Section 1171 of the Act defines several terms and our proposed rules would, for the most part, simply restate the law or adopt definitions previously defined in the other HIPAA proposed rules. In some instances, we propose definitions from the Secretary’s Recommendations. We also propose some new definitions for convenience and efficiency of exposition, and others to clarify the application and operation of this rule. We describe the proposed definitions and discuss the rationale behind them, below.
Most of the definitions would be defined in proposed §§ 160.103 and 164.504. The definitions at proposed § 160.103 apply to all Administrative Simplification standards, including this privacy rule and the security standard. The definitions proposed in § 164.504 would apply only to this privacy rule. Certain other definitions are specific to particular sections of the proposed rule and are provided in those sections. The terms that are defined at proposed § 160.103 follow:
1. Act. We would define “Act” to mean the Social Security Act, as amended. This definition would be added for convenience.
2. Covered entity. This definition would be provided for convenience of reference and would mean the entities to which part C of title XI of the Act applies. These are the entities described in section 1172(a)(1): health plans, health care clearinghouses, and health care providers who transmit any health information in electronic form in connection with a transaction referred to in section 1173(a)(1) of the Act (a “standard transaction”). In the preamble we occasionally refer to health plans and the health care providers described above as "covered plans," "covered providers," or "covered plans and providers."
We note that health care providers who do not submit HIPAA transactions in standard form become covered by this rule when other entities, such as a billing service or a hospital, transmit standard electronic transactions on their behalf. The provider could not circumvent these requirements by assigning the task to its agent, since the agent would be deemed to be acting as the provider.
3. Health care. We would define the term “health care” as it is defined in the Secretary’s Recommendations. Health care means the provision of care, services, or supplies to a patient and includes any: (1) preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, counseling, service, or procedure with respect to the physical or mental condition, or functional status, of a patient or affecting the structure or function of the body; (2) sale or dispensing of a drug, device, equipment, or other item pursuant to a prescription; or (3) procurement or banking of blood, sperm, organs, or any other tissue for administration to patients.
4. Health care clearinghouse. We would define “health care clearinghouse” as defined by section 1171(2) of the Act. The Act defines a “health care clearinghouse” as a “public or private entity that processes or facilitates the processing of nonstandard data elements of health information into standard data elements.” In practice, clearinghouses receive transactions from health care providers, health plans, other health care clearinghouses, or business partners of such entities, and other entities, translate the data from a given format into one acceptable to the entity receiving the transaction, and forward the processed transaction to that entity. There are currently a number of private clearinghouses that contract or perform this function for health care providers. For purposes of this rule, we would consider billing services, repricing companies, community health management information systems or community health information systems, “value-added” networks, switches and similar organizations to be health care clearinghouses for purposes of this part only if they actually perform the same functions as a health care clearinghouse.
We would note that we are proposing to exempt clearinghouses from a number of the provisions of this rule that would apply to other covered entities (see §§ 164.512, 164.514 and 164.516 below), because in most cases we do not believe that clearinghouses would be dealing directly with individuals. In many instances, clearinghouses would be considered business partners under this rule and would be bound by their contracts with covered plans and providers. See proposed § 164.506(e). We would adopt this position with the caveat that the exemptions would be void for any clearinghouse that had direct contact with individuals in a capacity other than that of a business partner.
5. Health care provider. Section 1171(3) of the Act defines “health care provider” as a “provider of medical services as defined in section 1861(u) of the Act, a provider of medical or other health services as defined in section 1861(s) of the Act, and any other person who furnishes health care services or supplies.” We are proposing to define “health care provider” as the Act does, and clarify that a health care provider is limited to any person or organization that furnishes, bills, or is paid for, health care services or supplies in the normal course of business. This definition would include a researcher who provides health care to the subjects of research, free clinics, and a health clinic or licensed health care professional located at a school or business.
Section 1861(u) of the Act contains the Medicare definition of a provider, which encompasses institutional providers, such as hospitals, skilled nursing facilities, home health agencies, and comprehensive outpatient rehabilitation facilities. Section 1861(s) of the Act defines other Medicare facilities and practitioners, including assorted clinics and centers, physicians, clinical laboratories, various licensed/certified health care practitioners, and suppliers of durable medical equipment. The last portion of the proposed definition encompasses appropriately licensed or certified health care practitioners or organizations, including pharmacies and nursing homes and many types of therapists, technicians, and aides. It also would include any other individual or organization that furnishes health care services or supplies in the normal course of business. An individual or organization that bills and/or is paid for health care services or supplies in the normal course of business, such as a group practice or an “on-line” pharmacy accessible on the Internet, is also a health care provider for purposes of this statute.
For a more detailed discussion of the definition of health care provider, we refer the reader to our proposed rule (Standard Health Care Provider Identifier) published on May 7, 1998, in the Federal Register (63 Fed Reg 25320).
6. Health information. We would define “health information” as it is defined in section 1171(4) of the Act. “Health information” would mean any information, whether oral or recorded in any form or medium, that is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and that relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.
In this paragraph we attempt to clarify the relationship between the defined terms “health information,” “individually identifiable health information” and “protected health information.” The term “health information” encompasses the universe of information governed by the administrative simplification requirements of the Act. For example, under section 1173 of the Act, the Secretary is to adopt standards to enable the electronic exchange of all health information. However, protection of personal privacy is primarily a concern for the subset of health information that is “individually identifiable health information,” as defined by the Act (see below). For example, a tabulation of the number of students with asthma by school district would be health information, but since it normally could not be used to identify any individuals, it would not usually create privacy concerns. The definition of individually identifiable health information omits some of the persons or organizations that are described as creating or receiving “health information.” Some sections of the Act refer specifically to individually identifiable health information, such as section 1177 in setting criminal penalties for wrongful use or disclosure, and section 264 in requesting recommendations for privacy standards. Finally, we propose the phrase “protected health information” (§ 164.504) to refer to the subset of individually identifiable health information that is used or disclosed by the entities that are subject to this rule.
