[Please label comments about this section with the subject: Safeguards]
In proposed § 164.518(c), we would require covered entities to put in place administrative, technical, and physical safeguards to protect against any reasonably anticipated threats or hazards to the privacy of the information, and unauthorized uses or disclosures of the information. We proposed similar requirements for certain electronic information in the Notice of Proposed Rulemaking entitled the Security and Electronic Signature Standards (HCFA-0049-P), which can be found at 63 FR 43241. We are proposing parallel and consistent requirements for safeguarding the privacy of protected health information.
As noted in section II.E. above, for many permitted disclosures the covered entity would be responding to a request for disclosure of protected health information. For most categories of permitted disclosures, when the request for disclosure of protected health information is from a person with whom the covered entity does not routinely do business, we would require the covered entity to verify the identity of the requestor. In addition, for certain categories of disclosures, covered entities would also be required to verify the requestor's legal authority to make the request.
Under § 164.514, a covered entity would be required to give individuals access to protected health information about them (under most circumstances). The covered entity would also be required to take reasonable steps to verify the identity of the individual making the request for access. We do not propose to mandate particular identification requirements (e.g., driver's license, photo ID, etc.), but rather would leave this to the discretion of the covered entity.
Covered entities would be required to verify both the identity of persons requesting protected health information and their authority for requesting such information when the request is from a person with whom the covered entity does not routinely do business and the disclosure would be permitted by the following subsections of § 164.510: under § 164.510(b) for public health, under § 164.510(c) for oversight, under § 164.510(e) to coroners and medical examiners, under § 164.510(f) for law enforcement, under § 164.510(g) for governmental health data systems, under § 164.510(m) for special classes, and for disclosures required by other laws under § 164.510(n). Covered entities would be required to verify the identity of the requestor by examination of reasonable evidence, such as a written statement of identity on agency letterhead, an identification badge, or similar proof of official status. Similarly, covered entities would be required to verify the legal authority supporting the request by examination of reasonable evidence, such as a written request provided on agency letterhead that describes the legal authority for requesting the release. Unless § 164.510 explicitly requires written evidence of legal process or other authority before a disclosure may be made, a public official's proof of identity and the official's oral statement that the request is authorized by law would be presumed to constitute the required reasonable evidence of legal authority. Where § 164.510 does require written evidence of legal process or authority, only the required written evidence will suffice.
We considered specifying the type of documentation or proof that would be acceptable, but decided that the burden of such specific regulatory requirements on covered entities would be unnecessary. Therefore, we propose only a general requirement for reasonable verification of identity and legal authority.
In § 164.522, we would require disclosure to the Secretary for purposes of enforcing this regulation. When a covered entity is asked by the Secretary to disclose protected health information for compliance purposes, the covered entity should verify the same information that it would verify for any other law enforcement or oversight request for disclosure.
In some circumstances a person or entity acting on behalf of a government agency may make a request for disclosure of protected health information under these subsections. For example, public health agencies may contract with a nonprofit agency to collect and analyze certain data. In such cases the covered entity would be required to verify the requestor's identity and authority through examination of reasonable documentation that the requestor is acting on behalf of the government agency. Reasonable evidence would include a written request provided on agency letterhead that describes the legal authority for requesting the release and states that the person or entity is acting under the agency's authority, or other documentation, including a contract, a memorandum of understanding, or a purchase order, that confirms that the requestor is acting on behalf of the government agency.
For disclosures permitted under § 164.510(k) for emergency circumstances and under § 164.510(l) to next-of-kin, legal authority for the request would not be an issue. Therefore, covered entities would only be required to verify the identity of the person requesting the disclosure. Where protected health information is requested by next-of-kin, covered entities would be required to make reasonable verbal attempts to establish the identity of the person making the request. Written proof would not be required. Covered entities could rely on prior acquaintance with the next-of-kin; verbal verification of identity would not be required at each encounter. Where protected health information is requested in an emergency, the covered entity would similarly not be required to demand written proof that the person requesting the protected health information is legally authorized. Reasonable reliance on verbal representations would be appropriate in such situations.
When another person is acting as the individual through power of attorney or other legal authority, covered entities would also be required to make reasonable attempts to ascertain that the person making the request has the necessary legal authority or relationship in order to make the disclosure. For example, a health care provider could require a copy of a power of attorney, or could ask questions to determine that an adult acting for a young child has the requisite relationship to the child.
Most disclosures under § 164.510(i) are routine transactions with banking and other financial institutions. As noted above, for routine transactions there would be no verification requirements. However, should such a financial institution make a special request for information in addition to the information routinely provided for payment purposes (e.g., pursuant to a fraud or similar investigation), the covered entity would be required to obtain reasonable evidence of the identity of the person requesting the information.
The conditions for disclosures for judicial and administrative proceedings and research are discussed in § 164.510(d) and § 164.510(j), respectively. Conditions for permitted disclosures under § 164.510(h) for facility directories include no verification requirements.
In § 164.518(c)(4), we would address the issue of disclosures by employees or others of protected health information in whistleblower cases. We would clarify that under the proposed rule, a covered entity would not be held in violation because a member of its workforce or a person associated with a business partner of the covered entity discloses protected health information that such person believes is evidence of a civil or criminal violation, and the disclosure is: (1) made to relevant oversight agencies and law enforcement or (2) made to an attorney to allow the attorney to determine whether a violation of criminal or civil law has occurred or to assess the remedies or actions at law that may be available to the person disclosing the information.
