[Federal Register: November 3, 1999 (Volume 64, Number 212)]
[Proposed Rules]
[Page 59967-60016]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr03no99-68]
[[pp. 59967-60016]] Standards for Privacy of Individually Identifiable Health
Information
[[Continued from page 59966]]
[[Page 59967]]
so through a business partner arrangement that meets the requirements
of proposed Sec. 164.506(e). Any services offered by the bank that are
not on the list of exempt services in 1179 would be subject to the
terms of this rule.
We recognize that financial institutions' role in providing
information management systems to customers is evolving and that in the
future, banks and credit card companies could develop and market to
health plans and health care providers software designed specifically
to record and track diagnostic and treatment information along with
payment information. In light of the rapid evolution of information
management technology available to plans and providers, we seek comment
on the types of services that financial institutions are performing or
may soon perform for covered entities, and how these services could be
best addressed by this proposed rule.
Finally, we note that we would impose no verification requirements
for most routine banking and payment activities. However, if a bank or
financial institution seeks information outside payment processing
transactions (e.g., during a special audit), we would require the
covered entity to take reasonable steps to verify the identity of the
person requesting the disclosure.
9. Uses and Disclosures for Research (Sec. 164.510(j))
[Please label comments about this section with the subject:
``Research'']
In Sec. 164.510(j), we propose to permit covered entities to use
and disclose protected health information for research without
individual authorization, provided that the covered entity receives
documentation that the research protocol has been reviewed by an
Institutional Review Board or equivalent body--a privacy board--and
that the board found that the research protocol meets specified
criteria (regarding protected health information) designed to protect
the subject. Absent such documentation, the subject's protected health
information could be disclosed for research only with the individual's
authorization, pursuant to the authorization requirements in proposed
Sec. 164.508.
Our proposed requirements for this disclosure build on the
requirements for such disclosure under the Federal regulation that
protects human subjects in research conducted or funded by the Federal
government, the Federal Policy for the Protection of Human Subjects
(often referred to as the ``Common Rule''), first published for several
agencies at 56 FR 28,002-28,032 (1991), and codified for the
Department of Health and Human Services at 45 CFR part 46.
a. Importance of research and the need for protected health
information. Much important and sometimes lifesaving knowledge has come
from studies that used individually identifiable health information,
including biomedical and behavioral research, epidemiological studies,
health services research, and statistical activities. This type of
research has led to dramatic improvements in the nation's health. For
example, the results of such research include the association of a
reduction in the risk of heart disease with dietary and exercise
habits, the association between the use of diethylstilbestrol (DES) by
pregnant women and vaginal cancer in their daughters, and the value of
beta-blocker therapy in reducing re-hospitalizations and in improving
survival among elderly survivors of acute myocardial infarction.
Likewise, research on behavioral, social, and economic factors that
affect health, and the effect of health on other aspects of life may
require individually identifiable health information. Studies of this
kind can yield important information about treatment outcomes and
patterns of care, disease surveillance and trends, health care costs,
risk factors for disease, functional ability, and service utilization--
which may ultimately lead to improvements in the quality of patient
care, the identification and eradication of public health threats, and
the development of new devices and pharmaceutical products. For
example, such research uncovered the fact that disease screening and
treatment patterns vary with the race of the person, which in turn has
led to focused outreach programs to improve health. Such research
showed that the results of certain highly invasive surgical treatments
are better when the care is provided in hospitals that performed a high
volume of these procedures.
It is not always possible for researchers to obtain the consent of
every subject that a researcher may wish to include within a study.
Thousands of records may be involved. Tracking down the subjects may
entail costs that make the research impracticable. The requirement to
obtain consent also may lead to biased study results, because those who
refuse consent may be more or less likely than average to have a
particular health problem or condition. This may be a particular
concern where the research topic involves sensitive or potentially
embarrassing information. At the same time, the privilege of using
individually identifiable health information for research purposes
without individual authorization requires that the information be used
and disclosed under strict conditions that safeguard individuals'
confidentiality.
b. Definition of research. In proposed Sec. 164.504, we would
define ``research'' as a systematic investigation, including research
development, testing and evaluation, designed to develop or contribute
to generalizable knowledge. This is the definition of ``research'' in
the Common Rule. This definition is well understood in the research
community and elsewhere, and we propose to use it here to maintain
consistency with other federal regulations that affect research.
For purposes of determining whether an activity is research under
this proposed rule, it would not be relevant whether the information is
given gratis, sold, bartered, rented, or otherwise provided for
commercial gain. The purpose of this proposed rule regarding disclosure
of protected health information for research is to protect the subjects
of the information. Where the activity meets the definition of research
and involves use or disclosure of protected health information, the
rules in this section would apply. We request comments on any aspect of
our proposed definition of research.
We understand that research and health care operations often look
alike, and may overlap. We have provided definitions for these terms in
Sec. 164.504. We solicit comments on ways to further distinguish
between research and operations, or otherwise clarify the application
of this rule to such activities.
c. Privacy board review requirement. In Sec. 164.510(j), we would
require covered entities that wish to use or disclose protected health
information for research without individual authorization to obtain
documentation that a privacy board has reviewed the research protocol
and has determined that specified criteria (described below) for waiver
of authorization for use or disclosure of the information have been
met. The board could be an IRB constituted under the Common Rule, or an
equivalent privacy board that meets the requirements in this proposed
rule. We propose to apply these requirements to uses and disclosures of
protected health information by all covered entities, regardless of the
source of funding of the research.
We propose no requirements for the location or sponsorship of the
IRB or privacy board. The covered entity could
[[Page 59968]]
create such a board, and could rely on it to review proposals for uses
and disclosure of records. An outside researcher could come to the
covered entity with the necessary documentation from his or her own
university IRB. A covered entity could engage the services of an
outside IRB or privacy board to obtain the necessary documentation. The
documentation would have to be reviewed by the covered entity prior to
a use or disclosure subject to this provision.
Under our proposal, we would require that the documentation
provided by the IRB or privacy board state: (1) That the waiver of
authorization has been approved by the IRB or privacy board; (2) that
the board either is an IRB established in accordance with the HHS
regulations (45 CFR 46.107) or equivalent regulations of another
federal agency, or is a privacy board whose members (i) have
appropriate expertise for review of records research protocols, (ii) do
not have a conflict of interest with respect to the research protocol,
and (iii) include at least one person not affiliated with the
institution conducting the research; (3) that the eight criteria for
waiver of authorization (described below) are met by the protocol; and
(4) the date of board approval of the waiver of authorization. We would
also require that the documentation be signed by the chair of the IRB
or privacy board.
i. Application to disclosures and uses regardless of funding source.
The Common Rule describes conditions under which research may be
conducted when obtaining authorization is not possible. Those
conditions are intended to ensure that research on human subjects,
including research using their health records, is conducted in a manner
that minimizes or eliminates the risk of harm to individuals. The
Common Rule has been adopted by seventeen Federal agencies,\3\
representing most of the federal agencies sponsoring human subjects
research.
---------------------------------------------------------------------------
\3\ The following 17 Departments and Agencies have adopted the
Common Rule: (1) Department of Agriculture; (2) Department of
Commerce; (3) Department of Defense; (4) Department of Education;
(5) Department of Energy; (6) Department of Health and Human
Services; (7) Department of Housing and Urban Development; (8)
Department of Justice; (9) Department of Transportation; (10)
Department of Veterans Affairs; (11) International Development
Cooperative Agency: Agency for International Development; (12)
Consumer Product Safety Commission; (13) Environmental Protection
Agency; (14) National Aeronautics and Space Administration; (15)
National Science Foundation; (16) Social Security Administration;
(17) Central Intelligence Agency. In addition, the White House
Office of Science and Technology Policy is a signatory to the Common
Rule, but its policy is not codified in the Code of Federal
Regulations.
---------------------------------------------------------------------------
However, a significant amount of research involving protected
health information is currently conducted in the absence of these
federal protections. Pharmaceutical companies, health plans, and
colleges and universities conduct research supported by private funds.
Identifiable information currently is being disclosed and used by these
entities without individual authorization and without any assessment of
risk or of whether individual privacy interests are being adequately
protected.
The Secretary's Recommendations call for the extension of the
Common Rule principles for waiver of authorization for research uses
and disclosures of identifiable health information to all research. The
Recommendations also propose additional principles that directly
address waiver of authorization for research use of such information.
The Recommendations would require an external board to review proposals
for research on health information under criteria designed to ensure
that the need for waiver of authorization is real, that the public
interest in the research outweighs the individual's privacy interest,
and that privacy will be protected as much as possible. In addition,
the Secretary's Recommendations proposed important restrictions on use
and re-disclosure of information by researchers, and requirements for
safeguarding protected information, that are not currently applied
under the Common Rule.
Under the Secretary's Recommendations, these requirements would
apply to researchers who want to use or obtain identifiable information
without first obtaining the authorization of the individual who is the
subject of the information. However, under HIPAA, we do not have the
authority to regulate researchers unless the researcher is also acting
as a provider, as in a clinical trial. We can only directly regulate
health care providers, health plans, and health care clearinghouses.
This means that for most research-related disclosures of health
information, we can directly regulate the entities that disclose the
information, but not the recipients of the information. Therefore, in
order to implement the principles in the Secretary's Recommendations,
we must impose any protections on the health plans and health care
providers that use and disclose the information, rather than on the
researcher seeking the information.
We understand that this approach involves imposing burdens on
covered entities rather than on researchers. However, our jurisdiction
under this statute leaves us the choice of taking this approach, or
failing to provide any protection for individuals whose information is
made the subject of research, or requiring individual authorization
whenever a covered entity wants to disclose protected health
information for research. The second approach would provide no
protection for individuals, and the third approach would make much
important research impossible. Therefore, we are proposing a mechanism
that we believe imposes as little burden as possible on the covered
entity while providing enhanced protection for individuals. This is not
the approach we advocate for new federal privacy legislation, where we
would propose that standards be applied directly to researchers, but it
would be a useful and appropriate approach under the HIPAA legislative
authority.
We considered a number of other approaches for protecting
information about research subjects, particularly when covered entities
use protected health information internally for research. We considered
approaches that would apply fewer requirements for internal research
uses of protected health information; for example, we considered
permitting covered entities to use protected health information for
research without any additional review. We also considered options for
a more limited review, including requiring that internal uses for
research using protected health information be reviewed by a designated
privacy official or by an internal privacy committee. Another option
that we considered would require covered entities to have an IRB or
privacy board review their administrative procedures, either for
research or more generally, but not to require such review for each
research project. See the preamble section II.E.9.
