department of labor: 67 14775

8/14/2019 Department of Labor: 67 14775

1/41

Wednesday,

March 27, 2002

Part II

Department ofHealth and HumanServices45 CFR Parts 160 and 164

Office of the Secretary; Standards forPrivacy of Individually Identifiable HealthInformation; Proposed Rule

VerDate Mar2002 11:28 Mar 26, 2002 Jkt 197001 PO 00000 Frm 00001 Fmt 4717 Sfmt 4717 E:\FR\FM\27MRP2.SGM pfrm03 PsN: 27MRP2


2/41

14776 Federal Register / Vol. 67, No. 59 / Wednesday, March 27, 2002/ Proposed Rules

DEPARTMENT OF HEALTH ANDHUMAN SERVICES

Office of the Secretary

45 CFR Parts 160 and 164

RIN 0991AB14

Standards for Privacy of Individually

Identifiable Health Information

AGENCY: Office for Civil Rights, HHS.ACTION: Proposed rule; modification.

SUMMARY: The Department of Health andHuman Services (HHS) proposes tomodify certain standards in the Ruleentitled Standards for Privacy ofIndividually Identifiable HealthInformation (the Privacy Rule). ThePrivacy Rule implements the privacyrequirements of the AdministrativeSimplification subtitle of the HealthInsurance Portability andAccountability Act of 1996.

The purpose of this action is topropose changes that maintain strongprotections for the privacy ofindividually identifiable healthinformation while clarifyingmisinterpretations, addressing theunintended negative effects of thePrivacy Rule on health care quality oraccess to health care, and relievingunintended administrative burdencreated by the Privacy Rule.DATES: To assure consideration, writtencomments mailed to the Department asprovided below must be postmarked nolater than April 26, 2002, and written

comments hand delivered to theDepartment and comments submittedelectronically must be received asprovided below, no later than 5 p.m. onApril 26, 2002.ADDRESSES: Comments will beconsidered only if provided through anyof the following means:

1. Mail written comments (1 originaland, if possible, 3 copies and a floppydisk) to the following address: U.S.Department of Health and HumanServices, Office for Civil Rights,Attention: Privacy 2, Hubert H.Humphrey Building, Room 425A, 200

Independence Avenue, SW.,Washington, DC 20201.2. Deliver written comments (1

original and, if possible, 3 copies and afloppy disk) to the following address:Attention: Privacy 2, Hubert H.Humphrey Building, Room 425A, 200Independence Avenue, SW.,Washington, DC 20201.

3. Submit electronic comments at thefollowing Web site: http://www.hhs.gov/ocr/hipaa/.

See the SUPPLEMENTARY INFORMATIONsection for further information on

comment procedures, availability ofcopies, and electronic access.FOR FURTHER INFORMATION CONTACT:Felicia Farmer 1866OCRPRIV (18666277748) or TTY 18667884989.

SUPPLEMENTARY INFORMATION: Commentprocedures, availability of copies, and

electronic access.Comment Procedures: All commentsshould include the full name, address,and telephone number of the sender ora knowledgeable point of contact.Comments should address only thosesections of the Privacy Rule for whichmodifications are being proposed or forwhich comments are requested.Comments on other sections of thePrivacy Rule will not be considered,except insofar as they pertain to thestandards for which modifications areproposed or for which comments arerequested. Each specific commentshould specify the section of the Privacy

Rule to which it pertains.Written comments should include 1

original and, if possible, 3 copies and anelectronic version of the comments on a312 inch DOS format floppy disk inHTML, ASCII text, or popular wordprocessor format (Microsoft Word, CorelWordPerfect). All comments andcontent must be limited to the 8.5inches wide by 11.0 inches high vertical(also referred to as portrait) pageorientation. Additionally, if identical/duplicate comment submissions aresubmitted both electronically at thespecified Web site and in paper form,

the Department requests that eachsubmission clearly indicate that it is aduplicate submission.

Because of staffing and resourcelimitations, the Department will notaccept comments by telephone orfacsimile (FAX) transmission. Anycomments received through such mediawill be deleted or destroyed, asappropriate, and not be considered aspublic comments. The Department willaccept electronic comments only assubmitted through the Web siteidentified in the ADDRESSES sectionabove. No other form of electronic mail

will be accepted or considered as publiccomment. In addition, when mailingwritten comments, the public isencouraged to submit comments as earlyas possible due to potential delays inmail service.

Inspection of Public Comments:Comments that are timely received inproper form and at one of the addressesspecified above will be available forpublic inspection by appointment asthey are received, generally beginningapproximately three weeks afterpublication of this document, at 200

Independence Avenue, SW.,Washington, DC on Monday throughFriday of each week from 9 a.m. to 4p.m. Appointments may be made bytelephoning 1866OCRPRIV (18666277748) or TTY 18667884989.

Copies: To order copies of the FederalRegister containing this document, sendyour request to: New Orders,

Superintendent of Documents, P.O. Box371954, Pittsburgh, PA 152507954.Specify the date of the issue requestedand enclose a check or money orderpayable to the Superintendent ofDocuments, or enclose your Visa orMaster Card number and expirationdate. Credit card orders can also beplaced by calling the order desk at (202)5121800 (or toll-free at 18665121800) or by fax to (202) 5122250. Thecost for each copy is $10.00.Alternatively, you may view andphotocopy the Federal Registerdocument at most libraries designated

as Federal Depository Libraries and atmany other public and academiclibraries throughout the country thatreceive the Federal Register.

Electronic Access: This document isavailable electronically at the OCRPrivacy Web site athttp://www.hhs.gov/ocr/hipaa/,as wellas at the Web site of the GovernmentPrinting Office at http://www.access.gpo.gov/su_docs/aces/aces140.html.

I. Background

A. Statutory Background

Congress recognized the importanceof protecting the privacy of healthinformation given the rapid evolution ofhealth information systems in theHealth Insurance Portability andAccountability Act of 1996 (HIPAA),Public Law 104191, which became lawon August 21, 1996. HIPAAsAdministrative Simplificationprovisions, sections 261 through 264 ofthe statute, were designed to improvethe efficiency and effectiveness of thehealth care system by facilitating theelectronic exchange of information withrespect to financial and administrative

transactions carried out by health plans,health care clearinghouses, and healthcare providers who transmit informationelectronically in connection with suchtransactions. To implement theseprovisions, the statute directed HHS toadopt a suite of uniform, nationalstandards for transactions, uniquehealth identifiers, code sets for the dataelements of the transactions, security ofhealth information, and electronicsignature.

At the same time, Congressrecognized the challenges to the



3/41

14777Federal Register / Vol. 67, No. 59 / Wednesday, March 27, 2002/ Proposed Rules

confidentiality of health informationpresented by the increasing complexityof the health care industry, and byadvances in the health informationsystems technology andcommunications. Thus, theAdministrative Simplificationprovisions of HIPAA authorized theSecretary to promulgate regulations on

standards for the privacy of individuallyidentifiable health information ifCongress did not enact health careprivacy legislation by August 21, 1999.HIPAA also required the Secretary ofHHS to provide Congress withrecommendations for protecting theconfidentiality of health careinformation. The Secretary submittedsuch recommendations to Congress onSeptember 11, 1997, but Congress wasunable to act within its self-imposeddeadline.

With respect to these regulations,HIPAA provided that the standards,

implementation specifications, andrequirements established by theSecretary not supersede any contraryState law that imposes more stringentprivacy protections. Additionally,Congress required that HHS consultwith the National Committee on Vitaland Health Statistics, a FederalAdvisory committee establishedpursuant to section 306(k) of the PublicHealth Service Act (42 U.S.C. 242k(k)),and the Attorney General in thedevelopment of HIPAA privacystandards.

After a set of standards is adopted bythe Department, HIPAA provides HHS

with authority to modify the standardsas deemed appropriate, but not morefrequently than once every 12 months.However, modifications are permittedduring the first year after adoption ofthe standard if the changes arenecessary to permit compliance with thestandard. HIPAA also provides thatcompliance with modifications tostandards or implementationspecifications must be accomplished bya date designated by the Secretary,which may not be earlier than 180 daysfrom the adoption of the modification.

B. Regulatory and Other Actions to Date

As Congress did not enact legislationregarding the privacy of individuallyidentifiable health information prior toAugust 21, 1999, HHS published aproposed Rule setting forth suchstandards on November 3, 1999 (64 FR59918). The Department received morethan 52,000 public comments inresponse to the proposal. Afterreviewing and considering the publiccomments, HHS issued a final Rule (65FR 82462) on December 28, 2000,establishing Standards for Privacy of

Individually Identifiable HealthInformation (Privacy Rule).

