NRPM: Standards for Privacy of Individually Identifiable Health Information. B. Definitions. (§§ 160.103 and 164.504)


Section 1171 of the Act defines several terms and our proposed rules would, for the most part, simply restate the law or adopt definitions previously defined in the other HIPAA proposed rules. In some instances, we propose definitions from the Secretary’s Recommendations. We also propose some new definitions for convenience and efficiency of exposition, and others to clarify the application and operation of this rule. We describe the proposed definitions and discuss the rationale behind them, below.

Most of the definitions would be defined in proposed §§ 160.103 and 164.504. The definitions at proposed § 160.103 apply to all Administrative Simplification standards, including this privacy rule and the security standard. The definitions proposed in § 164.504 would apply only to this privacy rule. Certain other definitions are specific to particular sections of the proposed rule and are provided in those sections. The terms that are defined at proposed § 160.103 follow:

1. Act. We would define “Act” to mean the Social Security Act, as amended. This definition would be added for convenience.

2. Covered entity. This definition would be provided for convenience of reference and would mean the entities to which part C of title XI of the Act applies. These are the entities described in section 1172(a)(1): health plans, health care clearinghouses, and health care providers who transmit any health information in electronic form in connection with a transaction referred to in section 1173(a)(1) of the Act (a “standard transaction”). In the preamble we occasionally refer to health plans and the health care providers described above as "covered plans," "covered providers," or "covered plans and providers."

We note that health care providers who do not submit HIPAA transactions in standard form become covered by this rule when other entities, such as a billing service or a hospital, transmit standard electronic transactions on their behalf. The provider could not circumvent these requirements by assigning the task to its agent, since the agent would be deemed to be acting as the provider.

3. Health care. We would define the term “health care” as it is defined in the Secretary’s Recommendations. Health care means the provision of care, services, or supplies to a patient and includes any: (1) preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, counseling, service, or procedure with respect to the physical or mental condition, or functional status, of a patient or affecting the structure or function of the body; (2) sale or dispensing of a drug, device, equipment, or other item pursuant to a prescription; or (3) procurement or banking of blood, sperm, organs, or any other tissue for administration to patients.

4. Health care clearinghouse. We would define “health care clearinghouse” as defined by section 1171(2) of the Act. The Act defines a “health care clearinghouse” as a “public or private entity that processes or facilitates the processing of nonstandard data elements of health information into standard data elements.” In practice, clearinghouses receive transactions from health care providers, health plans, other health care clearinghouses, or business partners of such entities, and other entities, translate the data from a given format into one acceptable to the entity receiving the transaction, and forward the processed transaction to that entity. There are currently a number of private clearinghouses that contract or perform this function for health care providers. For purposes of this rule, we would consider billing services, repricing companies, community health management information systems or community health information systems, “value-added” networks, switches and similar organizations to be health care clearinghouses for purposes of this part only if they actually perform the same functions as a health care clearinghouse.

We would note that we are proposing to exempt clearinghouses from a number of the provisions of this rule that would apply to other covered entities (see §§ 164.512, 164.514 and 164.516 below), because in most cases we do not believe that clearinghouses would be dealing directly with individuals. In many instances, clearinghouses would be considered business partners under this rule and would be bound by their contracts with covered plans and providers. See proposed § 164.506(e). We would adopt this position with the caveat that the exemptions would be void for any clearinghouse that had direct contact with individuals in a capacity other than that of a business partner.

5. Health care provider. Section 1171(3) of the Act defines “health care provider” as a “provider of medical services as defined in section 1861(u) of the Act, a provider of medical or other health services as defined in section 1861(s) of the Act, and any other person who furnishes health care services or supplies.” We are proposing to define “health care provider” as the Act does, and clarify that a health care provider is limited to any person or organization that furnishes, bills, or is paid for, health care services or supplies in the normal course of business. This definition would include a researcher who provides health care to the subjects of research, free clinics, and a health clinic or licensed health care professional located at a school or business.

Section 1861(u) of the Act contains the Medicare definition of a provider, which encompasses institutional providers, such as hospitals, skilled nursing facilities, home health agencies, and comprehensive outpatient rehabilitation facilities. Section 1861(s) of the Act defines other Medicare facilities and practitioners, including assorted clinics and centers, physicians, clinical laboratories, various licensed/certified health care practitioners, and suppliers of durable medical equipment. The last portion of the proposed definition encompasses appropriately licensed or certified health care practitioners or organizations, including pharmacies and nursing homes and many types of therapists, technicians, and aides. It also would include any other individual or organization that furnishes health care services or supplies in the normal course of business. An individual or organization that bills and/or is paid for health care services or supplies in the normal course of business, such as a group practice or an “on-line” pharmacy accessible on the Internet, is also a health care provider for purposes of this statute.

