[Federal Register: December 28, 2000 (Volume 65, Number 250)]

[Rules and Regulations]

[Page 82461-82510]




Office of the Secretary

45 CFR Parts 160 through 164

Rin: 0991-AB08

Standards for Privacy of Individually Identifiable Health Information

AGENCY: Office of the Assistant Secretary for Planning and Evaluation, DHHS.

ACTION: Final rule.

SUMMARY: This rule includes standards to protect the privacy of individually identifiable health information. The rules below, which apply to health plans, health care clearinghouses, and certain health care providers, present standards with respect to the rights of individuals who are the subjects of this information, procedures for the exercise of those rights, and the authorized and required uses and disclosures of this information.

The use of these standards will improve the efficiency and effectiveness of public and private health programs and health care services by providing enhanced protections for individually identifiable health information. These protections will begin to address growing public concerns that advances in electronic technology and evolution in the health care industry are resulting, or may result, in a substantial erosion of the privacy surrounding individually identifiable health information maintained by health care providers, health plans and their administrative contractors. This rule implements the privacy requirements of the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996.

DATES: The final rule is effective on February 26, 2001.

FOR FURTHER INFORMATION CONTACT: Kimberly Coleman, 1-866-OCR-PRIV (1-866-627-7748) or TTY 1-866-788-4989.


Availability of copies, and electronic access.

Copies: To order copies of the Federal Register containing this document, send your request to: New Orders, Superintendent of Documents, P.O. Box 371954, Pittsburgh, PA 15250-7954. Specify the date of the issue requested and enclose a check or money order payable to the Superintendent of Documents, or enclose your Visa or Master Card number and expiration date. Credit card orders can also be placed by calling the order desk at (202) 512-1800 or by fax to (202) 512-2250. The cost for each copy is $8.00. As an alternative, you can view and photocopy the Federal Register document at most libraries designated as Federal Depository Libraries and at many other public and academic libraries throughout the country that receive the Federal Register.

Electronic Access: This document is available electronically at http://aspe.hhs.gov/admnsimp/ as well as at the web site of the Government Printing Office at http://www.access.gpo.gov/su_docs/aces/ aces140.html.


Table of Contents

§ 160.101 Statutory basis and purpose.

§ 160.102 Applicability.

§ 160.103 Definitions.

§ 160.104 Modifications.

§ 160.201 Applicability

§ 160.202 Definitions.

§ 160.203 General rule and exceptions.

§ 160.204 Process for requesting exception determinations.

§ 160.205 Duration of effectiveness of exception determinations.

§ 160.300 Applicability.

§ 160.302 Definitions.

§ 160.304 Principles for achieving compliance.

(a) Cooperation.

(b) Assistance.

§ 160.306 Complaints to the Secretary.

(a) Right to file a complaint.

(b) Requirements for filing complaints.

(c) Investigation.

§ 160.308 Compliance reviews.

§ 160.310 Responsibilities of covered entities.

(a) Provide records and compliance reports.

(b) Cooperate with complaint investigations and compliance reviews.

(c) Permit access to information.

§ 160.312 Secretarial action regarding complaints and compliance reviews.

(a) Resolution where noncompliance is indicated.

(b) Resolution when no violation is found.

§ 164.102 Statutory basis.

§ 164.104 Applicability.

§ 164.106 Relationship to other parts.

§ 164.500 Applicability.

§ 164.501 Definitions.

§ 164.502 Uses and disclosures of protected health information: general rules.

(a) Standard.

(b) Standard: minimum necessary.

(c) Standard: uses and disclosures of protected health information subject to an agreed upon restriction.

(d) Standard: uses and disclosures of de-identified protected health information.

(e) Standard: disclosures to business associates.

(f) Standard: deceased individuals.

(g) Standard: personal representatives.

(h) Standard: confidential communications.

(i) Standard: uses and disclosures consistent with notice.

(j) Standard: disclosures by whistleblowers and workforce member crime victims.

§ 164.504 Uses and disclosures: organizational requirements.

(a) Definitions.

(b) Standard: health care component.

(c) Implementation specification: application of other provisions.

(d) Standard: affiliated covered entities.

(e) Standard: business associate contracts.

(f) Standard: requirements for group health plans.

(g) Standard: requirements for a covered entity with multiple covered functions.

§ 164.506 Consent for uses or disclosures to carry out treatment, payment, or health care operations.

(a) Standard: consent requirement.

(b) Implementation specifications: general requirements.

(c) Implementation specifications: content requirements.

(d) Implementation specifications: defective consents.

(e) Standard: resolving conflicting consents and authorizations.

(f) Standard: joint consents.

§164.508 Uses and disclosures for which an authorization is required.

(a) Standard: authorizations for uses and disclosures.

(b) Implementation specifications: general requirements.

(c) Implementation specifications: core elements and requirements.

(d) Implementation specifications: authorizations requested by a covered entity for its own uses and disclosures.

(e) Implementation specifications: authorizations requested by a covered entity for disclosures by others.

(f) Implementation specifications: authorizations for uses and disclosures of protected health information created for research that includes treatment of the individual.

§ 164.510 Uses and disclosures requiring an opportunity for the individual to agree or to object.

(a) Standard: use and disclosure for facility directories.

(b) Standard: uses and disclosures for involvement in the individual's care and notification purposes.

§ 164.512 Uses and disclosures for which consent, an authorization, or opportunity to agree or object is not required.

(a) Standard: uses and disclosures required by law.

(b) Standard: uses and disclosures for public health activities.

(c) Standard: disclosures about victims of abuse, neglect or domestic violence.

(d) Standard: uses and disclosures for health oversight activities.

(e) Standard: disclosures for judicial and administrative proceedings.

(f) Standard: disclosures for law enforcement purposes.

(g) Standard: uses and disclosures about decedents.

(h) Standard: uses and disclosures for cadaveric organ, eye or tissue donation purposes.

(i) Standard: uses and disclosures for research purposes.

(j) Standard: uses and disclosures to avert a serious threat to health or safety.

(k) Standard: uses and disclosures for specialized government functions.

(l) Standard: disclosures for workers' compensation.

§ 164.514 Other requirements relating to uses and disclosures of protected health information.

(a) Standard: de-identification of protected health information.

(b) Implementation specifications: requirements for de-identification of protected health information.

(c) Implementation specifications: re-identification.

(d) Standard: minimum necessary requirements.

(e) Standard: uses and disclosures of protected health information for marketing.

(f) Standard: uses and disclosures for fundraising.

(g) Standard: uses and disclosures for underwriting and related purposes.

(h) Standard: verification requirements

§ 164.520 Notice of privacy practices for protected health information.

(a) Standard: notice of privacy practices.

(b) Implementation specifications: content of notice.

(c) Implementation specifications: provision of notice.

(d) Implementation specifications: joint notice by separate covered entities.

(e) Implementation specifications: documentation.

§ 164.522 Rights to request privacy protection for protected health information.

(a) Standard: right of an individual to request restriction of uses and disclosures.

(b) Standard: confidential communications requirements.

§ 164.524 Access of individuals to protected health information.

(a) Standard: access to protected health information.

(b) Implementation specifications: requests for access and timely action.

(c) Implementation specifications: provision of access.

(d) Implementation specifications: denial of access.

(e) Implementation specification: documentation.

§ 164.526 Amendment of protected health information.

(a) Standard: right to amend.

(b) Implementation specifications: requests for amendment and timely action.

(c) Implementation specifications: accepting the amendment.

(d) Implementation specifications: denying the amendment.

(e) Implementation specification: actions on notices of amendment.

(f) Implementation specification: documentation.

§ 164.528 Accounting of disclosures of protected health information.

(a) Standard: right to an accounting of disclosures of protected health information.

(b) Implementation specifications: content of the accounting.

(c) Implementation specifications: provision of the accounting.

(d) Implementation specification: documentation.

§ 164.530 Administrative requirements.

(a) Standard: personnel designations.

(b) Standard: training.

(c) Standard: safeguards.

(d) Standard: complaints to the covered entity.

(e) Standard: sanctions

(f) Standard: mitigation.

(g) Standard: refraining from intimidating or retaliatory acts.

(h) Standard: waiver of rights.

(i) Standard: policies and procedures.

(j) Standard: documentation.

(k) Standard: group health plans.

§ 164.532 Transition provisions.

(a) Standard: effect of prior consents and authorizations.

(b) Implementation specification: requirements for retaining effectiveness of prior consents and authorizations.

§ 164.534 Compliance dates for initial implementation of the privacy standards.

(a) Health care providers.

(b) Health plans.

(c) Health care clearinghouses.

