The rules proposed below also would affect various federal programs, some of which may have requirements that are, or appear to be, inconsistent with the requirements proposed below. Such federal programs include those programs that are operated directly by the federal government, such as the health benefit programs for federal employees or the health programs for military personnel. They also include a wide variety of health services or benefit programs in which health services or benefits are provided by the private sector or by State or local government, but which are governed by various federal laws. Examples of the latter types of programs would be the Medicare and Medicaid programs, the health plans governed by the Employee Retirement Income Security Act of 1974, 29 U.S.C. 1001, et seq. (ERISA), the various clinical services programs funded by federal grants, and substance abuse treatment programs.
Some of the above programs are explicitly covered by HIPAA. Section 1171 of the Act defines the term “health plan” to include the following federally conducted, regulated, or funded programs: group plans under ERISA which either have 50 or more participants or are administered by an entity other than the employer who established and maintains the plan; federally qualified health maintenance organizations; Medicare; Medicaid; Medicare supplemental policies; the health care program for active military personnel; the health care program for veterans; the Civilian Health and Medical Program of the Uniformed Services (CHAMPUS); the Indian health service program under the Indian Health Care Improvement Act, 25 U.S.C. 1601, et seq.; and the Federal Employees Health Benefits Program. There also are many other federally conducted, regulated, or funded programs in which individually identifiable health information is created or maintained, but which do not come within the statutory definition of “health plan.” While these latter types of federally conducted, regulated, or assisted programs are not explicitly covered by part C of title XI in the same way that the programs listed in the statutory definition of “health plan” are covered, the statute may nonetheless apply to transactions and other activities conducted under such programs. This is likely to be the case where the federal entity or federally regulated or funded entity provides health services; the requirements of part c are likely to apply to such an entity as a “health care provider.” Thus, the issue of how different federal requirements apply is likely to arise in numerous contexts.
When two federal statutes appear to conflict, the courts generally engage in what is called an “implied repeal” analysis. The first step in such an analysis is to look for some way in which to reconcile the apparently conflicting requirements. Only if the conflicting provisions cannot be reconciled do courts reach the second step of the analysis, in which they look to see whether the later statute repealed the prior statute (to the extent of the conflict) by implication. In making such a determination, the courts look to the later statute and its legislative history, to see if there is evidence as to whether Congress intended to leave the prior statute in place or whether it intended the later statute to supersede the prior statute, to the extent of the conflict between the two. It is not a foregone conclusion that a later statute will repeal inconsistent provisions of a prior statute. Rather, there are cases in which the courts have held prior, more specific statutes not to be impliedly repealed by later, more general statutes.
As noted above, the section 1171 of the Act explicitly makes certain federal programs subject to the standards and implementation specifications promulgated by the Secretary, while entities carrying out others are implicitly covered by the scope of the term “health care provider.” The legislative history of the statute is silent with respect to how these requirements were to operate in the federal sector vis-à-vis these and other federal programs with potentially conflicting requirements. Congress is presumed to have been aware that various federal programs that the privacy and other standards would reach would be governed by other federal requirements, so the silence of the legislative history and the limited reach of the statute would seem to be significant. On the other hand, Congress’ express inclusion of certain federal programs in the statute also has significance, as it constitutes an express Congressional statement that the HIPAA standards and implementation specifications apply to these programs. In light of the absence of relevant legislative history, we do not consider this Congressional statement strong enough to support a conclusion of implied repeal, where the conflict is one between the HIPAA regulatory standards and implementation specifications and another federal statute. However, it seems strong enough to support an inference that, with respect to these programs, the HIPAA standards and implementation specifications establish the federal policy in the case of a conflict at the regulatory level.
