[Federal Register: November 3, 1999 (Volume 64, Number 212)]
[Proposed Rules]
[Page 59917-59966]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr03no99-67]

[[Page 59917]]

Part IV

Department of Health and Human Services

Office of the Secretary

45 CFR Parts 160 Through 164

Standards for Privacy of Individually Identifiable Health Information; Proposed Rule

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of the Secretary

45 CFR Parts 160 through 164

RIN 0991-AB08

Standards for Privacy of Individually Identifiable Health Information

AGENCY: Office of the Assistant Secretary for Planning and Evaluation, DHHS.

ACTION: Proposed rule.

SUMMARY: This rule proposes standards to protect the privacy of individually identifiable health information maintained or transmitted in connection with certain administrative and financial transactions. The rules proposed below, which would apply to health plans, health care clearinghouses, and certain health care providers, propose standards with respect to the rights individuals who are the subject of this information should have, procedures for the exercise of those rights, and the authorized and required uses and disclosures of this information. The use of these standards would improve the efficiency and effectiveness of public and private health programs and health care services by providing enhanced protections for individually identifiable health information.
These protections would begin to address growing public concerns that advances in electronic technology in the health care industry are resulting, or may result, in a substantial erosion of the privacy surrounding individually identifiable health information maintained by health care providers, health plans and their administrative contractors. This rule would implement the privacy requirements of the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996.

DATES: Comments will be considered if received as provided below, no later than 5 p.m. on January 3, 2000.

ADDRESSES: Submit electronic comments at the following web site: http://aspe.hhs.gov/admnsimp/. Mail comments (1 original, 3 copies, and, if possible, a floppy disk) to the following address: U.S. Department of Health and Human Services, Assistant Secretary for Planning and Evaluation, Attention: Privacy-P, Room G-322A, Hubert H. Humphrey Building, 200 Independence Avenue SW, Washington, DC 20201. If you prefer, you may deliver your written comments (1 original, 3 copies, and, if possible, a floppy disk) to the following address: Room 442E, 200 Independence Avenue, SW, Washington, DC 20201. See the SUPPLEMENTARY INFORMATION section for further information on comment procedures, availability of copies of this document and electronic access to this document.

FOR FURTHER INFORMATION CONTACT: Roxanne Gibson (202) 260-5083.

SUPPLEMENTARY INFORMATION:

Comment procedures, availability of copies, and electronic access.

Comment procedures: All comments should include the full name, address and telephone number of the sender or a knowledgeable point of contact. Written comments should include 1 original and 3 copies.
If possible, please send an electronic version of the comments on a 3 1/2 inch DOS format floppy disk in Adobe Acrobat Portable Document Format (PDF) (preferred), HTML (preferred), ASCII text, or popular word processor format (Microsoft Word, Corel WordPerfect). Because of staffing and resource limitations, we cannot accept comments by electronic mail or facsimile (FAX) transmission, and all comments and content are to be limited to the 8.5 wide by 11.0 high vertical (also referred to as ``portrait'') page orientation. Additionally, it is requested that if identical/duplicate comment submissions are submitted both electronically and in paper form, each submission clearly indicate that it is a duplicate submission. In each comment, please specify the section of this proposed rule to which the comment applies. Comments received in a timely fashion will be available for public inspection (by appointment), as they are received, generally beginning approximately three weeks after publication of a document, in Room 442E of the Department's offices at 200 Independence Avenue, SW., Washington, DC 20201, on Monday through Friday of each week from 8:30 a.m. to 5 p.m. (phone: 202-260-5083). After the close of the comment period, comments submitted electronically and written comments that we are technically able to convert will be posted on the Administrative Simplification web site (http://aspe.hhs.gov/admnsimp/).

Copies: To order copies of the Federal Register containing this document, send your request to: New Orders, Superintendent of Documents, PO Box 371954, Pittsburgh, PA 15250-7954. Specify the date of the issue requested and enclose a check or money order payable to the Superintendent of Documents, or enclose your Visa or Master Card number and expiration date. Credit card orders can also be placed by calling the order desk at (202) 512-1800 or by fax to (202) 512-2250. The cost for each copy is $8.00.
As an alternative, you can view and photocopy the Federal Register document at most libraries designated as Federal Depository Libraries and at many other public and academic libraries throughout the country that receive the Federal Register.

Electronic Access: This document is available electronically at http://aspe.hhs.gov/admnsimp/ as well as at the web site of the Government Printing Office at http://www.access.gpo.gov/su_docs/aces/aces140.html.

I. Background
  A. Need for privacy standards.
  B. Statutory background.
  C. Administrative costs.
  D. Consultations.
  E. Summary and purpose of the proposed rule.
    1. Applicability.
    2. General rules.
    3. Scalability.
    4. Uses and disclosures with individual authorization.
    5. Uses and disclosures for treatment, payment and health care operations.
    6. Permissible uses and disclosures for purposes other than treatment, payment and health care operations.
    7. Individual rights.
    8. Administrative requirements and policy development and documentation.
    9. Preemption.
    10. Enforcement.
    11. Conclusion.
II. Provisions of the proposed rule.
  A. Applicability.
    1. Covered entities.
    2. Covered information.
    3. Interaction with other standards.
    4. References to other laws.
  B. Definitions.
    1. Act.
    2. Covered entity.
    3. Health care.
    4. Health care clearinghouse.
    5. Health care provider.
    6. Health information.
    7. Health plan.
    8. Secretary.
    9. Small health plan.
    10. Standard.
    11. State.
    12. Transaction.
    13. Business partner.
    14. Designated record set.
    15. Disclosure.
    16. Health care operations.
    17. Health oversight agency.
    18. Individual.
    19. Individually identifiable health information.
    20. Law enforcement official.
    21. Payment.
    22. Protected health information.
    23. Psychotherapy notes.
    24. Public health authority.
    25. Research.
    26. Research information unrelated to treatment.
    27. Treatment.
    28. Use.
    29. Workforce.
  C. General rules.
    1. Use and disclosure for treatment, payment, and health care operations.
    2. Minimum necessary use and disclosure.
    3. Right to restrict uses and disclosures.
    4. Creation of de-identified information.
    5. Application to business partners.
    6. Application to information about deceased persons.
    7. Adherence to the notice of information practices.
    8. Application to covered entities that are components of organizations that are not covered entities.
  D. Uses and disclosures with individual authorization.
    1. Requirements when the individual has initiated the authorization.
    2. Requirements when the covered entity initiates the authorization.
    3. Model forms.
    4. Plain language requirement.
    5. Prohibition on conditioning treatment or payment.
    6. Inclusion in the accounting for uses and disclosures.
    7. Revocation of an authorization by the individual.
    8. Expired, deficient, or false authorization.
  E. Uses and disclosures permitted without individual authorization.
    1. Uses and disclosures for public health activities.
    2. Use and disclosure for health oversight activities.
    3. Use and disclosure for judicial and administrative proceedings.
    4. Disclosure to coroners and medical examiners.
    5. Disclosure for law enforcement.
    6. Uses and disclosure for governmental health data systems.
    7. Disclosure of directory information.
    8. Disclosure for banking and payment processes.
    9. Uses and disclosures for research.
    10. Uses and disclosures in emergency circumstances.
    11. Disclosure to next-of-kin.
    12. Additional uses and disclosures required by other law.
    13. Application to specialized classes.
  F. Rights of individuals.
    1. Rights and procedures for a written notice of information practices.
    2. Rights and procedures for access for inspection and copying.
    3. Rights and procedures with respect to an accounting of disclosures.
    4. Rights and procedures for amendment and correction.
  G. Administrative requirements.
    1. Designation of a privacy official.
    2. Training.
    3. Safeguards.
    4. Internal complaint process.
    5. Sanctions.
    6. Duty to mitigate.
  H. Development and documentation of policies and procedures.
    1. Uses and disclosures of protected health information.
    2. Individual requests for restricting uses and disclosures.
    3. Notice of information practices.
    4. Inspection and copying.
    5. Amendment or correction.
    6. Accounting for disclosures.
    7. Administrative requirements.
    8. Record keeping requirements.
  I. Relationship to other laws.
    1. Relationship to State laws.
    2. Relationship to other federal laws.
  J. Compliance and Enforcement.
    1. Compliance.
    2. Enforcement.
III. Small Business Assistance
  1. Notice to individuals of information practices.
  2. Access of individuals to protected health information.
  3. Accounting for uses and disclosures.
  4. Amendment and correction.
  5. Designated Privacy official.
  6. Training.
  7. Safeguards.
  8. Complaints.
  9. Sanctions.
  10. Documentation of policies and procedures.
  11. Minimum Necessary.
  12. Business partners.
  13. Special disclosures that do not require authorization--public health, research, etc.
  14. Verification.
IV. Preliminary Regulatory Impact Analysis
  A. Relationship of this Analysis to Analyses in Other HIPAA Regulations.
  B. Summary of Costs and Benefits.
  C. Need for the Proposed Action.
  D. Baseline Privacy Protections.
    1. Professional Codes of Conduct and the Protection of Health Information.
    2. State Laws.
    3. Federal Laws.
  E. Costs.
  F. Benefits.
  G. Examination of Alternative Approaches.
    1. Creation of de-identified information.
    2. General rules.
    3. Use and disclosure for treatment, payment, and health care operations.
    4. Minimum necessary use and disclosure.
    5. Right to restrict uses and disclosures.
    6. Application to business partners.
    7. Application to information about deceased persons.
    8. Uses and disclosures with individual authorization.
    9. Uses and disclosures permitted without individual authorization.
    10. Clearinghouses and the rights of individuals.
    11. Rights and procedures for a written notice of information practices.
    12. Rights and procedures for access for inspection and copying.
    13. Rights and procedures with respect to an accounting of disclosures.
    14. Rights and procedures for amendment and correction.
    15. Administrative requirements.
    16. Development and documentation of policies and procedures.
    17. Compliance and Enforcement.
V. Initial Regulatory Flexibility Analysis
  A. Introduction.
  B. Economic Effects on Small Entities
    1. Number and Types of Small Entities Affected.
    2. Activities and Costs Associated with Compliance.
    3. The burden on a typical small business.
VI. Unfunded Mandates
  A. Future Costs.
  B. Particular regions, communities, or industrial sectors.
  C. National productivity and economic growth.
  D. Full employment and job creation.
  E. Exports.
VII. Environmental Impact
VIII. Collection of Information Requirements
IX. Executive Order 12612: Federalism
X. Executive Order 13086: Consultation and Coordination with Indian Tribal Governments
List of Subjects in 45 CFR Parts 160 and 164
Appendix: Sample Provider Notice of Information Practices

I. Background

A. Need for Privacy Standards.

[Please label comments about this section with the subject: ``Need for privacy standards'']