Purpose of the Administrative Simplification Regulations

This regulation has three major purposes:

  1. to protect and enhance the rights of consumers by providing them access to their health information and controlling the inappropriate use of that information;
  2. to improve the quality of health care in the U.S. by restoring trust in the health care system among consumers, health care professionals, and the multitude of organizations and individuals committed to the delivery of care; and
  3. to improve the efficiency and effectiveness of health care delivery by creating a national framework for health privacy protection that builds on efforts by states, health systems, and individual organizations and individuals.

This regulation is the second final regulation to be issued in the package of rules mandated under Title II Subtitle F Section 261-264 of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, titled "Administrative Simplification." Congress called for steps to improve "the efficiency and effectiveness of the health care system by encouraging the development of a health information system through the establishment of standards and requirements for the electronic transmission of certain health information." To achieve that end, Congress required the Department to promulgate a set of interlocking regulations establishing standards and protections for health information systems. The first regulation in this set, Standards for Electronic Transactions 65 FR 50312, was published on August 17, 2000 (the "Transactions Rule"). This regulation establishing Standards for Privacy of Individually Identifiable Health Information is the second final rule in the package. A rule establishing a unique identifier for employers to use in electronic health care transactions, a rule establishing a unique identifier for providers for such transactions, and a rule establishing standards for the security of electronic information systems have been proposed. See 63 FR 25272 and 25320 (May 7, 1998); 63 FR 32784 (June 16, 1998); 63 FR 43242 (August 12, 1998). Still to be proposed are rules establishing a unique identifier for health plans for electronic transactions, standards for claims attachments, and standards for transferring among health plans appropriate standard data elements needed for coordination of benefits. (See section C, below, for a more detailed explanation of the statutory mandate for these regulations.)

In enacting HIPAA, Congress recognized the fact that administrative simplification cannot succeed if we do not also protect the privacy and confidentiality of personal health information. The provision of high-quality health care requires the exchange of personal, often-sensitive information between an individual and a skilled practitioner. Vital to that interaction is the patient's ability to trust that the information shared will be protected and kept confidential. Yet many patients are concerned that their information is not protected. Among the factors adding to this concern are the growth of the number of organizations involved in the provision of care and the processing of claims, the growing use of electronic information technology, increased efforts to market health care and other products to consumers, and the increasing ability to collect highly sensitive information about a person's current and future health status as a result of advances in scientific research.

Rules requiring the protection of health privacy in the United States have been enacted primarily by the states. While virtually every state has enacted one or more laws to safeguard privacy, these laws vary significantly from state to state and typically apply to only part of the health care system. Many states have adopted laws that protect the health information relating to certain health conditions such as mental illness, communicable diseases, cancer, HIV/AIDS, and other stigmatized conditions. An examination of state health privacy laws and regulations, however, found that "state laws, with a few notable exceptions, do not extend comprehensive protections to people's medical records." Many state rules fail to provide such basic protections as ensuring a patient's legal right to see a copy of his or her medical record. See Health Privacy Project, "The State of Health Privacy: An Uneven Terrain," Institute for Health Care Research and Policy, Georgetown University (July 1999) (http://www.healthprivacy.org) (the "Georgetown Study").

Until now, virtually no federal rules existed to protect the privacy of health information and guarantee patient access to such information. This final rule establishes, for the first time, a set of basic national privacy standards and fair information practices that provides all Americans with a basic level of protection and peace of mind that is essential to their full participation in their care. The rule sets a floor of ground rules for health care providers, health plans, and health care clearinghouses to follow, in order to protect patients and encourage them to seek needed care. The rule seeks to balance the needs of the individual with the needs of the society. It creates a framework of protection that can be strengthened by both the federal government and by states as health information systems continue to evolve.

Need for a National Health Privacy Framework

The Importance of Privacy

Privacy is a fundamental right. As such, it must be viewed differently than any ordinary economic good. The costs and benefits of a regulation must, of course, be considered as a means of identifying and weighing options. At the same time, it is important not to lose sight of the inherent meaning of privacy: it speaks to our individual and collective freedom.

A right to privacy in personal information has historically found expression in American law. All fifty states today recognize in tort law a common law or statutory right to privacy. Many states specifically provide a remedy for public revelation of private facts. Some states, such as California and Tennessee, have a right to privacy as a matter of state constitutional law. The multiple historical sources for legal rights to privacy are traced in many places, including Chapter 13 of Alan Westin's Privacy and Freedom and in Ellen Alderman & Caroline Kennedy, The Right to Privacy (1995).

Throughout our nation's history, we have placed the rights of the individual at the forefront of our democracy. In the Declaration of Independence, we asserted the "unalienable right" to "life, liberty and the pursuit of happiness." Many of the most basic protections in the Constitution of the United States are imbued with an attempt to protect individual privacy while balancing it against the larger social purposes of the nation.

To take but one example, the Fourth Amendment to the United States Constitution guarantees that "the right of the people to be secure in their persons, houses, papers and effects, against unreasonable searches and seizures, shall not be violated." By referring to the need for security of "persons" as well as "papers and effects" the Fourth Amendment suggests enduring values in American law that relate to privacy. The need for security of "persons" is consistent with obtaining patient consent before performing invasive medical procedures. The need for security in "papers and effects" underscores the importance of protecting information about the person, contained in sources such as personal diaries, medical records, or elsewhere. As is generally true for the right of privacy in information, the right is not absolute. The test instead is what constitutes an "unreasonable" search of the papers and effects.

The United States Supreme Court has upheld the constitutional protection of personal health information. In Whalen v. Roe, 429 U.S. 589 (1977), the Court analyzed a New York statute that created a database of persons who obtained drugs for which there was both a lawful and unlawful market. The Court, in upholding the statute, recognized at least two different kinds of interests within the constitutionally protected "zone of privacy." "One is the individual interest in avoiding disclosure of personal matters," such as this regulation principally addresses. This interest in avoiding disclosure, discussed in Whalen in the context of medical information, was found to be distinct from a different line of cases concerning "the interest in independence in making certain kinds of important decisions."

Individuals' right to privacy in information about themselves is not absolute. It does not, for instance, prevent reporting of public health information on communicable diseases or stop law enforcement from getting information when due process has been observed. But many people believe that individuals should have some right to control personal and sensitive information about themselves. Among different sorts of personal information, health information is among the most sensitive. Many people believe that details about their physical self should not generally be put on display for neighbors, employers, and government officials to see. Informed consent laws place limits on the ability of other persons to intrude physically on a person's body. Similar concerns apply to intrusions on information about the person.

Moving beyond these facts of physical treatment, there is also significant intrusion when records reveal details about a person's mental state, such as during treatment for mental health. If, in Justice Brandeis' words, the "right to be let alone" means anything, then it likely applies to having outsiders have access to one's intimate thoughts, words, and emotions. In the recent case of Jaffee v. Redmond, 116 S.Ct. 1923 (1996), the Supreme Court held that statements made to a therapist during a counseling session were protected against civil discovery under the Federal Rules of Evidence. The Court noted that all fifty states have adopted some form of the psychotherapist-patient privilege. In upholding the federal privilege, the Supreme Court stated that it "serves the public interest by facilitating the appropriate treatment for individuals suffering the effects of a mental or emotional problem. The mental health of our citizenry, no less than its physical health, is a public good of transcendent importance."

Many writers have urged a philosophical or common-sense right to privacy in one's personal information. Examples include Alan Westin, Privacy and Freedom (1967) and Janna Malamud Smith, Private Matters: In Defense of the Personal Life (1997). These writings emphasize the link between privacy and freedom and privacy and the "personal life," or the ability to develop one's own personality and self-expression. Smith, for instance, states:

The bottom line is clear. If we continually, gratuitously, reveal other people's privacies, we harm them and ourselves, we undermine the richness of the personal life, and we fuel a social atmosphere of mutual exploitation. Let me put it another way: Little in life is as precious as the freedom to say and do things with people you love that you would not say or do if someone else were present. And few experiences are as fundamental to liberty and autonomy as maintaining control over when, how, to whom, and where you disclose personal material. Id. at 240-241.

In 1890, Louis D. Brandeis and Samuel D. Warren defined the right to privacy as "the right to be let alone." See L. Brandeis, S. Warren, "The Right To Privacy," 4 Harv.L.Rev. 193. More than a century later, privacy continues to play an important role in Americans' lives. In their book, The Right to Privacy, (Alfred A. Knopf, New York, 1995) Ellen Alderman and Caroline Kennedy describe the importance of privacy in this way:

Privacy covers many things. It protects the solitude necessary for creative thought. It allows us the independence that is part of raising a family. It protects our right to be secure in our own homes and possessions, assured that the government cannot come barging in. Privacy also encompasses our right to self-determination and to define who we are. Although we live in a world of noisy self-confession, privacy allows us to keep certain facts to ourselves if we so choose. The right to privacy, it seems, is what makes us civilized.