Thus, the first principle that applies where both the HIPAA standards and implementation specifications and the requirements of another federal program apply is that we must seek to reconcile and accommodate any apparently conflicting federal requirements. Two conclusions flow from this principle. First, where one federal statute or regulation permits an activity that another federal statute or regulation requires, and both statutes apply to the entity in question, there is no conflict, because it is possible to comply with both sets of federal requirements. Second, where one federal statute or regulation permits, but does not require, an activity that another federal statute or regulation prohibits, there is again no conflict, because it is possible to comply with both sets of federal requirements. In each case, the entity has lost some discretion that it would otherwise have had under the more permissive set of requirements, but in neither case has it been required to do something that is illegal under either federal program.
There will, however, also be cases where the privacy or other Administrative Simplification standards and implementation specifications cannot be reconciled with the requirements of another federal program. In such a case the issue of implied repeal is presented. As suggested above, we think that where the conflict is between the privacy or other Administrative simplification regulations and another federal statute, the regulatory requirements would give way, because there is insufficient evidence to support a finding that part C of title XI is intended to repeal other federal laws. For example, if other law prohibits the dissemination of classified or other sensitive information, this rule's requirements for granting individuals' right to copy their own records would give way. Where the conflict is between the Administrative Simplification regulatory requirements and other federal regulatory requirements that are discretionary (not mandated by the other federal law), we think that there is also insufficient evidence to support a finding of implied repeal of the latter regulatory requirements, where the other federal program at issue is not one specifically addressed in section 1171. However, where the other federal program at issue is one of the ones which Congress explicitly intended to have the Administrative Simplification standards and implementation specifications apply to, by including them in the definition of “health plan” in section 1171, we think that there is evidence that the Administrative Simplification standards and implementation specifications should prevail over contrary exercises of discretion under those programs.
We considered whether the preemption provision of section 264(c)(2) of Public Law 104-191, discussed in the preceding section, would give effect to State laws that would otherwise be preempted by federal law. For example, we considered whether section 264(c)(2) could be read to make the Medicare program subject to State laws relating to information disclosures that are more stringent than the requirements proposed in this rule, where such laws are presently preempted by the Medicare statute. We also considered whether section 264(c)(2) could be read to apply such State laws to procedures and activities of federal agencies, such as administrative subpoenas and summons, that are prescribed under the authority of federal law. In general, we do not think that section 264(c)(2) would work to apply State law provisions to federal programs or activities with respect to which the State law provisions do not presently apply. Rather, the effect of section 264(c)(2) is to give preemptive effect to State laws that would otherwise be in effect, to the extent they conflict with and are more stringent than the requirements promulgated under the Administrative Simplification authority of HIPAA. Thus, we do not believe that it is the intent of section 264(c)(2) to give an effect to State law that it would not otherwise have in the absence of section 264(c)(2).
We explore some ramifications of these conclusions with respect to specific federal programs below. We note that the summaries below do not identify all possible conflicts or overlaps of the proposed rules with other federal requirements; rather, we have attempted to explain the general nature of the relationship of the different federal programs. We would anticipate issuing more detailed guidance in the future, when the final privacy policies are adopted, and the extent of conflict or overlap can be ascertained. We also invite comment with respect to issues raised by other federal programs.
a. The Privacy Act.
The Privacy Act of 1974, 5 U.S.C. 552a, is not preempted or amended by part C of title XI. The Privacy Act applies to all federal agencies, and to certain federal contractors who operate Privacy Act protected systems of records on behalf of federal agencies. It does not, however, apply to non-federal entities that are reached by part C. While the proposed rules are applicable to federal and non-federal entities, they are not intended to create any conflict with Privacy Act requirements. In any situation where compliance with the proposed rules would lead a federal entity to a result contrary to the Privacy Act, the Privacy Act controls. In sections of the proposed rules which might otherwise create the appearance of a conflict with Privacy Act requirements, entities subject to the Privacy Act are directed to continue to comply with Privacy Act requirements.