In an era where consumers areincreasingly concerned about theprivacy of their personal information,the Privacy Rule creates for the firsttime national protections for the privacyof their most sensitive informationhealth information. Congress has passed

other laws to protect consumerspersonal information contained in bank,credit card, other financial records, andeven video rentals. These health privacyprotections are intended to provideconsumers with similar assurances thattheir health information, includinggenetic information, will be properlyprotected. Under the Privacy Rule,health plans, health care clearinghouses,and certain health care providers mustguard against misuse of individualsidentifiable health information and limitthe sharing of such information, andconsumers are afforded significant new

rights to understand and control howtheir health information is used anddisclosed.

After publication of the Privacy Rule,HHS received many inquiries andunsolicited comments throughtelephone calls, e-mails, letters, andother contacts about the impact andoperation of the Privacy Rule onnumerous sectors of the health careindustry. Many of these commentersexhibited substantial confusion overhow the Privacy Rule will operate;others expressed great concern over thecomplexity of the Privacy Rule. Inresponse to these communications and

to ensure that the provisions of thePrivacy Rule would protect patientsprivacy without creating unanticipatedconsequences that might harm patientsaccess to health care or quality of healthcare, the Secretary of HHS requestedcomment on the Privacy Rule in March2001 (66 FR 12738). After an expeditedreview of the comments by theDepartment, the Secretary decided thatit was appropriate for the Privacy Ruleto become effective on April 14, 2001,as scheduled (65 FR 12433). At the sametime, the Secretary directed theDepartment immediately to begin the

process of developing guidelines onhow the Privacy Rule should beimplemented and to clarify the impactof the Privacy Rule on health careactivities. In addition, the Secretarycharged the Department with proposingappropriate changes to the Privacy Ruleduring the next year to clarify therequirements and correct potentialproblems that could threaten access to,or quality of, health care. The commentsreceived during the comment period, aswell as other communications from thepublic and all sectors of the health care

industry, including letters, testimony atpublic hearings, and meetings requested

by these parties, have helped to informthe Departments efforts to developproposed modifications and guidanceon the Privacy Rule.

On July 6, 2001, the Departmentissued its first guidance to answercommon questions and clarify certain of

the Privacy Rules provisions. In theguidance, the Department alsocommitted to proposing modificationsto the Privacy Rule to address problemsarising from unintended effects of thePrivacy Rule on health care delivery andaccess. The guidance is available on theHHS Office for Civil Rights (OCR)Privacy Web site at http://www.hhs.gov/ocr/hipaa/.

II. Overview of the Proposed Rule

As described above, through publiccomments, testimony at public hearings,meetings at the request of industry andother stakeholders, as well as othercommunications, the Departmentlearned of a number of concerns aboutthe potential unintended effect certainprovisions would have on health caredelivery and access. In response to theseconcerns, and pursuant to HIPAAsprovisions for modifications to thestandards, the Department is proposingmodifications to the Privacy Rule.

In addition, the National Committeefor Vital and Health Statistics (NCVHS),Subcommittee on Privacy andConfidentiality, held public hearings onthe implementation of the Privacy Ruleon August 2123, 2001, and January 24

25, 2002, and providedrecommendations to the Departmentbased on these hearings. The NCVHSserves as the statutory advisory body tothe Secretary of HHS with respect to thedevelopment and implementation of theRules required by the AdministrativeSimplification provisions of HIPAA,including the privacy standards.Through the hearings, the NCVHSspecifically solicited public input onissues related to certain key standards inthe Privacy Rule: consent, minimumnecessary, marketing, fundraising, andresearch. The resultant public testimony

and subsequent recommendationssubmitted to the Department by theNCVHS also served to inform thedevelopment of these proposedmodifications.

Based on the information receivedthrough the various sources describedabove, the Department proposes tomodify the following areas or provisionsof the Privacy Rule: consent, includingother provisions for uses anddisclosures of protected healthinformation for treatment, payment, andhealth care operations; notice of privacy



4/41


practices for protected healthinformation; minimum necessary usesand disclosures, and oralcommunications; business associates;uses and disclosures for marketing;parents as the personal representativesof unemancipated minors; uses anddisclosures for research purposes; usesand disclosures of protected healthinformation for which authorizationsare required; and de-identification ofprotected health information. Inaddition to these key areas, the proposalincludes changes to certain otherprovisions where necessary to clarifythe Privacy Rule. The Department alsoincludes in the proposed Rule a list oftechnical corrections intended aseditorial or typographical corrections tothe Privacy Rule.

The proposed modificationscollectively are designed to ensure thatprotections for patient privacy are

implemented in a manner thatmaximizes the effectiveness of suchprotections while not compromisingeither the availability or the quality ofmedical care. They reflect a continuingcommitment on the part of theDepartment to strong privacyprotections for medical records and the

belief that privacy is most effectivelyprotected by requirements that are notexceptionally difficult to implement. Ifthere are any ways in which privacyprotections are unduly compromised bythese modifications, the Departmentwelcomes comments and suggestions foralternative ways effectively to protectpatient privacy without adverselyaffecting access to, or the quality of,health care.

Given that the compliance date of thePrivacy Rule for most covered entities isApril 14, 2003, and statutoryrequirements to ensure that affectedparties have sufficient time to come intocompliance require any revisions to

become effective by October 13, 2002,the Department is soliciting publiccomment on these proposedmodifications for only 30 days. As

stated above, the modifications addresspublic concerns already communicatedto the Department through a widevariety of sources since publication ofthe Privacy Rule in December 2000. Forthese reasons, the Department believesthat 30 days should be sufficient for thepublic to state its views fully to theDepartment on the proposedmodifications to the Privacy Rule.

III. Description of ProposedModifications

A. Uses and Disclosures for Treatment,Payment, and Health Care Operations

1. Consent

Treatment and payment for healthcare are core functions of the health careindustry, and uses and disclosures ofindividually identifiable healthinformation for such purposes arecritical to the effective operation of thehealth care system. Health careproviders and health plans must alsouse individually identifiable healthinformation for certain health careoperations, such as administrative,financial, and legal activities, to runtheir businesses, and to support theessential health care functions oftreatment and payment. Equallyimportant are health care operationsdesigned to maintain and improve thequality of health care. In developing the

Privacy Rule, the Departmentconsidered the privacy implications ofuses and disclosures for treatment,payment, and health care operations inconnection with the need for theseactivities to continue. In balancing theneed for these activities and the privacyinterests involved in using anddisclosing protected health informationfor these purposes, the Departmentconsidered the fact that manyindividuals expect that their healthinformation will be used and disclosedas necessary to treat them, bill fortreatment, and, to some extent, operate

the covered entitys health carebusiness. Due to individual expectationswith respect to the use or disclosure ofinformation for such activities and so asnot to interfere with an individualsaccess to quality health care or efficientpayment for such health care, theDepartments goal is to permit theseactivities to occur with little or norestriction.

Consistent with this view, the PrivacyRule generally provides covered entitieswith permission to use and discloseprotected health information asnecessary for treatment, payment, and

health care operations. For certainhealth care providers that have a directtreatment relationship with individuals,such as many physicians, hospitals, andpharmacies, the Privacy Rule requiressuch providers to obtain an individualswritten consent prior to using ordisclosing protected health informationfor these purposes.

To implement the consent standard,the Privacy Rule requires a coveredhealth care provider with a directtreatment relationship with theindividual to obtain a single, one-time,

general permission from the individualprior to using or disclosing protectedhealth information about him or her fortreatment, payment, and health careoperations. An individual may revokehis or her consent at any time, exceptto the extent that the covered entity hastaken action in reliance on the consent.The Privacy Rule contains exceptions to

the consent requirements, under whicha provider may use or disclose protectedhealth information without priorconsent when there is an emergencytreatment situation, when a provider isrequired by law to treat the individual,or when there are substantialcommunication barriers. Additionally,

because the Department realizes that ahealth care provider cannot treat apatient without being able to use anddisclose his or her protected healthinformation for treatment purposes, thePrivacy Rule permits a covered healthcare provider to refuse to treat a patient

who refuses to provide consent. Finally,the Privacy Rule permits other coveredentities to voluntarily obtain consent, inaccordance with these consentprovisions.