Or, as Cavoukian and Tapscott observed the right of privacy is: "the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is communicated." See A. Cavoukian, D. Tapscott, "Who Knows: Safeguarding Your Privacy in a Networked World," Random House (1995).

Increasing Public Concern About Loss of Privacy

Today, it is virtually impossible for any person to be truly "let alone." The average American is inundated with requests for information from potential employers, retail shops, telephone marketing firms, electronic marketers, banks, insurance companies, hospitals, physicians, health plans, and others. In a 1998 national survey, 88 percent of consumers said they were "concerned" by the amount of information being requested, including 55 percent who said they were "very concerned." See Privacy and American Business, 1998 Privacy Concerns & Consumer Choice Survey (http://www.pandab.org) These worries are not just theoretical. Consumers who use the Internet to make purchases or request "free" information often are asked for personal and financial information. Companies making such requests routinely promise to protect the confidentiality of that information. Yet several firms have tried to sell this information to other companies even after promising not to do so.

Americans' concern about the privacy of their health information is part of a broader anxiety about their lack of privacy in an array of areas. A series of national public opinion polls conducted by Louis Harris & Associates documents a rising level of public concern about privacy, growing from 64 percent in 1978 to 82 percent in 1995. Over 80 percent of persons surveyed in 1999 agreed with the statement that they had "lost all control over their personal information." See Harris Equifax, Health Information Privacy Study (1993) (http://www.epic.org/privacy/medical/polls.html). A Wall Street Journal/ABC poll on September 16, 1999 asked Americans what concerned them most in the coming century. "Loss of personal privacy" was the first or second concern of 29 percent of respondents. All other issues, such a terrorism, world war, and global warming had scores of 23 percent or less.

This growing concern stems from several trends, including the growing use of interconnected electronic media for business and personal activities, our increasing ability to know an individual's genetic make-up, and, in health care, the increasing complexity of the system. Each of these trends brings the potential for tremendous benefits to individuals and society generally. At the same time, each also brings new potential for invasions of our privacy.

Increasing Use of Interconnected Electronic Information Systems

Until recently, health information was recorded and maintained on paper and stored in the offices of community-based physicians, nurses, hospitals, and other health care professionals and institutions. In some ways, this imperfect system of record keeping created a false sense of privacy among patients, providers, and others. Patients' health information has never remained completely confidential. Until recently, however, a breach of confidentiality involved a physical exchange of paper records or a verbal exchange of information. Today, however, more and more health care providers, plans, and others are utilizing electronic means of storing and transmitting health information. In 1996, the health care industry invested an estimated $10 billion to $15 billion on information technology. See National Research Council, Computer Science and Telecommunications Board, "For the Record: Protecting Electronic Health Information," (1997). The electronic information revolution is transforming the recording of health information so that the disclosure of information may require only a push of a button. In a matter of seconds, a person's most profoundly private information can be shared with hundreds, thousands, even millions of individuals and organizations at a time. While the majority of medical records still are in paper form, information from those records is often copied and transmitted through electronic means.

This ease of information collection, organization, retention, and exchange made possible by the advances in computer and other electronic technology affords many benefits to individuals and to the health care industry. Use of electronic information has helped to speed the delivery of effective care and the processing of billions of dollars worth of health care claims. Greater use of electronic data has also increased our ability to identify and treat those who are at risk for disease, conduct vital research, detect fraud and abuse, and measure and improve the quality of care delivered in the U.S. The National Research Council recently reported that "the Internet has great potential to improve Americans' health by enhancing communications and improving access to information for care providers, patients, health plan administrators, public health officials, biomedical researchers, and other health professionals." See "Networking Health: Prescriptions for the Internet," National Academy of Sciences (2000).

At the same time, these advances have reduced or eliminated many of the financial and logistical obstacles that previously served to protect the confidentiality of health information and the privacy interests of individuals. And they have made our information available to many more people. The shift from paper to electronic records, with the accompanying greater flows of sensitive health information, thus strengthens the arguments for giving legal protection to the right to privacy in health information. In an earlier period where it was far more expensive to access and use medical records, the risk of harm to individuals was relatively low. In the potential near future, when technology makes it almost free to send lifetime medical records over the Internet, the risks may grow rapidly. It may become cost-effective, for instance, for companies to offer services that allow purchasers to obtain details of a person's physical and mental treatments. In addition to legitimate possible uses for such services, malicious or inquisitive persons may download medical records for purposes ranging from identity theft to embarrassment to prurient interest in the life of a celebrity or neighbor. The comments to the proposed privacy rule indicate that many persons believe that they have a right to live in society without having these details of their lives laid open to unknown and possibly hostile eyes. These technological changes, in short, may provide a reason for institutionalizing privacy protections in situations where the risk of harm did not previously justify writing such protections into law.

The growing level of trepidation about privacy in general, noted above, has tracked the rise in electronic information technology. Americans have embraced the use of the Internet and other forms of electronic information as a way to provide greater access to information, save time, and save money. For example, 60 percent of Americans surveyed in 1999 reported that they have a computer in their home; 82 percent reported that they have used a computer; 64 percent say they have used the Internet; and 58 percent have sent an e-mail. Among those who are under the age of 60, these percentages are even higher. See "National Survey of Adults on Technology," Henry J. Kaiser Family Foundation (February, 2000). But 59 percent of Americans reported that they worry that an unauthorized person will gain access to their information. A recent survey suggests that 75 percent of consumers seeking health information on the Internet are concerned or very concerned about the health sites they visit sharing their personal health information with a third party without their permission. Ethics Survey of Consumer Attitudes about Health Web Sites, California Health Care Foundation, at 3 (January, 2000).

Unless public fears are allayed, we will be unable to obtain the full benefits of electronic technologies. The absence of national standards for the confidentiality of health information has made the health care industry and the population in general uncomfortable about this primarily financially-driven expansion in the use of electronic data. Many plans, providers, and clearinghouses have taken steps to safeguard the privacy of individually identifiable health information. Yet they must currently rely on a patchwork of State laws and regulations that are incomplete and, at times, inconsistent. States have, to varying degrees, attempted to enhance confidentiality by establishing laws governing at least some aspects of medical record privacy. This approach, though a step in the right direction, is inadequate. These laws fail to provide a consistent or comprehensive legal foundation of health information privacy. For example, there is considerable variation among the states in the type of information protected and the scope of the protections provided. See Georgetown Study, at Executive Summary; Lawrence O. Gostin, Zita Lazzarrini, Kathleen M. Flaherty, Legislative Survey of State Confidentiality Laws, with Specific Emphasis on HIV and Immunization, Report to Centers for Disease Control, Council of State and Territorial Epidemiologists, and Task Force for Child Survival and Development, Carter Presidential Center (1996) (Gostin Study).

Moreover, electronic health data is becoming increasingly "national"; as more information becomes available in electronic form, it can have value far beyond the immediate community where the patient resides. Neither private action nor state laws provide a sufficiently comprehensive and rigorous legal structure to allay public concerns, protect the right to privacy, and correct the market failures caused by the absence of privacy protections (see discussion below of market failure under section V.C). Hence, a national policy with consistent rules is necessary to encourage the increased and proper use of electronic information while also protecting the very real needs of patients to safeguard their privacy.

Advances in Genetic Sciences

Recently, scientists completed nearly a decade of work unlocking the mysteries of the human genome, creating tremendous new opportunities to identify and prevent many of the leading causes of death and disability in this country and around the world. Yet the absence of privacy protections for health information endanger these efforts by creating a barrier of distrust and suspicion among consumers. A 1995 national poll found that more than 85 percent of those surveyed were either "very concerned" or "somewhat concerned" that insurers and employers might gain access to and use genetic information. See Harris Poll, 1995 #34. Sixty-three percent of the 1,000 participants in a 1997 national survey said they would not take genetic tests if insurers and employers could gain access to the results. See "Genetic Information and the Workplace," Department of Labor, Department of Health and Human Services, Equal Employment Opportunity Commission, January 20, 1998. "In genetic testing studies at the National Institutes of Health, thirty-two percent of eligible people who were offered a test for breast cancer risk declined to take it, citing concerns about loss of privacy and the potential for discrimination in health insurance." Sen. Leahy's comments for March 10, 1999 Introduction of the Medical Information Privacy and Security Act.