We are not recommending these approaches because we are concerned
about applying fewer protections to subjects of private sector research
than are applied to subjects of federally-funded research subject to
Common Rule protections, where IRB review is required for internal
research uses of protected health information. At the same time, we
recognize that the proposed rule would place new requirements on
research uses and disclosures for research projects not federally-
funded. We solicit comment on the approach that we are proposing,
including on whether the benefits of the IRB or privacy board reviews
would outweigh the burdens associated with
[[Page 59969]]
the proposed requirements. We also solicit comment on whether
alternative approaches could adequately protect the privacy interests
of research subjects. We are interested in the extent to which the
proposed rule could affect the amount and quality of research
undertaken by covered entities or by researchers receiving information
from covered entities. People commenting on the proposed rule also may
wish to address the appropriateness of applying different procedures or
different levels of protection to federally and nonfederally-funded
research. We would note that, as discussed below, privacy boards or
IRBs could adopt procedures for ``expedited review'' similar to those
provided in the Common Rule (Common Rule Sec. ____.110) for review of
records research that involves no more than minimal risk. The
availability of expedited review may affect the burden associated with
the proposed approach.
ii. Documentation of privacy board approval. We considered several
options for applying Common Rule principles to research not reviewed by
Common Rule IRBs through imposing requirements on covered entities. We
chose the use of the privacy board because it gives covered entities
the maximum flexibility consistent with protecting research subjects.
Under this approach, each covered entity that wants to use or disclose
protected health information for research without individual
authorization could obtain the required documentation directly from an
existing privacy board, an internal privacy board created by the
covered entity, or from a privacy board used by the researcher.
We considered prohibiting disclosure of protected health
information for research unless covered entities enter into contracts,
enforceable under law, which would require the researcher to meet the
review criteria. Under this approach, the covered entity would be
required to enter into a contract with the researcher in order to be
permitted to disclose protected health information without individual
authorization. In the contract, the researcher would agree to meet the
criteria described below, as well as the additional restrictions on
reuse and disclosure and the physical safeguards (also described
below), in exchange for obtaining the information from the covered
entity.
We did not adopt this approach because of the potentially
burdensome administrative costs that could stem from the need to
negotiate the contracts and ensure that they are legally enforceable.
In addition, the covered entity may have little incentive to
enforce these contracts. However, we seek comments on whether the
benefits of this approach outweigh the burdens, whether we could expect
the burdens to be eased by the development of model contracts by local
universities or professional societies, and whether covered entities
could be expected to enforce these contracts. We also seek comments on
whether covered entities could be given a choice between the
documentation approach proposed in this NPRM and a contract approach.
We are particularly interested in comments on this approach, because it
appears to be the only mechanism for including restrictions on reuse
and disclosure by researchers in this proposed rule.
iii. Use of boards that are not IRBs. The Secretary's
Recommendations state that privacy protections for private sector
records research should be modeled on the existing Common Rule
principles. The cornerstone of the Common Rule approach to waiver of
authorization is IRB approval. At the same time, we understand that
Common Rule IRBs are not the only bodies capable of performing an
appropriate review of records research protocols. In working with the
Congress to develop comprehensive privacy legislation, we have explored
the use of limited purpose privacy boards to review research involving
use or disclosure of health information. If the review criteria and
operating rules of the privacy board are sufficiently consistent with
the principles stated in the Secretary's Recommendations to afford the
same level of protection, there would be no need to insist that the
review board be a formal Common Rule IRB.
Among the Common Rule requirements for IRB membership, as stated in
45 CFR 46.107, are the following:
Each IRB must have members with varying backgrounds and
appropriate professional competence as necessary to review research
protocols.
Each IRB must include at least one member who is not
affiliated with the institution or related to a person who is
affiliated with the institution.
No IRB member may participate in review of any project in
which the member has a conflict of interest.
We propose to require that a covered entity could not use or
disclose protected health information for research without individual
authorization if the board that approved the waiver of authorization
does not meet these three criteria.
We considered applying the additional criteria for IRB membership
stated in the Common Rule. However, many of the additional criteria are
relevant to research generally, but less relevant for a board whose
sole function is to review uses or disclosures of health information.
In addition, the Common Rule IRB membership criteria are more detailed
than the criteria for privacy board membership we propose here. Since
our legislative authority reaches to covered entities, but not to the
privacy board directly, we decided that imposing additional or more
detailed requirements on privacy boards would impose added burdens on
covered entities that did not clearly bring concomitant increases in
patient protections. We continue to support more complete application
of Common Rule criteria directly to these privacy boards through
federal legislation. We believe the approach we propose here strikes
the appropriate balance between protecting individuals' privacy
interests and keeping burdens on covered entities to a minimum.
d. Criteria. In Sec. 164.510(j)(2)(iii), we propose to prohibit the
use or disclosure of protected health information for research without
individual authorization unless the covered entity has documentation
indicating that the following criteria are met:
The use or disclosure of protected health information
involves no more than minimal risk to the subjects;
The waiver or alteration will not adversely affect the
rights and welfare of the subjects;
The research could not practicably be carried out without
the waiver or alteration;
Whenever appropriate, the subjects will be provided with
additional pertinent information after participation;
The research would be impracticable to conduct without the
protected health information;
The research project is of sufficient importance to
outweigh the intrusion into the privacy of the individual whose
information would be disclosed;
There is an adequate plan to protect the identifiers from
improper use and disclosure; and
There is an adequate plan to destroy the identifiers at
the earliest opportunity consistent with conduct of the research,
unless there is a health or research justification for retaining the
identifiers.
The first four criteria are in the Common Rule (Common Rule
Sec. ____.116(d)).\4\ These criteria were
[[Page 59970]]
designed for research generally, and not specifically to protect
individuals' privacy interests regarding medical records research. For
this reason, the Secretary's Recommendations include the last four
criteria, which were developed specifically for research on medical
records.
---------------------------------------------------------------------------
\4\ It should be noted that for the Department of Defense, 10
U.S.C. 980 prohibits the waiver of informed consent. Only those
studies that qualify for exemption per 45 CFR 46.101(b), or studies
that do not meet the 45 CFR part 46 definition of human subjects
research can be performed in the absence of a process to provide
informed consent to prospective subjects. This proposed rule would
not affect DOD's implementation of 10 U.S.C. 980.
---------------------------------------------------------------------------
As part of the IRB or privacy board's review of the use of
protected health information under the research protocol, we assume
that in the case of a clinical trial, it would also review whether any
waiver of authorization could also include waiver of the subject's
right of access to such information during the course of the trial. See
Sec. 164.514(b)(iv).
We recognize that the fourth criterion may create awkward
situations for some researchers. Where authorization has been waived,
it may be difficult to later approach individuals to give them
information about the research project. However, in some cases the
research could uncover information that would be important to provide
to the individual (e.g., the possibility that they are ill and should
seek further examination or treatment). For this reason, we are
including this criterion in the proposed rule.
We also recognize that the sixth criterion, which would ask the
board to weigh the importance of the research against the intrusion on
privacy, would require the board to make a more subjective judgment
than that required by the other criteria. This balancing, we feel, goes
to the heart of the privacy interest of the individual. We understand,
however, that some may view this criterion as a potential impediment to
certain types of research. We solicit comment on the appropriateness of
the criterion, the burden it would place on privacy boards and IRBs,
and its potential effects on the ability of researchers to obtain
information for research.
The Secretary's Recommendations propose that a researcher who
obtains protected health information this way should be prohibited from
further using or disclosing it except when necessary to lessen a
serious and imminent threat to the health or safety of an individual or
to the public health, or for oversight of the research project, or for
a new research project approved by an IRB or similar board. In addition
the Recommendations propose an obligation on researchers to destroy the
identifiers unless an IRB or similar board determines that there is a
research or health justification for retaining them and an adequate
plan to protect them from improper disclosure.
We do not have the authority under HIPAA to place such requirements
directly on researchers. While criteria to be met in advance can be
certified in documentation through board review of a research protocol,
a board would have no way to assess or certify a researcher's behavior
after completion of the protocol (e.g., whether the researcher was
engaging in improper reuse or disclosure of the information, or whether
the researcher had actually destroyed identifiers). We instead propose
to require the researcher to show a plan for safeguarding the
information and destroying the identifiers, which the privacy board or
IRB can review and evaluate in determining whether the requested
disclosure is proper. We solicit comment on how to include ongoing
protections for information so disclosed under this legislative
authority without placing excessive burdens on covered entities.
We note that privacy boards or IRBs could adopt procedures for
``expedited review'' similar to those provided in the Common Rule
(Common Rule Sec. ____.110). Under the Common Rule's expedited review
procedure, review of research that involves no more than minimal risk,
and involves only individuals' medical records may be carried out by
the IRB chairperson or by one or more reviewers designated by the
chairperson from among the members of the IRB. The principle of
expedited review could be extended to other privacy boards for
disclosures for records-based research. Like expedited review under the
Common Rule, a privacy board could choose to have one or more members
review the proposed research.
e. Additional provisions of this proposed rule affecting research.
i. Research including health care.
To the extent that the researcher studying protected health
information is also providing treatment as defined in proposed
Sec. 164.504, such as in a clinical trial, the researcher would be a
covered health care provider for purposes of that treatment, and would
be required to comply with all the provisions of this rule applicable
to health care providers.
ii. Individual access to research information.
The provisions of Sec. 164.514 of this proposed rule, regarding
individual access to records, would also apply where the research
includes the delivery of health care. We are proposing an exception for
clinical trials where the information was obtained by a covered
provider in the course of a clinical trial, the individual has agreed
to the denial of access when consenting to participate in the trial (if
the individual's consent to participate was obtained), and the trial is
still in progress.
iii. Research on records of deceased persons.
In Sec. 164.506(f), we propose that, unlike the protections
provided by the remainder of this rule, the protections of this
proposed rule will end at the death of the subject for the purpose of
disclosure of the subject's information for research purposes. In
general, this proposed rule would apply to the protected health
information of an individual for two years after the individual's
death. However, requiring IRB or privacy board review of research
studies that use only health information from deceased persons would be
a significant change from the requirements of the Common Rule, which
apply to individually identifiable information about living individuals
only. In addition, some of the Common Rule criteria for waiver of
authorization are not readily applicable to deceased persons. To avoid
a conflict between Common Rule requirements and the requirements of
this proposed rule, we are proposing that the protections of this
proposed rule end at the death of the subject for the purpose of
disclosure of the subject's information for research purposes.
iv. Verification.
In Sec. 164.518(c), we propose to require covered entities to
verify the identity of most persons making requests for protected
health information and, in some cases, the legal authority behind that
request. For disclosures of protected health information for research
purposes under this subsection, the required documentation of IRB or
privacy board approval would constitute sufficient verification. No
additional verification would be necessary under Sec. 164.518(c).
f. Application to research covered by the Common Rule. Some
research projects would be covered by both the Common Rule and the
HIPAA regulation. This proposed rule would not override the Common
Rule. Thus, where both the HIPAA regulation and the Common Rule would
apply to research conducted by a covered entity, both sets of
regulations would need to be followed. Because only half of the
substantive criteria for board approval proposed in this rule are
applied by IRBs today, this would entail new responsibilities for IRBs
in these situations. However, we believe that the additional burden
would be minimal, since the IRBs will already be reviewing the research
protocol, and will be asked
[[Page 59971]]
only to assess the protocol against some additional criteria. This
burden is justified by the enhancement of privacy protections gained by
applying rules specifically designed to protect the subjects of medical
records research.
We considered excluding research covered by the Common Rule from
the provisions of this proposed rule. We rejected this approach for two
reasons. First, the additional proposed requirements applied through
HIPAA are specifically designed to protect the privacy interests of the
research subjects, and the small additional burden on IRBs would be
outweighed by the improved protections for individuals. Second, such an
approach would allow federally-funded research to proceed under fewer
restrictions than privately funded research. We believe that the source
of funding of the research should not determine the level of protection
afforded to the individual.