7. Health plan. We would define “health plan” essentially as section 1171(5) of the Act defines it. Section 1171 of the Act refers to several definitions in section 2791 of the Public Health Service Act, 42 U.S.C. 300gg-91, as added by Public Law 104-191. For clarity, we would incorporate the referenced definitions as currently stated into our proposed definitions.
As defined in section 1171(5), a “health plan” is an individual plan or group health plan that provides, or pays the cost of, medical care (see section 2791(a) of the Public Health Service Act (PHS Act)). This definition would include, but is not limited to, the 15 types of plans listed in the statute, as well as any combination of them. The term would include, when applied to public benefit programs, the component of the government agency that administers the program. Church plans and government plans are included to the extent that they fall into one or more of the listed categories.
“Health plan” includes the following singly or in combination:
a. “Group health plan” (as currently defined by Section 2791(a) of the PHS Act). A group health plan is a plan that has 50 or more participants (as the term “participant” is currently defined by section 3(7) of ERISA) or is administered by an entity other than the employer that established and maintains the plan. This definition includes both insured and self-insured plans.
Section 2791(a)(1) of the PHS Act defines “group health plan” as an employee welfare benefit plan (as defined in current section 3(1) of ERISA) to the extent that the plan provides medical care, including items and services paid for as medical care, to employees or their dependents directly or through insurance, or otherwise.
b. “Health insurance issuer” (as currently defined by section 2791(b) of the PHS Act).
Section 2971(b) of the PHS Act defines a “health insurance issuer” as an insurance company, insurance service, or insurance organization that is licensed to engage in the business of insurance in a State and is subject to State law that regulates insurance.
c. “Health maintenance organization” (as currently defined by section 2791(b) of the PHS Act). Section 2791(b) of the PHS Act currently defines a “health maintenance organization” as a federally qualified health maintenance organization, an organization recognized as such under State law, or a similar organization regulated for solvency under State law in the same manner and to the same extent as such a health maintenance organization. These organizations may include preferred provider organizations, provider sponsored organizations, independent practice associations, competitive medical plans, exclusive provider organizations, and foundations for medical care.
d. Part A or Part B of the Medicare program (title XVIII of the Act).
e. The Medicaid program (title XIX of the Act).
f. A “Medicare supplemental policy” as defined under section 1882(g)(1) of the Act. Section 1882(g)(1) of the Act defines a “Medicare supplemental policy” as a health insurance policy that a private entity offers a Medicare beneficiary to provide payment for expenses incurred for services and items that are not reimbursed by Medicare because of deductible, coinsurance, or other limitations under Medicare. The statutory definition of a Medicare supplemental policy excludes a number of plans that are similar to Medicare supplemental plans, such as health plans for employees and former employers and for members and former members of trade associations and unions. A number of these health plans may be included under the definitions of “group health plan” or “health insurance issuer,” as defined in paragraphs “a” and “b” above.
g. A “long-term care policy,” including a nursing-home fixed indemnity policy. A “long- term care policy” is considered to be a health plan regardless of how comprehensive it is.
h. An employee welfare benefit plan or any other arrangement that is established or maintained for the purpose of offering or providing health benefits to the employees of two or more employers. This includes plans that are referred to as multiple employer welfare arrangements (“MEWAs”).
i. The health care program for active military personnel under title 10 of the United States Code. See paragraph “k”, below, for further discussion.
j. The veterans health care program under chapter 17 of title 38 of the United States Code. This health plan primarily furnishes medical care through hospitals and clinics administered by the Department of Veterans Affairs (VA) for veterans enrolled in the VA health care system.
k. The Civilian Health and Medical Program of the Uniformed Services (CHAMPUS) as defined in 10 U.S.C. 1072(4). We note that the Act’s definition of “health plan” omits several types of health care provided by the Department of Defense (DOD). Sections 1171(5)(I) and 1171(5)(K) cover only the health care program for active duty personnel (see 10 U.S.C. 1074(a)) and the CHAMPUS program (see 10 U.S.C. 1079, 1086). What is omitted is health care provided in military treatment facilities to military retirees (see 10 U.S.C. 1074(b)), to dependents of active duty personnel and to dependents of retirees (see 10 U.S.C. 1076), to Secretarial designees such as members of Congress, Justices of the Supreme Court, and to foreign military personnel under NATO status of forces agreements. Health care provided by the DOD in military facilities to the aforementioned persons is not included as a “health plan” under HIPAA. However, these facilities would still be considered to be health care providers.
l. The Indian Health Service program under the Indian Health Care Improvement Act (25 U.S.C. 1601, et. seq.). This program furnishes services, generally through its own health care providers, primarily to persons who are eligible to receive services because they are of American Indian or Alaskan Native descent.
m. The Federal Employees Health Benefits Program under 5 U.S.C. chapter 89. This program consists of health insurance plans offered to active and retired federal employees and their dependents. Although section 1171(5)(M) of the Act refers to the “Federal Employees Health Benefit Plan,” this and any other rules adopting administrative simplification standards will use the correct name, the Federal Employees Health Benefits Program. One health plan does not cover all federal employees; over 350 health plans provide health benefits coverage to federal employees, retirees, and their eligible family members. Therefore, we will use the correct name, The Federal Employees Health Benefits Program, to make clear that the administrative simplification standards apply to all health plans that participate in the Program.
n. An approved State child health plan for child health assistance that meets the requirements of section 2103 of the Act, which established the Children's Health Insurance Program (CHIP).
o. A Medicare Plus Choice organization as defined in 42 CFR 422.2, with a contract under 42 CFR part 422, subpart K.
p. Any other individual plan or group health plan, or combination thereof, that provides or pays for the cost of medical care. This category implements the language at the beginning of the statutory definition of the term "health plan": "The term 'health plan' means an individual or group plan that provides, or pays the cost of, medical care . . . Such term includes the following, and any combination thereof . . ." This statutory language is general, not specific. Moreover, the statement that the term "health plan" "includes" the specified plans implies that the term also covers other plans that meet the stated criteria. One approach to interpreting this introductory language in the statute would be to make coverage decisions about plans that may meet these criteria on a case-by-case basis. Instead we propose to clarify its coverage by adding this category to the proposed definition of "health plan"; we seek public comment on its application. The Secretary would determine which plans that meet the criteria in the preceding paragraph are health plans for purposes of title II of HIPAA.