The Changing Health Care System

The number of entities who are maintaining and transmitting individually identifiable health information has increased significantly over the last 10 years. In addition, the rapid growth of integrated health care delivery systems requires greater use of integrated health information systems. The health care industry has been transformed from one that relied primarily on one-on-one interactions between patients and clinicians to a system of integrated health care delivery networks and managed care providers. Such a system requires the processing and collection of information about patients and plan enrollees (for example, in claims files or enrollment records), resulting in the creation of databases that can be easily transmitted. This dramatic change in the practice of medicine brings with it important prospects for the improvement of the quality of care and reducing the cost of that care. It also, however, means that increasing numbers of people have access to health information. And, as health plan functions are increasingly outsourced, a growing number of organizations not affiliated with our physicians or health plans also have access to health information.

According to the American Health Information Management Association (AHIMA), an average of 150 people "from nursing staff to x-ray technicians, to billing clerks" have access to a patient's medical records during the course of a typical hospitalization. While many of these individuals have a legitimate need to see all or part of a patient's records, no laws govern who those people are, what information they are able to see, and what they are and are not allowed to do with that information once they have access to it. According to the National Research Council, individually identifiable health information frequently is shared with:

• Consulting physicians;

• Managed care organizations;

• Health insurance companies

• Life insurance companies;

• Self-insured employers;

• Pharmacies;

• Pharmacy benefit managers;

• Clinical laboratories;

• Accrediting organizations;

• State and Federal statistical agencies; and

• Medical information bureaus.

Much of this sharing of information is done without the knowledge of the patient involved. While many of these functions are important for smooth functioning of the health care system, there are no rules governing how that information is used by secondary and tertiary users. For example, a pharmacy benefit manager could receive information to determine whether an insurance plan or HMO should cover a prescription, but then use the information to market other products to the same patient. Similarly, many of us obtain health insurance coverage though our employer and, in some instances, the employer itself acts as the insurer. In these cases, the employer will obtain identifiable health information about its employees as part of the legitimate health insurance functions such as claims processing, quality improvement, and fraud detection activities. At the same time, there is no comprehensive protection prohibiting the employer from using that information to make decisions about promotions or job retention.

Public concerns reflect these developments. A 1993 Lou Harris poll found that 75 percent of those surveyed worry that medical information from a computerized national health information system will be used for many non-health reasons, and 38 percent are very concerned. This poll, taken during the health reform efforts of 1993, showed that 85 percent of respondents believed that protecting the confidentiality of medical records is "absolutely essential" or "very essential" in health care reform. An ACLU Poll in 1994 also found that 75 percent of those surveyed are concerned a "great deal" or a "fair amount"' about insurance companies putting medical information about them into a computer information bank to which others have access. Harris Equifax, Health Information Privacy Study 2,33 (1993) http://www.epic.org/privacy/medical/poll.html. Another survey found that 35 percent of Fortune 500 companies look at people's medical records before making hiring and promotion decisions. Starr, Paul. "Health and the Right to Privacy," American Journal of Law and Medicine, 1999. Vol 25, pp. 193-201.

Concerns about the lack of attention to information privacy in the health care industry are not merely theoretical. In the absence of a national legal framework of health privacy protections, consumers are increasingly vulnerable to the exposure of their personal health information. Disclosure of individually identifiable information can occur deliberately or accidentally and can occur within an organization or be the result of an external breach of security. Examples of recent privacy breaches include:

• A Michigan-based health system accidentally posted the medical records of thousands of patients on the Internet (The Ann Arbor News, February 10, 1999).

• A Utah-based pharmaceutical benefits management firm used patient data to solicit business for its owner, a drug store (Kiplingers, February 2000).

• An employee of the Tampa, Florida, health department took a computer disk containing the names of 4,000 people who had tested positive for HIV, the virus that causes AIDS (USA Today, October 10, 1996).

• The health insurance claims forms of thousands of patients blew out of a truck on its way to a recycling center in East Hartford, Connecticut (The Hartford Courant, May 14, 1999).

• A patient in a Boston-area hospital discovered that her medical record had been read by more than 200 of the hospital's employees (The Boston Globe, August 1, 2000).

• A Nevada woman who purchased a used computer discovered that the computer still contained the prescription records of the customers of the pharmacy that had previously owned the computer. The pharmacy data base included names, addresses, social security numbers, and a list of all the medicines the customers had purchased. (The New York Times, April 4, 1997 and April 12, 1997).

• A speculator bid $4000 for the patient records of a family practice in South Carolina. Among the businessman's uses of the purchased records was selling them back to the former patients. (New York Times, August 14, 1991).

• In 1993, the Boston Globe reported that Johnson and Johnson marketed a list of 5 million names and addresses of elderly incontinent women. (ACLU Legislative Update, April 1998).

• A few weeks after an Orlando woman had her doctor perform some routine tests, she received a letter from a drug company promoting a treatment for her high cholesterol. (Orlando Sentinel, November 30, 1997).

No matter how or why a disclosure of personal information is made, the harm to the individual is the same. In the face of industry evolution, the potential benefits of our changing health care system, and the real risks and occurrences of harm, protection of privacy must be built into the routine operations of our health care system.

Privacy is Necessary to Secure Effective, High Quality Health Care

While privacy is one of the key values on which our society is built, it is more than an end in itself. It is also necessary for the effective delivery of health care, both to individuals and to populations. The market failures caused by the lack of effective privacy protections for health information are discussed below (see section V.C below). Here, we discuss how privacy is a necessary foundation for delivery of high quality health care. In short, the entire health care system is built upon the willingness of individuals to share the most intimate details of their lives with their health care providers.

The need for privacy of health information, in particular, has long been recognized as critical to the delivery of needed medical care. More than anything else, the relationship between a patient and a clinician is based on trust. The clinician must trust the patient to give full and truthful information about their health, symptoms, and medical history. The patient must trust the clinician to use that information to improve his or her health and to respect the need to keep such information private. In order to receive accurate and reliable diagnosis and treatment, patients must provide health care professionals with accurate, detailed information about their personal health, behavior, and other aspects of their lives. The provision of health information assists in the diagnosis of an illness or condition, in the development of a treatment plan, and in the evaluation of the effectiveness of that treatment. In the absence of full and accurate information, there is a serious risk that the treatment plan will be inappropriate to the patient's situation.

Patients also benefit from the disclosure of such information to the health plans that pay for and can help them gain access to needed care. Health plans and health care clearinghouses rely on the provision of such information to accurately and promptly process claims for payment and for other administrative functions that directly affect a patient's ability to receive needed care, the quality of that care, and the efficiency with which it is delivered.

Accurate medical records assist communities in identifying troubling public health trends and in evaluating the effectiveness of various public health efforts. Accurate information helps public and private payers make correct payments for care received and lower costs by identifying fraud. Accurate information provides scientists with data they need to conduct research. We cannot improve the quality of health care without information about which treatments work, and which do not.

Individuals cannot be expected to share the most intimate details of their lives unless they have confidence that such information will not be used or shared inappropriately. Privacy violations reduce consumers' trust in the health care system and institutions that serve them. Such a loss of faith can impede the quality of the health care they receive, and can harm the financial health of health care institutions.

Patients who are worried about the possible misuse of their information often take steps to protect their privacy. Recent studies show that a person who does not believe his privacy will be protected is much less likely to participate fully in the diagnosis and treatment of his medical condition. A national survey conducted in January 1999 found that one in five Americans believe their health information is being used inappropriately. See California HealthCare Foundation, "National Survey: Confidentiality of Medical Records"(January, 1999) (http://www.chcf.org). More troubling is the fact that one in six Americans reported that they have taken some sort of evasive action to avoid the inappropriate use of their information by providing inaccurate information to a health care provider, changing physicians, or avoiding care altogether. Similarly, in its comments on our proposed rule, the Association of American Physicians and Surgeons reported 78 percent of its members reported withholding information from a patient's record due to privacy concerns and another 87 percent reported having had a patient request to withhold information from their records. For an example of this phenomenon in a particular demographic group, see Drs. Bearman, Ford, and Moody, "Foregone Health Care among Adolescents," JAMA, vol. 282, no. 23 (999); Cheng, T.L., et al., "Confidentiality in Health Care: A Survey of Knowledge, Perceptions, and Attitudes among High School Students," JAMA, vol. 269, no. 11 (1993), at 1404-1407.