The maintenance and exchange of individually identifiable health information is an integral component of the delivery of quality health care. In order to receive accurate and reliable diagnosis and treatment, patients must provide health care professionals with accurate, detailed information about their personal health, behavior, and other aspects of their lives. Health care providers, health plans and health care clearinghouses also rely on the provision of such information to accurately and promptly process claims for payment and for other administrative functions that directly affect a patient's ability to receive needed care, the quality of that care, and the efficiency with which it is delivered.
Individuals who provide information to health care providers and health plans increasingly are concerned about how their information is used within the health care system. Patients want to know that their sensitive information will be protected not only during the course of their treatment but also in the future as that information is maintained and/or transmitted within and outside of the health care system. Indeed, a Wall Street Journal/ABC poll on September 16, 1999 asked Americans what concerned them most in the coming century. ``Loss of personal privacy'' was the first or second concern of 29 percent of respondents. All other issues, such as terrorism, world war, and global warming, had scores of 23 percent or less. Efforts to provide legal protection against the inappropriate use of individually identifiable health information have been, to date, undertaken primarily by the States. States have adopted a number of laws designed to protect patients against the inappropriate use of health information. A recent survey of these laws indicates, however, that these protections are quite uneven and leave large gaps. See Health Privacy Project, ``The State of Health Privacy: An Uneven Terrain,'' Institute for Health Care Research and Policy, Georgetown University (July 1999) (http://www.healthprivacy.org). A clear and consistent set of privacy standards would improve the effectiveness and the efficiency of the health care system. The number of entities that maintain and transmit individually identifiable health information has increased significantly over the last 10 years. In addition, the rapid growth of integrated health care delivery systems requires greater use of integrated health information systems. The expanded use of electronic information has had clear benefits for patients and the health care system as a whole.
Use of electronic information has helped to speed the delivery of effective care and the processing of billions of dollars worth of health care claims. Greater use of electronic data has also increased our ability to identify and treat those who are at risk for disease, conduct vital research, detect fraud and abuse, and measure and improve the quality of care delivered in the U.S. The absence of national standards for the confidentiality of health information has, however, made the health care industry and the population in general uncomfortable about this primarily financially driven expansion in the use of electronic data. Many plans, providers, and clearinghouses have taken steps to safeguard the privacy of individually-identifiable health information. Yet they must currently rely on a patchwork of State laws and regulations that are incomplete and, at times, inconsistent. The establishment of a consistent foundation of privacy standards would, therefore, encourage the increased and proper use of electronic information while also protecting the very real needs of patients to safeguard their privacy. The use of these standards will most clearly benefit patients who are, in increasing numbers, indicating that they are apprehensive about the use and potential use of their health information for inappropriate purposes. A national survey released in January 1999 indicated that one-fifth of Americans already believe that their personal health information has been used inappropriately. See California HealthCare Foundation, ``National Survey: Confidentiality of Medical Records,'' January 1999 (conducted by Princeton Survey Research Associates) (http://www.chcf.org). Of even greater concern, one-sixth of respondents indicated that they had taken some form of action to avoid the misuse of their information, including providing inaccurate information, frequently changing physicians, or avoiding care. 
The use of these standards will help to restore patient confidence in the health care system, providing benefits to both patients and those who serve them. In order to administer their plans and provide services, private and public health plans, health care providers, and health care clearinghouses must assure their customers (such as patients, insurers, providers, and health plans) that the health care information they collect, maintain, use, or transmit will remain confidential. The protection of this information is particularly important where it is individually identifiable. Individuals have an important and legitimate interest in the privacy of their health information, and that interest is threatened where there is improper use or disclosure of the information. The risk of improper uses and disclosures has increased as the health care industry has begun to move from primarily paper-based information systems to systems that operate in various electronic forms. The ease of information collection, organization, retention, and exchange made possible by the advances in computer and other electronic technology afford many benefits to the health care industry and patients. At the same time, these advances have reduced or eliminated many of the logistical obstacles that previously served to protect the confidentiality of health information and the privacy interests of individuals. Congress recognized the need for minimum national health care privacy standards to protect against inappropriate use of individually identifiable health information by passing the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, which called for the enactment of a privacy statute within three years of the date of enactment. The legislation also called for the Secretary of Health and Human Services to develop and send to the Congress recommendations for protecting the confidentiality of health care information, which she did on September 11, 1997. 
The Congress further recognized the importance of such standards by providing the Secretary of Health and Human Services with authority to promulgate health privacy regulations in lieu of timely action by the Congress. The need for patient privacy protection also was recognized by the President's Advisory Commission on Consumer Protection and Quality in the Health Care Industry in its recommendations for a Consumer Bill of Rights and Responsibilities (November, 1997).

B. Statutory Background.

[Please label comments about this section with the subject: ``Statutory background'']

The Congress addressed the opportunities and challenges presented by the health care industry's increasing use of and reliance on electronic technology in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, which was enacted on August 21, 1996. Sections 261 through 264 of HIPAA are known as the Administrative Simplification provisions. The major part of these Administrative Simplification provisions is found at section 262 of HIPAA, which enacted a new part C of title XI of the Social Security Act (hereinafter we refer to the Social Security Act as the ``Act'' and we refer to all other laws cited in this document by their names). In section 262, Congress recognized and sought to facilitate the efficiencies and cost savings for the health care industry that the increasing use of electronic technology affords. Thus, section 262 directs HHS to issue standards to facilitate the electronic exchange of information with respect to financial and administrative transactions carried out by health plans, health care clearinghouses, and health care providers who transmit electronically in connection with such transactions. HHS proposed such standards in a series of Notices of Proposed Rulemaking (NPRM) published on May 7, 1998 (63 FR 25272 and 25320), and June 16, 1998 (63 FR 32784).
At the same time, Congress recognized the challenges to the confidentiality of health information presented by the advances in electronic technology and communication. Section 262 thus also directs HHS to develop standards to protect the security, including the confidentiality and integrity, of such information. HHS issued an NPRM proposing security standards on August 12, 1998 (63 FR 43242). Congress has recognized that privacy standards must accompany the electronic data interchange standards and that the increased ease of transmitting and sharing individually identifiable health information must be accompanied by an increase in privacy and confidentiality protection. In fact, a significant portion of the first Administrative Simplification section that was debated on the floor of the Senate in 1994 (as part of the Health Security Act) was made up of privacy provisions. Although the requirement for the issuance of concomitant privacy standards remained as part of the bill passed by the House of Representatives, in conference the requirement for privacy standards was removed from the standard-setting authority of title XI (section 1173 of the Act) and placed in a separate section of HIPAA, section 264. Subsection (b) of section 264 required the Secretary of HHS to develop and submit to the Congress recommendations for:

(1) The rights that an individual who is a subject of individually identifiable health information should have.
(2) The procedures that should be established for the exercise of such rights.
(3) The uses and disclosures of such information that should be authorized or required.

The Secretary's Recommendations were submitted to the Congress on September 11, 1997, and are summarized below.
Section 264(c)(1) provides that: If legislation governing standards with respect to the privacy of individually identifiable health information transmitted in connection with the transactions described in section 1173(a) of the Social Security Act (as added by section 262) is not enacted by (August 21, 1999), the Secretary of Health and Human Services shall promulgate final regulations containing such standards not later than (February 21, 2000). Such regulations shall address at least the subjects described in subsection (b). As the Congress did not enact legislation governing standards with respect to the privacy of individually identifiable health information prior to August 21, 1999, HHS has now, in accordance with this statutory mandate, developed proposed rules setting forth standards to protect the privacy of such information. These privacy standards have been, and continue to be, an integral part of the suite of Administrative Simplification standards intended to simplify and improve the efficiency of the administration of our health care system. Part C of title XI consists of sections 1171 through 1179 of the Act. These sections define various terms and impose several requirements on HHS, health plans, health care clearinghouses, and health care providers who conduct the identified transactions electronically. The first section, section 1171 of the Act, establishes definitions for purposes of part C of title XI for the following terms: code set, health care clearinghouse, health care provider, health information, health plan, individually identifiable health information, standard, and standard setting organization. Section 1172 of the Act makes the standard adopted under part C applicable to: (1) Health plans, (2) health care clearinghouses, and (3) health care providers who transmit health information in electronic form in connection with transactions referred to in section 1173(a)(1) of the Act (hereinafter referred to as the ``covered entities''). 
Section 1172 also contains requirements concerning the adoption of standards, including the role of standard setting organizations and required consultations, summarized below. Section 1173 of the Act requires the Secretary to adopt standards for transactions, and data elements for such transactions, to enable health information to be exchanged electronically. Section 1173(a)(1) describes the transactions that are covered, which include the nine transactions listed in section 1173(a)(2) and other transactions determined appropriate by the Secretary. The remainder of section 1173 sets out requirements for the specific standards the Secretary is to adopt: unique health identifiers, code sets, security standards, electronic signatures, and transfer of information among health plans. Of particular relevance to this proposed rule is section 1173(d), the security standard provision. The security standard authority applies to both the transmission and the maintenance of health information and requires the entities described in section 1172(a) to maintain reasonable and appropriate safeguards to ensure the integrity and confidentiality of the information, protect against reasonably anticipated threats or hazards to the security or integrity of the information or unauthorized uses or disclosures of the information, and to ensure compliance with part C by the entity's officers and employees. In section 1174 of the Act, the Secretary is required to establish standards for all of the above transactions, except claims attachments, by February 21, 1998. A proposed rule for most of the transactions was published in 1998 with the final rule expected by the end of 1999. The delay was caused by the deliberate consensus building process working with industry and the large number of comments received (about 17,000). 
Generally, after a standard is established, it may not be changed during the first year after adoption except for changes that are necessary to permit compliance with the standard. Modifications to any of these standards may be made after the first year, but not more frequently than once every 12 months. The Secretary also must ensure that procedures exist for the routine maintenance, testing, enhancement and expansion of code sets and that there are crosswalks from prior versions. Section 1175 of the Act prohibits health plans from refusing to process, or from delaying processing of, a transaction that is presented in standard format. It also establishes a timetable for compliance: each person to whom a standard or implementation specification applies is required to comply with the standard within 24 months (or 36 months for small health plans) of its adoption. A health plan or other entity may, of course, comply voluntarily before the effective date. The section also provides that compliance with modifications to standards or implementation specifications must be accomplished by a date designated by the Secretary, which date may not be earlier than 180 days from the notice of change. Section 1176 of the Act establishes civil monetary penalties for violation of the provisions in part C of title XI of the Act, subject to several limitations. Penalties may not be more than $100 per person per violation and not more than $25,000 per person for violations of a single standard for a calendar year. The procedural provisions of section 1128A of the Act apply to actions taken to obtain civil monetary penalties under this section. Section 1177 establishes penalties for any person that knowingly uses a unique health identifier, or obtains or discloses individually identifiable health information in violation of the part. 
The penalties include: (1) A fine of not more than $50,000 and/or imprisonment of not more than 1 year; (2) if the offense is ``under false pretenses,'' a fine of not more than $100,000 and/or imprisonment of not more than 5 years; and (3) if the offense is with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, a fine of not more than $250,000 and/or imprisonment of not more than 10 years. We note that these penalties do not affect any other penalties that may be imposed by other federal programs. Under section 1178 of the Act, the requirements of part C, as well as any standards or implementation specifications adopted thereunder, preempt contrary State law. There are three exceptions to this general rule of preemption: State laws that the Secretary determines are necessary for certain purposes set forth in the statute; State laws that the Secretary determines address controlled substances; and State laws relating to the privacy of individually identifiable health information that are contrary to and more stringent than the federal requirements. There also are certain areas of State law (generally relating to public health and oversight of health plans) that are explicitly carved out of the general rule of preemption and addressed separately. Section 1179 of the Act makes the above provisions inapplicable to financial institutions or anyone acting on behalf of a financial institution when ``authorizing, processing, clearing, settling, billing, transferring, reconciling, or collecting payments for a financial institution.'' Finally, as explained above, section 264 requires the Secretary to issue standards with respect to the privacy of individually identifiable health information transmitted in connection with the transactions described in section 1173(a)(1).
Section 264 also contains a preemption provision that provides that contrary provisions of State laws that are more stringent than the federal standards, requirements, or implementation specifications will not be preempted.