The consent requirement for healthcare providers with direct treatmentrelationships was a significant changefrom the Departments initial proposalpublished in November 1999. At thattime, the Department proposed topermit all covered entities to use anddisclose protected health information tocarry out treatment, payment, andhealth care operations without any

requirement that the covered entitiesobtain an individuals consent for suchuses and disclosures, subject to a fewlimited exceptions. Further, theDepartment had proposed to prohibitcovered entities from obtaining anindividuals consent for uses anddisclosures of protected healthinformation for these purposes, unlessrequired by other applicable law.Instead, the Department relied on theprinciple of fair notice, coupled withregulatory limits on the use anddisclosure of health information, to

balance the individuals privacy

interests against the need not to impedethe delivery of quality health care.Providing individuals with fair noticeabout the information practices andresponsibilities of their plans andproviders, and their rights with respectto information about them, is a privacyprinciple as important as the principleof consent. Indeed, consents oftenprovide individuals with little actualcontrol over information. When anindividual is required to sign a blanketconsent at the point of treatment as acondition of treatment or payment, that



5/41


consent is often not voluntary. Instead,therefore, the Department proposed torequire most covered entities to createand provide to individuals a noticedescribing all of the entitys informationpractices, including their practices withrespect to uses and disclosures ofprotected health information to carryout treatment, payment, and health care

operations.The Department received a strong

public response opposing this proposal.Health care providers and patientsargued that consent providesindividuals with a sense of control overhow their information will be used anddisclosed, is a current practice of manyhealth care providers, and is expected

by patients. Providers explained thatthey would face an ethical conflict froma prohibition on obtaining consent. Theconsent requirement for direct treatmentproviders was a direct response to thesecomments.

Public Comments

The Department received manycomments in March 2001, as well asrecommendations from the NCVHS

based on public testimony, about theconsent provisions in the Privacy Rule.There were some proponents of consentthat urged the Department to retain,expand, or strengthen the consentprovisions. There were also manyopponents of consent that raised anumber of issues and serious concernsthat the consent requirements willimpede access to, and the delivery of,

quality health care. Most significantly,many covered entities described anarray of circumstances when they needto use or disclose protected healthinformation for treatment, payment, orhealth care operations purposes prior tothe initial face-to-face contact with thepatient, and therefore, prior to obtainingconsent.

Consistent with the comments thatthe Department received after the initialnotice of proposed rulemaking (NPRM),proponents of the consent requirementargued that consent is integral toproviding individuals the opportunity

to be active participants in their ownhealth care and can bolster patient trustin providers. One of the most significantvalues that proponents placed onconsent was that it defines an initialmoment when patients can focus oninformation practices and raisequestions about privacy concerns. Someproponents recommended that theconsent requirement be extended tohealth plans because these entities maynot have the same duty and legalobligation as health care providers tomaintain confidentiality.

Others urged the Department tostrengthen consent by eliminating theability of providers to conditiontreatment on the receipt of consent.There were also some commenters thatthought that consent should be requiredmore frequently. They claimed that theconsent provisions will be ineffective toprovide individuals with control over

how their information will be used ordisclosed because it is general and onlymust be obtained one time. They arguedthat an individual may have differingdegrees of concern about the privacy ofhealth information, depending on thenature of the information raised in theparticular encounter with the provider,and that an initial, one-time consentcannot account for such variation.

At the same time, most coveredentities were concerned aboutsignificant practical problems thatresulted from the consent requirementsin the Privacy Rule. Commenters raised

numerous examples of obstacles that theprior consent provisions will pose totimely access to health care. Health careproviders commented that they oftenuse health information about anindividual for necessary treatment,payment, and health care operationsactivities prior to the first face-to-facecontact with the individual. Under thePrivacy Rule, these routine and oftenessential activities are not permittedunless the provider first obtains consentfrom the individual. Although theconsent only needs to be obtained onetime, there may be problems for newpatients who have not yet provided

consent, for existing patients who havenot yet provided consent after thecompliance date of the Privacy Rule, forpatients who have revoked consent, andfor patients who may have providedconsent, but the provider cannot findsuch documentation.

These concerns were primarily raisedby pharmacists and pharmacies, but thesame issue exists in any referral or newpatient situation. Pharmacists informedus that they typically use individuallyidentifiable health information, receivedfrom a physician, to fill a prescription,search for potential drug interactions,

and determine eligibility and obtainauthorization for payment, before theindividual arrives at the pharmacy topick up the prescription. The consentrequirement would delay such activityfor any first-time customers and formany more customers immediatelyfollowing the compliance date of thePrivacy Rule. Tracking consents inlarge, multi-state pharmacy chains canresult in delays as well. At best, anindividual will experience significantdelays in obtaining his or herprescription if a pharmacist cannot fill

the prescription until the individual ispresent to sign a consent. Even greaterdelays may be experienced byindividuals too ill to pick up their ownprescriptions. Although the PrivacyRule permits a friend or neighbor topick up the prescription, that personmay not have the legal authority to signa consent on the individuals behalf.

Thus, a number of trips back and forthto the pharmacy may be needed toobtain the prior consent. This problemis greatly magnified in rural areas,where persons may travel much longerdistances to see health care providers,including pharmacists.

Similarly, a hospital receivesinformation about a patient from areferring physician and routinely usesthis information to schedule andprepare for procedures before theindividual presents at the hospital forsuch procedure. The Privacy Rulesrequirement that a covered entity obtain

an individuals consent prior to using ordisclosing their information is animpediment to these activities andcould require an individual to make anadditional trip to the hospital simply toprovide consent. The Department didnot intend that the Privacy Ruleinterfere with such activities.

Commenters also raised concerns thatproviders who do not provide treatmentin person may be unable to provide care

because they are unable to obtain priorwritten consent to use protected healthinformation at the first service delivery.This was a special concern with respectto providers who care for individuals

over the telephone. For example,providers who cover for other providersduring non-business hours or providerswho had not yet had the opportunity toobtain a patients consent wereconcerned that they would not be ableto respond to telephone calls fromindividuals in need of treatment

because they were not able to obtainconsent over the telephone. Nurses whostaff telephone centers that providehealth care assessment and advice, butwho never see patients, had similarconcerns.

Other concerns related to treatment

were expressed about the limitations ofthe exceptions to the consentrequirement in the Privacy Rule. Forexample, emergency medical providerswere unclear as to whether all activitiesin which they engage qualify for theemergency treatment exception to theconsent requirement. As a result of thisconfusion, they were concerned that, ifa situation was urgent, they would haveto try to obtain consent to comply withthe Privacy Rule even if that would beinconsistent with current practice ofemergency medicine. These providers



6/41


also were concerned about therequirement that a provider mustattempt to obtain consent as soon asreasonably practicable after anemergency. Emergency medicalproviders explained that they typicallydo not have ongoing relationships withindividuals and that the requirement toattempt to obtain consent after the

emergency would require significantefforts and administrative burden ontheir part, and would be viewed asharassment by individuals.

Providers who do not provideemergency care and who are not likelymeet one of the consent exceptions wereconcerned that they may be put in theuntenable position of having to decidewhether to withhold treatment when anindividual does not provide consent orproceed to use information to treat theindividual in violation of the consentrequirements.

Covered entities were also concernedthat the difficultly in tracking consentsmay hamper treatment. The PrivacyRule permits an individual to revoke hisor her consent. Large institutionalproviders claimed that, since tracking ofpatient consents and revocations would

be very difficult and expensive, inpractice, they would need to obtainconsent for each patient encounter,rather than just one-time as allowed bythe Privacy Rule. Covered entities wereconcerned that, if an individual revokesconsent, they would have to eliminateall protected health information aboutthat individual from their systems inorder to ensure that it was not used

inadvertently for routine health careoperations purposes, which wouldhinder their quality improvementactivities and other health careoperations. Additionally, testimony

before the NCVHS revealed a concernthat the ability of a patient to revokeconsent might prevent health careproviders from accessing protectedhealth information that is critical for thetreatment of an individual in anemergency treatment situation where anew consent is not obtained.