For a more detailed discussion of the definition of health care provider, we refer the reader to our proposed rule (Standard Health Care Provider Identifier) published on May 7, 1998, in the Federal Register (63 Fed Reg 25320).

6. Health information. We would define “health information” as it is defined in section 1171(4) of the Act. “Health information” would mean any information, whether oral or recorded in any form or medium, that is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and that relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.

In this paragraph we attempt to clarify the relationship between the defined terms “health information,” “individually identifiable health information” and “protected health information.” The term “health information” encompasses the universe of information governed by the administrative simplification requirements of the Act. For example, under section 1173 of the Act, the Secretary is to adopt standards to enable the electronic exchange of all health information. However, protection of personal privacy is primarily a concern for the subset of health information that is “individually identifiable health information,” as defined by the Act (see below). For example, a tabulation of the number of students with asthma by school district would be health information, but since it normally could not be used to identify any individuals, it would not usually create privacy concerns. The definition of individually identifiable health information omits some of the persons or organizations that are described as creating or receiving “health information.” Some sections of the Act refer specifically to individually identifiable health information, such as section 1177 in setting criminal penalties for wrongful use or disclosure, and section 264 in requesting recommendations for privacy standards. Finally, we propose the phrase “protected health information” (§ 164.504) to refer to the subset of individually identifiable health information that is used or disclosed by the entities that are subject to this rule.

7. Health plan. We would define “health plan” essentially as section 1171(5) of the Act defines it. Section 1171 of the Act refers to several definitions in section 2791 of the Public Health Service Act, 42 U.S.C. 300gg-91, as added by Public Law 104-191. For clarity, we would incorporate the referenced definitions as currently stated into our proposed definitions.

As defined in section 1171(5), a “health plan” is an individual plan or group health plan that provides, or pays the cost of, medical care (see section 2791(a) of the Public Health Service Act (PHS Act)). This definition would include, but is not limited to, the 15 types of plans listed in the statute, as well as any combination of them. The term would include, when applied to public benefit programs, the component of the government agency that administers the program. Church plans and government plans are included to the extent that they fall into one or more of the listed categories.

“Health plan” includes the following singly or in combination:

a. “Group health plan” (as currently defined by Section 2791(a) of the PHS Act). A group health plan is a plan that has 50 or more participants (as the term “participant” is currently defined by section 3(7) of ERISA) or is administered by an entity other than the employer that established and maintains the plan. This definition includes both insured and self-insured plans.

Section 2791(a)(1) of the PHS Act defines “group health plan” as an employee welfare benefit plan (as defined in current section 3(1) of ERISA) to the extent that the plan provides medical care, including items and services paid for as medical care, to employees or their dependents directly or through insurance, or otherwise.

b. “Health insurance issuer” (as currently defined by section 2791(b) of the PHS Act).

Section 2971(b) of the PHS Act defines a “health insurance issuer” as an insurance company, insurance service, or insurance organization that is licensed to engage in the business of insurance in a State and is subject to State law that regulates insurance.

c. “Health maintenance organization” (as currently defined by section 2791(b) of the PHS Act). Section 2791(b) of the PHS Act currently defines a “health maintenance organization” as a federally qualified health maintenance organization, an organization recognized as such under State law, or a similar organization regulated for solvency under State law in the same manner and to the same extent as such a health maintenance organization. These organizations may include preferred provider organizations, provider sponsored organizations, independent practice associations, competitive medical plans, exclusive provider organizations, and foundations for medical care.

d. Part A or Part B of the Medicare program (title XVIII of the Act).

e. The Medicaid program (title XIX of the Act).

f. A “Medicare supplemental policy” as defined under section 1882(g)(1) of the Act. Section 1882(g)(1) of the Act defines a “Medicare supplemental policy” as a health insurance policy that a private entity offers a Medicare beneficiary to provide payment for expenses incurred for services and items that are not reimbursed by Medicare because of deductible, coinsurance, or other limitations under Medicare. The statutory definition of a Medicare supplemental policy excludes a number of plans that are similar to Medicare supplemental plans, such as health plans for employees and former employers and for members and former members of trade associations and unions. A number of these health plans may be included under the definitions of “group health plan” or “health insurance issuer,” as defined in paragraphs “a” and “b” above.

g. A “long-term care policy,” including a nursing-home fixed indemnity policy. A “long- term care policy” is considered to be a health plan regardless of how comprehensive it is.

h. An employee welfare benefit plan or any other arrangement that is established or maintained for the purpose of offering or providing health benefits to the employees of two or more employers. This includes plans that are referred to as multiple employer welfare arrangements (“MEWAs”).

i. The health care program for active military personnel under title 10 of the United States Code. See paragraph “k”, below, for further discussion.

j. The veterans health care program under chapter 17 of title 38 of the United States Code. This health plan primarily furnishes medical care through hospitals and clinics administered by the Department of Veterans Affairs (VA) for veterans enrolled in the VA health care system.