C. Administrative Costs

Section 1172(b) of the Act provides that ``(a)ny standard adopted under this part (part C of title XI of the Act) shall be consistent with the objective of reducing the administrative costs of providing and paying for health care.'' As is more fully discussed in the Regulatory Impact and Regulatory Flexibility analyses below, we recognize that the proposed privacy standards would entail substantial initial and ongoing administrative costs for entities subject to the rules. However, as the analyses also indicate, even if the rules proposed below are considered in isolation, they should produce administrative and other cost savings that should more than offset such costs on a national basis. It is also the case that the privacy standards, like the security standards authorized by section 1173(d) of the Act, are necessitated by the technological advances in information exchange that the remaining Administrative Simplification standards facilitate for the health care industry. The same technological advances that make possible enormous administrative cost savings for the industry as a whole have also made it possible to breach the security and privacy of health information on a scale that was previously inconceivable. By enacting the security and privacy provisions of the law, the Congress recognized that adequate protection of the security and privacy of health information is a sine qua non of the increased efficiency of information exchange brought about by the electronic revolution. Thus, even if the rules proposed below were to impose net costs, which we do not believe they do, they would still be ``consistent with'' the objective of reducing administrative costs for the health care system as a whole.

D. Consultations

[Please label comments about this section with the subject: ``Consultations'']

The Congress explicitly required the Secretary to consult with specified groups in developing the standards under sections 262 and 264. Section 264(d) of HIPAA specifically requires the Secretary to consult with the National Committee on Vital and Health Statistics (NCVHS) and the Attorney General in carrying out her responsibilities under the section. Section 1172(b)(3) of the Act, which was enacted by section 262, requires that, in developing a standard under section 1172 for which no standard setting organization has already developed a standard, the Secretary must, before adopting the standard, consult with the National Uniform Billing Committee (NUBC), the National Uniform Claim Committee (NUCC), the Workgroup for Electronic Data Interchange (WEDI), and the American Dental Association (ADA). Section 1172(f) also requires the Secretary to rely on the recommendations of the NCVHS and consult with other appropriate federal and State agencies and private organizations. We engaged in the required consultations, including with the Attorney General, NUBC, NUCC, WEDI and the ADA. We consulted with the NCVHS in developing the Recommendations, upon which this proposed rule is based. In addition, we are continuing to consult with this committee by requesting that it review this proposed rule and provide comments; its comments and recommendations will be taken into account in developing the final regulation. We consulted with representatives of the National Congress of American Indians, the National Indian Health Board, and the self-governance tribes.
We also met with representatives of the National Governors' Association, the National Conference of State Legislatures, the National Association of Public Health Statistics and Information Systems, and a number of other State organizations to discuss the framework for the proposed rule, issues of special interest to the States, and the process for providing comments on the proposed rule. In addition to the required consultations, we met with numerous individuals, entities, and agencies regarding the regulation, with the goal of making these standards as compatible as possible with current business practices, while still enhancing privacy protection. Relevant federal agencies participated in an interagency working group, with additional representatives from all operating divisions and many staff offices of HHS. The following federal agencies and offices were represented on the interagency working group: the Department of Justice, the Department of Commerce, the Social Security Administration, the Department of Defense, the Department of Veterans Affairs, the Department of Labor, the Office of Personnel Management, and the Office of Management and Budget. The interagency working group developed the policies of the proposed rules set forth below.

E. Summary and Purpose of the Proposed Rule

[Please label comments about this section with the subject: ``Summary and purpose'']

The following outlines the provisions and operations of this proposed rule and is intended to provide a framework for the following preamble. A more detailed discussion of the authority, rationale, and implementation can be found in Section II of the preamble, Provisions of the Proposed Rule. As described in more detail in preamble section I.B, above, the HIPAA requires the Secretary of HHS to promulgate a series of standards relating to the electronic exchange of health information. Collectively these are known as the Administrative Simplification provisions.
In addition to those standards, the Secretary was required to develop and submit to the Congress recommendations for the privacy rights that an individual who is a subject of individually identifiable health information should have, the procedures that should be established for the exercise of such rights, and the uses and disclosures of such information that should be authorized. On September 11, 1997, the Secretary presented to the Congress her Recommendations for protecting the ``Confidentiality of Individually-Identifiable Health Information'' (the ``Recommendations''), as required by section 264(a) of HIPAA. In those Recommendations, the Secretary called for new federal legislation to create a national floor of standards that provide fundamental privacy rights for patients, and that define responsibilities for those who use and disclose identifiable health information. The Recommendations elaborated on the components that should be included in privacy legislation. These components included new restrictions on the use and disclosure of health information, the establishment of new consumer rights, penalties for misuse of information, and redress for those harmed by misuse of their information. The Recommendations served, to the extent possible under the HIPAA legislative authority, as a template for the rules proposed below. They are available on the HHS website at http://aspe.hhs.gov/admnsimp/pvcrec.htm.

The Secretary's Recommendations set forth a framework for federal privacy legislation. Such legislation should:

    Allow for the smooth flow of identifiable health information for treatment, payment, and related operations, and for specified additional purposes related to health care that are in the public interest.
    Prohibit the flow of identifiable information for any additional purposes, unless specifically and voluntarily authorized by the subject of the information.
    Put in place a set of fair information practices that allow individuals to know who is using their health information, and how it is being used.
    Establish fair information practices that allow individuals to obtain access to their records and request amendment of inaccurate information.
    Require persons who hold identifiable health information to safeguard that information from inappropriate use or disclosure.
    Hold those who use individually identifiable health information accountable for their handling of this information, and provide legal recourse to persons harmed by misuse.

We believed then, and still believe, that there is an urgent need for legislation to establish comprehensive privacy standards for all those who pay and provide for health care, and those who receive information from them. This proposed rule implements many of the policies set forth in the Recommendations. However, the HIPAA legislative authority is more limited in scope than the federal statute we recommend, and does not always permit us to propose the policies that we believe are optimal. Our major concerns with the scope of the HIPAA authority include the limited number of entities to whom the proposed rule would be applicable, and the absence of strong enforcement provisions and a private right of action for individuals whose privacy rights are violated. The Recommendations call for legislation that applies to health care providers and payers who obtain identifiable health information from individuals and, significantly, to those who receive such information from providers and payers.
The Recommendations follow health information from initial creation by a health plan or health care provider, through various uses and disclosures, and would establish protections at each step: ``We recommend that everyone in this chain of information handling be covered by the same rules.'' However, the HIPAA limits the application of our proposed rule to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with transactions referred to in section 1173(a)(1) of the Act (the ``covered entities''). Unfortunately, this leaves many entities that receive, use and disclose protected health information outside of the system of protection that we propose to create. In particular, the proposed regulation does not directly cover many of the persons who obtain identifiable health information from the covered entities. In this proposed rule we are, therefore, faced with creating new regulatory permissions for covered entities to disclose health information, but cannot directly put in place appropriate restrictions on how many likely recipients of such information may use and re-disclose such information. For example, the Secretary's Recommendations proposed that protected health information obtained by researchers not be further disclosed except for emergency circumstances, for a research project that meets certain conditions, and for oversight of research. In this proposed rule, however, we cannot impose such restrictions. Additional examples of persons who receive this information include workers compensation carriers, researchers, life insurance issuers, employers and marketing firms. We also do not have the authority to directly regulate many of the persons that covered entities hire to perform administrative, legal, accounting, and similar services on their behalf, and who would obtain health information in order to perform their duties. 
This inability to directly address the information practices of these groups leaves an important gap in the protections provided by the proposed rule. In addition, only those providers who engage in the electronic administrative simplification transactions can be covered by this rule. Any provider who maintains a solely paper information system would not be subject to these privacy standards, thus leaving another gap in the system of protection we propose to create. The need to match a regulation limited to a narrow range of covered entities with the reality of information sharing among a wide range of entities leads us to consider limiting the type or scope of the disclosures permitted under this regulation. The disclosures we propose to allow in this rule are, however, necessary for smooth operation of the health care system and for promoting key public goals such as research, public health, and law enforcement. Any limitation on such disclosures could do more harm than good. Requirements to protect individually identifiable health information must be supported by real and significant penalties for violations. We recommend federal legislation that would include punishment for those who misuse personal health information and redress for people who are harmed by its misuse. We believe there should be criminal penalties (including fines and imprisonment) for obtaining health information under false pretenses, and for knowingly disclosing or using protected health information in violation of the federal privacy law. We also believe that there should be civil monetary penalties for other violations of the law and that any individual whose rights under the law have been violated, whether negligently or knowingly, should be permitted to bring an action for actual damages and equitable relief. 
Only if we put the force of law behind our rhetoric can we expect people to have confidence that their health information is protected, and ensure that those holding health information will take their responsibilities seriously. In HIPAA, Congress did not provide such enforcement authority. There is no private right of action for individuals to enforce their rights, and we are concerned that the penalty structure does not reflect the importance of these privacy protections and the need to maintain individuals' trust in the system. For these and other reasons, we continue to call for federal legislation to ensure that privacy protection for health information will be strong and comprehensive.

1. Applicability

a. Entities covered. Under section 1172(a) of the Act, the provisions of this proposed rule apply to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with transactions referred to in section 1173(a)(1) of the Act (the ``covered entities''). The terms health plan, health care provider, and health care clearinghouse are defined in proposed Sec. 160.103. As noted above, because we do not have the authority to apply these standards directly to any entity that is not a covered entity, the proposed rule does not directly cover many of the persons who obtain identifiable health information from the covered entities. Examples of persons who receive this information include contractors, third-party administrators, researchers, public health officials, life insurance issuers, employers and marketing firms. We would attempt to fill this gap in our legislative authority in part by requiring covered entities to apply many of the provisions of the rule to the entities with whom they contract for administrative and other services. The proposed provision is outlined in more detail below in the discussion of business partners.

b. Protected health information. We propose to apply the requirements of this rule to the subset of individually identifiable health information which is maintained or transmitted by covered entities and which is or has been in electronic form. The provisions of the rule would apply to the information itself, referred to as protected health information in this rule, and not to the particular records in which the information is contained. Once information has been maintained or transmitted electronically by a covered entity, the protections would follow the information in whatever form, including paper records, in which it exists (while it is held by a covered entity). We understand that our proposal would create a situation in which some health information would be protected while other similar information (e.g., health information contained in paper records that has not been maintained or transmitted electronically) would not be protected. We are concerned about the potential confusion that such a system might entail, but we believe that applying the provisions of the rule to information only in electronic form would result in no real protection for health care consumers. We have requested comment on whether we should extend the scope of the rule to all individually identifiable health information, including purely paper records, maintained by covered entities. Although we are concerned that extending our regulatory coverage to all records might be inconsistent with the intent of the provisions in the HIPAA, we believe that we do have the authority to do so and that there is a sound rationale for providing a consistent level of protection to all individually identifiable health information held by covered entities.