We note that the definition of ``identifiable'' information
proposed in Sec. 164.504 of this rule differs from the interpretation
of the term under the Common Rule. In particular, if a covered entity
encodes identifiers as required under Sec. 164.506(d) before
undertaking a disclosure of health information for research purposes,
the requirements of this section would not apply. However, the encoded
information would still be considered ``identifiable'' under the Common
Rule and therefore may fall under the human subjects regulations.
g. Obtaining the individual's authorization for research use or
disclosure of protected health information. If a covered entity chooses
to obtain individual authorization for use or disclosure of information
for research, the requirements applicable to individual authorizations
for release of protected health information would apply. These
protections are described in Sec. 164.508.
For research projects to which both the Common Rule and this
proposed rule would apply, both sets of requirements for obtaining the
authorization of the subject for research would apply. As with criteria
for waiver of authorization, this proposed rule would impose
requirements for obtaining authorization that are different from Common
Rule requirements for obtaining consent. In particular, the regulation
would require more information to be given to individuals regarding who
could see their information and how it would be used. For the reasons
explained above, we are proposing that both sets of requirements apply,
rather than allow federally-funded research to operate with fewer
privacy protections than privately-funded research.
h. Need to assess the Common Rule. In general, the Common Rule was
designed to protect human subjects participating in research projects
from physical harm. It was not specifically designed to protect an
individual's medical records when used for research. For research in
which only the medical information of the human subject is used, i.e.,
records research, there are several ways in which the Common Rule
protections could be enhanced.
In developing these proposed regulations, and in reviewing the
comprehensive medical privacy legislation pending before Congress, it
has become clear that the Department's human subject regulations (45
CFR part 46, 21 CFR part 50, and 21 CFR part 56) may not contain all of
the safeguards necessary to protect the privacy of research
participants. Because the source of research funding should not dictate
the level of privacy protection afforded to a research subject, the
Secretary of HHS will immediately initiate plans to review the
confidentiality provisions of the Common Rule.
To further that process, we solicit comments here on how Common
Rule protections for the subjects of records review should be enhanced.
For example, we will consider the adequacy of the Common Rule's
provisions regarding conflict of interest, expedited review, exemptions
(such as the exemption for certain research on federal benefits
programs), deceased subjects, and whether IRBs should place greater
emphasis on confidentiality issues when reviewing research protocols.
We also seek comment on whether the Common Rule requirements for
obtaining consent for records research should be modified to reflect
the specific risks entailed in such research.
In addition, because seventeen other Departments and Agencies are
signatories to the Common Rule and each has its own human subject
regulations, the Secretary of HHS will consult with these Departments
and Agencies regarding potential changes to the Common Rule.
10. Uses and Disclosures in Emergency Circumstances (Sec. 164.510(k))
[Please label comments about this section with the subject:
``Emergency circumstances'']
In Sec. 164.510(k), we propose to permit covered entities to use
or disclose protected health information in emergencies, consistent
with applicable law and standards of ethical conduct, based on a
reasonable belief that the use or disclosure is necessary to prevent or
lessen a serious and imminent threat to the health or safety of any
person or the public.
a. Importance of emergency response and the need for protected
health information. Circumstances could arise that are not otherwise
covered in the rules proposed in Secs. 164.510(b) and 164.510(f) for
law enforcement and public health, where covered entities may need to
disclose protected health information to prevent or lessen a serious
and imminent threat of harm to persons or the public. Persons at risk
include the individual who is the subject of the protected health
information as well as others. Through their professional activities,
covered entities, particularly health care providers, may obtain
information that leads them to believe that an individual is at risk of
harm to him or herself, or poses a threat to others. This information
could be needed by emergency and first responders (including law
enforcement officials) to deal with or prevent an emergency situation
posing a serious and imminent threat of harm to such persons or the
public.
b. Proposed requirements. We would permit covered entities,
consistent with applicable law and standards of ethical conduct, to
disclose protected health information based on a reasonable belief that
the disclosure is necessary to prevent or lessen a serious and imminent
threat to the health or safety of a person or the public. Covered
entities would only be permitted to make such disclosures to persons
who are reasonably able to prevent or lessen the threat, including to
the target of the threat.
Anticipating all circumstances under which emergency disclosure
could be necessary is not possible. This section must be stated in
somewhat general terms. We intend to permit covered entities to respond
to emergency requests for protected health information, where it is
reasonable for the covered entity to believe that such disclosure would
prevent or reduce a serious emergency situation. Such emergencies may
threaten a single person or the general public. We do not intend to
permit disclosure of protected health information in response to
hypothetical scenarios or potential emergencies that are not imminent
and serious. This permitted disclosure would be narrow; it should not
become a loophole for disclosures not permitted by the other provisions
of the proposed rule.
[[Page 59972]]
This provision would permit disclosure of relevant information in
response to credible requests from law enforcement, public health, or
other government officials. The covered entity would be permitted to
reasonably rely on credible representations that an emergency exists
and that protected health information could lessen the threat. If the
disclosure was made in a good faith belief that these circumstances
exist, it would be lawful under this section. A covered entity could
also disclose protected health information on its own initiative if it
determined that the disclosure was necessary, consistent with other
applicable legal or ethical standards. Our proposed rule is intended to
permit such disclosures where they are otherwise permitted by law or
ethical standards. We do not intend to permit disclosures by health
care providers or others that are currently prohibited by other law or
ethical standards.
Disclosure for emergency circumstances could be authorized by
statute or common law and could also be addressed in medical
professional ethics and standards. For example, the American Medical
Association Principles of Medical Ethics on Confidentiality provides
that:
[T]he obligation to safeguard patient confidences is subject to
certain exceptions that are ethically and legally justified because
of overriding social consideration. Where a patient threatens to
inflict serious bodily harm to another person or to him or herself
and there is a reasonable probability that the patient may carry out
the threat, the physician should take reasonable precautions for the
protection of the intended victim, including notification of law
enforcement authorities.
The duty to warn third persons at risk has been addressed in court
cases, and the provision proposed permits disclosures in accord with
such legal duties. The leading case on this issue is Tarasoff v.
Regents of the University of California, 17 Cal. 3d 425 (1976). In that
case, a therapist's patient made credible threats against the physical
safety of a specific person. The Supreme Court of California found that
the therapist involved in the case had an obligation to use reasonable
care to protect the intended victim of his patient against danger,
including warning the victim of the peril. Many States have adopted
(judicially or legislatively) versions of the Tarasoff duty to warn,
but not all States have done so. This proposed rule is not intended to
create a duty to warn or disclose but would simply permit the
disclosure under the emergency circumstances consistent with other
applicable legal or ethical standards.
An emergency disclosure provision does present some risks of
improper disclosure. There will be pressures and uncertainties when
disclosures are requested under emergency circumstances, and decisions
must often be made instantaneously and without the ability to seek
individual authorization or to perform complete verification of the
request. We believe that this risk would be warranted when balancing
the individual's interest in confidentiality against the societal
interest in preserving life and protecting public safety in those rare
emergency circumstances where disclosure is necessary. A covered entity
that makes a reasonable judgment under such pressure and discloses
protected health information in good faith would not be held liable for
wrongful disclosure if circumstances later prove not to have warranted
the disclosure.
We would also exempt emergency disclosures from provisions that
allow individuals to request restrictions on uses and disclosures of
their protected health information for treatment, payment and health
care operations. In emergency situations, health care professionals
need to have any information that will allow them to respond to the
emergency circumstance, and cannot be expected to take the time to
remind themselves of restrictions on particular information. See
proposed Sec. 164.506(c).
11. Disclosure to Next-of-Kin (Sec. 164.510(l))
[Please label comments about this section with the subject:
``Next-of-kin'']
In Sec. 164.510(l), we propose to require health care providers to
obtain a verbal agreement from the individual before disclosing
protected health information to next-of-kin, to other family members,
or to others with whom the individual has a close personal
relationship. Where it is not practical or feasible to request and
obtain such verbal agreement, providers could disclose to next-of-kin,
to other family members, or to others with whom an individual has a
close personal relationship, protected health information that is
directly relevant to the person's involvement in the individual's care,
consistent with good professional health practice and ethics.
a. Importance of disclosures to next-of-kin and the need for
protected health information. In some cases, disclosure of protected
health information to next-of-kin, to other relatives, or to persons
with whom the individual has a close personal relationship and who are
involved in caring for or helping the individual, can facilitate
effective health care delivery. We do not intend to impede the
disclosure of protected health information to relatives or friends when
expeditious disclosure of such information clearly would be in the
individual's best interest.
b. Proposed requirements. We propose that when an individual has
the capacity to make his or her own health decisions, providers could
disclose protected health information to the individual's next-of-kin,
to other relatives, or to persons with whom the individual has a close
personal relationship, if the individual has verbally agreed to such
disclosure. Verbal agreement could be indicated informally, for
example, from the fact that the individual brought a family member or
friend to the physician appointment and is actively including the
family member or friend in the discussion with the physician. If,
however, the situation is less clear and the provider is not certain
that the individual intends for the family member or friend to be privy
to protected health information about the individual, the provider
would be required to ask the individual. In these cases, when verbal
agreement can be obtained, that agreement would be sufficient
verification of the identity of the person to meet the requirements of
Sec. 164.518(c).
We would also permit health care providers to disclose protected
health information without verbal agreement to next-of-kin, to other
relatives, or to persons with whom the individual has a close personal
relationship, if such agreement cannot practicably or reasonably be
obtained and the disclosure is consistent with good health professional
practice and ethics. When verbal agreement cannot be obtained, the
provider would be required to take reasonable steps to verify the
identity of the family member or friend in order to meet the
verification requirement under Sec. 164.518(c). Verbal inquiry would
suffice; we would not require any specific type of identity check.
We considered requiring a written authorization for each disclosure
in these situations, but rejected that option because it is not
practicable and does not provide sufficient additional privacy
protection to justify the burden it would place on health care
providers and individuals. Many of these conversations are unscheduled
and of short duration, and requiring a written authorization may impede
treatment and detain the individual. Therefore we would allow a one-time
verbal agreement and (where required) verification to suffice for
disclosure of protected health information relevant to
[[Page 59973]]
the individual's care. For example, a health care provider could
disclose protected health information about an individual's treatment
plan to the individual's adult child who is taking the individual home
from the hospital, if the provider has verbally requested and the
individual has agreed to provide the adult child with relevant
information about aspects of the individual's health care. Disclosure
also could be appropriate in cases where a verbal agreement cannot
practicably be obtained. For example, a pharmacist could be guided by
his or her professional judgment in dispensing a filled prescription to
someone who claims to be picking it up on behalf of the individual for
whom the prescription was filled.
In such cases, disclosures would have to follow the ``minimum
necessary'' provisions of proposed Sec. 164.506(b). For example, health
care providers could not disclose without individual authorization
extensive information about the individual's surgery or past medical
history to the neighbor who is simply driving the individual home and
has no need for this information. We request comment on this approach.