Allegations of civil and criminal wrongdoing come from a variety of sources. Sometimes an individual not otherwise involved in law enforcement uncovers evidence of wrongdoing, and wishes to bring that evidence to the attention of appropriate authorities. Persons with access to protected health information sometimes discover evidence of billing fraud or similar violations; important evidence of unlawful activities may be available to employees of covered entities, such as billing clerks or nurses.
Some whistleblower activities can be accomplished without individually identifiable health information. There are, however, instances in which only identifiable information will suffice to demonstrate that an allegation of wrongdoing merits the investment of legal or investigatory resources. A billing clerk who suspects that a hospital has engaged in fraudulent billing practices may need to use billing records for a set of specific cases to demonstrate the basis of his suspicion to an oversight agency.
The persons who find such evidence are likely to be employees of the suspect entity. Congress and the states have recognized the importance of whistleblowing activities by acting to protect whistleblowers from retaliation. Federal statutes that include protections for whistleblowers who contact appropriate authorities include the Clean Air Act, the Federal Water Pollution Control Act, the Toxic Substances Control Act, and the Safe Drinking Water Act. Congress also passed the Whistleblower Protection Act to protect federal employees who complain about improper personnel practices at federal agencies. At least eleven states have passed whistleblower protection laws that protect both private and public employees who provide evidence of wrongdoing to the appropriate authorities, and many more states have laws that provide such protections only for public employees.
The qui tam provisions of the Federal False Claims Act go further, and provide a mechanism for the individual to prosecute a case against a person who has allegedly defrauded the government. Like traditional whistleblower actions, qui tam actions were created by the Congress to further the public interest in effective government. Qui tam suits are an important way that individuals can protect the public interest, by investing their own time and resources to help reduce fraud. And, also like whistleblower actions, the individual may need protected health information to convince an attorney that a viable qui tam case exists.
We would note that this section would not apply to information requested by oversight agencies, law enforcement officials, or attorneys, even prior to initiation of an investigation or lawsuit. It would apply only to a disclosure initiated by a member of an entity's workforce or a person associated with one of its business partners.
We are concerned that a person, in the guise of whistleblowing, might, maliciously or otherwise, disclose protected health information without any actual basis to believe that there has been a violation of the law. We are also concerned, however, that adding qualifying language may restrict such disclosures and, therefore, impede the pursuit of law violators. We seek comments regarding whether this provision should include any limitations (e.g., a requirement that only the minimum amount of information necessary for these purposes can be disclosed).
In proposed § 164.518(d), we would require covered plans and providers to have some mechanism for receiving complaints from individuals regarding the covered plan's or provider's compliance with the requirements of this proposed rule. The covered plan or provider would be required to accept complaints about any aspect of its practices regarding protected health information. For example, individuals would be able to file a complaint when they believe that protected health information relating to them has been used or disclosed improperly, that an employee of the plan or provider has improperly handled the information, that they have wrongfully been denied access to or the opportunity to amend the information, or that the entity's notice does not accurately reflect its information practices. We would not require that the entity develop a formal appeals mechanism, nor that due process or any similar standard be applied. We would not require that covered entities respond in any particular manner or time frame. We are proposing two basic requirements for the complaint process. First, the covered plan or provider would be required to identify a contact person or office in the notice of information practices for receiving complaints. This person or office could either be responsible for handling the complaints or could put the individual in touch with the appropriate person within the entity to handle the particular complaint. See proposed § 164.512. This person could, but would not have to be, the entity's privacy official. See § 164.518(a)(2). Second, the covered plan or provider would be required to maintain a record of the complaints that are filed and a brief explanation of the resolution, if any.
Covered plans and providers could implement this requirement through a variety of mechanisms based on their size and capabilities. For example, a small practice could assign a clerk to log in written and/or verbal complaints as they are received, and assign one physician to review all complaints monthly, address the individual situations and make changes to policies or procedures as appropriate. Results of the physician's review of individual complaints then could be logged by the clerk. A larger provider or health plan could choose to implement a formal appeals process with standardized time frames for response.
We considered requiring covered plans and providers to provide a formal internal appeal mechanism, but rejected that option as too costly and burdensome for some entities. We also considered eliminating this requirement entirely, but rejected that option because a complaint process would give covered plans or providers a way to learn about potential problems with privacy policies or practices, or training issues. We also hope that providing an avenue for covered plans or providers to address complaints would lead to increased consumer satisfaction. We believe this approach strikes a reasonable balance between allowing covered plans or providers flexibility and accomplishing the goal of promoting attention to improvement in privacy practices. If an individual and a covered plan or provider are able to resolve the individual's complaint, there may be no need for the individual to file a complaint with the Secretary under proposed § 164.522(b). However, an individual has the right to file a complaint with the Secretary at any time. An individual may file a complaint with the Secretary before, during, after, or concurrent with filing a complaint with the covered plan or provider, or without filing a complaint with the covered plan or provider at all.
We are considering whether modifications of these complaint procedures for intelligence community agencies may be necessary to address the handling of classified information and solicit comment on the issue.