The Department also heard manyconcerns about the transition provisions

related to the use and disclosure ofprotected health information fortreatment, payment, or health careoperations. The Privacy Rule permitscovered health care providers that arerequired to obtain consent for treatment,payment, or health care operations tocontinue, after the compliance date ofthe Privacy Rule, to use and discloseprotected health information theycreated or received prior to thecompliance date of the Privacy Rule forthese purposes if they have obtainedconsent, authorization, or other express

legal permission to use or disclose suchinformation for any of these purposes,even if such permission does not meetthe consent requirements under thePrivacy Rule. Many providers informedthe Department that they currently werenot required to obtain consent for thesepurposes, that these transitionprovisions would result in significant

operational problems, and the inabilityto access health records would have anadverse effect on quality activities.

Concerns also were raised regardingthe exception to the consentrequirement for cases where a provideris required by law to treat an individual.For example, providers that are required

by law to treat were concerned about themixed messages to patients andinterference with the physician-patientrelationship that would result whenthey are required to ask for consent touse or disclose protected healthinformation for treatment, payment, or

health care operations, but if the patientsays no, they are permitted to use ordisclose the information for suchpurposes anyway.

There also was confusion about theinteraction of the consent provisionsand the provisions regarding parentsand minors. Testimony received by theNCVHS indicated uncertainty as to thevalidity of a consent signed by a parentfor his or her minor child once the childreaches the age of majority. The NCVHSrequested clarification regardingwhether a child must sign a newconsent upon reaching the age ofmajority.

The NCVHS hearings andrecommendations focused on practicalimplementation issues, including theunintended consequences of the consentprovisions, but did not address whetherthe Privacy Rule should or should notrequire consent. The NCVHS generallyrecommended that the Departmentconsider circumstances in whichprotected health information could beused and disclosed without anindividuals prior written consent andmodify the Privacy Rule accordingly.The Committee specificallyrecommended that the Privacy Rule

should be amended to includeprovisions for allowing covered entitiesto use and disclose protected healthinformation prior to the initial face-to-face contact with an individual.

Proposed Modifications

The Department is concerned by themultitude of comments and examplesdemonstrating that the consentrequirements result in unintendedconsequences that impede the provisionof health care in many criticalcircumstances and that other such

unintended consequences may existwhich have yet to be brought to itsattention. However, the Departmentunderstands that the opportunity todiscuss privacy practices and concernsis an important component of privacy,and that the confidential relationship

between a patient and a health careprovider includes the patients ability to

be involved in discussions anddecisions related to the use anddisclosure of any protected healthinformation about him or her.

Accordingly, the Departmentproposes an approach that protectsprivacy interests by affording patientsthe opportunity to engage in importantdiscussions regarding the use anddisclosure of their health information,while allowing activities that areessential to provide access to qualityhealth care to occur unimpeded.Specifically, the Department proposes tomake optional the obtaining of consent

to use and disclose protected healthinformation for treatment, payment, orhealth care operations on the part of allcovered entities, including providerswith direct treatment relationships.Under this proposal, health careproviders with direct treatmentrelationships with individuals would nolonger be required to obtain anindividuals consent prior to using anddisclosing information about him or herfor treatment, payment, and health careoperations. They, like other coveredentities, would have regulatorypermission for such uses anddisclosures.

In order to preserve flexibility and thevaluable aspects of the consentrequirement, the Department proposeschanges that would: (1) Permit allcovered entities to obtain consent if theychoose, (2) strengthen the noticerequirements to preserve theopportunity for individuals to discussprivacy practices and concerns withproviders, and (3) enhance theflexibility of the consent process forthose covered entities that choose toobtain consent. See section III.B. of thepreamble below for the relateddiscussion of proposed modifications to

the Privacy Rules notice requirements.Other individual rights would not beaffected by this proposal. Althoughcovered entities would not be requiredto obtain an individuals consent, anyuses or disclosures of protected healthinformation for treatment, payment, orhealth care operations would still needto be consistent with the coveredentitys notice of privacy practices.Also, the removal of the consentrequirement only applies to consent fortreatment, payment, and health careoperations; it does not alter the



7/41


requirement to obtain an authorizationunder 164.508 for uses and disclosuresof protected health information nototherwise permitted by the PrivacyRule. The functions of treatment,payment, and health care operationswere all given carefully limiteddefinitions in the Privacy Rule, and theDepartment intends to enforce strictly

the requirement for obtaining anindividuals authorization, inaccordance with 164.508, for uses anddisclosure of protected healthinformation for other purposes nototherwise permitted or required by thePrivacy Rule. Furthermore, individualswould retain the right to requestrestrictions, in accordance with 164.522(a).

Although consent for use anddisclosure of protected healthinformation for treatment, payment, andhealth care operations would no longer

be mandated, the Department is

proposing to allow covered entities tohave a consent process if they wish todo so. The Department heard from somecommenters that obtaining consent wasan integral part of the ethical and otherpractice standards for many health careprofessionals. The Department,therefore, would not prohibit coveredentities from obtaining consent.

Under this proposal, a consent couldapply only to uses and disclosures thatare otherwise permitted by the PrivacyRule. A consent obtained through thisvoluntary process would not besufficient to permit a use or disclosurewhich, under the Privacy Rule, requires

an authorization or is otherwiseexpressly conditioned. For example, aconsent could not be obtained in lieu ofan authorization or a waiver ofauthorization by an IRB or PrivacyBoard to disclose protected healthinformation for research purposes.

The Department proposes to allowcovered entities that choose to have aconsent process complete discretion indesigning this process. The commentshave informed the Department that oneconsent process and one set ofprinciples will likely be unworkable. Asa result, these proposed standards

would leave complete flexibility to eachcovered entity. Covered entities thatchose to obtain consent could rely onindustry practices to design a voluntaryconsent process that works best for theirpractice area and consumers.

To effectuate these changes to theconsent standard, the Departmentproposes to replace the consentprovisions in 164.506 with a newprovision at 164.506(a) that wouldprovide regulatory permission forcovered entities to use or discloseprotected health information for

treatment, payment, and health careoperations, and a new provision at 164.506(b) that would allow coveredentities to obtain consent if they chooseto, and make clear that such consentmay not permit a use or disclosure ofprotected health information nototherwise permitted or required by thePrivacy Rule. Additionally, the

Department proposes a number ofconforming modifications throughoutthe Privacy Rule to accommodate theproposed approach. The mostsubstantive corresponding changes areproposed at 164.502 and 164.532.Section 164.502(a)(1) provides a list ofthe permissible uses and disclosures ofprotected health information, and refersto the corresponding section of thePrivacy Rule for the detailedrequirements. The Department collapsesthe provisions at 164.502(a)(1)(ii) and(iii) that address uses and disclosures ofprotected health information for

treatment, payment, and health careoperations and modifies the language toeliminate the consent requirement forthese purposes.

Section 164.532 consists of thetransition provisions. In 164.532, theDepartment deletes references to 164.506 and to consent, authorization,or other express legal permissionobtained for uses and disclosures ofprotected health information fortreatment, payment, and health careoperations prior to the compliance dateof the Privacy Rule. The proposal topermit a covered entity to use ordisclose protected health information

for these purposes without consent orauthorization would apply to anyprotected health information held by acovered entity whether created orreceived before or after the compliancedate. Therefore, transition provisionswould not be necessary.

The Department also proposesconforming changes to the definition ofmore stringent in 160.202, 164.500(b)(1)(v), 164.508(a)(2)(i)and (b)(3)(i), the introductory text of 164.510 and 164.512, the title of 164.512, and 164.520(b)(1)(ii)(B) toreflect that consent is no longer

required.2. Disclosures for Treatment, Payment,or Health Care Operations of AnotherEntity

The Privacy Rule permits a coveredentity to use and disclose protectedhealth information for treatment,payment, or health care operations(subject to a consent in some cases).Uses and disclosures for treatment are

broad because the definition oftreatment incorporates the interactionamong more than one entity;

specifically, coordination andmanagement of health care amonghealth care providers or by a health careprovider with a third party,consultations between health careproviders, and referrals of a patient forhealth care from one health careprovider to another. As a result, coveredentities are permitted to disclose

protected health information fortreatment regardless of to whom thedisclosure is made, as well as todisclose protected health informationfor the treatment activities of anotherhealth care provider.

However, for payment and health careoperations, the Privacy Rule generallylimits a covered entitys uses anddisclosures of protected healthinformation to those that are necessaryfor its own payment and health careoperations activities. This limitation isexplicitly stated in the preamblediscussions in the Privacy Rule of the

definitions ofpayment and healthcare operations. The Privacy Rule alsoprovides that a covered entity mustobtain authorization to discloseprotected health information for thepayment or health care operations ofanother entity. The Departmentintended these requirements to beconsistent with individuals privacyexpectations. See 164.506(a)(5) and164.508(e).