The proposed definition of ``individual'' addresses related
disclosures regarding minors and incapacitated individuals.
12. Additional Uses and Disclosures Required by Other Law
(Sec. 164.510(n))
[Please label comments about this section with the subject:
``Additional uses and disclosures required by other law'']
In Sec. 164.510(n) we propose to allow covered entities to use or
disclose protected health information if such use or disclosure is not
addressed elsewhere in Sec. 164.510, is required by other law, and the
disclosure meets all the relevant requirements of such law.
Other laws may require uses or disclosures of protected health
information for purposes not captured by the other provisions of
proposed Sec. 164.510. An example is State workers' compensation laws,
which could require health care providers to disclose protected health
information to a workers' compensation insurer or to an employer.
Covered entities generally could make uses and disclosures required by
such other laws.
Where such a use or disclosure would also be addressed by other
provisions of this regulation, the covered entity would also have to
follow the requirements of this regulation. Where the requirements of
the other law are contrary to the provisions in this proposed rule and
more protective of the individual's privacy, the provisions of the other
law would generally control. See discussion in section II.I
below.
We have included this section because it is not our intention to
obstruct access to information deemed important enough by other
authorities to require it by law. We considered omitting this provision
because we are concerned that we do not know enough about the required
disclosures it would encompass, but decided to retain it in order to
raise the issue of permitting disclosures for other, undetermined
purposes. We solicit comment on the possible effects of omitting or
narrowing this provision.
Under this section, health care providers could make reports of
abuse of any person that are required by State law. All States require
reports of abuse. All States require reporting to child protective
agencies of instances of child abuse or neglect that they identify, and
most States require similar reports of abuse or neglect of elderly
persons. These are valuable requirements which we support and
encourage. The Act (in section 1178(b)) specifically requires that this
regulation not interfere with State requirements for reporting of
abuse. Additionally, all States require health care providers to report
gunshot wounds and certain other health conditions related to violence;
this provision would permit such reports.
Section 164.518(c), requiring verification of the identity and
legal authority of persons requesting disclosure of protected health
information, would apply to disclosures under Sec. 164.510(n). As noted
above, we are not familiar with all of the disclosures of protected
health information that are mandated by State law, so we cannot be
certain that the verification requirements in Sec. 164.518(c) would
always be appropriate. We solicit comments on whether those
requirements would be appropriate for all disclosures that would be
permitted here.
13. Application to Specialized Classes (Sec. 164.510(m))
In the following categories we propose use and disclosure
provisions that respond to the unique circumstances of certain federal
programs. We request comment on whether additional provisions are
necessary to comply with the suitability and national security
determination requirements of Executive Order 10450, as amended, and
other national security laws.
a. Application to military services.
[Please label comments about this section with the subject:
``Military services'']
To address the special circumstances of the Armed Forces and their
health care systems, we propose to permit military and other federal
providers and health plans to use and disclose protected health
information about active duty members of the Armed Forces for certain
purposes, and to exclude from coverage under this rule health
information about certain persons who receive care from military
providers.
i. Members of the Armed Forces.
The primary purpose of the health care system of the military
services differs in its basic character from that of the health care
system of society in general. The special nature of military service is
acknowledged by the Constitutional provision for separate lawmaking for
them (U.S. Constitution, article I, section 8, clause 14) and in their
separate criminal justice system under the Uniform Code of Military
Justice (10 U.S.C. 801, et seq.).
The military health care system, like other federal and civilian
health care systems, provides medical care and treatment to its
beneficiary population. However, it also serves a critical national
defense purpose, ensuring that the Armed Forces are in a state of
medical readiness to permit the discharge of those responsibilities as
directed by the National Command Authority.
The health and well-being of military members is key and essential.
This is true whether such personnel are serving in the continental
United States or overseas or whether such service is combat-related or
not. In all environments, operational or otherwise, the Armed Forces
must be assured that their personnel are medically qualified to perform
their responsibilities. This is critical as each and every person
performs a vital service upon which others must rely in executing a
specified defense requirement. Unqualified personnel not only
jeopardize the possible success of an assignment or operation, but they
pose an undue risk and danger to others.
To assure that such persons are medically fit, health information
is provided to proper command authorities regarding military members
performing certain critical functions for medical screening and other
purposes so that determinations can be made regarding the ability of
such personnel to perform assigned duties. For example, health
information is provided regarding:
[[Page 59974]]
A pilot receiving medication that may affect alertness;
An Armed Forces member with an intolerance for a vaccine
necessary for deployment to certain geographical areas;
Any significant medical or psychological changes in a
military member who is a member of the Nuclear Weapons Personnel
Reliability Program;
A military recruit or member with an illness or injury
which disqualifies him or her from military service;
Compliance with controlled substances policies.
The military and the Coast Guard obtain such information from their
own health care systems, as well as from other agencies that provide
health care to service members, such as the Department of
Transportation (DOT), which is responsible for the United States Coast
Guard, and other federal agencies which provide medical care to members
of the Armed Forces (e.g., the Department of State (DOS) provides such
care to military attachés and Marine security personnel assigned to
embassies and consulates overseas, and the Department of Veterans Affairs
provides care in certain areas of the country or in cases involving
specialized services). Other health care providers could also provide
information, for example, when a private sector physician treats a
member injured in an accident.
The special needs of the DOD and DOT for accessing information for
purposes other than treatment, payment or health care operations were
recognized in the Secretary's Recommendations. We considered several
options for accommodating the unique circumstances of a military health
care environment. We considered providing special rule-making authority
to the DOD and other federal agencies which provide care to members of
the military, but HIPAA does not allow for such delegation by the
Secretary of HHS. Therefore, we propose that health care providers and
health plans of the DOD, the DOT, the DOS, the Department of Veterans
Affairs as well as any other person or entity providing health care to
Armed Forces personnel, could use or disclose protected health
information without individual authorization for activities deemed
necessary by appropriate military command authorities to assure the
proper execution of the military mission.
The appropriate military command authorities, the circumstances in
which use or disclosure without individual authorization would be
required, and the activities for which such use or disclosure would
occur in order to assure proper execution of the military mission,
would be identified through Federal Register notices promulgated by the
DOD or the DOT (for the Coast Guard). The verification requirements in
Sec. 164.518(c) would apply to disclosures permitted without
authorization.
This proposal would not confer authority on the DOD or the DOT to
enact rules which would permit use or disclosure of health information
that is restricted or controlled by other statutory authority.
ii. Foreign diplomatic and military personnel.
The Department of Defense, as well as other federal agencies,
provides medical care to foreign military and diplomatic personnel, as
well as their dependents. Such care is provided pursuant to either
statutory authority (e.g., 10 U.S.C. 2549) or international agreement.
The care may be delivered either in the United States or overseas.
Also, where health care is provided in the United States, it may be
furnished by non-government providers when government delivered care is
not available or the beneficiary elects to obtain private as opposed to
government health care. Examples include:
Foreign military personnel being trained, or assigned to
U.S. military organizations, in the United States who receive care from
either government or private health care providers;
The DOD operated medical clinic which provides care to all
allied military and diplomatic personnel assigned to NATO SHAPE
Headquarters in Brussels, Belgium;
The DOS, which also is engaged in arranging health care
for foreign diplomatic and military personnel and their families, could
also have legitimate needs for information concerning the health
services involved.
We believe that the statute was not intended to cover this unique
class of beneficiaries. These persons are receiving U.S.-furnished
health care, whether private or governmental and whether in the United
States or overseas, because of the beneficiary's military or diplomatic
status. For such personnel, we believe that the country-to-country
agreements or federal statutes which call for, or authorize, such care
in furtherance of a national defense or foreign policy purpose should
apply. We propose to exclude foreign military and diplomatic personnel
and their dependents who receive health care provided by or paid for by
the DOD or other federal agency, or by an entity acting on its behalf
pursuant to a country-to-country agreement or federal statute, from the
definition of an ``individual'' in Sec. 164.504. Therefore, the health
information created about such persons by a DOD or other federal agency
health care provider would not be protected under this rule. However,
information created about such persons by covered health care providers
whose services are not paid for by or provided on behalf of a federal
agency would be protected health information.
iii. Overseas foreign national beneficiaries.
The Department of Defense, as well as other federal agencies and
U.S.-based non-governmental organizations, provides health care to
foreign nationals overseas incident to U.S. sponsored missions or
operations. Such care is provided pursuant to federal statute,
international agreement, international organization sponsorship, or
incident to military operations (including humanitarian and
peacekeeping operations). Examples include:
The DOD provides general health care to an indigenous
population incident to military deployment;
The DOD provides health care to captured and detained
personnel as a consequence of overseas combat operations. Such care is
mandated by international agreement, i.e., the Geneva Conventions. The
most recent example involves the surrender or capture of Iraqi soldiers
during the conduct of Operation Desert Storm;
A number of federal agencies and non-governmental
organizations provide health care services as part of organized
disaster relief or other humanitarian programs and activities around
the world.
We believe that the statute did not contemplate these unique
beneficiary populations. Under circumstances where health care is being
furnished to foreign nationals incident to sanctioned U.S. activities
overseas, application of these proposed rules could have the unintended
effect of impeding or frustrating the conduct of such activities, and
producing incongruous results. Examples include:
Requiring preparation of a notice advising the local
population of the information practices of the DOD incident to
receiving free medical care as part of disaster relief.
Medical information involving a prisoner of war could not
be disclosed, without the prisoner's consent, to U.S. military
authorities who have responsibility for operating the POW camps.
Therefore, we propose to exclude overseas foreign national
beneficiaries of health care provided by the DOD or other federal
agency, or by non-governmental organizations acting on behalf of a
federal agency, from the
[[Page 59975]]
definition of an individual. This exclusion would mean that any health
information created when providing health care to this population would
not be protected health information and therefore not covered by these
rules.
iv. Disclosure to the Department of Veterans Affairs.
Upon completion of an individual's military service, the DOD
routinely transfers that person's entire military service record,
including protected health information, to the Department of Veterans
Affairs so the file can be retrieved quickly if the individual or
his/her dependents apply for veterans benefits. This practice was initiated
in an effort to expedite veterans benefits eligibility determinations
by ensuring timely access to complete, accurate information on the
veteran's military service. Under the proposed rule, the transfer of
these files would require individual authorization if protected health
information is included. While this change could increase the time
necessary for benefits processing in some cases, we believe the privacy
interests outweigh the related administrative challenges. We invite
comment on whether our assessment of costs and benefits is accurate. We
also invite comment on alternative methods for ensuring privacy while
expediting benefits processing.
b. Application to the Department of Veterans Affairs.
[Please label comments about this section with the subject:
``Department of Veterans Affairs'']
We propose to permit protected health information to be used
without individual authorization by and among components of the
Department of Veterans Affairs that determine eligibility for or
entitlement to, or that provide, benefits under laws administered by
the Secretary of Veterans Affairs.
This exemption recognizes that the Veterans Administration consists of
two separate components: the Veterans Health Administration (which operates
health care facilities) and the Veterans Benefits Administration (which
operates the Veterans disability program). The close integration of the
operations of the two components may make requiring individual
authorizations before transferring protected health information
particularly disruptive. Further, the Veterans Health Administration
transfers medical information on a much larger scale than most other
covered entities, and requiring individual authorization for transfers
among components could compromise the Department of Veterans Affairs'
ability to fulfill its statutory mandates.
