NPRM: Standards for Privacy of Individually Identifiable Health Information. 2. Relationship to other federal laws.

11/03/1999

The rules proposed below also would affect various federal programs, some of which may have requirements that are, or appear to be, inconsistent with the requirements proposed below. Such federal programs include those programs that are operated directly by the federal government, such as the health benefit programs for federal employees or the health programs for military personnel. They also include a wide variety of health services or benefit programs in which health services or benefits are provided by the private sector or by State or local government, but which are governed by various federal laws. Examples of the latter types of programs would be the Medicare and Medicaid programs, the health plans governed by the Employee Retirement Income Security Act of 1974, 29 U.S.C. 1001, et seq. (ERISA), the various clinical services programs funded by federal grants, and substance abuse treatment programs.

Some of the above programs are explicitly covered by HIPAA. Section 1171 of the Act defines the term “health plan” to include the following federally conducted, regulated, or funded programs: group plans under ERISA which either have 50 or more participants or are administered by an entity other than the employer who established and maintains the plan; federally qualified health maintenance organizations; Medicare; Medicaid; Medicare supplemental policies; the health care program for active military personnel; the health care program for veterans; the Civilian Health and Medical Program of the Uniformed Services (CHAMPUS); the Indian health service program under the Indian Health Care Improvement Act, 25 U.S.C. 1601, et seq.; and the Federal Employees Health Benefits Program. There also are many other federally conducted, regulated, or funded programs in which individually identifiable health information is created or maintained, but which do not come within the statutory definition of “health plan.” While these latter types of federally conducted, regulated, or assisted programs are not explicitly covered by part C of title XI in the same way that the programs listed in the statutory definition of “health plan” are covered, the statute may nonetheless apply to transactions and other activities conducted under such programs. This is likely to be the case where the federal entity or federally regulated or funded entity provides health services; the requirements of part C are likely to apply to such an entity as a “health care provider.” Thus, the issue of how different federal requirements apply is likely to arise in numerous contexts.

When two federal statutes appear to conflict, the courts generally engage in what is called an “implied repeal” analysis. The first step in such an analysis is to look for some way in which to reconcile the apparently conflicting requirements. Only if the conflicting provisions cannot be reconciled do courts reach the second step of the analysis, in which they look to see whether the later statute repealed the prior statute (to the extent of the conflict) by implication. In making such a determination, the courts look to the later statute and its legislative history, to see if there is evidence as to whether Congress intended to leave the prior statute in place or whether it intended the later statute to supersede the prior statute, to the extent of the conflict between the two. It is not a foregone conclusion that a later statute will repeal inconsistent provisions of a prior statute. Rather, there are cases in which the courts have held prior, more specific statutes not to be impliedly repealed by later, more general statutes.

As noted above, section 1171 of the Act explicitly makes certain federal programs subject to the standards and implementation specifications promulgated by the Secretary, while entities carrying out others are implicitly covered by the scope of the term “health care provider.” The legislative history of the statute is silent with respect to how these requirements were to operate in the federal sector vis-à-vis these and other federal programs with potentially conflicting requirements. Congress is presumed to have been aware that various federal programs that the privacy and other standards would reach would be governed by other federal requirements, so the silence of the legislative history and the limited reach of the statute would seem to be significant. On the other hand, Congress’ express inclusion of certain federal programs in the statute also has significance, as it constitutes an express Congressional statement that the HIPAA standards and implementation specifications apply to these programs. In light of the absence of relevant legislative history, we do not consider this Congressional statement strong enough to support a conclusion of implied repeal, where the conflict is one between the HIPAA regulatory standards and implementation specifications and another federal statute. However, it seems strong enough to support an inference that, with respect to these programs, the HIPAA standards and implementation specifications establish the federal policy in the case of a conflict at the regulatory level.

Thus, the first principle that applies where both the HIPAA standards and implementation specifications and the requirements of another federal program apply is that we must seek to reconcile and accommodate any apparently conflicting federal requirements. Two conclusions flow from this principle. First, where one federal statute or regulation permits an activity that another federal statute or regulation requires, and both statutes apply to the entity in question, there is no conflict, because it is possible to comply with both sets of federal requirements. Second, where one federal statute or regulation permits, but does not require, an activity that another federal statute or regulation prohibits, there is again no conflict, because it is possible to comply with both sets of federal requirements. In each case, the entity has lost some discretion that it would otherwise have had under the more permissive set of requirements, but in neither case has it been required to do something that is illegal under either federal program.

There will, however, also be cases where the privacy or other Administrative Simplification standards and implementation specifications cannot be reconciled with the requirements of another federal program. In such a case the issue of implied repeal is presented. As suggested above, we think that where the conflict is between the privacy or other Administrative Simplification regulations and another federal statute, the regulatory requirements would give way, because there is insufficient evidence to support a finding that part C of title XI is intended to repeal other federal laws. For example, if other law prohibits the dissemination of classified or other sensitive information, this rule's requirements for granting individuals' right to copy their own records would give way. Where the conflict is between the Administrative Simplification regulatory requirements and other federal regulatory requirements that are discretionary (not mandated by the other federal law), we think that there is also insufficient evidence to support a finding of implied repeal of the latter regulatory requirements, where the other federal program at issue is not one specifically addressed in section 1171. However, where the other federal program at issue is one of the ones which Congress explicitly intended to have the Administrative Simplification standards and implementation specifications apply to, by including them in the definition of “health plan” in section 1171, we think that there is evidence that the Administrative Simplification standards and implementation specifications should prevail over contrary exercises of discretion under those programs.

We considered whether the preemption provision of section 264(c)(2) of Public Law 104-191, discussed in the preceding section, would give effect to State laws that would otherwise be preempted by federal law. For example, we considered whether section 264(c)(2) could be read to make the Medicare program subject to State laws relating to information disclosures that are more stringent than the requirements proposed in this rule, where such laws are presently preempted by the Medicare statute. We also considered whether section 264(c)(2) could be read to apply such State laws to procedures and activities of federal agencies, such as administrative subpoenas and summons, that are prescribed under the authority of federal law. In general, we do not think that section 264(c)(2) would work to apply State law provisions to federal programs or activities with respect to which the State law provisions do not presently apply. Rather, the effect of section 264(c)(2) is to give preemptive effect to State laws that would otherwise be in effect, to the extent they conflict with and are more stringent than the requirements promulgated under the Administrative Simplification authority of HIPAA. Thus, we do not believe that it is the intent of section 264(c)(2) to give an effect to State law that it would not otherwise have in the absence of section 264(c)(2).

We explore some ramifications of these conclusions with respect to specific federal programs below. We note that the summaries below do not identify all possible conflicts or overlaps of the proposed rules with other federal requirements; rather, we have attempted to explain the general nature of the relationship of the different federal programs. We would anticipate issuing more detailed guidance in the future, when the final privacy policies are adopted, and the extent of conflict or overlap can be ascertained. We also invite comment with respect to issues raised by other federal programs.