Public Comments

A number of commenters raisedspecific concerns with the restrictionthat a covered entity is permitted to use

and disclose protected healthinformation only for its own paymentand health care operations activities.These commenters presented a numberof examples where such a restrictionwould impede the ability of certaincovered entities to obtainreimbursement for health care, toconduct certain quality assurance orimprovement activities, such asaccreditation, or to monitor fraud andabuse.

With regard to payment, theDepartment received specific concernsabout the difficultly that the Privacy

Rule will place on certain providerstrying to obtain information needed forreimbursement for health care.Specifically, ambulance serviceproviders explained that they normallyreceive the information they need toseek payment for treatment from thehospital emergency departments towhich they transport their patients,since it is usually not possible at thetime the service is rendered for theambulance service provider to obtainsuch information directly from theindividual. Nor is it practicable or



8/41


feasible in all cases for the hospital toobtain the individuals authorization toprovide payment information to theambulance service provider after thefact. This disclosure of protected healthinformation from the hospital to theambulance service provider is notpermitted under the Privacy Rulewithout an authorization from the

patient because it is a disclosure by thehospital for the payment activities of theambulance service provider.

In addition, commenters stated thatphysicians and other covered entitiesoutsource their billing, claims, andreimbursement functions to accountsreceivable management companies.These collectors often attempt to recoverpayments from a patient for carerendered by multiple health careproviders. Commenters were concernedthat the Privacy Rule will prevent thesecollectors, as business associates ofmultiple providers, from using a

patients demographic informationreceived from one provider in order tofacilitate collection for anotherproviders payment purposes.

With regard to health care operations,the Department also received commentsabout the difficultly that the PrivacyRule will place on health plans trying toobtain information needed for qualityassessment activities. Health plansinformed the Department that they needto obtain individually identifiablehealth information from health careproviders for the plans own quality-related activities, accreditation, andperformance measures, e.g., Health Plan

Employer Data and Information Set(HEDIS). Commenters explained that theinformation provided to plans forpayment purposes (e.g., claims orencounter information) may not besufficient for quality assessment oraccreditation purposes. Plans mayreceive even less information from theircapitated providers.

The NCVHS also received specificpublic testimony with regard to thisissue as part of public hearings held inAugust 2001. The NCVHS subsequentlyrecommended to the Department thatthe Privacy Rule be amended to allow

for uses and disclosures for quality-related activities among covered entitieswithout individual writtenauthorization.


Based on concerns raised bycomments, the Department proposes tomodify 164.506 to permit a coveredentity to disclose protected healthinformation for the payment activities ofanother covered entity or health careprovider, and for certain health careoperations of other covered entities.

This proposal would broaden the usesand disclosures that are permitted aspart of treatment, payment, and healthcare operations so as not to interfereinappropriately with access to qualityand effective health care, while limitingthis expansion in order to continue toprotect the privacy expectations ofindividuals. It would be a limited

expansion of the information that isallowed to flow between entities,without an authorization, as part oftreatment, payment, and certain healthcare operations.

The Department proposes thefollowing. First, the Departmentexplicitly includes in 164.506(c)(1)language stating that a covered entitymay use or disclose protected healthinformation for its own treatment,payment, or health care operationswithout prior consent or authorization.

Second, in 164.506(c)(2), theDepartment includes language to clarifyits intent that a covered entity mayshare protected health information forthe treatment activities of another healthcare provider. For example, a primarycare provider, who is a covered entityunder the Privacy Rule, may send acopy of an individuals medical recordto a specialist who needs theinformation to treat the same individual.No authorization would be required.

Third, with respect to payment, theDepartment proposes, in 164.506(c)(3),to explicitly permit a covered entity todisclose protected health information toanother covered entity or health careprovider for the payment activities of

that entity. The Department recognizesthat not all health care providers whoneed protected health information toobtain payment are covered entities, andtherefore, proposes to allow disclosuresof protected health information to bothcovered and non-covered health careproviders. The Department is unawareof any similar barrier with respect toplans that are not covered under thePrivacy Rule to obtain the protectedhealth information they need forpayment purposes, but solicits commenton whether such barriers exist.Therefore, the Department proposes to

limit disclosures under this provision tothose health plans that are covered bythe Privacy Rule.

Fourth, in 164.506(c)(4), theDepartment proposes to permit acovered entity to disclose protectedhealth information about an individualto another covered entity for certainhealth care operations purposes of thecovered entity that receives theinformation. The proposal would permitsuch disclosures only for the activitiesdescribed in paragraphs (1) and (2) ofthe definition ofhealth care

operations, as well as for health carefraud and abuse detection andcompliance programs (as provided for inparagraph (4) of the definition ofhealth care operations). The activitiesthat fall into paragraphs (1) and (2) ofthe definition ofhealth careoperations include quality assessmentand improvement activities, population-

based activities relating to improvinghealth or reducing health care costs,case management, conducting trainingprograms, and accreditation,certification, licensing, or credentialingactivities. This provision is intended toallow information to flow from onecovered entity to another for activitiesimportant to providing quality andeffective health care.

The proposed expansion forpermissible disclosures for health careoperations without authorization ismore limited than the permissibledisclosures for treatment and payment

in two ways. First, in contrast totreatment and payment, the proposallimits the types of health careoperations that are covered by thisexpansion. The Department proposesthis limitation because it recognizes thathealth care operations is a broad termand that individuals are less aware ofthe business-related activities thatinvolve the use and disclosure ofprotected health information. Inaddition, many commenters and theNCVHS focused their comments oncovered entities needs to shareprotected health information for quality-related health care operations activities.

Second, in contrast to the treatmentand payment provisions in this section,the proposal for disclosures of protectedhealth information for health careoperations of another entity limitsdisclosures to other covered entities. Bylimiting disclosure for such purposes toentities that are required to comply withthe Privacy Rule, the protected healthinformation would continue to beprotected. The Department believes thatthis would create the appropriate

balance between meeting anindividuals privacy expectations andmeeting a covered entitys need for

information for quality-related healthcare operations.These proposed modifications to

allow disclosures for health careoperations of another entity arepermitted only to the extent that eachentity has, or has had, a relationshipwith the individual who is the subjectof the information being requested.Where the relationship between theindividual and the covered entity hasended, a disclosure of protected healthinformation about the individual onlywould be allowed if related to the past



9/41


relationship. The Department believesthat this limitation is necessary in orderto protect the privacy expectations ofthe individual. An individual shouldexpect that two providers that areproviding treatment to the individual,and the health plan that pays for theindividuals health care, would haveprotected health information about the

individual for health care operationspurposes. However, an individualwould not expect a health plan withwhich the individual has norelationship to be able to obtainidentifiable information from his or herhealth care provider. Therefore, thisproposed limitation would minimizethe effect on privacy interests, while notinterfering with covered entities abilityto continue to provide access to qualityand effective health care.

These provisions do not eliminate acovered entitys responsibility to applythe Privacy Rules minimum necessary

provisions to both the disclosure of andrequest for information for payment andhealth care operations purposes. Inaddition, the Department continues tostrongly encourage the use of de-identified information whereverfeasible.

The Department, however, is awarethat the above proposal could pose

barriers to disclosures for quality-relatedhealth care operations to plans andhealth care providers that are notcovered entities, or to entities that donot have a relationship with theindividual. For example, the proposalcould be a problem for hospitals that

share aggregated but identifiableinformation with other hospitals forhealth care operations purposes, whenthe recipient hospital does not have arelationship with the individual who isthe subject of the information beingdisclosed. While the Department

believes the proposed modificationstrikes the right balance betweenprivacy expectations and coveredentities need for information for suchpurposes, the Department is consideringpermitting the disclosure of informationthat is not facially identifiable forquality-related purposes, subject to a

data use or similar agreement. Thiswould permit uses and disclosures forsuch purposes of a limited data set thatdoes not include facially identifiableinformation, but in which certainidentifiers remain. The Department isrequesting comment on whether thisapproach would strike a proper balance.See section III.I of the preambleregarding de-identification of protectedhealth information for a detaileddiscussion of this proposed approach.