Consistent with the other parts of HIPAA, the provisions of this rule generally would not apply to certain types of insurance entities, such as workers’ compensation and automobile insurance carriers, other property and casualty insurers, and certain forms of limited benefits coverage, even when such arrangements provide coverage for health care services. 29 U.S.C. 1186(c). We note that health care providers would be subject to the provisions of this rule with respect to the health care they provide to individuals, even if such providers seek or receive reimbursement from an insurance entity that is not a covered entity under these rules. However, nothing in this rule would be intended to prevent a health care provider from disclosing protected health information to a non-covered insurance entity for the purpose of obtaining payment for services. Further, under proposed § 164.510(n), this rule would permit disclosures by health care providers of protected health information to such insurance entities and to other persons when mandated by applicable law for the purposes of determining eligibility for coverage or benefits under such insurance arrangements. For example, a State workers’ compensation law that requires disclosure of protected health information to an insurer or employer for the purposes of determining an individual’s eligibility for medical or other benefits, or for the purpose of determining fitness for duty, would not be disturbed by this rule.
8. Secretary. This term means the Secretary of Health and Human Services and any other officer or employee of the Department of Health and Human Services to whom the authority involved has been delegated. It is provided for ease of reference.
9. Small health plan. The HIPAA does not define a “small health plan,” but instead explicitly leaves the definition to be determined by the Secretary. We propose to adopt the size classification used by the Small Business Administration. We would therefore define a “small health plan” as a health plan with annual receipts of $5 million or less. 31 CFR 121.201. This differs from the definition of “small health plan” in prior proposed Administrative Simplification rules. We will conform the definitions in the final Administrative Simplification rules.
10. Standard. The term “standard” would mean a prescribed set of rules, conditions, or requirements concerning classification of components, specification of materials, performance or operations, or delineation of procedures in describing products, systems, services, or practices. This definition is a general one, to accommodate the varying functions of the specific standards proposed in the other HIPAA regulations, as well as the rules proposed below.
11. State. This term would include the 50 States, the District of Columbia, the Commonwealth of Puerto Rico, the Virgin Islands, and Guam. This definition follows the statutory definition of “State” in section 1101(a) of the Act.
12. Transaction. We would define “transaction,” as we have done in other Administrative Simplification regulations, to mean the exchange of information between two parties to carry out financial or administrative activities related to health care. A transaction would be (1) any of the transactions listed in section 1173(a)(2) of the Act, and (2) any transaction determined appropriate by the Secretary in accordance with Section 1173(a)(1) of the Act.
A “transaction” would mean any of the following:
a. Health claims or equivalent encounter information. This transaction could be used to submit health care claim billing information, encounter information, or both, from health care providers to payers, either directly or via intermediary billers and claims clearinghouses.
b. Health care payment and remittance advice. This transaction could be used by a health plan to make a payment to a financial institution for a health care provider (sending payment only), to send an explanation of benefits remittance advice directly to a health care provider (sending data only), or to make payment and send an explanation of benefits remittance advice to a health car provider via a financial institution (sending both payment and data).
c. Coordination of benefits. This transaction could be used to transmit health care claims and billing payment information between payers with different payment responsibilities where coordination of benefits is required or between payers and regulatory agencies to monitor the furnishing, billing, and/or payment of health care services within a specific health care/insurance industry segment.
d. Health claims status. This transaction could be used by health care providers and recipients of health care products or services (or their authorized agents) to request the status of a health care claim or encounter from a health plan.
e. Enrollment and disenrollment in a health plan. This transaction could be used to establish communication between the sponsor of a health benefit and the payer. It provides enrollment data, such as subscriber and dependents, employer information, and primary care health care provider information. A sponsor would be the backer of the coverage, benefit, or product. A sponsor could be an employer, union, government agency, association, or insurance company. The health plan would refer to an entity that pays claims, administers the insurance product or benefit, or both.
f. Eligibility for a health plan. This transaction could be used to inquire about the eligibility, coverage, or benefits associated with a benefit plan, employer, plan sponsor, subscriber, or a dependent under the subscriber’s policy. It also could be used to communicate information about or changes to eligibility, coverage, or benefits from information sources (such as insurers, sponsors, and payers) to information receivers (such as physicians, hospitals, third party administrators, and government agencies).
g. Health plan premium payments. This transaction could be used by, for example, employers, employees, unions, and associations to make and keep track of payments of health plan premiums to their health insurers. This transaction could also be used by a health care provider, acting as liaison for the beneficiary, to make payment to a health insurer for coinsurance, copayments, and deductibles.
h. Referral certification and authorization. This transaction could be used to transmit health care service referral information between health care providers, health care providers furnishing services, and payers. It could also be used to obtain authorization for certain health care services from a health plan.
i. First report of injury. This transaction could be used to report information pertaining to an injury, illness, or incident to entities interested in the information for statistical, legal, claims, and risk management processing requirements.
j. Health claims attachments. This transaction could be used to transmit health care service information, such as subscriber, patient, demographic, diagnosis, or treatment data for the purpose of a request for review, certification, notification, or reporting the outcome of a health care services review.
k. Other transactions as the Secretary may prescribe by regulation. Under section 1173(a)(1)(B) of the Act, the Secretary may adopt standards, and data elements for those standards, for other financial and administrative transactions deemed appropriate by the Secretary. These transactions would be consistent with the goals of improving the operation of the health care system and reducing administrative costs.