Because the Privacy Act gives federal agencies the authority to promulgate agency-specific implementing regulations, and because the Privacy Act also allows agencies to publish routine uses that have the status of exceptions to the Privacy Act’s general rule prohibiting disclosure of Privacy Act protected information to third parties, the issue of possible conflicts between the proposed Administrative Simplification rules and existing Privacy Act rules and routine uses must be addressed. Where the federal program at issue is one of the ones that Congress explicitly intended to have the Administrative Simplification standards and implementation specifications apply to, by including them in the definition of “health plan” in section 1171, we think that there is evidence that the Administrative Simplification standards and implementation specifications should prevail over contrary exercises of discretion under those programs. That is, to the extent that a routine use is truly discretionary to an agency which is also a covered entity under section 1172(a), the agency would not have discretion to ignore the Administrative Simplification regulations. It is possible, however, that in some cases there might be underlying federal statutes that call for disclosure of certain types of information, and routine uses could be promulgated as the only way to implement those statutes and still comply with the Privacy Act. If this were to happen or be the case, the routine use should prevail.
b. The Substance Abuse Confidentiality regulations.
Regulations that are codified at 42 CFR part 2 establish confidentiality requirements for the patient records of substance abuse “programs” that are “federally assisted.” Substance abuse programs are specialized programs or personnel that provide alcohol and drug abuse treatment, diagnosis, or referral for treatment. 42 CFR 2.11. The term “federally assisted” is broadly defined, and includes federal tax exempt status and Medicare certification, among other criteria. 42 CFR 2.12(b). Such programs may not disclose patient identifying information without the written consent of the patient, unless the information is needed to respond to a medical emergency, or such information is disclosed for purposes of research, audit, or evaluation. Disclosures may not be made in response to a subpoena; rather, a court order is required in order for a disclosure of covered records to be lawfully made. Limited disclosures may also be made by such programs to State or local officials under a State law requiring reporting of incidents of suspected child abuse and neglect and to law enforcement officials regarding a patient’s crime on program premises or against program personnel or a threat to commit such a crime. 42 CFR 2.12. Unlike the rules proposed below, the confidentiality protections continue indefinitely after death, although part 2 would permit disclosure of identifying information relating to the cause of death under laws relating to the collection of vital statistics or permitting inquiry into cause of death.
It seems likely that most, if not all, programs covered by the part 2 regulations will also be covered, as health care providers, by the rules proposed below. As can be seen from the above summary, the part 2 regulations would not permit many disclosures that would be permitted under proposed § 164.510 below, such as many disclosures for law enforcement, directory information, governmental health data systems, and judicial and other purposes. In addition, the general permissive disclosure for treatment or payment purposes at proposed § 164.506 below would be inconsistent with the more restrictive requirements at part 2. In such situations, providers (or others) subject to both sets of requirements could not make disclosures prohibited by part 2, even if the same disclosures would be permitted under the rules proposed below.
There are also a number of requirements of the part 2 regulations that parallel the requirements proposed below. For example, the minimum necessary rule, where applicable, would parallel a similar requirement at 42 CFR 2.13(a). Similarly, the notice requirements of part 2, at 42 CFR 2.22 parallel the notice requirements proposed below, although the notice required below would be more detailed and cover more issues. The preemptive effect on State law should be the same under both part 2 and section 264(c)(2). The requirements for disclosures for research proposed below are likewise similar to those in part 2. In such cases, health care providers would have to comply with the more extensive or detailed requirements, but there should be no direct conflict.
Many other provisions of the proposed rules, however, simply have no counterpart in part 2. For example, the part 2 regulations do not require programs to maintain an accounting of uses and disclosures, nor do they provide for a right to request amendment or correction of patient information. Similarly, the part 2 regulations contain no prohibition on conditioning treatment or payment on provision of an individual authorization for disclosure. In such situations, health care providers would be bound by both sets of requirements.
ERISA was enacted in 1974 to regulate pension and welfare employee benefit plans that are established by private sector employers, unions, or both, to provide benefits to their workers and dependents. An employee welfare benefit plan includes plans that provide “through the purchase of insurance or otherwise ... medical, surgical, or hospital care or benefits, or benefits in the event of sickness, accident, disability, [or] death.” 29 U.S.C. 1002(1). In 1996, Public Law 104-191 amended ERISA to require portability, nondiscrimination, and renewability of health benefits provided by group health plans and group health insurance issuers. Numerous, although not all, ERISA plans are covered under the rules proposed below as “health plans.”