Related to the above modifications,and in response to comments

evidencing confusion on this matter, theDepartment proposes in 164.506(c)(5)to make it clear that covered entitiesparticipating in an organized health carearrangement (OHCA) may shareprotected health information for thehealth care operations of the OHCA. ThePrivacy Rule allows legally separatecovered entities that are integrated

clinically or operationally to beconsidered an OHCA for purposes of thePrivacy Rule if protected healthinformation must be shared among thecovered entities for the jointmanagement and operations of thearrangement. See the definition oforganized health care arrangement in 164.501. Additionally, the PrivacyRule, in the definition ofhealth careoperations, permits the sharing ofprotected health information in anOHCA for such activities. TheDepartment proposes to remove thelanguage regarding OHCAs from the

definition ofhealth care operations asunnecessary because such language nowwould appear in 164.506(c)(5).

In addition, the Department proposesa conforming change to delete the wordcovered in paragraph (1)(i) of thedefinition ofpayment. This changewould be necessary because theproposal would permit disclosures tonon-covered providers for their paymentactivities.

B. Notice of Privacy Practices forProtected Health Information

The Privacy Rule requires mostcovered entities to provide individuals

with adequate notice of the uses anddisclosures of protected healthinformation that may be made by thecovered entity, and of the individualsrights, and the covered entitysresponsibilities, with respect toprotected health information. See 164.520. Content requirements for thenotice are specified in the Privacy Rule.There are also specific requirements,which vary based on the type of coveredentity, for providing such notice toindividuals.

For example, a covered health careprovider that has a direct treatment

relationship with an individual mustprovide the notice by the date of thefirst service delivery and, if suchprovider maintains a physical servicedelivery site, must post the notice in aclear and prominent location. Inaddition, whenever the notice isrevised, the provider must make thenotice available upon request. If thecovered provider maintains a website,the notice must also be availableelectronically on the web site. If the firstservice delivery to an individual iselectronic, the covered provider must

furnish electronic notice automaticallyand contemporaneously in response tothe individuals first request for service.


In order to preserve some of the mostimportant benefits of the consentrequirement, the Department proposesto modify the notice requirements at

164.520(c)(2) to require that a coveredhealth care provider with a directtreatment relationship make a good faitheffort to obtain an individuals writtenacknowledgment of receipt of theproviders notice of privacy practices.Other covered entities, such as healthplans, would not be required to obtainthis acknowledgment from individuals,

but could do so if they chose.The Department believes that

promoting individuals understandingof privacy practices is an essentialcomponent of providing notice toindividuals. In addition, the Department

believes it is just good business practiceto provide individuals with fair noticeabout how their information will beused, disclosed, and protected. Thisproposal would strengthen the noticeprocess by incorporating into the noticeprocess the initial moment between acovered health care provider and anindividual, where individuals mayfocus on information practices andprivacy rights and discuss any concernsrelated to the privacy of their protectedhealth information. This expressacknowledgment would also providethe opportunity for an individual tomake a request for additional

restrictions on the use or disclosure ofhis or her protected health informationor for additional confidential treatmentof communications, as permitted under 164.522.

The Department intends the proposednotice acknowledgment requirement to

be simple and not impose a significantburden on either the covered health careprovider or the individual. First, therequirement for good faith efforts toobtain a written acknowledgment onlyapplies to covered providers with directtreatment relationships. This is the samegroup of covered entities that would

have been required to obtain consentunder the Privacy Rule. The Departmentbelieves that these are the coveredentities that have the most directrelationships with individuals, andtherefore, the entities for which therequirement will provide the greatestprivacy benefit to individuals with theleast burden to covered entities.

Second, the Department designed thetiming of the proposed good faithacknowledgment requirement to limitthe burden on covered entities bygenerally making it consistent with the



10/41


timing for notice distribution. Therefore,with one exception, a covered healthcare provider would be required tomake good faith efforts to obtain awritten acknowledgment of the notice atthe time of first service deliverythesame time that the notice must beprovided. The Department understands,however, that providing notice and

obtaining an acknowledgment is notpracticable during emergency treatmentsituations. In these situations, theDepartment proposes in 164.520(c)(2)to delay the requirement for provision ofnotice until reasonably practicable afterthe emergency treatment situation, andexempt health care providers fromhaving to make a good faith effort toobtain the acknowledgment inemergency treatment situations.

Third, the proposal does not prescribein detail the form the acknowledgmentmust take. Rather, the Departmentproposes to require only that the

acknowledgment be in writing, andintends to allow each covered healthcare provider to choose the form andother details of the acknowledgmentthat are best suited to the entityspractices and that will not pose animpediment to the delivery of timely,quality health care. While theDepartment believes that requiring theindividuals signature is preferable

because an individual is likely to paymore attention or more carefully read adocument that he or she signs, theproposal does not require anindividuals signature on the notice. Anacknowledgment under this proposed

modification also may be obtained, forexample, by having the individual signa separate list or simply initial a coversheet of the notice to be retained by thecovered entity. The proposal would notlimit the manner in which a coveredentity obtains the individualsacknowledgment of receipt of thenotice.

Most importantly, the proposedmodification would require only thegood faith effort of the provider toobtain the individualsacknowledgment. The Departmentunderstands that an individual may

refuse to sign or otherwise fail toprovide his or her acknowledgment.Unlike the Privacy Rules consentrequirement, an individuals failure orrefusal to acknowledge the notice,despite a covered entitys good faithefforts to obtain such signature, wouldnot interfere with the providers abilityto deliver timely and effectivetreatment. Failure by a covered entity toobtain an individuals acknowledgment,assuming it otherwise documented itsgood faith effort, would not beconsidered a violation of the Privacy

Rule. Compliance with this requirementwould be achieved in a particular caseif the provider with a direct treatmentrelationship either: (1) Obtained awritten acknowledgment, or (2) made agood faith effort to obtain suchacknowledgment and documented suchefforts and the reason for failure. Suchreason for failure simply may be, for

example, that the individual refused tosign after being requested to do so. Inaddition to the individuals failure orrefusal to acknowledge receipt of thenotice, this proposed provision isintended to allow covered health careproviders flexibility to deal with avariety of circumstances in whichobtaining an acknowledgment isproblematic.

The requirement for a good faith effortto obtain the individualsacknowledgment would apply, exceptin emergency treatment situations, tothe provision of notice on the first

delivery of service, regardless ofwhether such service is provided inperson or electronically. Whenelectronic notice is provided as part ofthe first service delivery, the systemshould be capable of capturing theindividuals acknowledgment of receiptelectronically. The Department does notanticipate that a notification of receiptwould be difficult or costly to design.

Documentation requirements underthis proposal would be required tocomply with the documentationrequirements in 164.530(j). Inaddition, nothing in the proposedrequirements described above would

relieve any covered entity from its dutyto provide the notice in plain languageso that the average reader canunderstand the notice. As stated in thepreamble to the Privacy Rule, theDepartment encourages covered entitiesto consider alternative means ofcommunicating with certainpopulations, such as with individualswho cannot read or who have limitedEnglish proficiency.

C. Minimum Necessary and OralCommunications

The Privacy Rule at 164.502(b)

generally requires covered entities tomake reasonable efforts to limit the useor disclosure of, and requests for,protected health information to theminimum necessary to accomplish theintended purpose. Protected healthinformation includes individuallyidentifiable health information in anyform, including information transmittedorally, or in written or electronic form.See the definition ofprotected healthinformation at 164.501. Theminimum necessary standard isintended to make covered entities

evaluate their practices and enhanceprotections as needed to limitunnecessary or inappropriate access to,and disclosures of, protected healthinformation.

The Privacy Rule sets forthrequirements at 164.514(d) forimplementing the minimum necessarystandard with regard to a covered

entitys uses, disclosures, and requests.Essentially, a covered entity is requiredto develop and implement policies andprocedures appropriate to the entitys

business practices and workforce thatreasonably minimize the amount ofprotected health information used,disclosed, and requested; and, for usesof protected health information, thatalso limit who has access to suchinformation. Specifically, for uses ofprotected health information, thepolicies and procedures must identifythe persons or classes of persons withinthe covered entity who need access to

the information to carry out their jobduties, the categories or types ofprotected health information needed,and conditions appropriate to suchaccess. For routine or recurring requestsand disclosures, the policies andprocedures may be standard protocols.Non-routine requests for and disclosuresof protected health information must bereviewed individually.

With regard to disclosures, thePrivacy Rule permits a covered entity torely on the judgment of certain partiesrequesting the disclosure as to theminimum amount of information that isneeded. For example, a covered entity is

permitted to reasonably rely onrepresentation from a public healthofficial that the protected healthinformation requested is the minimumnecessary for a public health purpose.Similarly, a covered entity is permittedto reasonably rely on the judgment ofanother covered entity requesting adisclosure that the informationrequested is the minimum amount ofinformation reasonably necessary tofulfill the purpose for which the requesthas been made. See 164.514(d)(3)(iii).