In addition to the above terms, a number of terms are defined in proposed § 164.504, and are specific to the proposed privacy rules. They are as follows:
13. Business partner. This term would mean a person to whom a covered entity discloses protected health information so that the person can carry out, assist with the performance of, or perform on behalf of, a function or activity for the covered entity. Such term includes any agent, contractor or other person who receives protected health information from the covered entity (or from another business partner of the covered entity) for the purposes described in the previous sentence. It would not include a person who is an employee, a volunteer or other person associated with the covered entity on a paid or unpaid basis.
14. Designated record set. This term would be defined as a group of records under the control of a covered entity from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual, and which is used by the covered entity to make decisions about the individual. The concept of a “designated record set” is derived from the Privacy Act’s concept of a “system of records.” Under the Privacy Act, federal agencies must provide an individual with access to "information pertaining to him which is contained in [a system of records]." 5 U.S.C. 552a(d)(1). A “system of records” is defined as "a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual." 5 U.S.C. 552a(a)(5). Under this rule, we would substitute the term “covered entity” for “agency” and limit the information to that used by the covered entity to make decisions about the individual.
We would define a “record” as "any item, collection, or grouping of protected health information maintained, collected, used, or disseminated by a covered entity." Under the Privacy Act, "the term 'record' means any item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to, his education, financial transactions, medical history, and criminal or employment history and that contains his name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or a photograph." 5 U.S.C. 552a(a)(4). For purposes of this rule we propose to limit the information to protected health information, as defined in this rule. “Protected health information” already incorporates the concept of identifiability, and therefore our definition of “record” is much simpler.
For health plans, designated record sets would include, at a minimum, the claims adjudication, enrollment, and patient accounting systems. For health care providers, designated record sets would include, at a minimum, the medical records and billing records. Designated record set would also include a correspondence system, a complaint system, or an event tracking system if decisions about individuals are made based, in whole or in part, on information in those systems. Files used to backup a primary data system or the sequential files created to transmit a batch of claims to a clearinghouse are clear examples of data files which would not fall under this definition.
We note that a designated record set would only exist for types of records that a covered entity actually “retrieves” by an identifier, and not records that are only “retrievable” by an identifier. In many cases, technology will permit sorting and retrieving by a variety of fields and therefore the “retrievable” standard would be relatively meaningless.
15. Disclosure. This term would be defined as the release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information.
16. Health care operations. We propose the term “health care operations” to clarify the activities we consider to be “compatible with and directly related to” treatment and payment and therefore would not require authorization from the individual for use or disclosure of protected health information.
Under our proposal, “health care operations” means the following services or activities if provided by or on behalf of a covered health plan or health care provider for the purposes of carrying out the management functions of such plan or provider necessary for the support of treatment or payment:
- Conducting quality assessment and improvement activities, including evaluating outcomes, and developing clinical guidelines;
- Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which undergraduate and graduate students and trainees in all areas of health care learn under supervision to practice as health care providers (e.g., residency programs, grand rounds, nursing practicums), accreditation, certification, licensing or credentialing activities;
- Insurance rating and other insurance activities relating to the renewal of a contract for insurance, including underwriting, experience rating, and reinsurance, but only when the individuals are already enrolled in the health plan conducting such activities and only when the use or disclosure of such protected health information relates to an existing contract of insurance (including the renewal of such a contract);
- Conducting or arranging for auditing services, including fraud and abuse detection and compliance programs; and
- Compiling and analyzing information in anticipation of, or for use in, civil or criminal legal proceedings.
Our definition proposes to limit health care operations to functions and activities performed by a health plan or provider or by a business partner on behalf of a health plan or a provider. Our definition anticipates that in order for treatment and payment to occur, protected health information would be used within entities, would be shared with business partners, and in some cases would be shared between covered entities (or their business partners). However, a health care operation should not result in protected health information being disclosed to an entity that is not the covered entity (or a business partner of such entity) on whose behalf the operation is being performed. For example, a health plan may request a health care provider to provide protected health information to the health plan, or to a business partner of the health plan, as part of an outcomes evaluation effort relating to providers affiliated with that plan. This would be a health care operation.
We are aware that the health care industry is changing and that these categories, though broad, may need to be modified to reflect different conditions in the future.
17. Health oversight agency. We would define the term “health oversight agency” as it is defined in the Secretary’s Recommendations. See section II.E. below for further discussion.
18. Individual. We would define “individual” to mean the person who is the subject of protected health information. We would define the term to include, with respect to the signing of authorizations and other rights (such as access, copying, and correction), various types of legal representatives. The term would include court-appointed guardians or persons with a power of attorney, including persons making health care decisions for incapacitated persons, persons acting on behalf of a decedent’s estate, where State or other applicable law authorizes such legal representatives to exercise the person’s rights in such contexts, and parents subject to certain restrictions explained below. We would define this term to exclude foreign military and foreign diplomatic personnel and their dependents who receive health care provided or paid for by the DOD or other federal agency or entity acting on its behalf, and overseas foreign national beneficiaries of health care provided by the DOD or other federal agency, or non-governmental organization acting on its behalf.
a. Disclosures pursuant to a power of attorney.
The definition of an individual would include legal representatives, to the extent permitted under State or other applicable law. We considered several issues in making this determination.
A “power of attorney” is a legal agreement through which a person formally grants authority to another person to make decisions on the person’s behalf about financial, health care, legal, and/or other matters. In granting power of attorney, a person does not give up his or her own right to make decisions regarding the health care, financial, legal, or other issues involved in the legal agreement. Rather, he or she authorizes the other person to make these decisions as well.
In some cases, an individual gives another person power of attorney over issues not directly related to health care (e.g., financial matters) while informally relying on a third person (either implicitly or through verbal agreement) to make health care decisions on his or her behalf. In such situations, the person with power of attorney could seek health information from a health plan or provider in order to complete a task related to his or her power of attorney. For example, a person with financial power of attorney may request health information from a health plan or provider in order to apply for disability benefits on the individual’s behalf.