2. General Rules

The purpose of our proposal is to define and limit the circumstances in which an individual's protected health information may be used or disclosed by others.
We are proposing to make the use and exchange of protected health information relatively easy for health care purposes, and more difficult for purposes other than health care. Covered entities would be prohibited from using or disclosing protected health information except as provided in the proposed rule. Under the rule, covered entities could use or disclose protected health information with individual authorization, as provided in proposed Sec. 164.508. Covered entities could use or disclose protected health information without authorization for treatment, payment and health care operations, as provided in Sec. 164.506(a). (The terms ``treatment,'' ``payment'' and ``health care operations'' are defined in proposed Sec. 164.504). Covered entities also would be permitted to use or disclose a patient's protected health information without authorization for specified public and public policy-related purposes, including public health, research, health oversight, law enforcement, and use by coroners, as provided in proposed Sec. 164.510. Covered entities would be permitted to use and disclose protected health information when required to do so by other law, such as mandatory reporting under state law or pursuant to a search warrant. Covered entities would be required by this rule to disclose protected health information for only two purposes: to permit individuals to inspect and copy protected health information about them, pursuant to proposed Sec. 164.514, and for enforcement of this rule pursuant to proposed Sec. 164.522. Under our proposal, most uses and disclosures of an individual's protected health information would not require explicit authorization by the individual, but would be restricted by the provisions of the rule. As discussed in section II.C. of this preamble, we propose to substitute regulatory protections for the pro forma authorizations that are used today. 
The rules would create a sphere of privacy protection that includes covered entities who engage in treatment or payment, and the business partners they hire to assist them. While written consent for these activities would not be required, new restrictions on both internal uses and external disclosures would be put in place to protect the information. Our proposal is based on the principle that a combination of strict limits on how plans and providers can use and disclose identifiable health information, adequate notice to patients about how such information will be used, and patients' rights to inspect, copy and amend protected health information about them, will provide patients with better privacy protection and more effective control over the dissemination of their information than alternative approaches to patient protection and control. A central aspect of this proposal is the principle of ``minimum necessary'' disclosure. (See proposed Sec. 164.506(a)). With certain exceptions, permitted uses and disclosures of protected health information would be restricted to the minimum amount of information necessary to accomplish the purpose for which the information is used or disclosed, taking into consideration practical and technological limitations (including the size and nature of the covered entity's business) and costs. While we recognize that there are legitimate uses of protected health information for which patient authorization should not be required, the privilege of this access carries with it an obligation to safeguard the information. Covered entities would be required to take steps to limit the amount of protected health information used or disclosed to the information necessary to meet the purpose of the use or disclosure. 
These policies could include limiting access to the information to a subset of employees who need to use the information in the course of their work, and limiting the amount of information disclosed from a record to the information needed by the recipient to fulfill the purpose of the disclosure.

We propose that individuals be able to request that a covered entity restrict the protected health information that results from that encounter (with the exception of encounters for emergency treatment) from further use or disclosure for treatment, payment, and health care operations. (See proposed Sec. 164.506(c)). Covered entities would not be required to agree to restrictions requested by individuals; the rule would only enforce a restriction that has been agreed to by the covered entity and the individual.

Today's health care system is a complex business involving multiple individuals and organizations engaging in a variety of commercial relationships. An individual's privacy should not be compromised when a covered entity engages in such normal business relationships. To accomplish this result, the rule would, with narrow exceptions, require covered entities to ensure that the business partners with which they share protected health information understand--through contract requirements--that they are subject to standards regarding use and disclosure of protected health information and agree to abide by such rules. (See proposed Sec. 164.506(e)). Other than for purposes of treatment consultation or referral, we would require a contract to exist between the covered entity and the business partner that would, among other specified provisions, limit the business partner's uses and disclosures of protected health information to those permitted by the contract and would impose certain security, inspection and reporting requirements on the business partner.
We do not intend to interfere with business relationships in the health care industry, but rather to ensure that the privacy of the information shared in these relationships is protected. Business partners would not be permitted to use or disclose protected health information in ways that would not be permitted by the covered entity itself.

3. Scalability

The privacy standards would need to be implemented by all covered entities, from the smallest provider to the largest, multi-state health plan. For this reason, we propose the privacy principles and standards that covered entities must meet, but leave the detailed policies and procedures for meeting these standards to the discretion of each covered entity. We intend that implementation of these standards be flexible and scalable, to account for the nature of each covered entity's business, as well as the covered entity's size and resources. A single approach to implementation of these requirements would be neither economically feasible nor effective in safeguarding health information privacy. Instead, we would require that each covered entity assess its own needs and devise and implement privacy policies appropriate to its size, its information practices, and its business requirements. Examples of how implementation of these standards is scalable are provided in the relevant sections of this preamble. (See, also, the discussion in preamble sections II.C. and III.)

4. Uses and Disclosures With Individual Authorization

The rule would require that covered entities have authorization from individuals before using or disclosing their protected health information for any purpose not otherwise recognized by this rule. In Sec. 164.508, we propose rules for obtaining authorizations. Authorizations are needed in a wide array of circumstances. Entities not covered by this rule often want access to individually identifiable health information.
For example, a potential employer may require health information as part of a background check for security purposes, or the patient may request a plan or provider to disclose information to obtain eligibility for disability benefits or to an attorney for use in a lawsuit. Covered entities may also seek such an authorization in order to use protected health information for a purpose not otherwise permitted under this rule. For example, a health plan may wish to use a person's records for developing a marketing strategy. The proposed authorization requirements are intended to ensure that an individual's authorization is truly voluntary. We would prohibit covered entities from conditioning treatment or payment on the individual agreeing to disclose information for other purposes. We also would require authorizations to clearly and specifically describe the information to be disclosed. If an authorization is sought so that a covered entity may sell, barter, or otherwise exchange the information for purposes other than treatment, payment, or health care operations, the covered entity would have to disclose this fact on the authorization form. We would also require authorizations to be revocable. We do not seek to limit the purposes for which authorization of records disclosure may be sought, but rather to ensure that these authorizations are voluntary, fair, and enforceable. While the provisions of this proposed rule are intended to make authorizations for treatment and payment purposes unnecessary, some States may continue to require them. This rule would not supersede such State requirements generally, but would impose a new requirement that such State-mandated authorizations must be physically separate from an authorization for other purposes described in this rule.

5. Uses and Disclosures for Treatment, Payment and Health Care Operations

Under this rule, covered entities, with limited exceptions, would be permitted to use and disclose protected health information without individual authorization for treatment and payment purposes, and for related purposes that we have defined as health care operations. (See Sec. 164.506.) We would construe the terms ``treatment'' and ``payment'' broadly. In section II.B. of this preamble, we describe the types of activities that would be considered health care operations.

6. Permissible Uses and Disclosures for Purposes Other Than Treatment, Payment and Health Care Operations

Individually identifiable health information is needed to support certain national priority activities, such as reducing health care fraud, improving the quality of treatment through research, protecting the public health, and responding to emergency situations. In many cases, the need to obtain authorization for use of health information would create significant obstacles in efforts to fight crime, understand disease, and protect public health. We examined the many uses that the health professions, related industries, and the government make of health information and we are aware of the concerns of privacy and consumer advocates about these uses.
After balancing privacy and other social values, we are proposing rules that would permit use or disclosure of health information without individual authorization for the following national priority activities and activities that allow the health care system to operate smoothly:

    Oversight of the health care system
    Public health functions
    Research
    Judicial and administrative proceedings
    Law enforcement
    Emergency circumstances
    To provide information to next-of-kin
    For identification of the body of a deceased person, or the cause of death
    For government health data systems
    For facility patient directories
    To banks, to process health care payments and premiums
    For management of active duty military and other special classes of individuals
    Where other law requires such disclosure and no other category of permissible disclosures would allow the disclosure

The rule would specify conditions that would need to be met in order for the use or disclosure of protected health information to be permitted for each of these purposes. (See Sec. 164.514.) We have proposed conditions tailored to the need for each type of use or disclosure, and to the types of organizations involved in each such activity. These uses and disclosures, and the conditions under which they may occur, are discussed in section II.F of this preamble. The uses and disclosures that would be permitted under the proposed rule would be just that--permissible. Thus, for disclosures that are not compelled by other law, providers and payers would be free to disclose or not, according to their own policies and ethical principles. We propose these rules as a basic set of legal controls, but ethics and professional practice may dictate more guarded disclosure policies. At the same time, nothing in this rule would provide authority for a covered entity to restrict or refuse to make a disclosure mandated by other law.

7. Individual Rights

We are proposing to establish several basic rights for individuals with respect to their protected health information. We propose that individuals be able to obtain access to protected health information about them, which would include a right to inspect and obtain a copy of such information. See proposed Sec. 164.514. The right of access would extend to an accounting of disclosures of the protected health information for purposes other than treatment, payment, and health care operations. See proposed Sec. 164.515. In Sec. 164.512, we also propose that individuals have a right to receive a written notice of information practices from covered entities. While the primary purpose of this notice would be to inform individuals about the uses and disclosures that a covered entity would intend to make with the information, the notice also would serve to limit the activities of the covered entity--an otherwise lawful use or disclosure that does not appear in the entity's notice would not be permitted. The covered entity's uses and disclosures could be stated in broad terms, but an entity would not be able to make a use or disclosure that is not included in its notice. The covered entity could modify its notice at any time and apply revised practices to existing and new information held by the covered entity. In addition, we propose that individuals have the right to request amendment or correction of protected health information that is inaccurate or incomplete. See proposed Sec. 164.516. We are proposing procedural requirements and deadlines to implement each of these individual rights.

8. Administrative Requirements and Policy Development and Documentation

In our Recommendations, we call for a federal law that requires holders of identifiable health information to implement safeguards to protect it from inappropriate access, use or disclosure. No legislation or rule can effectively specify how to do this for every holder of health information.
But federal rules can and should require those who hold identifiable health information to develop and implement basic administrative procedures to protect that information and protect the rights of the individual with respect to that information. To accomplish this goal, we propose that covered entities be required to designate a privacy official, develop a privacy training program for employees, implement safeguards to protect health information from intentional or accidental misuse, provide some means for individuals to lodge complaints about the covered entity's information practices, and develop a system of sanctions for employees and business partners who violate the entity's policies or procedures. (See proposed Sec. 164.518.) We also propose, in Sec. 164.520, to require covered entities to maintain documentation of their policies and procedures for complying with the requirements of this proposed rule. The purpose of these requirements is to ensure that covered entities make explicit decisions about who would have access to protected health information, how that information would be used within the entity, and when that information would or would not be disclosed to other entities.