The absence of strong national standards for medical privacy has widespread consequences. Health care professionals who lose the trust of their patients cannot deliver high-quality care. In 1999, a coalition of organizations representing various stakeholders including health plans, physicians, nurses, employers, disability and mental health advocates, accreditation organizations as well as experts in public health, medical ethics, information systems, and health policy adopted a set of "best principles" for health care privacy that are consistent with the standards we lay out here. (See the Health Privacy Working Group, "Best Principles for Health Privacy" (July, 1999) (Best Principles Study). The Best Principles Study states that -

To protect their privacy and avoid embarrassment, stigma, and discrimination, some people withhold information from their health care providers, provide inaccurate information, doctor-hop to avoid a consolidated medical record, pay out-of-pocket for care that is covered by insurance, and - in some cases - avoid care altogether.

Best Principles Study, at 9. In their comments on our proposed rule, numerous organizations representing health plans, health providers, employers, and others acknowledged the value of a set of national privacy standards to the efficient operation of their practices and businesses.

Breaches of Health Privacy Harm More than Our Health Status

A breach of a person's health privacy can have significant implications well beyond the physical health of that person, including the loss of a job, alienation of family and friends, the loss of health insurance, and public humiliation. For example:

• A banker who also sat on a county health board gained access to patients' records and identified several people with cancer and called in their mortgages. See the National Law Journal, May 30, 1994.

• A physician was diagnosed with AIDS at the hospital in which he practiced medicine. His surgical privileges were suspended. See Estate of Behringer v. Medical Center at Princeton, 249 N.J. Super. 597.

• A candidate for Congress nearly saw her campaign derailed when newspapers published the fact that she had sought psychiatric treatment after a suicide attempt. See New York Times, October 10, 1992, Section 1, page 25.

• A 30-year FBI veteran was put on administrative leave when, without his permission, his pharmacy released information about his treatment for depression. (Los Angeles Times, September 1, 1998)

• Consumer Reports found that 40 percent of insurers disclose personal health information to lenders, employers, or marketers without customer permission. "Who's reading your Medical Records," Consumer Reports, October 1994, at 628, paraphrasing Sweeny, Latanya, "Weaving Technology and Policy Together to Maintain Confidentiality," The Journal Of Law Medicine and Ethics (Summer & Fall 1997) Vol. 25, Numbers 2,3.

The answer to these concerns is not for consumers to withdraw from society and the health care system, but for society to establish a clear national legal framework for privacy. By spelling out what is and what is not an allowable use of a person's identifiable health information, such standards can help to restore and preserve trust in the health care system and the individuals and institutions that comprise that system. As medical historian Paul Starr wrote: "Patients have a strong interest in preserving the privacy of their personal health information but they also have an interest in medical research and other efforts by health care organizations to improve the medical care they receive. As members of the wider community, they have an interest in public health measures that require the collection of personal data." (P. Starr, "Health and the Right to Privacy," American Journal of Law & Medicine, 25, nos. 2&3 (1999) 193-201). The task of society and its government is to create a balance in which the individual's needs and rights are balanced against the needs and rights of society as a whole.

National standards for medical privacy must recognize the sometimes competing goals of improving individual and public health, advancing scientific knowledge, enforcing the laws of the land, and processing and paying claims for health care services. This need for balance has been recognized by many of the experts in this field. Cavoukian and Tapscott described it this way: "An individual's right to privacy may conflict with the collective rights of the public. . .We do not suggest that privacy is an absolute right that reigns supreme over all other rights. It does not. However, the case for privacy will depend on a number of factors that can influence the balance - the level of harm to the individual involved versus the needs of the public."

The Federal Response

There have been numerous federal initiatives aimed at protecting the privacy of especially sensitive personal information over the past several years -- and several decades. While the rules below are likely the largest single federal initiative to protect privacy, they are by no means alone in the field. Rather, the rules arrive in the context of recent legislative activity to grapple with advances in technology, in addition to an already established body of law granting federal protections for personal privacy.

In 1965, the House of Representatives created a Special Subcommittee on Invasion of Privacy. In 1973, this Department's predecessor agency, the Department of Health, Education and Welfare issued The Code of Fair Information Practice Principles establishing an important baseline for information privacy in the U.S. These principles formed the basis for the federal Privacy Act of 1974, which regulates the government's use of personal information by limiting the disclosure of personally-identifiable information, allows consumers access to information about them, requires federal agencies to specify the purposes for collecting personal information, and provides civil and criminal penalties for misuse of information.

In the last several years, with the rapid expansion in electronic technology -- and accompanying concerns about individual privacy -- laws, regulations, and legislative proposals have been developed in areas ranging from financial privacy to genetic privacy to the safeguarding of children on-line. For example, the Children's Online Privacy Protection Act was enacted in 1998, providing protection for children when interacting at web-sites. In February, 2000, President Clinton signed Executive Order 13145, banning the use of genetic information in federal hiring and promotion decisions. The landmark financial modernization bill, signed by the President in November, 1999, likewise contained financial privacy protections for consumers. There also has been recent legislative activity on establishing legal safeguards for the privacy of individuals' Social Security numbers, and calls for regulation of on-line privacy in general.

These most recent laws, regulations, and legislative proposals come against the backdrop of decades of privacy-enhancing statutes passed at the federal level to enact safeguards in fields ranging from government data files to video rental records. In the 1970s, individual privacy was paramount in the passage of the Fair Credit Reporting Act (1970), the Privacy Act (1974), the Family Educational Rights and Privacy Act (1974), and the Right to Financial Privacy Act (1978). These key laws were followed in the next decade by another series of statutes, including the Privacy Protection Act (1980), the Electronic Communications Privacy Act (1986), the Video Privacy Protection Act (1988), and the Employee Polygraph Protection Act (1988). In the last ten years, Congress and the President have passed additional legal privacy protection through, among others, the Telephone Consumer Protection Act (1991), the Driver's Privacy Protection Act (1994), the Telecommunications Act (1996), the Children's Online Privacy Protection Act (1998), the Identity Theft and Assumption Deterrence Act (1998), and Title V of the Gramm-Leach-Bliley Act (1999) governing financial privacy.

In 1997, a Presidential advisory commission, the Advisory Commission on Consumer Protection and Quality in the Health Care Industry, recognized the need for patient privacy protection in its recommendations for a Consumer Bill of Rights and Responsibilities (November 1997). In 1997, Congress enacted the Balanced Budget Act (Public Law 105-34), which added language to the Social Security Act (18 U.S.C. 1852) to require Medicare+Choice organizations to establish safeguards for the privacy of individually identifiable patient information. Similarly, the Veterans Benefits section of the U.S. Code provides for confidentiality of medical records in cases involving drug abuse, alcoholism or alcohol abuse, HIV infection, or sickle cell anemia (38 U.S.C. 7332).

As described in more detail in the next section, Congress recognized the importance of protecting the privacy of health information by enacting the Health Insurance Portability and Accountability Act of 1996. The Act called on Congress to enact a medical privacy statute and asked the Secretary of Health and Human Services to provide Congress with recommendations for protecting the confidentiality of health care information. The Congress further recognized the importance of such standards by providing the Secretary with authority to promulgate regulations on health care privacy in the event that lawmakers were unable to act within the allotted three years.

Finally, it also is important for the U.S. to join the rest of the developed world in establishing basic medical privacy protections. In 1995, the European Union (EU) adopted a Data Privacy Directive requiring its 15 member states to adopt consistent privacy laws by October 1998. The EU urged all other nations to do the same or face the potential loss of access to information from EU countries.

Statutory Background

History of the Privacy Component of the Administrative Simplification Provisions

The Congress addressed the opportunities and challenges presented by the rapid evolution of health information systems in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, which was enacted on August 21, 1996. Sections 261 through 264 of HIPAA are known as the Administrative Simplification provisions. The major part of these Administrative Simplification provisions are found at section 262 of HIPAA, which enacted a new part C of title XI of the Social Security Act (hereinafter we refer to the Social Security Act as the "Act" and we refer to all other laws cited in this document by their names).

In section 262, Congress primarily sought to facilitate the efficiencies and cost savings for the health care industry that the increasing use of electronic technology affords. Thus, section 262 directs HHS to issue standards to facilitate the electronic exchange of information with respect to financial and administrative transactions carried out by health plans, health care clearinghouses, and health care providers who transmit information electronically in connection with such transactions.

At the same time, Congress recognized the challenges to the confidentiality of health information presented by the increasing complexity of the health care industry, and by advances in health information systems technology and communications. Section 262 thus also directs HHS to develop standards to protect the security, including the confidentiality and integrity, of health information.