In developing proposed rules to address these situations, we considered two options: (1) allowing health plans and health care providers to disclose health information without authorization directly to the person with power of attorney over issues not directly related to health care; and (2) prohibiting health plans or health care providers from disclosing health information without authorization directly to such persons and stating that disclosure without authorization is permitted only to persons designated formally (through power of attorney for health care) or informally as the patient’s health care decision-maker. We believe that both options have merit.
The first option recognizes that the responsibilities of persons with power of attorney often are broad, and that even when the power of attorney agreement does not relate directly to health care, the person with power of attorney at times has a legitimate need for health information in order to carry out his or her legal responsibility. The second option recognizes that when an individual is competent to make health care decisions, it is appropriate for him or her (or, if the individual wishes, for the informally designated health care decision maker) to decide whether the covered entity should disclose health information to someone with power of attorney over issues not directly related to health care.
In light of the fact that laws vary by State regarding power of attorney and that implementation of either option could be in the individual’s interest, we would allow health plans and health care providers to disclose protected health information without authorization directly to persons with power of attorney to handle any issue on the individual’s behalf, in accordance with State or other applicable laws regarding this issue.
This definition also accounts for situations in which a competent individual has granted one person power of attorney over health care issues yet, in practice, relies on another person to make health care decisions. We recognize that, by giving power of attorney for health care issues to one person and involving another person informally in making treatment decisions, the individual is, in the first instance, formally granting consent to release his or her health information and, in practice, granting consent to release medical information to the second person. Therefore, we would allow a health plan or provider, pursuant to State or other applicable law, to disclose protected health information without authorization to a person with power of attorney for the patient’s health care and to a person informally designated as the patient’s health care decision maker.
b. Disclosures pertaining to incapacitated individuals.
Covered entities would be permitted to disclose protected health information to any person making health care decisions for an incapacitated person under State or other applicable law. This definition defers to current laws regarding health care decision-making when a patient is not a minor and is incapable of making his or her own decisions. We propose to permit information to follow such decision-making authority. It is our intent not to disturb existing practices regarding incapacitated patients.
Applicable laws vary significantly regarding the categories of persons who can make health care decisions when a patient is incapable of making them. For example, some State laws establish a hierarchy of persons who may make medical decisions for the incapacitated person (e.g., first a person with power of attorney, if not then next-of-kin, if none then close friend, etc.). In other States, health care providers may exercise professional judgment about which person would make health care decisions in the patient’s best interest. We also recognize that federal agencies have, in some cases, established rules regarding such patients. For example, the DOD has established requirements regarding military personnel who are based overseas and who have become incapable of making their own decisions.
Because laws vary regarding patients unable to make their own decisions and because these patients’ interests could be served through a variety of arrangements, we would allow health plans and health care providers to disclose information in accordance with applicable laws regarding incapacitated patients.
c. Disclosures pertaining to minors.
In general, because the definition of individual would include parents, a parent, guardian, or person acting in loco parentis could exercise the rights established under this regulation on behalf of their minor (as established by applicable law) children. However, in cases where a minor lawfully obtains a health care service without the consent of or notification to a parent, the minor would be treated as the individual for purposes of exercising any rights established under this regulation with respect to protected health information relating to such health services. Laws regarding access to health care for minors and confidentiality of their medical records vary widely; this proposed regulation recognizes and respects the current diversity of the law in this area. It would not affect applicable regulation of the delivery of health care services to minors, and would not preempt any law authorizing or prohibiting disclosure of individually identifiable health information of minor individuals to their parents. The disclosure of individually identifiable health information from substance abuse records is also addressed by additional requirements established under 42 CFR part 2.
d. Foreign recipients of defense related health care.
We would define the term “individual” to exclude foreign military and foreign diplomatic personnel and their dependents who receive health care provided by or paid for by the DOD or other federal agency, or by an entity acting on its behalf, pursuant to a country-to-country agreement or federal statute. We would also exclude from this term overseas foreign national beneficiaries of health care provided by the DOD or other federal agency or by a non- governmental organization acting on behalf of DOD or such agency. This exclusion is discussed in section II.E.l3.
e. Disclosures pertaining to deceased persons.
This provision is discussed in Section II.C.6.
19. Individually identifiable health information. We would define “individually identifiable health information” as it is defined in section 1171(6) of the Act. While the definition of individually identifiable health information does not expand on the statutory definition, we recognize that the issue of how the identifying characteristics can be removed from such information (referred to in this rule as de-identification) presents difficult operational issues. Accordingly, we propose in §164.506(d) an approach for de-identifying identifiable information, along with restrictions designed to ensure that de-identified information is not used inappropriately.
The privacy standards would apply to “individually identifiable health information,” and not to information that does not identify the individual. We are aware that, even after removing obvious identifiers, there is always some probability or risk, however remote, that any information about an individual can be attributed. A 1997 MIT study showed that, because of the public availability of the Cambridge, Massachusetts voting list, 97 percent of the individuals in Cambridge whose data appeared in a data base which contained only their nine digit zip code and birth date could be identified with certainty. 1 Their information had been “de-identified” (some obvious identifiers had been removed) but it was not anonymous (it was still possible to identify the individual).
It is not always obvious when information identifies the subject. If the name and identifying numbers (e.g., SSN, insurance number, etc.) are removed, a person could still be identified by the address. With the address removed, the subject of a medical record could be identified based on health and demographic characteristics (e.g., age, race, diagnosis). “Identifiability” varies with the location of the subject; there could be hundreds of people in Manhattan who have the same age, race, gender, and diagnosis, but only one such person in a small town or rural county. Gauging the risk of identification of information requires statistical experience and expertise that most covered entities will not possess.