9. Preemption

The HIPAA provides that the rule promulgated by the Secretary may not preempt state laws that are in conflict with the regulatory requirements and that provide greater privacy protections.
The HIPAA also provides that standards issued by the Secretary will not supersede certain other State laws, including: State laws relating to reporting of disease or injury, child abuse, birth or death, public health surveillance, or public health investigation or intervention; State regulatory reporting; State laws which the Secretary finds are necessary to prevent fraud and abuse, to ensure appropriate State regulation of insurance, for State reporting on health care delivery or costs, or for other purposes; or, State laws which the Secretary finds address controlled substances. These provisions are discussed in more detail in preamble section II.I.1. This proposed rule also must be read in conjunction with other federal laws and regulations that address the use and disclosure of health information. These issues are discussed in preamble section II.I.2. In general, the rule that we are proposing would create a federal floor of privacy protection, but would not supersede other applicable laws that provide greater protection to the confidentiality of health information. In general, our rule would not make entities subject to state laws to which they are not subject today.

10. Enforcement

The HIPAA grants the Secretary the authority to impose civil monetary penalties against covered entities which fail to comply with the requirements of this rule, and also establishes criminal penalties for certain wrongful disclosures of protected health information. The civil fines are capped at $25,000 for each calendar year for each provision that is violated. The criminal penalties are graduated, increasing if the offense is committed under false pretenses, or with intent to sell the information or reap other personal gain. The statute does not provide for a private right of action for individuals. We propose to create a complaint system to permit individuals to make complaints to the Secretary about potential violations of this rule.
We also propose that covered entities develop a process for receiving complaints from individuals about the entities' privacy practices. (See Sec. 164.522.) Our intent would be to work with covered entities to achieve voluntary compliance with the proposed standards.

11. Conclusion

Although the promise of these proposed standards cannot become reality for many patients because of the gaps in our authority, we believe they would provide important new protections. By placing strict boundaries around the ways covered entities could use and disclose information, these rules would protect health information at its primary sources: health plans and health care providers. By requiring covered entities to inform patients about how their information is being used and shared, by requiring covered entities to provide access to that information, and by ensuring that authorizations would be truly voluntary, these rules would provide patients with important new tools for understanding and controlling information about them. By requiring covered entities to document their privacy practices, this rule would focus attention on the importance of privacy, and reduce the ways in which privacy is compromised through inattention or misuse. With the Secretary's recommendations and these proposed rules, we are attempting to further two important goals: to allow the free flow of health information needed to provide and promote high quality health care, while assuring that individuals' health information is properly protected. We seek a balance that permits important uses of information while protecting the privacy of people who seek care and healing. We believe our Recommendations find that balance, and have attempted to craft this proposed rule to strike that balance as well. We continue to believe, however, that federal legislation is the best way to guarantee these protections.
The HIPAA legislative authority does not allow full implementation of our recommended policies in this proposed rule. The legislation limits the entities that can be held responsible for their use of protected health information, and the ways in which the covered entities can be held accountable. For these and other reasons, we continue to call upon Congress to pass comprehensive federal privacy legislation. Publication of this proposed rule does not diminish our firm conviction that such legislation should be enacted as soon as possible.

II. Provisions of the Proposed Rule

We propose to establish a new subchapter C to title 45 of the Code of Federal Regulations. Although the rules proposed below would only establish two new parts (parts 160 and 164), we anticipate the new subchapter C will eventually contain three parts, parts 160, 162, and 164, with parts 161 and 163 being reserved for future expansion, if needed. Part 160 will contain general requirements and provisions applicable to all of the regulations issued under sections 262 and 264 of Public Law 104-191 (the Administrative Simplification provisions of HIPAA). We anticipate that Part 162 will contain the Administrative Simplification regulations relating to transactions, code sets and identifiers. The new part 164 will encompass the rules relating to the security standards authorized by section 1173(d), the electronic signature standard authorized by section 1173(e), and the privacy rules proposed below. The new part 164 will be composed of two subparts: subparts A and E, with B, C, and D being reserved. Subpart A will consist of general provisions and subpart E will consist of the final privacy rules. Because the new part 160 will apply to the privacy rules, as well as the other Administrative Simplification rules, it is set out below.

A. Applicability

[Please label comments about this section with the subject: ``Applicability'']

The discussion below describes the entities and the information that would be subject to the proposed regulation.

1. Covered Entities

The standards in this proposed regulation would apply to all health plans, all health care clearinghouses, and all health care providers that transmit health information in an electronic form in connection with a standard transaction. In this proposed rule, these entities are referred to as ``covered entities.'' See definition at proposed Sec. 160.103. A health plan is defined by section 1171 to be an individual or group plan that provides for, or pays the cost of, medical care. The statute expressly includes a significant group of employee welfare benefit plans, state-regulated insurance plans, managed care plans, and essentially all government health plans, including Medicare, Medicaid, the veterans health care program, and plans participating in the Federal Employees Health Benefits Program. See discussion of the definition in section II.B. A health care provider would be a provider of services as defined in section 1861(u) of the Act, 42 U.S.C. 1395x, a provider of medical or other health services as defined in section 1861(s) of the Act, and any other person who furnishes, bills or is paid for health care services or supplies in the normal course of business. See discussion of the definition in section II.B. Health care providers would be subject to the provisions of the rule if they transmit health information in electronic form in connection with a standard transaction. Standard transactions include claims and equivalent encounter information, eligibility and enrollment transactions, premium payments, claims attachments, and others. See proposed Sec. 160.103.
Health care providers who themselves do not directly conduct electronic transactions would become subject to the provisions of the proposed rule if another entity, such as a billing agent or hospital, transmits health information in electronic form in connection with a standard transaction on their behalf. A health care clearinghouse would be a public or private entity that processes or facilitates the processing of nonstandard data elements of health information into standard data elements. See section 1171(2) of the Act. For purposes of this rule, we would consider billing services, repricing companies, community health management information systems or community health information systems, ``value-added'' networks, switches and similar organizations to be health care clearinghouses for purposes of this part only if they actually perform the same functions as a health care clearinghouse. See discussion of the definition in section II.B.

2. Covered Information

We propose to apply the standards in this proposed regulation to individually identifiable health information that is or has been electronically transmitted or maintained by a covered entity, including such information when it is in non-electronic form (e.g., printed on paper) or discussed orally. In this proposed regulation, such information is referred to as ``protected health information.'' See discussion of the definition in section II.B. Under HIPAA, our authority to promulgate privacy standards extends to all individually identifiable health information, in any form, maintained or transmitted by a covered entity. For reasons discussed below, we are proposing to limit the application of the proposed standards to protected health information. Below we invite comment on whether we should apply the standards to a broader set of individually identifiable health information in the future. Under the proposal, the standards apply to information, not to specific records.
Thus, once protected health information is transmitted or maintained electronically, the protections afforded by this regulation would apply to the information in any form and continue to apply as the information is printed, discussed orally or otherwise changed in form. It would also apply to the original paper version of information that is at some point transmitted electronically. The authority for, and implications of, this scope are discussed in detail in this section, below. This proposed regulation would not apply to information that has never been electronically maintained or transmitted by a covered entity.

a. Legislative authority.

Under HIPAA, we have authority to promulgate a privacy standard that applies to all individually identifiable health information transmitted or maintained by a covered entity, including information in a non-electronic form. We recognize that there may be an expectation that we would apply privacy standards only to information that is electronically maintained and transmitted. Our prior proposals under HIPAA have addressed only electronically maintained and transmitted information. See Notices of Proposed Rulemaking (NPRM) published on May 7, 1998 (63 FR 25272 and 25320), June 16, 1998 (63 FR 32784), and the proposed security standards published on August 12, 1998 (63 FR 43242). In considering the appropriate reach of the proposed privacy standards, however, we determined that limiting the standards to electronic information would not be consistent with the requirement in HIPAA for the Secretary to address privacy, confidentiality and security concerns relating to individually identifiable health information. The HIPAA statute, taken as a whole, contemplates an information protection system that assures the privacy, confidentiality and integrity of health information.
Two provisions in subtitle F of HIPAA address privacy and confidentiality concerns: section 264, titled ``Recommendations with Respect to Privacy of Certain Health Information'' and section 1173(d), titled ``Security Standards for Health Information.'' See 42 U.S.C. 1320d-1320d-8, enacted as sections 262 and 264 of HIPAA. In enacting HIPAA, Congress recognized that the increased accessibility of health information made possible by the widespread and growing use of electronic media and the new federal mandate for increased standardization of data require enhanced privacy and confidentiality protections. The House Report links privacy and security concerns, stating: ``The standards adopted would protect the privacy and confidentiality of health information. Health information is considered relatively ``safe'' today, not because it is secure, but because it is difficult to access. These standards improve access and establish strict privacy protections.'' House Report No. 496, 104th Cong., 2d Sess., at 99. Section 264(c) authorizes the Secretary to protect the privacy of individually identifiable health information transmitted in connection with the standard transactions. Section 1173(d) authorizes the Secretary to prescribe requirements that address the security, integrity, and confidentiality of health information maintained or transmitted, in any form or medium, by the covered entities. Neither the privacy authority in section 264(c) nor the security authority in section 1173(d) exclusively limits the scope of protection to electronic information.
Section 264(c) of HIPAA requires the Secretary to issue a regulation setting privacy standards for individually identifiable health information ``transmitted in connection with the transactions described in section 1173(a).'' This statutory language is not on its face limited to electronic transmissions of individually identifiable health information, although electronic transmissions of such information are clearly within its scope. Moreover, the section requires the regulations to address ``at least'' the subjects of the Secretary's Recommendations, which focus on individually identifiable health information, without reference to whether the information is electronic or not. The security provision also is not limited by its terms to electronically maintained information. Rather, section 1173(d) applies throughout to ``health information,'' a statutorily defined term that clearly covers information in both its electronic and non-electronic forms. In HIPAA, when Congress intended to limit health information to its electronic form, it did so explicitly. Section 1172(a)(3) of the statute says that the standards apply to health plans and to health care providers who transmit health information in electronic form in connection with the standard transactions (emphasis added); by contrast, the section 1173(d) requirements for information maintained or transmitted are not similarly qualified. Further support for the premise that the standards may reach information that is maintained or transmitted non-electronically is found within section 1173(d) itself. That section explicitly distinguishes within one subsection (Sec. 1173(d)(1)(A)) between ``record systems used to maintain health information'' and ``computerized record systems.'' Thus, the conclusion may be drawn that the record systems covered by the Sec. 1173(d) security standards are intended to include record systems other than those that are exclusively electronic or ``computerized.'' Finally, the section that generally defines the HIPAA standard transactions, section 1173(a), is not limited by its terms to transactions that are electronic. Rather, although all of the transactions described can be performed electronically, all take paper and some take oral forms as well. Indeed, the purpose of the standards, including the security and privacy standards, is stated as ``to enable electronic exchange.'' This purpose would not preclude (and in fact would support) requirements that relate to non-electronic media where they support the overall goal of enabling electronic information exchange. Thus, we believe that the statute authorizes a privacy regulation covering health information in any form or medium maintained or transmitted by the covered entities. Although we believe that HIPAA authorizes the Secretary to issue regulations covering individually identifiable health information in any form, the proposed privacy standards in this NPRM are directed to protecting only individually identifiable health information that is or at some point has been electronically maintained or transmitted by a covered entity. Those standards do not cover health information that has never been in electronic form. We are proposing this approach because we believe that it focuses most directly on the primary concern raised by HIPAA: the fact that growing use of computerization in health care, including the rapid growth of electronic transfers of health information, gives rise to a substantial concern about the confidentiality of the health care information that is part of this growing electronic commerce. At the same time, we could not adequately address the confidentiality concerns associated with electronic transfers of health information unless we address the resulting uses and disclosures of such information, in whatever form.
Indeed, the protection offered by this standard would be devoid of meaning if all non-electronic records and transmissions were excluded. In that event, access to ``protected'' health information would become merely a matter of obtaining the information in a paper or oral form. Such a narrow reading of the statute would lead to a system in which individually identifiable health information transmitted as part of a claim would be protected only until the information was printed or read aloud, at which point protection would disappear. Previously protected information could be freely printed and redistributed, regardless of limits on further electronic redistribution. The statutory language does not compel such an anomalous result. In developing our proposal, we considered other approaches for determining the information that would be subject to the privacy standards. We considered but rejected limiting the scope of the proposal to information in electronic form. For the reasons discussed above, such a narrow interpretation would render the standards nearly meaningless. We also considered applying the privacy standards to all individually identifiable health information in any form maintained or transmitted by a covered entity. There are clear advantages to this approach, including permitting covered entities to treat all individually identifiable health information under the same standards. We rejected that approach in favor of our proposed approach, which we believe is more focused on the public concerns over health information confidentiality in an electronic communications age. We also were concerned about imposing additional burden with respect to health information that was less likely to present privacy concerns: paper records that are never reduced to electronic form are less likely to become disseminated broadly throughout the health care system.
We invite comment on the approach that we are proposing and on whether alternate approaches to determining the health information that would be subject to this regulation would be more appropriate. We also considered making use of other statutory authorities under which we impose general operating or management conditions for programs (e.g., Medicare, grant programs) to enhance these proposed privacy protections. Doing so could enable us to apply these privacy standards to a wider range of entities than are currently affected, such as health care providers who do not transmit standard transactions electronically. We use many other authorities now to impose confidentiality and privacy requirements, although the current rules lack consistency. It is not clear whether using these other authorities would create more uniform protections or expanded enforcement options. Therefore we request comment on the concept of drawing on other authorities to amplify the protections of these privacy standards.