Congress has long recognized the need for protection of health information privacy generally, as well as the privacy implications of electronic data interchange and the increased ease of transmitting and sharing individually identifiable health information. Congress has been working on broad health privacy legislation for many years and, as evidenced by the self-imposed three year deadline included in the HIPAA, discussed below, believes it can and should enact such legislation. A significant portion of the first Administrative Simplification section debated on the floor of the Senate in 1994 (as part of the Health Security Act) consisted of privacy provisions. In the version of the HIPAA passed by the House of Representatives in 1996, the requirement for the issuance of privacy standards was located in the same section of the bill (section 1173) as the requirements for issuance of the other HIPAA Administrative Simplification standards. In conference, the requirement for privacy standards was moved to a separate section in the same part of HIPAA, section 264, so that Congress could link the Privacy standards to Congressional action.

Section 264(b) requires the Secretary of HHS to develop and submit to the Congress recommendations for:

• The rights that an individual who is a subject of individually identifiable health information should have.

• The procedures that should be established for the exercise of such rights.

• The uses and disclosures of such information that should be authorized or required.

The Secretary's Recommendations were submitted to the Congress on September 11, 1997. Section 264(c)(1) provides that:

If legislation governing standards with respect to the privacy of individually identifiable health information transmitted in connection with the transactions described in section 1173(a) of the Social Security Act (as added by section 262) is not enacted by [August 21, 1999], the Secretary of Health and Human Services shall promulgate final regulations containing such standards not later than [February 21, 2000]. Such regulations shall address at least the subjects described in subsection (b).

As the Congress did not enact legislation regarding the privacy of individually identifiable health information prior to August 21, 1999, HHS published proposed rules setting forth such standards on November 3, 1999, 64 FR 59918, and is now publishing the mandated final regulation.

These privacy standards have been, and continue to be, an integral part of the suite of Administrative Simplification standards intended to simplify and improve the efficiency of the administration of our health care system.

The Administrative Simplification Provisions, and Regulatory Actions To Date

Part C of title XI consists of sections 1171 through 1179 of the Act. These sections define various terms and impose several requirements on HHS, health plans, health care clearinghouses, and health care providers who conduct the identified transactions electronically.

The first section, section 1171 of the Act, establishes definitions for purposes of part C of title XI for the following terms: code set, health care clearinghouse, health care provider, health information, health plan, individually identifiable health information, standard, and standard setting organization.

Section 1172 of the Act makes the standard adopted under part C applicable to: (1) health plans, (2) health care clearinghouses, and (3) health care providers who transmit health information in electronic form in connection with transactions referred to in section 1173(a)(1) of the Act (hereinafter referred to as the "covered entities"). Section 1172 also contains procedural requirements concerning the adoption of standards, including the role of standard setting organizations and required consultations, summarized in subsection F and section VI, below.

Section 1173 of the Act requires the Secretary to adopt standards for transactions, and data elements for such transactions, to enable health information to be exchanged electronically. Section 1173(a)(1) describes the transactions to be promulgated, which include the nine transactions listed in section 1173(a)(2) and other transactions determined appropriate by the Secretary. The remainder of section 1173 sets out requirements for the specific standards the Secretary is to adopt: unique health identifiers, code sets, security standards, electronic signatures, and transfer of information among health plans. Of particular relevance to this proposed rule is section 1173(d), the security standard provision. The security standard authority applies to both the transmission and the maintenance of health information, and requires the entities described in section 1172(a) to maintain reasonable and appropriate safeguards to ensure the integrity and confidentiality of the information, protect against reasonably anticipated threats or hazards to the security or integrity of the information or unauthorized uses or disclosures of the information, and to ensure compliance with part C by the entity's officers and employees.

In section 1174 of the Act, the Secretary is required to establish standards for all of the above transactions, except claims attachments, by February 21, 1998. The statutory deadline for the claims attachment standard is February 21, 1999.

As noted above, a proposed rule for most of the transactions was published on May 7, 1998, and the final Transactions Rule was promulgated on August 17, 2000. The delay was caused by the deliberate consensus building process, working with industry, and the large number of comments received (about 17,000). In addition, in a series of Notices of Proposed Rulemakings, HHS published other proposed standards, as described above. Each of these steps was taken in concert with the affected professions and industries, to ensure rapid adoption and compliance.

Generally, after a standard is established, it may not be changed during the first year after adoption except for changes that are necessary to permit compliance with the standard. Modifications to any of these standards may be made after the first year, but not more frequently than once every 12 months. The Secretary also must ensure that procedures exist for the routine maintenance, testing, enhancement, and expansion of code sets and that there are crosswalks from prior versions.

Section 1175 of the Act prohibits health plans from refusing to process, or from delaying processing of, a transaction that is presented in standard format. It also establishes a timetable for compliance: each person to whom a standard or implementation specification applies is required to comply with the standard within 24 months (or 36 months for small health plans) of its adoption. A health plan or other entity may, of course, comply voluntarily before the effective date. The section also provides that compliance with modifications to standards or implementation specifications must be accomplished by a date designated by the Secretary, which date may not be earlier than 180 days from the notice of change.

Section 1176 of the Act establishes civil monetary penalties for violation of the provisions in part C of title XI of the Act, subject to several limitations. Penalties may not be more than $100 per person per violation and not more than $25,000 per person for violations of a single standard for a calendar year. The procedural provisions of section 1128A of the Act apply to actions taken to obtain civil monetary penalties under this section.

Section 1177 establishes penalties for any person that knowingly uses a unique health identifier, or obtains or discloses individually identifiable health information in violation of the part. The penalties include: (1) a fine of not more than $50,000 and/or imprisonment of not more than 1 year; (2) if the offense is "under false pretenses," a fine of not more than $100,000 and/or imprisonment of not more than 5 years; and (3) if the offense is with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, a fine of not more than $250,000 and/or imprisonment of not more than 10 years.

Under section 1178 of the Act, the requirements of part C, as well as any standards or implementation specifications adopted thereunder, preempt contrary state law. There are three exceptions to this general rule of preemption: state laws that the Secretary determines are necessary for certain purposes set forth in the statute; state laws that the Secretary determines address controlled substances; and state laws relating to the privacy of individually identifiable health information that are contrary to and more stringent than the federal requirements. There also are certain areas of state law (generally relating to public health and oversight of health plans) that are explicitly carved out of the general rule of preemption and addressed separately.

Section 1179 of the Act makes the above provisions inapplicable to financial institutions (as defined by section 1101 of the Right to Financial Privacy Act of 1978) or anyone acting on behalf of a financial institution when "authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments for a financial institution."

Finally, as explained above, section 264 requires the Secretary to issue standards with respect to the privacy of individually identifiable health information. Section 264 also contains a preemption provision that provides that contrary provisions of state laws that are more stringent than the federal standards, requirements, or implementation specifications will not be preempted.

Our Approach to This Regulation


A number of facts informed our approach to this regulation. Determining the best approach to protecting privacy depends on where we start, both with respect to existing legal expectations and also with respect to the expectations of individuals, health care providers, payers and other stakeholders. From the comments we received on the proposed rule, and from the extensive fact finding in which we engaged, a confused picture developed. We learned that stakeholders in the system have very different ideas about the extent and nature of the privacy protections that exist today, and very different ideas about appropriate uses of health information. This leads us to seek to balance the views of the different stakeholders, weighing the varying interests on each particular issue with a view to creating balance in the regulation as a whole.

For example, we received hundreds of comments explaining the legitimacy of various uses and disclosure of health information. We agree that many uses and disclosures of health information are "legitimate," but that is not the end of the inquiry. Neither privacy, nor the important social goals described by the commenters, are absolutes. In this regulation, we are asking health providers and institutions to add privacy into the balance, and we are asking individuals to add social goals into the balance.

The vast difference among regulated entities also informed our approach in significant ways. This regulation applies to solo practitioners, and multi-national health plans. It applies to pharmacies and information clearinghouses. These entities differ not only in the nature and scope of their businesses, but also in the degree of sophistication of their information systems and information needs. We therefore designed the core requirements of this regulation to be flexible and "scalable." This is reflected throughout the rule, particularly in the implementation specifications for making the 'minimum necessary' uses and disclosures, and in the administrative policies and procedures requirements.

We also are informed by the rapid evolution in industry organization and practice. Our goal is to enhance privacy protections in ways that do not impede this evolution. For example, we received many comments asking us to assign a status under this regulation based on a label or title. For example, many commenters asked whether "disease management" is a "health care operation," or whether a "pharmacy benefits manager" is a covered entity. From the comments and our fact-finding, however, we learned that these terms do not have consistent meanings today; rather, they encompass diverse activities and information practices. Further, the statutory definitions of key terms such as 'health care provider' and 'health care clearinghouse' describe functions, not specific types of persons or entities. To respect both the Congressional approach and industry evolution, we design the rule to follow activities and functions, not titles and labels.