Obvious identifiers on health information could be replaced with random numbers or encrypted codes, which can prevent the person using the record from identifying the subject, but which allow the person holding the code to re-identify the information. Information with coded or encrypted identifiers would be considered “de-identified” but not “anonymous,” because it is still possible for someone to identify the subject.
We considered defining “individually identifiable health information” as any information that is not anonymous, that is, for which there is any possibility of identifying the subject. We rejected this option, for several reasons. First, the statute suggests a different approach. The term “individually identifiable health information” is defined in HIPAA as health information that “... identifies the individual, or with respect to which there is a reasonable basis to believe that the information can be used to identify the individual.” By including the modifier “reasonable basis,” Congress appears to reject the absolute approach to defining “identifiable.”
Second, covered entities may not have the statistical sophistication to know with certainty when sufficient identifying information has been removed so that the record is no longer identifiable. We believe that covered entities need more concrete guidance as to when information will and will not be “identifiable” for purposes of this regulation.
Finally, defining non-identifiable to mean anonymous would require covered entities to comply with the terms of this regulation with respect to information for which the probability of identification of the subject is very low. We want to encourage covered entities and others to remove obvious identifiers or encrypt them whenever possible; use of the absolute definition of “identifiable” would not promote this salutary result.
For these reasons, we propose at § 164.506(d)(2)(ii) that there be a presumption that, if specified identifying information is removed and if the holder has no reason to believe that the remaining information can be used by the reasonably anticipated recipients alone or in combination with other information to identify an individual, then the covered entity is presumed to have created de-identified information.
At the same time, in proposed § 164.506(d)(2)(iii), we would leave leeway for more sophisticated data users to take a different approach. We would include a “reasonableness” standard so that entities with sufficient statistical experience and expertise could remove or code a different combination of information, so long as the result is still a low probability of identification. With this approach, our intent is to provide certainty for most covered entities, while not limiting the options of more sophisticated data users.
In § 164.504, we propose to define “individually identifiable health information” to mean health information created or received by a health care provider, health plan, employer or health care clearinghouse, that could be used directly or indirectly to identify the individual who is the subject of the information. Under proposed § 164.506(d)(2)(ii), information would be presumed not to be “identifiable” if:
- all of the following data elements have been removed or otherwise concealed: name; address, including street address, city, county, zip code, or equivalent geocodes; names of relatives and employers; birth date; telephone and fax numbers; e-mail addresses; social security number; medical record number; health plan beneficiary number; account number; certificate/license number; any vehicle or other device serial number; web URL; Internet Protocol (IP) address; finger or voice prints; photographic images; and any other unique identifying number, characteristic, or code (whether generally available in the public realm or not) that the covered entity has reason to believe may be available to an anticipated recipient of the information, and
- the covered entity has no reason to believe that any reasonably anticipated recipient of such information could use the information alone, or in combination with other information, to identify an individual.
Thus, to create de-identified information, entities that had removed the listed identifiers would still have to remove additional data elements if they had reason to believe that a recipient could use the remaining information, alone or in combination with other information, to identify an individual. For example, if the “occupation” field is left intact and the entity knows that a person’s occupation is sufficiently unique to allow identification, that field would have to be removed from the relevant record. The presumption does not allow use or disclosure if the covered entity has reason to believe the subject of the information can be re-identified. Our concern with the potential for re-identification is heightened by our limited jurisdiction under HIPAA. Because we can only regulate health care providers, health plans and health care clearinghouses, we cannot prohibit other recipients of de-identified information from attempting to re-identify it.
To assist covered entities in ascertaining whether their attempts to create de-identified information would be successful, the Secretary would from time to time issue guidance establishing methods that covered entities could use to determine the identifiability of information. This guidance would include information on statistical and other tests that could be performed by covered entities in assessing whether they have created de-identified information. The manner in which such guidance would be published and distributed will be addressed in the final regulation. We solicit comment on the best ways in which to inform covered entities of appropriate and useful information on methods that they can use to determine whether information is de-identified.
In enforcing this regulation, the Secretary would consider the sophistication of covered entities when determining whether a covered entity had reason to believe that information that it had attempted to de-identify continued to identify the subject. Covered entities that routinely create and distribute de-identified data would be expected to be aware of and to use advanced statistical techniques, including the guidance issued by the Secretary, to ensure that they are not improperly disclosing individually identifiable health information. Covered entities that rarely create de-identified information would not be expected to have the same level of knowledge of these statistical methods, and generally could rely on the presumption that information from which they have removed the listed identifiers (and provided that they do not know that the information remains identifiable) is de-identified. We solicit comment on whether the enforcement approach that we are suggesting here and our overall approach relating to the creation of de-identified information would provide sufficient guidance to covered entities to permit them to create, use and disclose de-identified information.
In addition, we propose to permit entities with appropriate statistical experience and expertise (obtained through a statistical consultant or staff with statistical expertise) to decide that some of the above named data elements could be retained in the de-identified data set if: (1) the entity determines that the probability of identifying an individual with the remaining information is very low, or (2) the entity has converted the “identifiable” data elements into data elements that, in combination with the remaining information, have a very low probability of being used to identify an individual. An example of such a conversion would be the translation of birth date into age expressed in years or, if still determined to convey “identifiability,” age expressed in categories of years (e.g., age 18 to 24). In making these determinations, the entity must consider the data elements taken together as well as any additional information that might reasonably be available to a recipient. Examples of the types of entities that would have the statistical experience and expertise to make this type of judgment include large health research institutions such as medical schools with epidemiologists and statisticians on the faculty; federal agencies such as the National Center for Health Statistics, the Agency for Health Care Policy and Research, FDA, the Bureau of the Census, and NIH; and large corporations that do health research such as pharmaceutical manufacturers with epidemiologists and statisticians on staff.