b. Application to records containing protected and unprotected health information.

Once transmitted or maintained electronically, protected health information is often mixed with unprotected health information in the same record. For example, under the proposed rules, information from a medical record that is electronically transmitted by a provider to a health plan and then returned to the original record would become protected health information, even though the rest of the information contained in the paper record may not be subject to these privacy rules. We reiterate that under the proposed rule, the protections would apply to the information itself, not to the particular record in which it is contained or transmitted. Therefore, an entity could not maintain duplicate records and only apply the protections to the information contained in the record that is electronically maintained or transmitted.
For example, once an individual's name and diagnostic code are transmitted electronically between covered entities (or business partners), that information must be protected by both the transmitting and receiving entities in every record, written, electronic or other, in which it appears. We recognize that this approach may require some additional administrative attention to mixed records (records containing protected and unprotected health information) to ensure that the handling of protected health information conforms with these regulations. We considered ways to limit application of these protections to avoid such potential administrative concerns. However, these regulations would have little effect if not applicable to otherwise protected health information simply because it was combined with unprotected health information--any information could be lawfully disclosed simply by including some additional information. Likewise, these regulations would have no meaning if entities could then avoid applying the protections merely by maintaining separate duplicate records. A way to limit these rules to avoid application to mixed information without sacrificing basic protections is not apparent. Unlike the potential issues inherent in the protection of oral information, there may be relatively simple ways to reduce possible confusion in protecting mixed records. The risk of inappropriate use or disclosure of protected health information in a mixed record can be eliminated simply by handling all information in mixed records as if it were protected. It also may be possible to develop a ``watermark'' analogous to a copyright label, designating which written information is protected. We welcome comments on how best to protect information in mixed records, without creating unnecessary administrative burdens.
Finally, we recognize that these rules may create awkward boundaries and enforcement ambiguities, and seek comment on how best to reduce these ambiguities while maintaining the basic protections mandated by the statute.

3. Interaction With Other Standards

The privacy standards in this proposed regulation would be closely integrated with other standards that have been proposed under the HIPAA Administrative Simplification title. This is particularly true with respect to the proposed security standards published on August 12, 1998 (63 FR 43242). We understand that we are proposing a broader scope of applicability with respect to covered information under these privacy standards than we have previously proposed under the security standard. We intend to solicit additional comments regarding the scope of information that should be addressed under the security standard in the near future. We also recognize that in this NPRM we are publishing slightly different definitions for some of the concepts that were defined in previously published NPRMs for the other standards. The differences resulted from the comments received on the previous NPRMs as well as the conceptual work done in the development of this NPRM. As we publish the final rules, we will bring all the definitions into conformance.

4. References to Other Laws

The provisions we propose in this rule would interact with numerous other laws. For example, proposed Sec. 164.510 provides standards for certain uses or disclosures that are permitted in this rule, and in some cases references activities that are authorized by other applicable law, such as federal, State, tribal or territorial laws. In cases where this rule references ``law'' or ``applicable law'' we intend to encompass all applicable laws, decisions, rules, regulations, administrative procedures or other actions having the effect of law.
We do not intend to exclude any applicable legal requirements imposed by a governmental body authorized to regulate in a given area. Where particular types of law are at issue, such as in the proposed provisions for preemption of State laws in subpart B of part 160, or permitted disclosures related to the Armed Forces in Sec. 164.510(m), we so indicate by referring to the particular type of law in question (e.g., ``State law'' or ``federal law''). When we describe an action as ``authorized by law,'' we mean that a legal basis exists for the activity. The phrase ``authorized by law'' is a term of art that includes both actions that are permitted and actions that are required by law. When we specifically discuss an action that is ``required'' or ``mandated,'' we mean that a law compels (or conversely, prohibits) the performance of the activity in question. For example, in the health oversight context, disclosure of health information pursuant to a valid Inspector General subpoena, grand jury subpoena, civil investigative demand, or a statute or regulation requiring production of information justifying a claim would constitute a disclosure required by law.

B. Definitions. (Secs. 160.103 and 164.504)

[Please label comments about this section with the subject: ``Definitions'']

Section 1171 of the Act defines several terms and our proposed rules would, for the most part, simply restate the law or adopt definitions previously defined in the other HIPAA proposed rules. In some instances, we propose definitions from the Secretary's Recommendations. We also propose some new definitions for convenience and efficiency of exposition, and others to clarify the application and operation of this rule. We describe the proposed definitions and discuss the rationale behind them, below. Most of the definitions would be defined in proposed Secs. 160.103 and 164.504. The definitions at proposed Sec. 160.103 apply to all Administrative Simplification standards, including this privacy rule and the security standard. The definitions proposed in Sec. 164.504 would apply only to this privacy rule. Certain other definitions are specific to particular sections of the proposed rule and are provided in those sections. The terms that are defined at proposed Sec. 160.103 follow:

1. Act. We would define ``Act'' to mean the Social Security Act, as amended. This definition would be added for convenience.

2. Covered entity. This definition would be provided for convenience of reference and would mean the entities to which part C of title XI of the Act applies. These are the entities described in section 1172(a)(1): Health plans, health care clearinghouses, and health care providers who transmit any health information in electronic form in connection with a transaction referred to in section 1173(a)(1) of the Act (a ``standard transaction''). In the preamble we occasionally refer to health plans and the health care providers described above as ``covered plans,'' ``covered providers,'' or ``covered plans and providers.'' We note that health care providers who do not submit HIPAA transactions in standard form become covered by this rule when other entities, such as a billing service or a hospital, transmit standard electronic transactions on their behalf. The provider could not circumvent these requirements by assigning the task to its agent, since the agent would be deemed to be acting as the provider.

3. Health care. We would define the term ``health care'' as it is defined in the Secretary's Recommendations.
Health care means the provision of care, services, or supplies to a patient and includes any: (1) Preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, counseling, service, or procedure with respect to the physical or mental condition, or functional status, of a patient or affecting the structure or function of the body; (2) sale or dispensing of a drug, device, equipment, or other item pursuant to a prescription; or (3) procurement or banking of blood, sperm, organs, or any other tissue for administration to patients.

4. Health care clearinghouse. We would define ``health care clearinghouse'' as defined by section 1171(2) of the Act. The Act defines a ``health care clearinghouse'' as a ``public or private entity that processes or facilitates the processing of nonstandard data elements of health information into standard data elements.'' In practice, clearinghouses receive transactions from health care providers, health plans, other health care clearinghouses, or business partners of such entities, and other entities, translate the data from a given format into one acceptable to the entity receiving the transaction, and forward the processed transaction to that entity. There are currently a number of private clearinghouses that contract or perform this function for health care providers. For purposes of this rule, we would consider billing services, repricing companies, community health management information systems or community health information systems, ``value-added'' networks, switches and similar organizations to be health care clearinghouses for purposes of this part only if they actually perform the same functions as a health care clearinghouse. We would note that we are proposing to exempt clearinghouses from a number of the provisions of this rule that would apply to other covered entities (see Secs. 164.512, 164.514 and 164.516 below), because in most cases we do not believe that clearinghouses would be dealing directly with individuals. In many instances, clearinghouses would be considered business partners under this rule and would be bound by their contracts with covered plans and providers. See proposed Sec. 164.506(e). We would adopt this position with the caveat that the exemptions would be void for any clearinghouse that had direct contact with individuals in a capacity other than that of a business partner.