Similarly, many comments asked whether a particular person would be a "business associate" under the rule, based on the nature of the person's business. Whether a business associate arrangement must exist under the rule, however, depends on the relationship between the entities and the services being performed, not on the type of persons or companies involved.

Our approach is also significantly informed by the limited jurisdiction conferred by HIPAA. In large part, we have the authority to regulate those who create and disclose health information, but not many key stakeholders who receive that health information from a covered entity. Again, this led us to look to the balance between the burden on covered entities and need to protect privacy in determining our approach to such disclosures. In some instances, we approach this dilemma by requiring covered entities to obtain a representation or documentation of purpose from the person requesting information. While there would be advantages to legislation regulating such third persons directly, we cannot justify abandoning any effort to enhance privacy.

It also became clear from the comments and our fact-finding that we have expectations as a society that conflict with individuals' views about the privacy of health information. We expect the health care industry to develop treatment protocols for the delivery of high quality health care. We expect insurers and the government to reduce fraud in the health care system. We expect to be protected from epidemics, and we expect medical research to produce miracles. We expect the police to apprehend suspects, and we expect to pay for our care by credit card. All of these activities involve disclosure of health information to someone other than our physician.

While most commenters support the concept of health privacy in general, many go on to describe activities that depend on the disclosure of health information and urge us to protect those information flows. Section III, in which we respond to the comments, describes our approach to balancing these conflicting expectations.

Finally, we note that many commenters were concerned that this regulation would lessen current privacy protections. It is important to understand this regulation as a new federal floor of privacy protections that does not disturb more protective rules or practices. Nor do we intend this regulation to describe a set of a "best practices." Rather, this regulation describes a set of basic consumer protections and a series of regulatory permissions for use and disclosure of health information. The protections are a mandatory floor, which other governments and any covered entity may exceed. The permissions are just that, permissive -- the only disclosures of health information required under this rule are to the individual who is the subject of the information or to the Secretary for enforcement of this rule. We expect covered entities to rely on their professional ethics and use their own best judgements in deciding which of these permissions they will use.

Combining Workability with New Protections

This rule establishes national minimum standards to protect the privacy of individually identifiable health information in prescribed settings. The standards address the many varied uses and disclosures of individually identifiable health information by health plans, certain health care providers and health care clearinghouses. The complexity of the standards reflects the complexity of the health care marketplace to which they apply and the variety of subjects that must be addressed. The rule applies not only to the core health care functions relating to treating patients and reimbursing health care providers, but also to activities that range from when individually identifiable health information should be available for research without authorization to whether a health care provider may release protected health information about a patient for law enforcement purposes. The number of discrete provisions, and the number of commenters requesting that the rule recognize particular activities, is evidence of the significant role that individually identifiable health information plays in many vital public and private concerns.

At the same time, the large number of comments from individuals and groups representing individuals demonstrate the deep public concern about the need to protect the privacy of individually identifiable health information. The discussion above is rich with evidence about the importance of protecting privacy and the potential adverse consequences to individuals and their health if such protections are not extended.

The need to balance these competing interests - the necessity of protecting privacy and the public interest in using identifiable health information for vital public and private purposes - in a way that is also workable for the varied stakeholders causes much of the complexity in the rule. Achieving workability without sacrificing protection means some level of complexity, because the rule must track current practices and current practices are complex. We believe that the complexity entailed in reflecting those practices is better public policy than a perhaps simpler rule that disturbed important information flows.

Although the rule taken as a whole is complicated, we believe that the standards are much less complex as they apply to particular actors. What a health plan or covered health care provider must do to comply with the rule is clear, and the two-year delayed implementation provides a substantial period for trade and professional associations, working with their members, to assess the effects of the standards and develop policies and procedures to come into compliance with them. For individuals, the system may look substantially more complicated because, for the first time, we are ensuring that individuals will receive detailed information about how their individually identifiable health information may be used and disclosed. We also provide individuals with additional tools to exercise some control over those uses and disclosures. The additional complexity for individuals is the price of expanding their understanding and their rights.

The Department will work actively with members of the health care industry, representatives of individuals and others during the implementation of this rule. As stated elsewhere, our focus is to develop broader understanding of how the standards work and to facilitate compliance. We intend to provide guidance and check lists as appropriate, particularly to small businesses affected by the rule. We also will work with trade and professional associations to develop guidance and provide technical assistance so that they can help their members understand and comply with these new standards. If this effort is to succeed, the various public and private participants inside and outside of the health care system will need to work together to assure that the competing interests described above remain in balance and that an ethic that recognizes their importance is established.


The Secretary has decided to delegate her responsibility under this regulation to the Department's Office for Civil Rights (OCR). OCR will be responsible for enforcement of this regulation. Enforcement activities will include working with covered entities to secure voluntary compliance through the provision of technical assistance and other means; responding to questions regarding the regulation and providing interpretations and guidance; responding to state requests for exception determinations; investigating complaints and conducting compliance reviews; and, where voluntary compliance cannot be achieved, seeking civil monetary penalties and making referrals for criminal prosecution.


Current law and practice

The issue that drew the most comments overall is the question of when individuals' permission should be obtained prior to use or disclosure of their health information. We learned that individuals' views and the legal view of 'consent' for use and disclosure of health information are different and in many ways incompatible. Comments from individuals revealed a common belief that, today, people must be asked permission for each and every release of their health information. Many believe that they "own" the health records about them. However, current law and practice do not support this view.

Current privacy protection practices are determined in part by the standards and practices that the professional associations have adopted for their members. Professional codes of conduct for ethical behavior generally can be found as opinions and guidelines developed by organizations such as the American Medical Association, American Nurses' Association, the American Hospital Association, the American Psychiatric Association, and the American Dental Association. These are generally issued though an organization's governing body. The codes do not have the force of law, but providers often recognize them as binding rules.

Our review of professional codes of ethics revealed partial, but loose, support for individuals' expectations of privacy. For example, the American Medical Association's Code of Ethics recognizes both the right to privacy and the need to balance it against societal needs. It reads in part: "conflicts between a patient's right to privacy and a third party's need to know should be resolved in favor of the patient, except where that would result in serious health hazard or harm to the patient or others." AMA Policy No 140.989. See also, Mass. Med. Society, Patient Privacy and Confidentiality (1996), at 14:

Patients enter treatment with the expectation that the information they share will be used exclusively for their clinical care. Protection of our patients' confidences is an integral part of our ethical training.

These codes, however, do not apply to many who obtain information from providers. For example, the National Association of Insurance Commissioners model code, "Health Information Privacy Model Act"(1998), applies to insurers but has not been widely adopted. Codes of ethics are also often written in general terms that do not provide guidance to providers and plans confronted with specific questions about protecting health information.

State laws are a crucial means of protecting health information, and today state laws vary dramatically. Some states defer to the professional codes of conduct, others provide general guidelines for privacy protection, and others provide detailed requirements relating to the protection of information relating to specific diseases or to entire classes of information. Cf., D.C. Code Ann. §2-3305.14(16) and Haw. Rev. Stat. 323C, et seq. In general, state statutes and case law addressing consent to use of health information do not support the public's strong expectations regarding consent for use and disclosure of health information. Only about half of the states have a general law that prohibits disclosure of health information without patient authorization and some of these are limited to hospital medical records.

Even when a state has a law limiting disclosure of health information, the law typically exempts many types of disclosure from the authorization requirement. Georgetown Study, Key Findings; Lisa Dahm, "50-State Survey on Patient Health Care Record Confidentiality," American Health Lawyers Association (1999). One of the most common exemptions from a consent requirement is disclosure of health information for treatment and related purposes. See, e.g., Wis.Stat. § 164.82; Cal. Civ. Code 56:10; National Conference of Commissioners on Uniform State Laws, Uniform Health-Care Information Act, Minneapolis, MN, August 9, 1985. Some states include utilization review and similar activities in the exemption. See, e.g., Ariz. Rev. Stat. § 12-2294. Another common exemption from consent is disclosure of health information for purposes of obtaining payment. See, e.g., Fla. Stat. Ann. § 455.667; Tex. Rev. Civ. Stat. Art. 4495, § 5.08(h); 410 Ill. Comp. Stat. 50/3(d). Other common exemptions include disclosures for emergency care, and for disclosures to government authorities (such as a department of public health). See Gostin Study, at 1-2; 48-51. Some states also exempt disclosure to law enforcement officials (e.g., Massachusetts, Ch. 254 of the Acts of 2000), coroners (Wis. Stat. § 146.82), and for such purposes as business operations, oversight, research, and for directory information. Under these exceptions, providers can disclose health information without any consent or authorization from the patient. When states require specific, written authorization for disclosure of health information, the authorizations are usually only required for certain types of disclosures or certain types of information, and one authorization can suffice for multiple disclosures over time.