Nonetheless, we invite comments on this approach. In particular, we
are interested in whether the requirement for individual authorization
for disclosure of medical records for use in benefits calculations
would increase privacy protections for veterans, or whether it would be
of questionable value since most veterans would authorize disclosure if
it were tied to their benefits. We also are interested in comments on
whether the proposed approach would unreasonably hamper the Department
of Veterans Affairs in its ability to make accurate benefits
determinations in cases in which individuals choose not to authorize
disclosure.
c. Application to the Department of State.
[Please label comments about this section with the subject:
``Department of State'']
We propose to permit the Department of State to use and disclose
protected health information for certain purposes unrelated to its role
as a health care provider but necessary for the achievement of its
mission.
i. Importance of Foreign Service determinations and the need for
protected health information.
The Secretary of State administers and directs the Foreign Service.
As contemplated in the Foreign Service Act, the Foreign Service is ``to
serve effectively the interests of the United States'' and ``provide
the highest caliber of representation in the conduct of foreign
affairs;'' members of the Foreign Service are to be available to serve
in assignments throughout the world. As called for under the Foreign
Service Act, the DOS has established a health care program to promote
and maintain the physical and mental health of members of the Service
and that of other Government employees serving abroad under chief of
mission authority, as well as accompanying family members. The DOS
provides health care services to thousands of Foreign Service officers,
other government employees and their families serving abroad, many of
whom are frequently changing posts or assignments.
Worldwide availability for service is a criterion for entrance into
the Foreign Service, so that applicants with conditional offers of
employment must undergo medical clearance examinations to establish
their physical fitness to serve in the Foreign Service on a worldwide
basis prior to entrance into the Foreign Service. Employees and
accompanying family members also must be medically cleared before
assignments overseas, to preclude assignment to posts where existing
medical conditions would be exacerbated or where resources to support
an existing medical condition are inadequate.
The DOS uses protected health information gained through its role
as a health care provider to fulfill its other responsibilities. The
information is used to make medical clearance and fitness decisions as
well as other types of determinations requiring medical information
(such as fitness for duty or eligibility for disability retirement of
Foreign Service members). Such information is also used to determine
whether to immediately evacuate an individual for evaluation or
treatment, or to determine whether to allow an employee or family
member to remain in a position or at post abroad. An individual's
record can include medical information provided to the DOS with the
individual's authorization by outside health care providers, protected
health information about treatment provided or paid for by the DOS, and
medical information collected from non-treatment processes such as the
clearance process.
ii. Proposed requirements.
We are proposing to exempt the DOS from the requirement to obtain
individual authorization (Sec. 164.508) in order to use or disclose
protected health information maintained by its health care program in
certain cases. Specifically, the exemption would apply to the
disclosure or use of protected health information of the following
individuals for the following purposes: (1) Of applicants to the
Foreign Service for medical clearance determinations of physical
fitness to serve in the Foreign Service on a worldwide basis,
including: medical and mental conditions limiting assignability abroad;
conformance to occupational physical standards, where applicable; and
suitability;
(2) of members of the Foreign Service and other United States
Government employees assigned to serve abroad under Chief of Mission
authority, for (a) medical clearance determinations for assignment to
posts abroad, including: medical and mental conditions limiting such
assignment; conformance to occupational physical standards, where
applicable; continued fitness for duty, suitability, and continuation
of service at post (including decisions on curtailment); (b) separation
medical examinations; and (c) determinations of eligibility of members
of the Foreign Service for disability retirement (whether on
application of the employee or the Secretary);
(3) of eligible family members of Foreign Service or other United
States Government employees, for medical clearance determinations like
those described in (2) above to permit such family members to accompany
employees to posts abroad on Government orders, as well as
determinations regarding family members remaining at post and
separation medical examinations.
The proposed exemption is intended to maintain the DOS's procedures
regarding internal use of medical information in conformance with the
Privacy Act of 1974, as amended, and 42 CFR Part 2, which would
continue to apply to the DOS. The verification requirements of
Sec. 164.518(c) would apply to these disclosures.
The DOS is considering the need to add national security
determinations under Executive Order 10450, as amended, and other
suitability determinations to the exempted purposes listed above. We
therefore request comment as to the purposes for which use or
disclosure of protected health information without individual
authorization by the DOS would be appropriate.
d. Application to employees of the intelligence community.
[Please label comments about this section with the subject:
``Intelligence community'']
We propose to permit covered entities to disclose protected health
information about individuals who are employees of the intelligence
community (as defined in Section 4 of the National Security Act, 50
U.S.C. 401a), and their dependents, to intelligence community agencies
without individual authorization when authorized by law.
This provision addresses the special circumstances of the national
intelligence community. The preservation of national security depends
to a large degree on the health and well-being of intelligence
personnel. To determine fitness for duty, including eligibility for a
security clearance, these agencies must have continued access to the
complete health records of their employees. To ensure continued fitness
for duty, it is critical that these agencies have access to the entire
medical record on a continuing basis. An incomplete medical file that
excluded mental health information, for instance, could result in an
improper job placement and a potential breach in security.
The term ``intelligence community'' is defined in section 4 of the
National Security Act, 50 U.S.C. 401a, to include: the Office of the
Director of Central Intelligence, which shall include the Office of the
Deputy Director of Central Intelligence, the National Intelligence
Council (as provided for in 50 U.S.C. 403-5(b)(3) [1]), and such other
offices as the Director may designate; the Central Intelligence Agency;
the National Security Agency; the Defense Intelligence Agency; the
National Imagery and Mapping Agency; the National Reconnaissance
Office; other offices within the DOD for the collection of specialized
national intelligence through reconnaissance programs; the intelligence
elements of the Army, the Navy, the Air Force, the Marine Corps, the
Federal Bureau of Investigation, the Department of the Treasury, and
the Department of Energy; the Bureau of Intelligence and Research of
the Department of State; and such other elements of any other
department or agency as may be designated by the President, or
designated jointly by the Director of Central Intelligence and the head
of the department or agency concerned, as an element of the
intelligence community.
We would permit covered entities to disclose protected health
information concerning employees of the intelligence community and
their dependents where authorized by law. The verification requirements
of Sec. 164.518(c) would apply to these disclosures.
F. Rights of individuals.
[Please label comments about this section with the subject:
``Introduction to rights of individuals'']
The following proposed sections are intended to facilitate
individual understanding of and involvement in the handling of their
protected health information. Four basic individual rights would be
created under this section: the right to a notice of information
practices; the right to obtain access to protected health information
about them; the right to obtain access to an accounting of how their
protected health information has been disclosed; and the right to
request amendment and correction of protected health information.
The rights described below would apply with respect to protected
health information held by health care providers and health plans. We
are proposing that clearinghouses not be subject to all of these
requirements. We believe that as business partners of covered plans and
providers, clearinghouses would not usually initiate or maintain direct
relationships with individuals. The contractual relationship between a
clearinghouse (as a business partner) and a covered plan or provider
would bind the clearinghouse to the notice of information practices
developed by the plan or provider, and that notice would include
specific provisions regarding inspection, copying, amendment and
correction.
Therefore, we do not believe the clearinghouses should be required to
provide a notice or provide access for inspection, copying, amendment
or correction. We would require clearinghouses to provide an accounting
of any disclosures for purposes other than treatment, payment and
health care operations to individuals upon request. See proposed
Sec. 164.515. It is our understanding that the vast majority of the
clearinghouse function falls within the scope of treatment, payment,
and health care operations and therefore we do not believe providing
this important right to individuals will impose a significant burden on
the industry. We invite comment on whether or not we should require
clearinghouses to comply with all of the provisions of the individual
rights section.
1. Rights and Procedures for a Written Notice of Information Practices.
(Sec. 164.512)
[Please label comments about this section with the subject:
``Notice of information practices'']
a. Right to a written notice of information procedures. We are
proposing that individuals have a right to an adequate notice of the
information practices of covered plans and providers. The notice would
be intended to inform individuals about what is done with their
protected health information and about any rights they may have with
respect to that information. Federal agencies must adhere to a similar
notice requirement pursuant to the Privacy Act of 1974 (5 U.S.C.
552a(e)(3)).
We are not proposing that business partners (including health care
clearinghouses) be required to develop a notice of information
practices because, under this proposed rule, they would be bound by the
information practices of the health plan or health care provider with
whom they are contracting.
We considered requiring covered plans or providers to obtain a
signed copy of the notice form (or some other signed indication of
receipt) when they give the form to individuals. There are advantages
to including such a requirement. A signed acknowledgment would provide
evidence that the notice form has been provided to the individual.
Further, the request to the individual to formally acknowledge
receipt would highlight the importance of the notice, providing
additional encouragement for the individual to
read it and ask questions about its content.
We are concerned, however, that requiring a signed acknowledgment
would significantly increase the administrative and paperwork burden of
this provision. We also are unsure of the best way for health plans to
obtain a signed acknowledgment because plans often do not have face-to-
face contact with enrollees. It may be possible to collect an
acknowledgment at initial enrollment, for example by adding an
additional acknowledgment to the enrollment form, but it is less clear
how to obtain it when the form is revised. We solicit comment on
whether we should require a signed acknowledgment. Comments that
address the relative advantages and burdens of such a provision would
be most useful. We also solicit comment on the best way for health
plans to obtain signed acknowledgments if such a provision is
included in the final rule. We also solicit comments on other
strategies, not involving signed acknowledgments, to ensure that
individuals are effectively informed about the information practices of
covered plans or providers.
b. Revising the notice. We are proposing that covered plans and
providers be permitted to change their policies and procedures at any
time. Before implementing a change in policies and procedures, the
covered plan or provider must revise its notice accordingly. However,
where the covered plan or provider determines that a compelling reason
exists to take an action that violates its notice, it may do so only if
it documents the reason supporting the action and revises its notice
within 30 days of taking such action. The distribution requirements
that would apply when the notice has been materially revised are
discussed in detail below.
c. Content of the notice. In Sec. 164.512, we propose the
categories of information that would be required in each notice of
information practices, the specific types of information that would
have to be included in each category, and general guidance as to the
presentation of written materials. A sample notice is provided in the
Appendix to this preamble. This sample notice is provided as an example
of how the policies of a specific covered health care provider could be
presented in a notice. Each covered health plan and health care
provider would be required to create a notice that complies with the
requirements of this proposed rule and reflects its own unique
information practices. It does not indicate all possible information
practices or all issues that could be addressed in the notice. Covered
plans and providers may want to include significantly more detail, such
as the business hours during which an individual could review their
records or its standard time frame for responding to requests to review
records; entities could choose to list all types of mandatory
disclosures.
In a separate section of this proposed rule, we would require
covered plans or providers to develop and document policies and
procedures relating to use, disclosure, and access to protected health
information. See proposed Sec. 164.520. We intend for the documentation
of policies and procedures to be a tool for educating the entity's
personnel about its policies and procedures. In addition, the
documentation would be the primary source of information for the notice
of information practices. We intend for the notice to be a tool for
educating individuals served by the covered plan or provider about the
information practices of that entity. The information contained in the
notice would not be as comprehensive as the documentation, but rather
provide a clear and concise summary of relevant policies and
procedures.