5. Health care provider. Section 1171(3) of the Act defines ``health care provider'' as a ``provider of medical services as defined in section 1861(u) of the Act, a provider of medical or other health services as defined in section 1861(s) of the Act, and any other person who furnishes health care services or supplies.'' We are proposing to define ``health care provider'' as the Act does, and clarify that a health care provider is limited to any person or organization that furnishes, bills, or is paid for, health care services or supplies in the normal course of business. This definition would include a researcher who provides health care to the subjects of research, free clinics, and a health clinic or licensed health care professional located at a school or business. Section 1861(u) of the Act contains the Medicare definition of a provider, which encompasses institutional providers, such as hospitals, skilled nursing facilities, home health agencies, and comprehensive outpatient rehabilitation facilities. Section 1861(s) of the Act defines other Medicare facilities and practitioners, including assorted clinics and centers, physicians, clinical laboratories, various licensed/certified health care practitioners, and suppliers of durable medical equipment.
The last portion of the proposed definition encompasses appropriately licensed or certified health care practitioners or organizations, including pharmacies and nursing homes and many types of therapists, technicians, and aides. It also would include any other individual or organization that furnishes health care services or supplies in the normal course of business. An individual or organization that bills and/or is paid for health care services or supplies in the normal course of business, such as a group practice or an ``on-line'' pharmacy accessible on the Internet, is also a health care provider for purposes of this statute. For a more detailed discussion of the definition of health care provider, we refer the reader to our proposed rule (Standard Health Care Provider Identifier) published on May 7, 1998, in the Federal Register (63 FR 25320).

6. Health information. We would define ``health information'' as it is defined in section 1171(4) of the Act. ``Health information'' would mean any information, whether oral or recorded in any form or medium, that is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and that relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual. In this paragraph we attempt to clarify the relationship between the defined terms ``health information,'' ``individually identifiable health information'' and ``protected health information.'' The term ``health information'' encompasses the universe of information governed by the administrative simplification requirements of the Act. For example, under section 1173 of the Act, the Secretary is to adopt standards to enable the electronic exchange of all health information.
However, protection of personal privacy is primarily a concern for the subset of health information that is ``individually identifiable health information,'' as defined by the Act (see below). For example, a tabulation of the number of students with asthma by school district would be health information, but since it normally could not be used to identify any individuals, it would not usually create privacy concerns. The definition of individually identifiable health information omits some of the persons or organizations that are described as creating or receiving ``health information.'' Some sections of the Act refer specifically to individually identifiable health information, such as section 1177 in setting criminal penalties for wrongful use or disclosure, and section 264 in requesting recommendations for privacy standards. Finally, we propose the phrase ``protected health information'' (Sec. 164.504) to refer to the subset of individually identifiable health information that is used or disclosed by the entities that are subject to this rule.

7. Health plan. We would define ``health plan'' essentially as section 1171(5) of the Act defines it. Section 1171 of the Act refers to several definitions in section 2791 of the Public Health Service Act, 42 U.S.C. 300gg-91, as added by Public Law 104-191. For clarity, we would incorporate the referenced definitions as currently stated into our proposed definitions. As defined in section 1171(5), a ``health plan'' is an individual plan or group health plan that provides, or pays the cost of, medical care (see section 2791(a) of the Public Health Service Act (PHS Act)). This definition would include, but is not limited to, the 15 types of plans listed in the statute, as well as any combination of them. The term would include, when applied to public benefit programs, the component of the government agency that administers the program.
Church plans and government plans are included to the extent that they fall into one or more of the listed categories. ``Health plan'' includes the following singly or in combination:

a. ``Group health plan'' (as currently defined by section 2791(a) of the PHS Act). A group health plan is a plan that has 50 or more participants (as the term ``participant'' is currently defined by section 3(7) of ERISA) or is administered by an entity other than the employer that established and maintains the plan. This definition includes both insured and self-insured plans. Section 2791(a)(1) of the PHS Act defines ``group health plan'' as an employee welfare benefit plan (as defined in current section 3(1) of ERISA) to the extent that the plan provides medical care, including items and services paid for as medical care, to employees or their dependents directly or through insurance, or otherwise.

b. ``Health insurance issuer'' (as currently defined by section 2791(b) of the PHS Act). Section 2971(b) of the PHS Act defines a ``health insurance issuer'' as an insurance company, insurance service, or insurance organization that is licensed to engage in the business of insurance in a State and is subject to State law that regulates insurance.

c. ``Health maintenance organization'' (as currently defined by section 2791(b) of the PHS Act). Section 2791(b) of the PHS Act currently defines a ``health maintenance organization'' as a federally qualified health maintenance organization, an organization recognized as such under State law, or a similar organization regulated for solvency under State law in the same manner and to the same extent as such a health maintenance organization. These organizations may include preferred provider organizations, provider sponsored organizations, independent practice associations, competitive medical plans, exclusive provider organizations, and foundations for medical care.

d. Part A or Part B of the Medicare program (title XVIII of the Act).

e.
The Medicaid program (title XIX of the Act).

f. A ``Medicare supplemental policy'' as defined under section 1882(g)(1) of the Act. Section 1882(g)(1) of the Act defines a ``Medicare supplemental policy'' as a health insurance policy that a private entity offers a Medicare beneficiary to provide payment for expenses incurred for services and items that are not reimbursed by Medicare because of deductible, coinsurance, or other limitations under Medicare. The statutory definition of a Medicare supplemental policy excludes a number of plans that are similar to Medicare supplemental plans, such as health plans for employees and former employers and for members and former members of trade associations and unions. A number of these health plans may be included under the definitions of ``group health plan'' or ``health insurance issuer,'' as defined in paragraphs ``a'' and ``b'' above.

g. A ``long-term care policy,'' including a nursing-home fixed indemnity policy. A ``long-term care policy'' is considered to be a health plan regardless of how comprehensive it is.

h. An employee welfare benefit plan or any other arrangement that is established or maintained for the purpose of offering or providing health benefits to the employees of two or more employers. This includes plans that are referred to as multiple employer welfare arrangements (``MEWAs'').

i. The health care program for active military personnel under title 10 of the United States Code. See paragraph ``k'', below, for further discussion.

j. The veterans health care program under chapter 17 of title 38 of the United States Code. This health plan primarily furnishes medical care through hospitals and clinics administered by the Department of Veterans Affairs (VA) for veterans enrolled in the VA health care system.

k. The Civilian Health and Medical Program of the Uniformed Services (CHAMPUS) as defined in 10 U.S.C. 1072(4).
We note that the Act's definition of ``health plan'' omits several types of health care provided by the Department of Defense (DOD). Sections 1171(5)(I) and 1171(5)(K) cover only the health care program for active duty personnel (see 10 U.S.C. 1074(a)) and the CHAMPUS program (see 10 U.S.C. 1079, 1086). What is omitted is health care provided in military treatment facilities to military retirees (see 10 U.S.C. 1074(b)), to dependents of active duty personnel and to dependents of retirees (see 10 U.S.C. 1076), to Secretarial designees such as members of Congress, Justices of the Supreme Court, and to foreign military personnel under NATO status of forces agreements. Health care provided by the DOD in military facilities to the aforementioned persons is not included as a ``health plan'' under HIPAA. However, these facilities would still be considered to be health care providers.

l. The Indian Health Service program under the Indian Health Care Improvement Act (25 U.S.C. 1601, et seq.). This program furnishes services, generally through its own health care providers, primarily to persons who are eligible to receive services because they are of American Indian or Alaskan Native descent.

m. The Federal Employees Health Benefits Program under 5 U.S.C. chapter 89. This program consists of health insurance plans offered to active and retired federal employees and their dependents. Although section 1171(5)(M) of the Act refers to the ``Federal Employees Health Benefit Plan,'' this and any other rules adopting administrative simplification standards will use the correct name, the Federal Employees Health Benefits Program. One health plan does not cover all federal employees; over 350 health plans provide health benefits coverage to federal employees, retirees, and their eligible family members.
Therefore, we will use the correct name, The Federal Employees Health Benefits Program, to make clear that the administrative simplification standards apply to all health plans that participate in the Program.

n. An approved State child health plan for child health assistance that meets the requirements of section 2103 of the Act, which established the Children's Health Insurance Program (CHIP).

o. A Medicare Plus Choice organization as defined in 42 CFR 422.2, with a contract under 42 CFR part 422, subpart K.

p. Any other individual plan or group health plan, or combination thereof, that provides or pays for the cost of medical care. This category implements the language at the beginning of the statutory definition of the term ``health plan'': ``The term 'health plan' means an individual or group plan that provides, or pays the cost of, medical care * * * Such term includes the following, and any combination thereof * * *'' This statutory language is general, not specific. Moreover, the statement that the term ``health plan'' ``includes'' the specified plans implies that the term also covers other plans that meet the stated criteria. One approach to interpreting this introductory language in the statute would be to make coverage decisions about plans that may meet these criteria on a case-by-case basis. Instead we propose to clarify its coverage by adding this category to the proposed definition of ``health plan''; we seek public comment on its application. The Secretary would determine which plans that meet the criteria in the preceding paragraph are health plans for purposes of title II of HIPAA.

Consistent with the other parts of HIPAA, the provisions of this rule generally would not apply to certain types of insurance entities, such as workers' compensation and automobile insurance carriers, other property and casualty insurers, and certain forms of limited benefits coverage, even when such arrangements provide coverage for health care services. 29 U.S.C.
1186(c). We note that health care providers would be subject to the provisions of this rule with respect to the health care they provide to individuals, even if such providers seek or receive reimbursement from an insurance entity that is not a covered entity under these rules. However, nothing in this rule would be intended to prevent a health care provider from disclosing protected health information to a non-covered insurance entity for the purpose of obtaining payment for services. Further, under proposed Sec. 164.510(n), this rule would permit disclosures by health care providers of protected health information to such insurance entities and to other persons when mandated by applicable law for the purposes of determining eligibility for coverage or benefits under such insurance arrangements. For example, a State workers' compensation law that requires disclosure of protected health information to an insurer or employer for the purposes of determining an individual's eligibility for medical or other benefits, or for the purpose of determining fitness for duty, would not be disturbed by this rule.

8. Secretary. This term means the Secretary of Health and Human Services and any other officer or employee of the Department of Health and Human Services to whom the authority involved has been delegated. It is provided for ease of reference.

9. Small health plan. The HIPAA does not define a ``small health plan,'' but instead explicitly leaves the definition to be determined by the Secretary. We propose to adopt the size classification used by the Small Business Administration. We would therefore define a ``small health plan'' as a health plan with annual receipts of $5 million or less. 31 CFR 121.201. This differs from the definition of ``small health plan'' in prior proposed Administrative Simplification rules. We will conform the definitions in the final Administrative Simplification rules.

10. Standard.
The term ``standard'' would mean a prescribed set of rules, conditions, or requirements concerning classification of components, specification of materials, performance or operations, or delineation of procedures in describing products, systems, services, or practices. This definition is a general one, to accommodate the varying functions of the specific standards proposed in the other HIPAA regulations, as well as the rules proposed below.

11. State. This term would include the 50 States, the District of Columbia, the Commonwealth of Puerto Rico, the Virgin Islands, and Guam. This definition follows the statutory definition of ``State'' in section 1101(a) of the Act.

