has the opportunity to agree to or prohibit or restrict the use or disclosure, in accordance with the applicable requirements of this section. * * * * * * * * 10. Amend Sec. 164.512 as follows: a. Revise the section heading and the first sentence of the introductory text. b. Revise paragraph (b)(1)(iii). c. In paragraph (b)(1)(v)(A) remove the word "a" before the word "health." d. Add the word "and" after the semicolon at the end of paragraph (b)(1)(v)(C). e. Redesignate paragraphs (f)(3)(ii) and (iii) as (f)(3)(i) and (ii). f. In the second sentence of paragraph (g)(2) add the word "to" after the word "directors." g. In paragraph (i)(1)(iii)(A) remove the word "is" after the word "disclosure." h. Revise paragraph (i)(2)(ii). The revisions read as follows: Sec. 164.512 Uses and disclosures for which an authorization or opportunity to agree or object is not required. A covered entity may use or disclose protected health information without the written authorization of the individual, as described in Sec. 164.508, or the opportunity for the individual to agree or object as described in Sec. 164.510, in the situations covered by this section, [[Page 14814]] subject to the applicable requirements of this section. * * * * * * * * (b) Standard: uses and disclosures for public health activities. (1) Permitted disclosures. * * * (iii) A person subject to the jurisdiction of the Food and Drug Administration (FDA) with respect to an FDA-regulated product or activity for which that person has responsibility, for the purpose of activities related to the quality, safety or effectiveness of such FDA- regulated product or activity. Such purposes include: (A) To collect or report adverse events (or similar activities with respect to food or dietary supplements), product defects or problems (including problems with the use or labeling of a product), or biological product deviations; (B) To track FDA-regulated products; (C) To enable product recalls, repairs, or replacement, or lookback (including locating and notifying individuals who have received products that have been recalled, withdrawn, or are the subject of lookback); or (D) To conduct post marketing surveillance; * * * * * (i) Standard: Uses and disclosures for research purposes. * * * (2) Documentation of waiver approval. * * * (ii) Waiver criteria. A statement that the IRB or privacy board has determined that the alteration or waiver, in whole or in part, of authorization satisfies the following criteria: (A) The use or disclosure of protected health information involves no more than a minimal risk to the privacy of individuals, based on, at least, the presence of the following elements; (1) An adequate plan to protect the identifiers from improper use and disclosure; (2) An adequate plan to destroy the identifiers at the earliest opportunity consistent with conduct of the research, unless there is a health or research justification for retaining the identifiers or such retention is otherwise required by law; and (3) Adequate written assurances that the protected health information will not be reused or disclosed to any other person or entity, except as required by law, for authorized oversight of the research study, or for other research for which the use or disclosure of protected health information would be permitted by this subpart; (B) The research could not practicably be conducted without the waiver or alteration; and (C) The research could not practicably be conducted without access to and use of the protected health information. * * * * * 11. Amend Sec. 164.514 as follows: a. Revise paragraph (b)(2)(i)(R). b. Revise paragraph (d)(1). c. Revise paragraph (d)(4)(iii). d. Remove and reserve paragraph (e). The revisions read as follows: Sec. 164.514 Other requirements relating to uses and disclosures of protected health information. * * * * * (b) Implementation specifications: Requirements for de- identification of protected health information. * * * (2)(i) * * * (R) Any other unique identifying number, characteristic, or code, except as permitted by paragraph (c) of this section; and * * * * * (d)(1) Standard: minimum necessary requirements. In order to comply with Sec. 164.502(b) and this section, a covered entity must meet the requirements of paragraphs (d)(2) through (d)(5) of this section with respect to a request for or the use and disclosure of protected health information. * * * * * (4) Implementation specifications: Minimum necessary requests for protected health information. * * * (iii) For all other requests, a covered entity must: (A) Develop criteria designed to limit the request for protected health information to the information reasonably necessary to accomplish the purpose for which the request is made; and (B) Review requests for disclosure on an individual basis in accordance with such criteria. * * * * * (e) [Removed and Reserved] * * * * * 12. Amend Sec. 164.520 as follows: a. Remove the word "consent or" from paragraph (b)(1)(ii)(B). b. Revise paragraph (c)(2)(i). c. Redesignate paragraphs (c)(2)(ii) and (iii) as (c)(2)(iii) and (iv). d. Add new paragraph (c)(2)(ii). e. Amend redesignated paragraph (c)(2)(iv) by removing "(c)(2)(ii)" and adding in its place "(c)(2)(iii)'. f. Revise paragraph (c)(3)(iii) by adding a sentence at the end. g. Revise paragraph (e). The revisions and addition read as follows: Sec. 164.520 Notice of privacy practices for protected health information. * * * * * (c) Implementation specifications: provision of notice. * * * (2) Specific requirements for certain covered health care providers. * * * (i) Provide the notice: (A) No later than the date of the first service delivery, including service delivered electronically, to such individual after the compliance date for the covered health care provider; or (B) In an emergency treatment situation, as soon as reasonably practicable after the emergency treatment situation. (ii) Except in an emergency treatment situation, make a good faith effort to obtain a written acknowledgment of receipt of the notice provided in accordance with paragraph (c)(2)(i) of this section, and if not obtained, document its good faith efforts to obtain such acknowledgment and the reason why the acknowledgment was not obtained; * * * * * (3) Specific requirements for electronic notice. * * * (iii) * * * The requirements in paragraph (c)(2)(ii) of this section apply to electronic notice. * * * * * (e) Implementation specifications: Documentation. A covered entity must document compliance with the notice requirements, as required by Sec. 164.530(j), by retaining copies of the notices issued by the covered entity and, if applicable, any written acknowledgments of receipt of the notice or documentation of good faith efforts to obtain such written acknowledgment, in accordance with paragraph (c)(2)(ii) of this section. Sec. 164.522 [Amended] 13. Amend Sec. 164.522 by removing the reference to "164.502(a)(2)(i)" in paragraph (a)(1)(v), and adding in its place "164.502(a)(2)(ii)". 