As noted above, section 514(a) of ERISA, 29 U.S.C. 1144(a), preempts all State laws that “relate to” any employee benefit plan. However, section 514(b) of ERISA, 29 U.S.C. 1144(b)(2)(A), expressly saves from preemption State laws which regulate insurance. Section of ERISA, 29 U.S.C.1144(b)(2)(B), provides that an ERISA plan is deemed not to be an insurer for the purpose of regulating the plan under the State insurance laws. Thus, under the deemer clause, States may not treat ERISA plans as insurers subject to direct regulation by State law. Finally, section 514(d) of ERISA, 29 U.S.C. 1144(d), provides that ERISA does not “alter, amend, modify, invalidate, impair, or supersede any law of the United States.”
We considered whether the preemption provision of section 264(c)(2) of Public Law 104-191, discussed in the preceding section, would give effect to State laws that would otherwise be preempted by section 514(a) of ERISA. Our reading of the statutes together is that the effect of section 264(c)(2) is simply to leave in place State privacy protections that would otherwise apply and which are more stringent than the federal privacy protections. In the case of ERISA plans, however, if those laws are preempted by section 514(a), they would not otherwise apply. We do not think that it is the intent of section 264(c)(2) to give an effect to State law that it would not otherwise have in the absence of section 264(c)(2). Thus, we would not view the preemption provisions below as applying to State laws otherwise preempted by section 514(a) of ERISA.
Many plans covered by the rules proposed below are also subject to ERISA requirements. To date our discussions and consultations have not uncovered any particular ERISA requirements that would conflict with the rules proposed below. However, we invite comment, particularly in the form of specific identification of statutory or regulatory provisions, of requirements under ERISA that would appear to conflict with provisions of the rules proposed below.
d. Other federally funded health programs.
There are a number of authorities under the Public Health Service Act and other legislation that contain explicit confidentiality requirements either in the enabling legislation or in the implementing regulations. Many of these are so general that there would appear to be no problem of inconsistency, in that nothing in the legislation or regulations would appear to restrict the assisted provider’s discretion to comply with the requirements proposed below. There are, however, several authorities under which either the requirements of the enabling legislation or of the program regulations would impose requirements that would differ from the rules proposed below. We have identified several as presenting potential issues in this regard. First, regulations applicable to the substance abuse block grant program funded under section 1943(b) of the Public Health Service Act require compliance with 42 CFR part 2, and thus raise the issues identified in section 2 above. Second, there are a number of federal programs which, either by statute or by regulation, restrict the disclosure of patient information to, with minor exceptions, disclosures “required by law.” See, for example, the program of projects for prevention and control of sexually transmitted diseases funded under section 318(e)(5) of the Public Health Service Act (42 CFR 51b.404); the regulations implementing the community health center program funded under section 330 of the Public Health Service Act (42 CFR 51c.110); the regulations implementing the program of grants for family planning services under title X of the Public Health Service Act (42 CFR 59.15); the regulations implementing the program of grants for black lung clinics funded under 30 U.S.C. 437(a) (42 CFR 55a.104); the regulations implementing the program of maternal and child health projects funded under section 501 of the Act (42 CFR 51a.6); the regulations implementing the program of medical examinations of coal miners (42 CFR 37.80(a)). These legal requirements would restrict the grantees or other entities under the programs involved from making many of the disclosures that proposed § 164.510 would permit. In some cases, permissive disclosures for treatment, payment or health care operations would also be limited. Since proposed § 164.510 is merely permissive, there would not be a conflict between the program requirements, as it would be possible to comply with both. However, it should be recognized that entities subject to both sets of requirements would not have the total range of discretion that the rules proposed below would suggest.