We considered prescribing specific language that each covered plan
or provider would include in its notice. The advantages of this
approach would be that the recipient would get exactly the same
information from each covered plan or provider in the same format, and
that it would be convenient for covered plans or providers to use a
uniform model notice.
There are, however, several disadvantages to this approach. First,
and most important, no model notice could fully capture the information
practices of every covered plan or provider. Large entities will have
different information practices than small entities. Some health care
providers, for example academic teaching hospitals, may routinely
disclose identifiable health information for research purposes. Other
health care providers may rarely or never make such disclosures. To be
useful to individuals, each entity's notice of information practices
should reflect its unique privacy practices.
Another disadvantage of prescribing specific language is that it
would limit each covered plan or provider's ability to distinguish
itself in the area of privacy protections. We believe that if
information on privacy protections were readily available, individuals
might compare and select plans or providers based on their information
practices. In addition, a uniform model notice could easily become
outdated. As new communication methods or technologies are introduced,
the content of the notices might need to reflect those changes.
Where a covered plan or provider adopts and follows the notice
content and distribution requirements described below, we would
presume, for the purposes of compliance, that the plan or provider has
provided adequate notice. However, the proposed requirements for the
content of the notice are not intended to be exclusive. Covered plans
or providers could include additional information and additional
detail, beyond that required. In particular, all federal agencies must
still comply with the Privacy Act of 1974. For federal agencies that
are covered plans or providers, this would mean that the notice must
comply with the notice requirements provided in the Privacy Act as well
as those included in this proposed rule.
i. Uses and disclosures of protected health information.
In proposed Sec. 164.512, we would require each covered plan and
provider to include in the notice an explanation of how it uses and
discloses protected health information. The explanation must be
provided in sufficient detail as to put the individual on notice of the
uses and disclosures expected to be made of his or her protected health
information. As explained above in section II.C.5, covered plans and
providers may only use and disclose protected health information for
purposes stated in this notice.
This section of the notice might be as simple as a statement that
information will be used and disclosed for treatment, payment,
administrative purposes, and quality assurance. If the entity will be
using or disclosing the information for other purposes, the notice must
include a brief explanation. For example, some entities might include a
statement that protected health information will be used for clinician
education and disclosed for research purposes. We are soliciting
comment on the level of detail that should be required in describing
the uses and disclosures, specifically with respect to uses and
disclosures for health care operations.
In addition we would require that notices distinguish between those
uses and disclosures the entity makes that are required by law and
those that are permitted but not required by law. By distinguishing
between uses and disclosures that an entity is required to make and
those that the entity is choosing to make, the notice would provide the
individual with a clearer understanding of the entity's privacy
practices.
For uses and disclosures required by law, the notice need only list
the categories of disclosures that are authorized by law, and note that
it complies with such requirements. This language could be the same for
every covered entity within a State, territory or other locale. We
encourage states, state professional associations, and other
organizations to develop model language to assist covered plans or
providers in preparing this section of the notice.
For each type of permissible use or disclosure that the entity
makes (e.g., research, public health, and next-of-kin), the notice
would include a brief statement explaining the entity's policy with
respect to that type of disclosure. For example, if all relevant laws
permit health care providers to disclose protected health information
to public health without individual authorization, the entity would
need to develop policies and procedures regarding when and how it will
make such disclosures. The entity would then document those policies
and procedures as required by Sec. 164.520 and the notice would include
a statement of these policies. For example, the notice might state ``we
will disclose your protected health information to public health
authorities upon request.''
We considered requiring the notice to include not only a discussion of
the actual disclosure practices of the covered entity, but also a
listing or discussion of all additional disclosures that are authorized
by law. We considered this approach because, under this proposed rule,
covered plans or providers would be permitted to change their
information practices at any time, and therefore individuals would not
be able to rely on the entity's current policies alone to understand
how their protected health information may be used in the future. We
recognize that in order to be fully informed, individuals need to
understand when their information could be disclosed.
We rejected this approach because we were concerned that a notice
with such a large amount of information could be burdensome to both the
individuals receiving the notices and the entities required to prepare
and distribute them. There are a substantial number of required and
permitted disclosures under State or other applicable law, and this
rule generally would permit them to be made.
Alternatively, we considered requiring that the notice include all
of the types of permissible disclosures under this rule (e.g., public
health, research, next-of-kin). We rejected that approach for two
reasons. First, we felt that providing people with notice of the
intended or likely disclosures of their protected health information
was more useful than describing all of the potential types of
disclosures. Second, in many States and localities, different laws may
affect the permissible disclosures that an entity may make, in which
case a notice only discussing permissible disclosures under the federal
rule would be misleading. While it would be possible to require covered
plans or providers to develop notices that discuss or list disclosures
that would be permissible under this rule and other law, we were
concerned that such a notice may be very complicated because of the
need to discuss the interplay of federal, State or other law for each
type of permissible disclosure. We invite comments on the best approach
to provide the most useful information to individuals without
overburdening either covered plans or providers or the recipients of
the notices.
In Sec. 164.520, we are proposing to require all covered entities
to develop and document policies and procedures for the use of
protected health information. The notice would simply summarize those
documented policies and procedures and therefore would entail little
additional burden.
ii. Required statements.
We are proposing that the notice include several basic statements
to inform the individual of their rights and interests with respect to
protected health information. First, we propose to require the notice
to inform individuals that the covered plan or provider will not use or
disclose their protected health information for purposes not listed in
the notice without the individual's authorization. Individuals need to
understand that they can authorize a disclosure of their protected
health information and that the covered entity may request the
individual to authorize a disclosure, and that such disclosures are
subject to their control. The notice should also inform individuals
that such authorizations can be revoked.
Second, we propose that the notice inform individuals that they
have the right to request that the covered plan or provider restrict
certain uses and disclosures of protected health information about
them. The notice would also inform individuals that the covered plan or
provider is not required to agree to such a request.
Third, we propose that the notice also inform individuals about
their right of access to protected health information for inspection
and copying and to an accounting of disclosures as provided in proposed
Secs. 164.514 and 164.515. In addition, the notice would inform
individuals about their right to request an amendment or correction of
protected health information as proposed in Sec. 164.516. The notice
would include brief descriptions of the procedures for submitting
requests to the covered plan or provider.
Fourth, the notice would be required to include a statement that
there are legal requirements that require the covered plan or provider
to protect the privacy of its information, provide a notice of
information practices, and abide by the terms of that notice.
Individuals should be aware that there are government requirements in
place to protect their privacy. Without this statement, individuals may
not realize that covered plans or providers are required to take
measures to protect their privacy, and may therefore be less interested
in pursuing their rights or finding out more information.
Fifth, the notice would be required to include a statement that the
entity may revise its policies and procedures with respect to uses or
disclosures of protected health information at any time and that such a
revision could result in additional uses or disclosures without the
individual's authorization. The notice also should inform the
individual how a revised notice would be made available when material
revisions in policies and procedures are made. For example, when a
provider makes a material change to its notice, proposed
Sec. 164.512(e) would require the provider to post a new notice.
Finally, we propose that the notice inform individuals that they
have the right to complain to the covered entity and to the Secretary
if they believe that their privacy rights have been violated.
iii. Identification of a contact person for complaints and
additional information.
We propose that the notice be required to identify a contact person
or office within the covered plan or provider to receive complaints, as
provided in proposed Sec. 164.518(a)(2), and to help the individual
obtain further information on any of the issues identified in the
notice. A specific person would not need to be named in the notice. It
could be an office or general number where someone who can answer
privacy questions or concerns can be reached.
In Sec. 164.518(d), we are proposing that covered plans and
providers permit individuals to submit complaints to the covered
entity. We are proposing that the contact person identified in the
notice be responsible for initially receiving such complaints. The
contact person might or might not be responsible for processing and
resolving complaints, but, if not, he or she would forward the
complaints to the appropriate personnel or office. See discussion of
the complaint process in section II.G.4, below.
In addition to receiving complaints, the contact person would be
able to help the individual obtain further information on any of the
issues identified in the notice. The contact person would be able to
refer to the documented policies and procedures required by proposed
Sec. 164.520. We would not prescribe a formal method for responding to
questions.
The administrative requirements section below, proposed
Sec. 164.518(a), would also require the entity to designate an official
to develop policies for the use and disclosure of protected health
information and to supervise personnel with respect to use and
disclosure of protected health information. We would not require this
official to also be the contact person. Depending on the size and
structure of the entity, it might be appropriate to require one person
to fill both roles.
iv. Date the notice was produced.
We are proposing that covered plans and providers include the date
that the notice was produced on the face of the notice. We would also
encourage the provider to highlight or otherwise emphasize any changes
to help the individual recognize such changes.
d. Requirements for distribution of the notice. It is critical to
the effectiveness of this proposed rule that individuals be given the
notice often enough to remind them of their rights, but without
overburdening covered plans or providers. We propose that all covered
plans and providers would be required to make their notice available to
any individual upon request, regardless of whether the requestor is
already a patient or enrollee. We believe that broad availability would
encourage individuals or organizations to compare the privacy practices
of plans or providers to assist in making enrollment or treatment
choices. We also propose additional distribution requirements for
updating notices, which would be different for health plans and health
care providers. The requirements for health plans and health care
providers are different because we recognize that they have contact
with individuals at different points in time in the health care system.
i. Health plans.
We considered a variety of combinations of distribution practices
for health plans and are proposing what we believe is the most
reasonable approach. We would require health plans to distribute the
notice by the effective date of the final rule, at enrollment, within
60 days of a material change to the plan's information practices, and
at least once every three years.
We considered requiring health plans to post the notice either in
addition to or instead of distribution. Because most individuals rarely
visit the office of their health plan, we do not believe that this
would be an effective means of communication. We also considered either
requiring distribution of the notice more or less frequently than every
three years. As compared to most health care providers, we believe that
health plans often are larger and have existing administrative systems
to cost effectively provide notification to individuals. Three years
was chosen as a compromise between the importance of reminding
individuals of their plans' information practices and the need to keep
the burden on health plans to the minimum necessary to achieve this
objective. We are soliciting comment on whether requiring a notice
every three years is reasonable for health plans.
ii. Health care providers.
We are proposing to require that covered health care providers
provide a copy of the notice to every individual served at the time of
first service delivery, that they post the notice in a clear and
prominent location where it is reasonable to expect individuals seeking
service from the provider to be able to read the notice, and that
copies be available on-site for individuals to take with them. In
addition, we are proposing to require that covered health care
providers provide a copy of the notice to individuals they are
currently serving at their first instances of service delivery within a
year of the effective date of the final rule.
We would not require health care providers to mail or otherwise
disseminate their notices after giving the notice to individuals at the
time of the first service delivery. Health care providers' patient
lists may include individuals they have not served in decades. It would
be difficult for providers to distinguish between ``active'' patients,
those who are seen rarely, and those who have moved to different
providers. While some individuals will continue to be concerned with
the information practices of providers who treated them in the distant
past, overall the burden of an active distribution requirement would
not be outweighed by improved individual control and privacy
protection.