The states that do not have laws prohibiting disclosure of health information impose no specific requirements for consent or authorization prior to release of health information. There may, however, be other controls on release of health information. For instance, most health care professional licensure laws include general prohibitions against 'breaches of confidentiality.' In some states, patients can hold providers accountable for some unauthorized disclosures of health information about them under various tort theories, such as invasion of privacy and breach of a confidential relationship. While these controls may affect certain disclosure practices, they do not amount to a requirement that a provider obtain authorization for each and every disclosure of health information.

Further, patients are typically not given a choice; they must sign the "consent" in order to receive care. As the Georgetown Study points out, "In effect, the authorization may function more as a waiver of consent -- the patient may not have an opportunity to object to any disclosures." Georgetown Study, Key Findings.

In the many cases where neither state law nor professional ethical standards exist, the only privacy protection individuals have is limited to the policies and procedures that the health care entity adopts. Corporate privacy policies are often proprietary. While several professional associations attached their privacy principles to their comments, health care entities did not. One study we found indicates that these policies are not adequate to provide appropriate privacy protections and alleviate public concern. The Committee on Maintaining Privacy and Security in Health Care Applications of the National Information Infrastructure made multiple findings highlighting the need for heightened privacy and security, including:

Finding 5: The greatest concerns regarding the privacy of health information derives from widespread sharing of patient information throughout the health care industry and the inadequate federal and state regulatory framework for systematic protection of health information.

For the Record: Protecting Electronic Health Information, National Academy Press, Washington DC, 1997.

Consent under this rule

In the NPRM, we expressed concern about the coercive nature of consents currently obtained by providers and plans relating to the use and disclosure of health information. We also expressed concern about the lack of information available to the patient during the process, and the fact that patients often were not even presented with a copy of the consent that they have signed. These and other concerns led us to propose that covered entities be permitted to use and disclose protected health information for treatment, payment and health care operations without the express consent of the subject individual.

In the final rule, we alter our proposed approach and require, in most instances, that health care providers who have a direct treatment relationship with their patients obtain the consent of their patients to use and disclose protected health information for treatment, payment and health care operations. While our concern about the coerced nature of these consents remains, many comments that we received from individuals, health care professionals, and organizations that represent them indicated that both patients and practitioners believe that patient consent is an important part of the current health care system and should be retained.

Providing and obtaining consent clearly has meaning for patients and practitioners. Patient advocates argued that the act of signing focuses the patient's attention on the substance of the transaction and provides an opportunity for the patient to ask questions about or seek modifications in the provider's practices. Many health care practitioners and their representatives argued that seeking a patient's consent to disclose confidential information is an ethical requirement that strengthens the physician-patient relationship. Both practitioners and patients argued that the approach proposed in the NPRM actually reduced patient protections by eliminating the opportunity for patients to agree to how their confidential information would be used and disclosed.

While we believe that the provisions in the NPRM that provided for detailed notice to the patient and the right to request restrictions would have provided an opportunity for patients and providers to discuss and negotiate over information practices, it is clear from the comments that many practitioners and patients believe the approach proposed in the NPRM is not an acceptable replacement for the patient providing consent. To encourage a more informed interaction between the patient and the provider during the consent process, the final rule requires that the consent form that is presented to the patient be accompanied by a notice that contains a detailed discussion of the provider's health information practices. The consent form must reference the notice and also must inform the patient that he or she has the right to ask the health care provider to request certain restrictions as to how the information of the patient will be used or disclosed. Our goal is to provide an opportunity for and to encourage more informed discussions between patients and providers about how protected health information will be used and disclosed within the health care system.

We considered and rejected other approaches to consent, including those that involved individuals providing a global consent to uses and disclosures when they sign up for insurance. While such approaches do require the patient to provide consent, it is not really an informed one or a voluntary one. It is also unclear how a consent obtained at the enrollment stage would be meaningfully communicated to the many providers who create the health information in the first instance. The ability to negotiate restrictions or otherwise have a meaningful discussion with the front-line provider would be independent of, and potentially in conflict with, the consent obtained at the enrollment stage. In addition, employers today are moving toward simplified enrollment forms, using check-off boxes and similar devices. The opportunity for any meaningful consideration or interaction at that point is slight. For these and other reasons, we decided that, to the extent a consent can accomplish the goal sought by individuals and providers, it must be focused on the direct interaction between an individual and provider.

The comments and fact-finding indicate that our approach will not significantly change the administrative aspect of consent as it exists today. Most direct treatment providers today obtain some type of consent for some uses and disclosures of health information. Our regulation will ensure that those consents cover the routine uses and disclosures of health information, and provide an opportunity for individuals to obtain further information and have further discussion, should they so desire.

Administrative Costs

Section 1172(b) of the Act provides that "[a]ny standard adopted under this part [part C of title XI of the Act] shall be consistent with the objective of reducing the administrative costs of providing and paying for health care." The privacy and security standards are the platform on which the remaining standards rest; indeed, the design of part C of title XI makes clear that the various standards are intended to function together. Thus, the costs of privacy and security are properly attributable to the suite of administrative simplification regulations as a whole, and the cost savings realized should likewise be calculated on an aggregated basis, as is done below. Because the privacy standards are an integral and necessary part of the suite of Administrative Simplification standards, and because that suite of standards will result in substantial administrative cost savings, the privacy standards are "consistent with the objective of reducing the administrative costs of providing and paying for health care."

As more fully discussed in the Regulatory Impact and Regulatory Flexibility analyses below, we recognize that these privacy standards will entail substantial initial and ongoing administrative costs for entities subject to the rules. It is also the case that the privacy standards, like the security standards authorized by section 1173(d) of the Act, are necessitated by the technological advances in information exchange that the remaining Administrative Simplification standards facilitate for the health care industry. The same technological advances that make possible enormous administrative cost savings for the industry as a whole have also made it possible to breach the security and privacy of health information on a scale that was previously inconceivable. The Congress recognized that adequate protection of the security and privacy of health information is a sine qua non of the increased efficiency of information exchange brought about by the electronic revolution, by enacting the security and privacy provisions of the law. Thus, as a matter of policy as well as law, the administrative standards should be viewed as a whole in determining whether they are "consistent with" the objective of reducing administrative costs.


The Congress required the Secretary to consult with specified groups in developing the standards under sections 262 and 264. Section 264(d) of HIPAA specifically requires the Secretary to consult with the National Committee on Vital and Health Statistics (NCVHS) and the Attorney General in carrying out her responsibilities under the section. Section 1172(b)(3) of the Act, which was enacted by section 262, requires that, in developing a standard under section 1172 for which no standard setting organization has already developed a standard, the Secretary must, before adopting the standard, consult with the National Uniform Billing Committee (NUBC), the National Uniform Claim Committee (NUCC), the Workgroup for Electronic Data Interchange (WEDI), and the American Dental Association (ADA). Section 1172(f) also requires the Secretary to rely on the recommendations of the NCVHS and consult with other appropriate federal and state agencies and private organizations.

We engaged in the required consultations including the Attorney General, NUBC, NUCC, WEDI and the ADA. We consulted with the NCVHS in developing the Recommendations, upon which this proposed rule is based. We continued to consult with this committee by requesting the committee to review the proposed rule and provide comments prior to its publication, and by reviewing transcripts of its public meeting on privacy and related topics. We consulted with representatives of the National Congress of American Indians, the National Indian Health Board, and the self governance tribes. We also met with representatives of the National Governors' Association, the National Conference of State Legislatures, the National Association of Public Health Statistics and Information Systems, and a number of other state organizations to discuss the framework for the proposed rule, issues of special interests to the states, and the process for providing comments on the proposed rule.

Many of these groups submitted comments to the proposed rule, and those were taken into account in developing the final regulation.

In addition to the required consultations, we met with numerous individuals, entities, and agencies regarding the regulation, with the goal of making these standards as compatible as possible with current business practices, while still enhancing privacy protection. During the open comment period, we met with dozens of groups.

Relevant federal agencies participated in the interagency working groups that developed the NPRM and the final regulation, with additional representatives from all operating divisions and many staff offices of HHS. The following federal agencies and offices were represented on the interagency working groups: the Department of Justice, the Department of Commerce, the Social Security Administration, the Department of Defense, the Department of Veterans Affairs, the Department of Labor, the Office of Personnel Management, and the Office of Management and Budget.

Go to Regulation Preamble, next section

Go to Regulation Text