14. Amend Sec. 164.528 as follows: a. In paragraph (a)(1)(i), remove "Sec. 164.502" and add in its place "Sec. 164.506". b. Redesignate paragraphs (a)(1)(iii) through (vi) as (a)(1)(iv) through (vii). c. Add paragraph (a)(1)(iii). d. Revise paragraph (b)(2)(iv) in its entirety. e. Remove "or pursuant to a single authorization under Sec. 164.508," from paragraph (b)(3). The addition and revision read as follows: Sec. 164.528 Accounting of disclosures of protected health information. (a) Standard: Right to an accounting of disclosures of protected health information. [[Page 14815]] (1) * * * (iii) Pursuant to an authorization as provided in Sec. 164.508. * * * * * (b) Implementation specifications: Content of the accounting. * * * (2) * * * (iv) A brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure or, in lieu of such statement, a copy of a written request for a disclosure under Secs. 164.502(a)(2)(ii) or 164.512, if any. * * * * * 15. Amend Sec. 164.530 as follows: a. Redesignate paragraph (c)(2) as (c)(2)(i). b. Add paragraph (c)(2)(ii). c. Remove the words "the requirements" from paragraph (i)(4)(ii)(A) and add in their place the word "specifications." The addition reads as follows: Sec. 164.530 Administrative requirements. * * * * * (c) Standard: Safeguards. * * * (2) Implementation specifications: Safeguards. (i) * * * (ii) A covered entity must reasonably safeguard protected health information to limit incidental uses or disclosures made pursuant to an otherwise permitted or required use or disclosure. * * * * * 16. Revise Sec. 164.532 to read as follows: Sec. 164.532 Transition Provisions. (a) Standard: Effect of prior authorizations. Notwithstanding Secs. 164.508 and 164.512(i), a covered entity may use or disclose protected health information, consistent with paragraphs (b) and (c) of this section, pursuant to an authorization or other express legal permission obtained from an individual permitting the use or disclosure of protected health information, informed consent of the individual to participate in research, or a waiver of informed consent by an IRB. (b) Implementation specification: Effect of prior authorization for purposes other than research. Notwithstanding any provisions in Sec. 164.508, a covered entity may use or disclose protected health information that it created or received prior to the applicable compliance date of this subpart pursuant to an authorization or other express legal permission obtained from an individual prior to the applicable compliance date of this subpart, provided that the authorization or other express legal permission specifically permits such use or disclosure and there is no agreed-to restriction in accordance with Sec. 164.522(a). (c) Implementation specification: Effect of prior permission for research. Notwithstanding any provisions in Secs. 164.508 and 164.512(i), a covered entity may use or disclose, for a specific research study, protected health information that it created or received either before or after the applicable compliance date of this subpart, provided that there is no agreed-to restriction in accordance with Sec. 164.522(a) and that the covered entity has obtained, prior to the applicable compliance date, either: (1) The authorization or other express legal permission from an individual to use or disclose protected health information for the research study; (2) The informed consent of the individual to participate in the research study; or (3) A waiver, by an IRB, of informed consent for the research study, in accordance with 7 CFR 1c.116(d), 10 CFR 745.116(d), 14 CFR 1230.116(d), 15 CFR 27.116(d), 16 CFR 1028.116(d), 21 CFR 50.24, 22 CFR 225.116(d), 24 CFR 60.116(d), 28 CFR 46.116(d), 32 CFR 219.116(d), 34 CFR 97.116(d), 38 CFR 16.116(d), 40 CFR 26.116(d), 45 CFR 46.116(d), 45 CFR 690.116(d), or 49 CFR 11.116(d), provided that a covered entity must obtain authorization in accordance with Sec. 164.508 if, after the compliance date, informed consent is sought from an individual participating in the research study. (d) Standard: Effect of prior contracts or other arrangements with business associates. Notwithstanding any other provisions of this subpart, a covered entity, other than a small health plan, may disclose protected health information to a business associate and may allow a business associate to create, receive, or use protected health information on its behalf pursuant to a written contract or other written arrangement with such business associate that does not comply with Secs. 164.502(e) and 164.504(e) consistent with the requirements, and only for such time, set forth in paragraph (e) of this section. (e) Implementation specification: Deemed compliance.--(1) Qualification. Notwithstanding other sections of this subpart, a covered entity, other than a small health plan, is deemed to be in compliance with the documentation and contract requirements of Secs. 164.502(e) and 164.504(e), with respect to a particular business associate relationship, for the time period set forth in paragraph (e)(2) of this section, if: (i) Prior to the effective date of this provision, such covered entity has entered into and is operating pursuant to a written contract or other written arrangement with a business associate for such business associate to perform functions or activities or provide services that make the entity a business associate; and (ii) The contract or other arrangement is not renewed or modified from the effective date of this provision and until the compliance date set forth in Sec. 164.534. (2) Limited deemed compliance period. A prior contract or other arrangement that meets the qualification requirements in paragraph (e) of this section, shall be deemed compliant until the earlier of: (i) The date such contract or other arrangement is renewed or modified on or after the compliance date set forth in Sec. 164.534; or (ii) April 14, 2004. (3) Covered entity responsibilities. Nothing in this section shall alter the requirements of a covered entity to comply with part 160, subpart C of this subchapter and Secs. 164.524, 164.526, and 164.528 with respect to protected health information held by a business associate. [FR Doc. 02-7144 Filed 3-21-02; 12:00 pm] BILLING CODE 4153-01-P