An important component of this approach to defining “identifiable” would be the prohibition on re-identification of health information. We propose that a covered entity that is a recipient of de-identified information who attempts to re-identify such de-identified information for a purpose for which protected health information could not be used or disclosed under this rule be deemed to be in violation of the law. See proposed § 164.506(d) and section II.C. below. There may be circumstances, however, when recipients of de-identified information will have a legitimate reason to request that the de-identified information be re-identified by the originating covered entity. For example, if a researcher received de-identified information from a covered entity and the research revealed that a particular patient was misdiagnosed, the covered entity should be permitted to re-identify the patient’s health information so that the patient could be informed of the error and seek appropriate care. One of the principal reasons entities retain information in coded form, rather than rendering it anonymous, is to enable re-identification of the information for appropriate reasons. Although we would anticipate that the need for re- identification would be rare, entities that expect to have to perform this function should establish a process for determining when re-identification is appropriate. Once covered entities re-identify information, it becomes protected information and may, therefore, be used and disclosed only as permitted by this regulation.
The phrase “individually identifiable” information is already in use by many HHS agencies and others. In particular, the Common Rule regulation includes “identifiable private information” in its definition of “human subject.” Because of this, medical records research on “identifiable private information” is subject to Common Rule consent and IRB review requirements. It would not be our intent to suggest changes to this practice. Researchers and others can and are encouraged to continue to use more stringent approaches to protecting information.
We invite comment on the approach that we are proposing and on alternative approaches to standards for covered entities to determine when health information can reasonably be considered no longer individually identifiable.
20. Law enforcement official. We propose a new definition of "law enforcement official," to mean an officer of the United States or a political subdivision thereof, who is empowered by law to conduct an investigation or official proceeding inquiring into a violation of, or failure to comply with, any law; or a criminal, civil, or administrative proceeding arising from a violation of, or failure to comply with, any law.
21. Payment. We offer a new definition of payment. The term “payment” would mean activities undertaken by a health plan (or by a business partner on behalf of a health plan) to determine its responsibilities for coverage under the health plan policy or contract including the actual payment under the policy or contract, or by a health care provider (or by a business partner on behalf of a provider) to obtain reimbursement for the provision of health care, including:
- determinations of coverage, improving payment methodologies or coverage policies, or adjudication or subrogation of claims;
- risk adjusting payments based on enrollee health status and demographic characteristics;
- billing, claims management, medical review, medical data processing;
- review of health care services with respect to medical necessity, coverage under a health plan policy or contract, appropriateness of care, or justification of charges; and,
- utilization review activities, including pre-certification and preauthorization of services.
Our proposed definition is intended to capture the necessary sharing of protected health information among health care providers who provide care, health plans and other insurers who pay for care, their business partners, as well as sponsors of group health plans, such as employers, who pay for care and sometimes provide administrative services in conjunction with health plan payment activities. For example, employers sometimes maintain the eligibility file with respect to a group health plan.
Our proposed definition anticipates that protected health information would be used for payment purposes within entities, would be shared with business partners, and in most cases would be shared between health care providers and health plans (and their business partners). In some cases, a payment activity could result in the disclosure of protected health information by a plan to an employer or to another payer of health care, or to an insurer that is not a covered entity, such as for coordination of benefits or to a workers compensation carrier. For example, a health plan could disclose protected health information to an employer in connection with determining the experience rate for group coverage.
We are concerned that disclosures for payments may routinely result in disclosures of protected health information to non-covered entities, such as employers, which are not subject to the use and disclosure requirements of this rule. We considered prohibiting disclosures to employers without individual authorization, or alternatively, requiring a contractual relationship, similar to the contracts required for business partners, before such disclosures could occur. We note that the National Committee on Quality Assurance has adopted a standard for the year 2000 that would require health plans to “have policies that prohibit sending identifiable personal health information to fully insured or self-insured employers and provide safeguards against the use of information in any action relating to an individual” (Standard R.R.6, National Committee for Quality Assurance 2000 Standards).
We did not adopt either of these approaches, however, because we were concerned that we might disrupt some beneficial activities if we were to prohibit or place significant conditions on disclosures by health plans to employers. We also recognize that employers are paying for health care in many cases, and it has been suggested to us that they may need access to claims and other information for the purposes of negotiating rates, quality improvement and auditing their plans and claims administrators. We invite comment on the extent to which employers currently receive protected health information about their employees, for what types of activities protected health information is received, and whether any or all of these activities could be accomplished with de-identified health information. We also invite other comments on how disclosures to employers should be treated under this rule.
22. Protected health information. We would create a new definition of “protected health information” to mean individually identifiable health information that is or has been electronically maintained or electronically transmitted by a covered entity, as well as such information when it takes any other form. For example, protected health information would remain protected after it is read from a computer screen and discussed orally, printed onto paper or other media, photographed, or otherwise duplicated. We note that individually identifiable health information created or received by an employer as such would not be considered protected health information, although such information created or received by an employer in its role as a health plan or provider would be protected health information.
Under this definition, information that is “electronically transmitted” would include information exchanged with a computer using electronic media, even when the information is physically moved from one location to another using magnetic or optical media (e.g., copying information from one computer to another using a floppy disc). Transmissions over the Internet (i.e., open network), Extranet (i.e., using Internet technology to link a business with information only accessible to collaborating parties), leased lines, dial-up lines, and private networks would all be included. Telephone voice response and “faxback” (i.e., a request for information from a computer made via voice or telephone keypad input with the requested information returned as a fax) systems would be included because these are computer output devices similar in function to a printer or video screen. This definition would not include “paper-to-paper” faxes, or person-to- person telephone calls, video teleconferencing, or messages left on voice-mail. The key concept that determines if a transmission meets the definition is whether the source or target of the transmission is a computer. The medium or the machine through which the information is transmitted or rendered is irrelevant.
Also, information that is “electronically maintained” would be information stored by a computer or on any electronic medium from which the information may be retrieved by a computer. These media include, but are not limited to, electronic memory chips, magnetic tape, magnetic disk, or compact disc (CD) optical media.