12. Transaction. We would define ``transaction,'' as we have done in other Administrative Simplification regulations, to mean the exchange of information between two parties to carry out financial or administrative activities related to health care. A transaction would be (1) any of the transactions listed in section 1173(a)(2) of the Act, and (2) any transaction determined appropriate by the Secretary in accordance with Section 1173(a)(1) of the Act. A ``transaction'' would mean any of the following:

a. Health claims or equivalent encounter information. This transaction could be used to submit health care claim billing information, encounter information, or both, from health care providers to payers, either directly or via intermediary billers and claims clearinghouses.

b. Health care payment and remittance advice. This transaction could be used by a health plan to make a payment to a financial institution for a health care provider (sending payment only), to send an explanation of benefits remittance advice directly to a health care provider (sending data only), or to make payment and send an explanation of benefits remittance advice to a health care provider via a financial institution (sending both payment and data).

c. Coordination of benefits.
This transaction could be used to transmit health care claims and billing payment information between payers with different payment responsibilities where coordination of benefits is required or between payers and regulatory agencies to monitor the furnishing, billing, and/or payment of health care services within a specific health care/insurance industry segment.

d. Health claims status. This transaction could be used by health care providers and recipients of health care products or services (or their authorized agents) to request the status of a health care claim or encounter from a health plan.

e. Enrollment and disenrollment in a health plan. This transaction could be used to establish communication between the sponsor of a health benefit and the payer. It provides enrollment data, such as subscriber and dependents, employer information, and primary care health care provider information. A sponsor would be the backer of the coverage, benefit, or product. A sponsor could be an employer, union, government agency, association, or insurance company. The health plan would refer to an entity that pays claims, administers the insurance product or benefit, or both.

f. Eligibility for a health plan. This transaction could be used to inquire about the eligibility, coverage, or benefits associated with a benefit plan, employer, plan sponsor, subscriber, or a dependent under the subscriber's policy. It also could be used to communicate information about or changes to eligibility, coverage, or benefits from information sources (such as insurers, sponsors, and payers) to information receivers (such as physicians, hospitals, third party administrators, and government agencies).

g. Health plan premium payments. This transaction could be used by, for example, employers, employees, unions, and associations to make and keep track of payments of health plan premiums to their health insurers.
This transaction could also be used by a health care provider, acting as liaison for the beneficiary, to make payment to a health insurer for coinsurance, copayments, and deductibles.

h. Referral certification and authorization. This transaction could be used to transmit health care service referral information between health care providers, health care providers furnishing services, and payers. It could also be used to obtain authorization for certain health care services from a health plan.

i. First report of injury. This transaction could be used to report information pertaining to an injury, illness, or incident to entities interested in the information for statistical, legal, claims, and risk management processing requirements.

j. Health claims attachments. This transaction could be used to transmit health care service information, such as subscriber, patient, demographic, diagnosis, or treatment data for the purpose of a request for review, certification, notification, or reporting the outcome of a health care services review.

k. Other transactions as the Secretary may prescribe by regulation. Under section 1173(a)(1)(B) of the Act, the Secretary may adopt standards, and data elements for those standards, for other financial and administrative transactions deemed appropriate by the Secretary. These transactions would be consistent with the goals of improving the operation of the health care system and reducing administrative costs.

In addition to the above terms, a number of terms are defined in proposed Sec. 164.504, and are specific to the proposed privacy rules. They are as follows:

13. Business partner. This term would mean a person to whom a covered entity discloses protected health information so that the person can carry out, assist with the performance of, or perform on behalf of, a function or activity for the covered entity.
Such term includes any agent, contractor or other person who receives protected health information from the covered entity (or from another business partner of the covered entity) for the purposes described in the previous sentence. It would not include a person who is an employee, a volunteer or other person associated with the covered entity on a paid or unpaid basis.

14. Designated record set. This term would be defined as a group of records under the control of a covered entity from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual, and which is used by the covered entity to make decisions about the individual. The concept of a ``designated record set'' is derived from the Privacy Act's concept of a ``system of records.'' Under the Privacy Act, federal agencies must provide an individual with access to ``information pertaining to him which is contained in [a system of records].'' 5 U.S.C. 552a(d)(1). A ``system of records'' is defined as ``a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual.'' 5 U.S.C. 552a(a)(5). Under this rule, we would substitute the term ``covered entity'' for ``agency'' and limit the information to that used by the covered entity to make decisions about the individual.
We would define a ``record'' as ``any item, collection, or grouping of protected health information maintained, collected, used, or disseminated by a covered entity.'' Under the Privacy Act, ``the term 'record' means any item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to, his education, financial transactions, medical history, and criminal or employment history and that contains his name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or a photograph.'' 5 U.S.C. 552a(a)(4). For purposes of this rule we propose to limit the information to protected health information, as defined in this rule. ``Protected health information'' already incorporates the concept of identifiability, and therefore our definition of ``record'' is much simpler.

For health plans, designated record sets would include, at a minimum, the claims adjudication, enrollment, and patient accounting systems. For health care providers, designated record sets would include, at a minimum, the medical records and billing records. Designated record set would also include a correspondence system, a complaint system, or an event tracking system if decisions about individuals are made based, in whole or in part, on information in those systems. Files used to backup a primary data system or the sequential files created to transmit a batch of claims to a clearinghouse are clear examples of data files which would not fall under this definition. We note that a designated record set would only exist for types of records that a covered entity actually ``retrieves'' by an identifier, and not records that are only ``retrievable'' by an identifier. In many cases, technology will permit sorting and retrieving by a variety of fields and therefore the ``retrievable'' standard would be relatively meaningless.

15. Disclosure.
This term would be defined as the release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information.

16. Health care operations. We propose the term ``health care operations'' to clarify the activities we consider to be ``compatible with and directly related to'' treatment and payment and therefore would not require authorization from the individual for use or disclosure of protected health information. Under our proposal, ``health care operations'' means the following services or activities if provided by or on behalf of a covered health plan or health care provider for the purposes of carrying out the management functions of such plan or provider necessary for the support of treatment or payment:

Conducting quality assessment and improvement activities, including evaluating outcomes, and developing clinical guidelines;

Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which undergraduate and graduate students and trainees in all areas of health care learn under supervision to practice as health care providers (e.g., residency programs, grand rounds, nursing practicums), accreditation, certification, licensing or credentialing activities;

Insurance rating and other insurance activities relating to the renewal of a contract for insurance, including underwriting, experience rating, and reinsurance, but only when the individuals are already enrolled in the health plan conducting such activities and only when the use or disclosure of such protected health information relates to an existing contract of insurance (including the renewal of such a contract);

Conducting or arranging for auditing services, including fraud and abuse detection and compliance programs; and

Compiling and analyzing information in anticipation of, or for use in, civil or criminal legal
proceedings.

Our definition proposes to limit health care operations to functions and activities performed by a health plan or provider or by a business partner on behalf of a health plan or a provider. Our definition anticipates that in order for treatment and payment to occur, protected health information would be used within entities, would be shared with business partners, and in some cases would be shared between covered entities (or their business partners). However, a health care operation should not result in protected health information being disclosed to an entity that is not the covered entity (or a business partner of such entity) on whose behalf the operation is being performed. For example, a health plan may request a health care provider to provide protected health information to the health plan, or to a business partner of the health plan, as part of an outcomes evaluation effort relating to providers affiliated with that plan. This would be a health care operation. We are aware that the health care industry is changing and that these categories, though broad, may need to be modified to reflect different conditions in the future.

17. Health oversight agency. We would define the term ``health oversight agency'' as it is defined in the Secretary's Recommendations. See section II.E. below for further discussion.

18. Individual. We would define ``individual'' to mean the person who is the subject of protected health information. We would define the term to include, with respect to the signing of authorizations and other rights (such as access, copying, and correction), various types of legal representatives.
The term would include court-appointed guardians or persons with a power of attorney, including persons making health care decisions for incapacitated persons, persons acting on behalf of a decedent's estate, where State or other applicable law authorizes such legal representatives to exercise the person's rights in such contexts, and parents subject to certain restrictions explained below. We would define this term to exclude foreign military and foreign diplomatic personnel and their dependents who receive health care provided or paid for by the DOD or other federal agency or entity acting on its behalf, and overseas foreign national beneficiaries of health care provided by the DOD or other federal agency, or non-governmental organization acting on its behalf.

a. Disclosures pursuant to a power of attorney. The definition of an individual would include legal representatives, to the extent permitted under State or other applicable law. We considered several issues in making this determination. A ``power of attorney'' is a legal agreement through which a person formally grants authority to another person to make decisions on the person's behalf about financial, health care, legal, and/or other matters. In granting power of attorney, a person does not give up his or her own right to make decisions regarding the health care, financial, legal, or other issues involved in the legal agreement. Rather, he or she authorizes the other person to make these decisions as well. In some cases, an individual gives another person power of attorney over issues not directly related to health care (e.g., financial matters) while informally relying on a third person (either implicitly or through verbal agreement) to make health care decisions on his or her behalf. In such situations, the person with power of attorney could seek health information from a health plan or provider in order to complete a task related to his or her power of attorney.
For example, a person with financial power of attorney may request health information from a health plan or provider in order to apply for disability benefits on the individual's behalf. In developing proposed rules to address these situations, we considered two options: (1) Allowing health plans and health care providers to disclose health information without authorization directly to the person with power of attorney over issues not directly related to health care; and (2) prohibiting health plans or health care providers from disclosing health information without authorization directly to such persons and stating that disclosure without authorization is permitted only to persons designated formally (through power of attorney for health care) or informally as the patient's health care decision-maker. We believe that both options have merit. The first option recognizes that the responsibilities of persons with power of attorney often are broad, and that even when the power of attorney agreement does not relate directly to health care, the person with power of attorney at times has a legitimate need for health information in order to carry out his or her legal responsibility. The second option recognizes that when an individual is competent to make health care decisions, it is appropriate for him or her (or, if the individual wishes, for the informally designated health care decision maker) to decide whether the covered entity should disclose health information to someone with power of attorney over issues not directly related to health care. 
In light of the fact that laws vary by State regarding power of attorney and that implementation of either option could be in the individual's interest, we would allow health plans and health care providers to disclose protected health information without authorization directly to persons with power of attorney to handle any issue on the individual's behalf, in accordance with State or other applicable laws regarding this issue. This definition also accounts for situations in which a competent individual has granted one person power of attorney over health care issues yet, in practice, relies on another person to make health care decisions. We recognize that, by giving power of attorney for health care issues to one person and involving another person informally in making treatment decisions, the individual is, in the first instance, formally granting consent to release his or her health information and, in practice, granting consent to release medical information to the second person. Therefore, we would allow a health plan or provider, pursuant to State or other applicable law, to disclose protected health information without authorization to a person with power of attorney for the patient's health care and to a person informally designated as the patient's health care decision maker.

b. Disclosures pertaining to incapacitated individuals. Covered entities would be permitted to disclose protected health information to any person making health care decisions for an incapacitated person under State or other applicable law. This definition defers to current laws regarding health care decision-making when a patient is not a minor and is incapable of making his or her own decisions. We propose to permit information to follow such decision-making authority. It is our intent not to disturb existing practices regarding incapacitated patients.
Applicable laws vary significantly regarding the categories of persons who can make health care decisions when a patient is incapable of making them. For example, some State laws establish a hierarchy of persons who may make medical decisions for the incapacitated person (e.g., first a person with power of attorney, if not then next-of-kin, if none then close friend, etc.). In other States, health care providers may exercise professional judgment about which person would make health care decis