The Privacy Rule contains someexceptions to the minimum necessary

standard. The minimum necessaryrequirements do not apply to uses ordisclosures that are required by law,disclosures made to the individual orpursuant to an authorization initiated bythe individual, disclosures to orrequests by a health care provider fortreatment purposes, uses or disclosuresthat are required for compliance withthe regulations implementing the otheradministrative simplification provisionsof HIPAA, or disclosures to theSecretary of HHS for enforcementpurposes. See 164.502(b)(2).



11/41


The Department received much,varied commentary both on theminimum necessary provisions, as wellas on the Privacy Rules protections oforal communications. The followingdiscussion addresses the concernsidentified by commenters that werecommon to both the Privacy Rulesstandards for minimum necessary as

well as protecting oral communications,and describes the Departments proposalfor modifying the Privacy Rule inresponse to these concerns. In addition,the Department proposes to modifycertain other paragraphs within 164.514(d) to clarify the Departmentsintent with respect to these provisions.The Department also discusses some ofthe other concerns that have beenreceived, which the Departmentattempted to address in its July 6guidance on the Privacy Rule. Lastly,the Department describes therecommendations provided to the

Department by the NCVHS as a result ofpublic testimony received onimplementation of the minimumnecessary standard, as well as theDepartments response to theserecommendations.

Public CommentsIncidental Uses andDisclosures

During the March 2001, commentperiod on the Privacy Rule, theDepartment received a number ofcomments raising concerns andquestions as to whether the PrivacyRules restrictions on uses anddisclosures will prohibit covered

entities from engaging in certaincommon and essential health carecommunications and practices in usetoday. Commenters were concerned thatthe Department is imposing through thePrivacy Rule absolute, strict standardsthat would not allow for the incidentalor unintentional disclosure that couldoccur as a by-product of engaging inthese health care communications andpractices. It was argued that the PrivacyRule will, in effect, prohibit suchpractices and, therefore, impede manyactivities and communications essentialto effective and timely treatment of

patients.These concerns were raised both inthe context of applying the PrivacyRules protections to oralcommunications, as well as inimplementing the minimum necessarystandard. For example, with regard tooral communications, commentersexpressed concern over whether healthcare providers may continue to engagein confidential conversations with otherproviders or with patients, if there werea possibility that they could beoverheard. As examples, commenters

specifically questioned whether healthcare staff can continue to: coordinateservices at hospital nursing stationsorally; discuss a patients condition overthe phone with the patient or anotherprovider, if other people are nearby;discuss lab test results with a patient orother provider in a joint treatment area;call out a patients name in a waiting

room; or discuss a patients conditionduring training rounds in an academicor training institution.

Many covered entities also expressedconfusion and concern that the PrivacyRule will stifle or unnecessarily burdenmany of their current health carepractices. For example, commentersquestioned whether they will beprohibited from using sign-in sheets inwaiting rooms or maintaining patientcharts at bedside, or whether they willneed to isolate X-ray lightboards ordestroy empty prescription vials. Theseconcerns seemed to stem from a

perception that covered entities will berequired to prevent any incidentaldisclosure such as those that may occurwhen a visiting family member or otherperson not authorized to accessprotected health information happens towalk by medical equipment or othermaterial containing individuallyidentifiable health information, or whenindividuals in a waiting room sign theirname on a log sheet and glimpse thenames of other patients.

Proposed ModificationsIncidentalUses and Disclosures

The Department, in its July 6

guidance, clarified that the Privacy Ruleis not intended to impede customaryand necessary health carecommunications or practices, nor torequire that all risk of incidental use ordisclosure be eliminated to satisfy itsstandards. So long as reasonablesafeguards are employed, the burden ofimpeding such communications are notoutweighed by any benefits that mayaccrue to individuals privacy interests.The guidance assured that the PrivacyRule would be modified to clarify thatsuch communications and practicesmay continue, if reasonable safeguards

are taken to minimize the chance ofincidental disclosure to others.Accordingly, the Department

proposes to modify the Privacy Rule toadd a new provision at 164.502(a)(1)(iii) which explicitlypermits certain incidental uses anddisclosures that occur as a result of anotherwise permitted use or disclosureunder the Privacy Rule. An incidentaluse or disclosure would be a secondaryuse or disclosure that cannot reasonably

be prevented, is limited in nature, andthat occurs as a by-product of an

otherwise permitted use or disclosureunder the Privacy Rule. The Departmentproposes that an incidental use ordisclosure be permissible only to theextent that the covered entity hasapplied reasonable safeguards asrequired by 164.530(c), andimplemented the minimum necessarystandard, where applicable, as required

by 164.502(b) and 164.514(d).Under this proposal, an incidental use

or disclosure that occurs as a result ofa failure to apply reasonable safeguardsor the minimum necessary standard, asappropriate, is not a permissible use ordisclosure and is, therefore, a violationof the Privacy Rule. For example, acovered entity that asks for a patientshealth history on the waiting room sign-in sheet is not abiding by the minimumnecessary requirements and, therefore,any incidental disclosure of suchinformation that results from thispractice would be an unlawful

disclosure under the Privacy Rule.Further, this proposed modification isnot intended to excuse erroneous usesor disclosures or those that result frommistake or neglect. The Departmentwould not consider such uses anddisclosures to be incidental as they donot occur as a by-product of anotherwise permissible use or disclosure.For example, an impermissibledisclosure would occur when a coveredentity mistakenly sends protected healthinformation via electronic mail to thewrong recipient or when protectedhealth information is erroneously madeaccessible to others through the entitys

web site.Proposed Modifications to theMinimum Necessary Standard

Section 164.502(b)(2) sets forth theexceptions to the minimum necessarystandard in the Privacy Rule. TheDepartment proposes to separate 164.502(b)(2)(ii) into twosubparagraphs ( 164.502(b)(2)(ii) and(iii)) to eliminate confusion regardingthe exception to the minimum necessarystandard for uses or disclosures madepursuant to an authorization under 164.508 and those for disclosures

made to the individual. Additionally, toconform to the proposal to eliminate thespecial authorizations required by thePrivacy Rule at 164.508(d), (e), and (f)(see section III.H for the relevantpreamble discussion regardingauthorization), the Department proposesto expand the exception forauthorizations to apply generally to anyauthorization executed pursuant to 164.508. Therefore, the proposalwould exempt from the minimumnecessary standard any uses ordisclosures for which the covered entity



12/41


has received an authorization that meetsthe requirements of 164.508.

The Privacy Rule at 164.514(d) liststhe standard and the specificrequirements for implementing theminimum necessary standard. TheDepartment proposes to modify 164.514(d)(1) to delete the termreasonably ensure in response to

concerns that the term connotes anabsolute, strict standard and, therefore,is inconsistent with how theDepartment has described the minimumnecessary requirements as beingreasonable and flexible to the uniquecircumstances of the covered entity. Inaddition, the Department generallyrevises the language to be moreconsistent with the description ofstandards elsewhere in the Privacy Rule.

The Privacy Rule at 164.514(d)(4)consists of the implementationspecifications for applying theminimum necessary standard to arequest for protected health information.The Department intended theseprovisions to be consistent with therequirements set forth in 164.514(d)(3)for applying the minimum necessarystandard to disclosures of protectedhealth information, so that coveredentities would be able to addressrequests and disclosures in a similarmanner. However, with respect torequests not made on a routine andrecurring basis, the Department omittedfrom 164.514(d)(4) the requirementthat a covered entity may implementthis standard by developing criteriadesigned to limit its request for

protected health information to theminimum necessary to accomplish theintended purpose. The Departmentproposes to add such a provision tomake the implementation specificationsfor applying the minimum necessarystandard to requests for protected healthinformation by a covered entity moreconsistent with the implementationspecifications for disclosures.

Other Comments on the MinimumNecessary Standard

In addition to the commentsdescribed above regarding incidental

uses or disclosures, the Departmentreceived many other varied commentsexpressing both support of, andconcerns about, the minimum necessarystandard. The Department, in its July 6,2001, guidance, attempted to addressmany of the commenters concerns byclarifying the Departments intent withrespect to the minimum necessaryprovisions. For example, manycommenters expressed concerns aboutthe costs and burden to covered entitiesin implementing the standard. Anumber of these commenters questioned

whether they will be required toredesign office space or implementexpensive upgrades to computersystems.