We recognize that some health care providers, such as clinical
laboratories, pathologists and mail order pharmacies, do not have face-
to-face contact with individuals during service delivery. Such
providers would be required to provide the required notice in a
reasonable period of time following first service delivery, through
mail, electronic notice (i.e. e-mail), or other appropriate medium. For
example, a web-based pharmacy could meet this distribution requirement
by providing a prominent and conspicuous link to its notice on its home
page and by requiring review of that notice before processing an order.
If a provider wishes to make a material change in the information
practices addressed in the notice, it would be required to revise its
notice in advance. After making the revision, the provider would be
required to post the new notice promptly. We believe that this approach
creates the minimum burden for health care providers consistent with
giving individuals a clear source of accurate information.
e. Plain language requirement. We are proposing to apply a plain
language requirement to notices developed by covered plans or providers
under these proposed rules. A covered plan or provider could satisfy
the plain language requirement if it made a reasonable effort to:
organize material to serve the needs of the reader; write sentences in
the active voice, use ``you'' and other pronouns; use common, everyday
words in sentences; write in short sentences; and divide material into
short sections.
We also considered proposing formatting specifications such as
requiring the covered plan or provider to use easy-to-read design
features (e.g., lists, tables, graphics, contrasting colors, and white
space), type face, and font size in the notice. We are soliciting
comment on whether these additional format specifications should be
required.
The purpose of the notice proposed in the rules below is to tell
the recipient how protected health information collected about them
will be used. Recipients who cannot understand the entity's notice
would miss important information about their privacy rights and how the
entity is protecting health information about them. One of the goals of
this proposed rule is to create an environment of open communication
and transparency with respect to the use and disclosure of protected
health information. A lack of clarity in the notice could undermine
this goal and
create misunderstandings. Covered plans or providers have an incentive
to make their notice statements clear and concise. We believe that the
more understandable notices are, the more confidence the public will
have in the entity's commitment to protecting the privacy of health
information.
It is important that the content of the notice be communicated to
all recipients and therefore we would encourage the covered plan or
provider to consider alternative means of communicating with certain
populations. We note that any covered entity that is a recipient of
federal financial assistance is generally obligated under title VI of
the Civil Rights Act of 1964 to provide material ordinarily distributed
to the public in the primary languages of persons with limited English
proficiency in the recipients' service areas. Specifically, this title
VI obligation provides that, where a significant number or proportion
of the population eligible to be served or likely to be directly
affected by a federally assisted program need service or information in
a language other than English in order to be effectively informed of or
participate in the program, the recipient shall take reasonable steps,
considering the scope of the program and the size and concentration of
such population, to provide information in language appropriate to such
persons. For entities not subject to title VI, the title VI standards
provide helpful guidance for effectively communicating the content of
their notices to non-English speaking populations.
We also would encourage covered plans or providers to be attentive
to the needs of individuals who cannot read. For example, an employee
of the entity could read the notice to individuals upon request or the
notice could be incorporated into a video presentation that is played
in the waiting area.
The requirement of a printed notice should not be interpreted as a
limitation. For example, if an individual who is requesting a notice
from a covered plan or provider were to ask to receive the notice via
e-mail, the requirements of this proposed rule could be met by
providing the notice via e-mail. The proposed rule would not preclude
the use of alternative forms of providing the notice and we would
encourage covered plans or providers to use other forms of
distribution, such as posting their privacy notices on their web sites.
While this will not substitute for paper distribution when that is
requested by an individual, it may reduce the number of requests for
paper copies.
2. Rights and Procedures for Access for Inspection and Copying
(Sec. 164.514)
a. Right of access for inspection or copying. (Sec. 164.514(a))
[Please label comments about this section with the subject:
``Access for inspection or copying'']
In Sec. 164.514, we are proposing that, with very limited
exceptions, individuals have a right to inspect and copy protected
health information about them maintained by a covered health plan or
health care provider in a designated record set. Individuals would also
have a right of access to protected health information in a designated
record set that is maintained by a business partner of a covered plan
or provider when such information is not a duplicate of the information
held by the plan or provider, including when the business partner is
the only holder of the information or when the business partner has
materially altered the protected health information that has been
provided to it.
This right of access means that an individual would be able to
either inspect or obtain copies of his or her health information
maintained in a designated record set by covered plans and providers
and, in limited circumstances, by their business partners. Inspection
and copying is a fundamental aspect of protecting privacy; this right
empowers individuals by helping them to understand the nature of the
health information about them that is held by their providers and plans
and to correct errors. In order to facilitate an open and cooperative
relationship with providers and allow the individual a fair opportunity
to know what information is held by an entity, inspection and copying
should be permitted in almost every case.
While the right to have access to one's information may appear
somewhat different from the right to keep information private, these
two policy goals have always been closely tied. For example,
individuals are given an almost absolute right of access to information
in federal health record systems under the Privacy Act of 1974 (5
U.S.C. 552a(d)). The Privacy Protection Study Commission recommended
that this right be available. (Personal Privacy in an Information
Society 299 (1977)). The right of access was a key component of the
President's Advisory Commission on Consumer Protection and Quality in
the Health Care Industry recommendations in the Consumer Bill of Rights
and Responsibilities. The Commission's report stated that consumers
should ``have the right to review and copy their own medical records
and request amendments to their records.'' (Consumer Bill of Rights and
Responsibilities, Chapter Six: Confidentiality of Health Information,
November 1997). Most recently, the Health Privacy Project issued a
statement of ``Best Principles for Health Privacy'' that included the
same recommendation. Health Privacy Project, Institute for Health
Policy Solutions, Georgetown University (June 1999)
(http://www.healthprivacy.org).
Open access to health information can benefit both the individuals
and the covered entities. It allows individuals to better understand
their own diagnosis and treatment, and to become more active
participants in their health care. It can increase communication,
thereby enhancing individuals' trust in their health care providers and
increasing compliance with the providers' instructions. If individuals
have access to and understand their health information, changing
providers may not disrupt health care or create risks based on lack of
information (e.g., drug allergies or unnecessary duplication of tests).
i. Information available for inspection and copying.
In Sec. 164.514(a), we are proposing to give the individual a right
of access to information that is maintained in a designated record set.
We intend to provide a means for individuals to have access to any
protected health information that is used to affect their rights and
interests. This would include, for example, information that would be
used to make health care decisions or information that would be used in
determining whether an insurance claim would be paid. Covered plans or
providers often incorporate the same protected health information that
is used to make these types of decisions into a variety of different
data systems. Not all of those data systems will be utilized to make
determinations about specific individuals. For example, information
systems that are used for quality control analyses are not usually used
to make determinations about a specific patient. We would not require
access to these other systems.
In order to ensure that individuals have access to the protected
health information that is used, we are introducing the concept of a
``designated record set.'' In using the term ``designated record set,''
we are drawing on the concept of a ``system of records'' that is used
in the Privacy Act. Under the Privacy Act, federal agencies must
provide an individual with access to ``information pertaining to him
which
is contained in (a system of records).'' 5 U.S.C. 552a(d)(1). A
``system of records'' is defined as ``a group of any records under the
control of any agency from which information is retrieved by the name
of the individual or by some identifying number, symbol, or other
identifying particular assigned to the individual.'' 5 U.S.C.
552a(a)(5). Under this rule, a ``designated record set'' would be ``a
group of any records under the control of any covered entity from which
information is retrieved by the name of the individual or by some
identifying number, symbol, or other identifying particular assigned to
the individual.'' See discussion in section II.B.
Files used to back up a primary data system or the sequential files
created to transmit a batch of claims to a clearinghouse are clear
examples of data files which do not fall under this definition. We
rejected requiring individual access to all records in which she or he
was identifiable because of the extreme burden it would place on
covered plans or providers without providing additional information or
protection for the individual. We also rejected using the subset of
such records which were accessed directly by individual identifiers
because of the redundancy of information involved and the increasing
use of database management systems to replace legacy systems that do
sequential processing. These would be accessed by individual identifier
but would contain redundant data and be used for routine processing
that did not directly affect the individual. We concluded that access
to only such record sets that were actually accessed by individual
identifier and that were used to make substantive decisions that affect
individuals would provide the desired information with a minimum of
burden for the covered plans or providers.
We note that the standard would apply to records that are
``retrieved'' by an identifier and not records that are only
``retrievable'' by an identifier. In many cases, technology will permit
sorting and retrieving by a variety of fields and therefore the
``retrievable'' standard would be relatively meaningless. We intend to
limit access to those sets of records actually used to affect the
interests of the individual.
We believe that by providing access to protected health information
maintained in a designated record set, we would be ensuring that
individuals will be able to inspect or copy relevant and appropriate
information without placing too significant a burden on covered
plans or providers. We are soliciting comment on whether limiting
access to information maintained in a designated record set is an
appropriate standard when applied to covered plans and providers and
their business partners.
ii. Right of access to information maintained by business partners.
In Sec. 164.506(e), we are proposing that covered plans and
providers include specific terms in their contract with each business
partner. One of the required terms would be that the business partner
must provide for inspection and copying of protected health information
as provided in this section. Because our authority is limited by HIPAA
to the covered entities, we must rely upon covered plans and providers
to ensure that all of the necessary protected health information
provided by the individual to the plan or provider is available for
inspection and copying. We would require covered plans and providers to
provide access to information held in the custody of a business partner
when it is different from information maintained by the covered plan or
provider. We identified two instances where this seemed appropriate:
when the protected health information is only in the custody of a
business partner and not in the custody of the covered plan or
provider; and when protected health information has been materially
altered by a business partner. We are soliciting comment on whether
there are other instances where access should be provided to protected
health information in the custody of a business partner.
Other than in their capacity as business partners, we are not
proposing to require clearinghouses to provide access for inspection
and copying. As explained above in section II.C.5, clearinghouses would
usually be business partners under this proposed rule and therefore
they would be bound by the contract with the covered plan or provider.
See proposed Sec. 164.506(e). We carefully considered whether to
require clearinghouses to provide access for inspection and copying
above and beyond their obligations as a business partner, but
determined that the typical clearinghouse activities of translating
record formats and batching transmissions do not involve setting up
designated record sets on individuals. Although the data maintained by
the clearinghouse is protected health information, it is normally not
accessed by individual identifier and an individual's records could not
be found except at great expense. In addition, although clearinghouses
process protected health information and discover errors, they do not
create the data and make no changes in the original data. They,
instead, refer the errors back to the source for correction. Thus,
individual access to clearinghouse records provides no new information
to the individual but could impose a significant burden on the
industry.
As technology improves it is likely that clearinghouses will find
ways to take advantage of databases of protected health information
that aggregate records on the basis of the individual subject of the
information. This technology would allow more cost-effective access to
clearinghouse records on individuals and therefore access for
inspection and copying could be appropriate and reasonable.
iii. Duration of the right of access.
We are proposing that covered plans and providers be required to
provide access for as long as the entity maintains the protected health
information. We considered requiring covered plans and providers to
provide access for a specific period or defining a specific retention
period. We rejected that approach because many laws and professional
standards already designate specific retention periods and we did not
want to create unnecessary confusion. In addition, we concluded that
individuals should be permitted to have access for as long as the
information is maintained by the covered plan or provider. We are
soliciting comments on whether we should include a specific duration
requirement in this proposed rule.
b. Grounds for denial of access for inspection and copying.