Individually identifiable health information that is part of an “education record” governed by the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. 1232g, would not be considered protected health information. Congress specifically addressed such information when it enacted FERPA to protect the privacy rights of students and parents in educational settings. FERPA applies to educational records that are maintained by educational agencies and institutions that are recipients of federal funds from the Department of Education. FERPA requires written consent of the parent or student prior to disclosure of education records except in statutorily specified circumstances. We do not believe that Congress intended to amend or preempt FERPA in enacting HIPAA.
Individually identifiable health information of inmates of correctional facilities and detainees in detention facilities would be excluded from this definition because unimpeded sharing of inmate identifiable health information is crucial for correctional and detention facility operations. In a correctional or detention setting, prison officials are required by law to safely house and provide health care to inmates. These activities require the use and disclosure of identifiable health information. Therefore, correctional and detention facilities must routinely share inmate health information among their health care and other components, as well as with community health care facilities. In order to maintain good order and protect the well-being of prisoners, the relationship between such facilities and inmates or detainees involves a highly regulated, specialized area of the law which has evolved as a carefully balanced compromise with due deference to institutional needs and obligations.
Federal and other prison facilities routinely share health information with community health care facilities in order to provide medical treatment to persons in their custody. It is not uncommon for inmates and detainees to be transported from one facility to another, for example, for the purpose of making a court appearance in another jurisdiction, or to obtain specialized medical care. In these and other circumstances, law enforcement agencies such as the Federal Bureau of Prisons (the Bureau), the United States Marshals Service (USMS), the Immigration and Naturalization Service, State prisons, county jails, and U.S. Probation Offices, share identifiable health information about inmates and detainees to ensure that appropriate health care and supervision of the inmate or detainee is maintained. Likewise, these agencies must, in turn, share health information with the facility that resumes custody of the inmate or detainee.
Requiring an inmate’s or detainee’s authorization for disclosure of identifiable health information for day-to-day operations would represent a significant shift in correctional and detention management philosophy. If correctional and detention facilities were covered by this rule, the proposed provisions for individual authorizations could potentially be used by an inmate or detainee to override the safety and security concerns of the correctional/custodial authority; for example, an inmate being sent out on a federal writ could refuse to permit the Bureau to disclose a suicide history to the USMS. Additionally, by seeking an authorization to disclose the information, staff may give the inmate or detainee advance notice of an impending transfer, which in turn may create security risks.
Therefore we propose to exclude the individually identifiable health information of inmates of correctional facilities and detainees in detention facilities from the definition of protected health information. We note that existing federal laws limiting the disclosure and release of information (e.g., FOIA/Privacy Act) protect the privacy of identifiable federal inmate health information. Subject to certain limitations, these laws permit inmates and detainees to obtain and review a copy of their medical records and to correct inaccurate information.
Under this approach, the identifiable health information held by correctional and detention facilities of persons who have been released would not be protected. The facilities require continued access to such information for security, protection and health care purposes because inmates and detainees are frequently readmitted to correctional and detention facilities. However, concern has been expressed about the possibility that absent coverage by this proposed rule, correctional and detention facilities may disclose information about former inmates and detainees without restriction. We therefore request comments on whether identifiable health information held by correctional and detention facilities about former inmates and detainees should be subject to this rule, and the potential security concerns and burden such a requirement might place on these facilities.
23. Psychotherapy notes. We would define “psychotherapy notes” to mean detailed notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session. Such notes are used only by the therapist who wrote them, maintained separately from the medical record, and not involved in the documentation necessary for health care treatment, payment, or operations. Such term would not include medication prescription and monitoring, counseling session start and stop times or the modalities and frequencies of treatment furnished, results of clinical tests, or a brief summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis and progress to date.
24. Public health authority. We would define “public health authority” as an agency or authority of the United States, a State, a territory, a political subdivision of a State or territory, or an Indian tribe that is responsible for public health matters as part of its official mandate.
25. Research. We would define "research" as a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge. We further explain that “generalizable knowledge” is knowledge related to health that can be applied to populations outside of the population served by the covered entity.
This is the definition of "research" in the federal regulation that protects human subjects, entitled The Federal Policy for the Protection of Human Subjects (often referred to as the "Common Rule," at 45 CFR part 46). This definition is well understood in the research community and elsewhere, and we propose to use it here to maintain consistency with other federal regulations that affect research.
26. Research information unrelated to treatment. We would define "research information unrelated to treatment" as information that is received or created by a covered entity in the course of conducting research for which there is insufficient scientific and medical evidence regarding the validity or utility of the information such that it should not be used for the purpose of providing health care2, and with respect to which the covered entity has not requested payment from a health plan.
27. Treatment. We would define “treatment” to mean the provision of health care by, or the coordination of health care (including health care management of the individual through risk assessment, case management, and disease management) among, health care providers, or the referral of an individual from one provider to another, or coordination of health care or other services among health care providers and third parties authorized by the health plan or the individual. Our definition is intended to relate only to services provided to an individual and not to an entire enrolled population.
28. Use. We would propose a new definition of the term “use” to mean the employment, application, utilization, examination or analysis of health information within an entity that holds the information.
29. Workforce. We would define “workforce” to mean employees, volunteers, trainees and other persons under the direct control of a covered entity, including persons providing labor on an unpaid basis.
1 Sweeney, L. Guaranteeing Anonymity when Sharing Medical Data, the Datafly System. Masys, D., Ed. Proceedings, American Medical Informatics Association, Nashville, TN: Hanley & Belfus, Inc., 1997:51-55.
2 For example, validity is an indicator of how well a test measures the property or characteristic it is intended to measure and the reliability of a test, i.e., whether the same result is obtained each time the test is used. Validity is also a measurement of the accuracy with which a test predicts a clinical condition. Utility refers to the degree to which the results of test can be used to make decision about the subsequent delivery of health care.