The Departments guidanceemphasized that the minimumnecessary standard is a reasonablenessstandard, intended to be flexible toaccount for the characteristics of the

entitys business and workforce. Thestandard is not intended to override theprofessional judgment of the coveredentity. The Department clarified thatfacility redesigns and expensivecomputer upgrades are not specificallyrequired by the minimum necessarystandard. Covered entities may,however, need to make certainadjustments to their facilities, asreasonable, to minimize access orprovide additional security. Forexample, covered entities may decide toisolate and/or lock file cabinets orrecords rooms, or provide additional

security, such as passwords, oncomputers that maintain protectedhealth information.

A number of commenters, especiallyhealth care providers, also expressedconcern that the minimum necessaryrestrictions on uses within the entitywill jeopardize patient care andexacerbate medical errors by impedingaccess to information necessary fortreatment purposes. These commentersurged the Department to expand thetreatment exception to cover uses ofprotected health information within theentity. Other commenters urged theDepartment to exempt all uses and

disclosures for treatment, payment, andhealth care operations purposes fromthe minimum necessary standard.

The Privacy Rule is not intended toimpede access by health careprofessionals to information necessaryfor treatment purposes. As theDepartment explained in its guidance, acovered entity is permitted to developpolicies and procedures that allow forthe appropriate individuals within theentity to have access to protected healthinformation, including entire medicalrecords, as appropriate, so that thoseworkforce members are able to provide

timely and effective treatment.With regard to payment and healthcare operations, the Department remainsconcerned, as stated in the preamble tothe Privacy Rule, that, without theminimum necessary standard, coveredentities may be tempted to disclose anentire medical record when only a fewitems of information are necessary, toavoid the administrative step ofextracting or redacting information. TheDepartment also believes that thisstandard will cause covered entities toassess their privacy practices, give the

privacy interests of their patients andenrollees greater attention, and makeimprovements that might otherwise not

be made. For these reasons, theDepartment continues to believe that theprivacy benefits of retaining theminimum necessary standard for thesepurposes outweigh the burdensinvolved.

In addition, the NCVHSSubcommittee on Privacy andConfidentiality solicited publictestimony on implementation of theminimum necessary standard of thePrivacy Rule at its August 2001 publichearings. The testimony reflected a widerange of views, from those whocommented that the Privacy Ruleprovides sufficient protections onindividually identifiable healthinformation without the minimumnecessary standard, to those whoexpressed strong support for thestandard as an integral part of the

Privacy Rule. A number of panelistswelcomed the flexibility of the standard,while others expressed concern that thevagueness of the standard might restrictthe necessary flow of information,impede care, and lead to an increase indefensive information practices thatwould lead to the withholding ofimportant information for fear ofliability. Testimony also reflecteddiffering views on the cost andadministrative burden of implementingthe standard. Some expressed muchconcern regarding the increased costand burden, while others argued thatthe cost will be barely discernable.

The NCVHS developedrecommendations on the minimumnecessary standard based on thetestimony and written commentsprovided at the hearings. In itsrecommendations, the NCVHS stronglyreaffirmed the importance of theminimum necessary principle, but alsogenerally recommended that HHSprovide additional clarification andguidance to industry regarding theminimum necessary requirements toassist with effective implementation ofthese provisions, while allowing for thenecessary flow of information and

minimizing defensive informationpractices. While the NCVHS pointed outthat many panelists at the hearing foundthe Departments July 6 guidancehelpful in addressing questions aboutthe minimum necessary standard, theCommittee heard that many questionsstill remain within the industry.Therefore, the NCVHS specificallyrequested further guidance by theDepartment on the reasonable relianceprovisions, and the requirement thatcovered entities develop policies andprocedures for addressing routine uses



13/41


of information. In addition, the NCVHSrecommended that the Departmentprovide education to address theincreasing concerns about liability anddefensive information practices thatmay lessen the flow of information andimpede care. The NCVHS generallyrecommended that the Department issueadvisory opinions, publish best

practices, and make available modelpolicies, procedures, and forms to assistin alleviating the cost andadministrative burden that will beincurred when developing policies andprocedures as required by the minimumnecessary provisions.

The Department agrees with theNCVHS about the need for furtherguidance on the minimum necessarystandard and intends to issue furtherguidance to clarify issues causingconfusion and concern in the industry,as well as provide additional technicalassistance materials to help covered

entities implement the provisions.D. Business Associates

The Privacy Rule at 164.502(e)permits a covered entity to discloseprotected health information to a

business associate who performs afunction or activity on behalf of, orprovides a service to the covered entitythat involves the creation, use, ordisclosure of, protected healthinformation, provided that the coveredentity obtains satisfactory assurancesthat the business associate willappropriately safeguard the information.The Department recognizes that most

covered entities do not perform or carryout all of their health care activities andfunctions by themselves, but ratheracquire the services or assistance of avariety of other persons or entities.Given this framework, the Departmentintended these provisions to allow such

business relationships to continue whileensuring that identifiable healthinformation created or shared in thecourse of the relationships wasprotected.

The Privacy Rule requires that thesatisfactory assurances obtained fromthe business associate be in the form of

a written contract (or other writtenarrangement as between governmentalentities) between the covered entity andthe business associate that contains theelements specified at 164.504(e). Forexample, the agreement must identifythe uses and disclosures of protectedhealth information the businessassociate is permitted or required tomake, as well as require the businessassociate to put in place appropriatesafeguards to protect against a use ordisclosure not permitted by the contractor agreement.

The Privacy Rule also provides that,where a covered entity knows of amaterial breach or violation by the

business associate of the contract oragreement, the covered entity isrequired to take reasonable steps to curethe breach or end the violation, and ifsuch steps are unsuccessful, toterminate the contract or arrangement. If

termination of the contract orarrangement is not feasible, a coveredentity then is required to report theproblem to the Secretary of HHS. Acovered entity that violates thesatisfactory assurances it provided as a

business associate of another coveredentity will be in noncompliance withthe Privacy Rules business associateprovisions.

The Privacy Rules definition ofbusiness associate at 160.103includes some of the functions oractivities, and all of the types ofservices, that make a person or entity

who engages in them a businessassociate, if such activity or serviceinvolves protected health information.For example, a third party administrator(TPA) is a business associate of a healthplan to the extent the TPA assists thehealth plan with claims processing oranother covered function. Similarly,accounting services performed by anoutside consultant give rise to a

business associate relationship whenprovision of the service entails access tothe protected health information held bya covered entity.

The Privacy Rule excepts from thebusiness associate standard certain uses

or disclosures of protected healthinformation. That is, in certainsituations, a covered entity is notrequired to have a contract or otherwritten agreement in place beforedisclosing protected health informationto a business associate or allowingprotected health information to becreated by the business associate on its

behalf. Specifically, the standard doesnot apply to: disclosures by a coveredentity to a health care provider fortreatment purposes; disclosures to theplan sponsor by a group health plan, ora health insurance issuer or HMO with

respect to a group health plan, to theextent that the requirements of 164.504(f) apply and are met; or to thecollection and sharing of protectedhealth information by a health plan thatis a public benefits program and anagency other than the agencyadministering the health plan, wherethe other agency collects protectedhealth information for, or determines,eligibility or enrollment with respect tothe government program, and wheresuch activity is authorized by law. See 164.502(e)(1)(ii).

Public Comments

The Department has received manycomments on the business associateprovisions of the Privacy Rule. Themajority of commenters expressed someconcern over the anticipatedadministrative burden and cost toimplement the business associateprovisions. Some commenters statedthat covered entities might have existingcontracts that are not set to terminate orexpire until after the compliance date ofthe Privacy Rule. Many of thesecommenters expressed specific concernthat the two-year compliance perioddoes not provide enough time to reopenand renegotiate what could be hundredsor more contracts for large coveredentities. A number of these commentersurged the Department to grandfather inexisting contracts until such contractscome up for renewal instead ofrequiring that all contracts be incompliance with the business associate

provisions by the compliance date of thePrivacy Rule. In response to thesecomments, the Department intends torelieve some of the burden on coveredentities in complying with the businessassociate provisions, both by proposingto grandfather certain existing contractsfor a specified period of time, as well aspublishing model contract language.These proposed changes are discussed

below in this section under ProposedModifications.

In addition, commen