Proposed Sec. 164.514 would permit denial of inspection and copying
under very limited circumstances. The categories of denials would not
be mandatory; the entity could always elect to provide all of the
requested health information to the individual. For each request by an
individual, the entity could provide all of the information requested
or it could evaluate the requested information, consider the
circumstances surrounding the individual's request, and make a
determination as to whether that request should be granted or denied.
We intend to create narrow exceptions to the stated rule of open access
and we would expect covered plans and providers to employ these
exceptions rarely, if at all.
In proposing these categories of permissible denials, we are not
intending to create a legal duty for the entity to review all of the
health information before releasing it. Rather, we are proposing them
as a means of preserving the flexibility and judgment of covered plans
or providers under appropriate circumstances.
Entities subject to the Privacy Act would not be able to deny a
request for inspection and copying under all of the circumstances
permitted by this proposed rule. They would continue to be governed by
the denials permitted by the Privacy Act and applicable regulations.
See section II.I.4.a for further discussion.
i. Disclosures reasonably likely to endanger life or physical
safety.
In Sec. 164.514(b)(1)(i), we propose that covered plans and
providers be permitted to deny a request for inspection or copying if a
licensed health care professional has determined that, in the exercise
of reasonable professional judgment, the inspection and copying
requested is reasonably likely to endanger the life or physical safety
of the individual or another person. Denial based on this provision, as
with all of the provisions in this section, would be discretionary.
While it is important to protect the individual and others from
physical harm, we are also concerned about the subjectivity of the
standard and are soliciting comments on how to incorporate a more
objective standard into this provision.
We are proposing that covered plans and providers should only
consider denying a request for inspection and copying under this
provision in situations where a licensed health care professional (such
as a physician, physician's assistant or nurse) makes the determination
that access for inspection and copying would be reasonably likely to
endanger life or physical safety. We are proposing to require a
licensed health care professional to make the determination because it
would rely entirely on the existing standards and ethics in the medical
profession. In some instances, the covered plan or provider would be a
licensed health care professional and therefore, he or she could make
the determination independently. However, when the request is made to a
health plan, the entity would need to consult with a health care
professional in order to deny access under this provision.
We are soliciting comments as to whether the determination under
this provision should be limited to health care professionals who have
an existing relationship with the individual. While such a limitation
would significantly restrict the scope of this provision and could
reduce the number of denials of requests for inspection and copying, it
could also ensure that the determination of potential harm is as
accurate as possible.
By proposing to allow covered plans and providers to deny a request
for inspection and copying based on potential endangerment, we are not
suggesting that entities should deny a request on that basis. This
provision is not intended to be used liberally as a means of denial of
individual inspection and copying rights for all mental health records
or other ``sensitive'' health information. Each request for access
would have to be assessed on its own merits. We would expect the
medical community to rely on its current professional standards for
determining what constitutes a threat to life or physical safety.
As explained above, we are not proposing to create a new ``duty''
whereby entities can be held liable for failure to deny inspection and
copying. We simply are acknowledging that some providers, based on
reasonable professional judgment, may already assume a duty to protect
an individual from some aspect of their health information because of
the potential for physical harm. The most commonly cited example is
when an individual exhibits suicidal or homicidal tendencies. If a
health care professional determines that an individual exhibits such
tendencies and that permitting inspection or copying of some of their
health information could reasonably result in the individual committing
suicide, murder or other physical violence, then the individual could
be denied access to that information.
We considered whether covered plans and providers should be
permitted to deny access on the basis of sensitivity of the health
information or the potential for causing emotional or psychological
harm. Many States allow denial of access on similar grounds. In
balancing the desire to provide individual access against the need to
protect the individual, we concluded that the individual access should
prevail because in the current age of health care, it is critical that
the individual is aware of his or her health information.
Therefore, if a health care professional determines that inspection
and copying of the requested information may cause emotional or
psychological harm, but is not reasonably likely to endanger the life
or physical safety of the individual or another person, then the
covered plan or provider would not be permitted to deny the
individual's request. If the entity is concerned about the potential
for emotional or psychological harm, we would encourage it to offer
special procedures for explaining the information or counseling the
individual. For example, an entity could offer to have a nurse or other
employee review the information or the format with the individual or
provide supplemental written materials explaining a diagnosis. If the
entity elects to offer such special procedures, the entity would not be
permitted to condition inspection and copying upon compliance with the
procedures. We are not proposing to require covered plans or providers
to establish any informational or counseling procedures and we are not
proposing that individuals be required to comply with any procedures in
order to obtain access to their protected health information. We invite
comment on whether a standard such as emotional distress or
psychological harm should be included as a reason for which a covered
plan or provider could deny a request for inspection or copying.
ii. Disclosures likely to cause harm to another individual.
We propose that covered plans and providers be permitted to deny a
request for inspection or copying if the information requested is about
another person (other than a health care provider) and a licensed
health care professional has determined that inspection or copying is
reasonably likely to cause substantial harm to that other person. We
believe that it is rare that information about one person would be
maintained within the health records of another without one or both of
their knowledge. On some occasions when health information about one
person is relevant to the care of another, a physician may incorporate
it into the latter's record, such as information from group therapy
sessions and illnesses with a genetic component. In some instances the
information could be shared without harm, or may already be known to
the individual. There may, however, be situations where disclosure
could harm the other person, such as by implicitly revealing facts
about past sexual behavior, nonpaternity, or similarly sensitive
information. This provision would permit withholding of information in
such cases.
We believe that this determination should be based on the existing
standards and ethics in the medical profession. We are soliciting
comments on whether the determination under this provision should be
limited to health care professionals who have an existing relationship
with the person who is expected to be harmed as a result of the
inspection or copying.
Information about a third party may appear in an individual's
records unbeknownst to the individual. In such cases if the individual
chooses to exercise her right to inspect her protected health
information, the covered plan or provider providing her access would be
making an
unauthorized disclosure unless the third party has provided a written
authorization. We considered requiring that access to such information
be denied because the third party had not provided an authorization. We
considered proposing that the covered plan or provider would be
required to deny an individual's request for access to any information
about another person, unless there was a potential for harm to the
individual who would be denied. This would have been the only instance
where we would require that access be denied as a general rule. We
recognized that such requirements would ultimately require covered
plans and providers to review every piece of protected health
information before permitting inspection and copying to determine if
information about another person was included and whether the requester
would be harmed without such information. We concluded that this would
impose a significant burden on covered plans and providers. We seek
comment on whether and how often individual health records contain
identifiable information about other persons, and current practice
relating to the handling of such information in response to individual
requests for access.
iii. Disclosures of confidential information likely to reveal the
source.
We propose that covered plans or providers be permitted to deny a
request for inspection and copying if the entity determines that the
requested information was obtained under a promise of confidentiality
from someone other than a health care provider and such access would be
likely to reveal the source of the information. This provision is
intended to preserve an entity's ability to maintain an implicit or
explicit promise of confidentiality.
Covered plans and providers would not be permitted to deny access
when the information has been obtained from another health care
provider. An individual is entitled to have access to all information
about him or her generated by the health care system (apart from the
other exceptions we propose here), and confidentiality promises by
health care providers to other providers should not interfere with that
access.
iv. Disclosures of clinical trial information.
While a clinical trial is research, it is also health care as
defined in Sec. 160.103, and the information generated in the course of
the trial would be protected health information. In
Sec. 164.514(b)(iv), we are proposing that a researcher/provider could
deny a request for inspection and copying of the clinical trial record
if the trial is still in progress, and the subject-patient had agreed
to the denial of access in conjunction with the subject's consent to
participate in the trial. The IRB or privacy board would determine
whether such waiver of access to information is appropriate, as part of
its review of the research protocol. In the rare instances in which
individuals are enrolled in trials without consent (such as those
permitted under FDA regulations, at 21 CFR 50.23), the covered entity
could deny access to information during the course of the trial even
without advance subject consent.
Clinical trials are often masked--the subjects do not know the
identity of the medication they are taking, or of other elements of
their record while the trial is in progress. The research design
precludes their seeing their own records and continuing in the trial.
Thus it is appropriate for the patient to waive the right to see the
record while the trial is in progress. This understanding would be an
element of the patient's consent to participate in the trial; if the
consent signed by the patient did not include this fact, the patient
would have the normal right to see the record. In all cases, the
subject would have the right to see the record after the trial is
completed.
As with all grounds for denial of access, denial would not be
required under these circumstances. We would expect all researchers to
maintain a high level of ethical consideration for the welfare of trial
participants and provide access where appropriate. For example, if a
participant has a severe adverse reaction, disclosure of information
during the course of the trial may be necessary to give the participant
adequate information for proper treatment decisions.
v. Disclosure of information compiled for a legal proceeding.
In Sec. 164.514(b)(1)(v), we are proposing that covered plans and
providers be permitted to deny a request for inspection and copying if
the information is compiled in reasonable anticipation of, or for use
in, a legal proceeding. This provision would permit the entity to deny
access to any information that relates specifically to legal
preparations but not to the individual's underlying health information.
For example, when a procedure results in an adverse outcome, a
hospital's attorney may obtain statements or other evidence from staff
about the procedure, or ask consultants to review the facts of the
situation for potential liability. Any documents containing protected
health information that are produced as a result of the attorney's
inquiries could be kept from the individual requesting access. This
provision is intended to incorporate the attorney work-product
privilege. Similar language is contained in the Privacy Act and has
been interpreted to extend beyond attorneys to information prepared by
``lay investigators.''
We considered limiting this provision to ``civil'' legal
proceedings but determined that such a distinction could create
difficulties in implementation. In many situations, information is
gathered as a means of determining whether a civil or criminal
violation has occurred. For example, if several patients were
potentially mistreated by a member of a provider's staff, the provider
may choose to get copies of the patients' records and interview other
staff members. The provider may not know at the time they are compiling
all of this information whether any investigation, civil or criminal,
will take place. We are concerned that if we were to require the entity
to provide the individual with access to this information, we might
unreasonably interfere with this type of internal monitoring.
c. Provision of other protected health information where access for
inspection and copying is denied. In proposed Sec. 164.514(b)(2), we
would require a covered plan or provider that elects to deny a request
for inspection or copying as provided above to make any other protected
health information requested available to the individual to the extent
possible consistent with the denial. The plan or provider could redact
or otherwise exclude only the information that falls within one or more
of the denial criteria described above and would be required to permit
inspection and copying of all remaining information. This provision is
key to the right to inspect and copy one's health information. We
intend to create narrow exceptions to the stated rule of open access
for inspection and copying and we would expect covered plans or
providers to employ these exceptions rarely, if at all. In the event
that a covered plan or provider would find it necessary to deny access,
then the denial would need to be as limited in scope as possible.
d. Procedures to effect right of access for inspection and copying.
In Sec. 164.514(c) and (d), we are proposing that covered plans and
providers be required to have procedures that enable individuals to
exercise their rights to inspect and obtain a copy of protected health
information as explained above.
We considered whether this proposed rule should include detailed
procedures governing an individual's request for inspection and copying.
Because this propos