k. The Civilian Health and Medical Program of the Uniformed Services (CHAMPUS) as defined in 10 U.S.C. 1072(4). We note that the Act’s definition of “health plan” omits several types of health care provided by the Department of Defense (DOD). Sections 1171(5)(I) and 1171(5)(K) cover only the health care program for active duty personnel (see 10 U.S.C. 1074(a)) and the CHAMPUS program (see 10 U.S.C. 1079, 1086). What is omitted is health care provided in military treatment facilities to military retirees (see 10 U.S.C. 1074(b)), to dependents of active duty personnel and to dependents of retirees (see 10 U.S.C. 1076), to Secretarial designees such as members of Congress, Justices of the Supreme Court, and to foreign military personnel under NATO status of forces agreements. Health care provided by the DOD in military facilities to the aforementioned persons is not included as a “health plan” under HIPAA. However, these facilities would still be considered to be health care providers.

l. The Indian Health Service program under the Indian Health Care Improvement Act (25 U.S.C. 1601, et. seq.). This program furnishes services, generally through its own health care providers, primarily to persons who are eligible to receive services because they are of American Indian or Alaskan Native descent.

m. The Federal Employees Health Benefits Program under 5 U.S.C. chapter 89. This program consists of health insurance plans offered to active and retired federal employees and their dependents. Although section 1171(5)(M) of the Act refers to the “Federal Employees Health Benefit Plan,” this and any other rules adopting administrative simplification standards will use the correct name, the Federal Employees Health Benefits Program. One health plan does not cover all federal employees; over 350 health plans provide health benefits coverage to federal employees, retirees, and their eligible family members. Therefore, we will use the correct name, The Federal Employees Health Benefits Program, to make clear that the administrative simplification standards apply to all health plans that participate in the Program.

n. An approved State child health plan for child health assistance that meets the requirements of section 2103 of the Act, which established the Children's Health Insurance Program (CHIP).

o. A Medicare Plus Choice organization as defined in 42 CFR 422.2, with a contract under 42 CFR part 422, subpart K.

p. Any other individual plan or group health plan, or combination thereof, that provides or pays for the cost of medical care. This category implements the language at the beginning of the statutory definition of the term "health plan": "The term 'health plan' means an individual or group plan that provides, or pays the cost of, medical care . . . Such term includes the following, and any combination thereof . . ." This statutory language is general, not specific. Moreover, the statement that the term "health plan" "includes" the specified plans implies that the term also covers other plans that meet the stated criteria. One approach to interpreting this introductory language in the statute would be to make coverage decisions about plans that may meet these criteria on a case-by-case basis. Instead we propose to clarify its coverage by adding this category to the proposed definition of "health plan"; we seek public comment on its application. The Secretary would determine which plans that meet the criteria in the preceding paragraph are health plans for purposes of title II of HIPAA.

Consistent with the other parts of HIPAA, the provisions of this rule generally would not apply to certain types of insurance entities, such as workers’ compensation and automobile insurance carriers, other property and casualty insurers, and certain forms of limited benefits coverage, even when such arrangements provide coverage for health care services. 29 U.S.C. 1186(c). We note that health care providers would be subject to the provisions of this rule with respect to the health care they provide to individuals, even if such providers seek or receive reimbursement from an insurance entity that is not a covered entity under these rules. However, nothing in this rule would be intended to prevent a health care provider from disclosing protected health information to a non-covered insurance entity for the purpose of obtaining payment for services. Further, under proposed § 164.510(n), this rule would permit disclosures by health care providers of protected health information to such insurance entities and to other persons when mandated by applicable law for the purposes of determining eligibility for coverage or benefits under such insurance arrangements. For example, a State workers’ compensation law that requires disclosure of protected health information to an insurer or employer for the purposes of determining an individual’s eligibility for medical or other benefits, or for the purpose of determining fitness for duty, would not be disturbed by this rule.

8. Secretary. This term means the Secretary of Health and Human Services and any other officer or employee of the Department of Health and Human Services to whom the authority involved has been delegated. It is provided for ease of reference.

9. Small health plan. The HIPAA does not define a “small health plan,” but instead explicitly leaves the definition to be determined by the Secretary. We propose to adopt the size classification used by the Small Business Administration. We would therefore define a “small health plan” as a health plan with annual receipts of $5 million or less. 31 CFR 121.201. This differs from the definition of “small health plan” in prior proposed Administrative Simplification rules. We will conform the definitions in the final Administrative Simplification rules.

10. Standard. The term “standard” would mean a prescribed set of rules, conditions, or requirements concerning classification of components, specification of materials, performance or operations, or delineation of procedures in describing products, systems, services, or practices. This definition is a general one, to accommodate the varying functions of the specific standards proposed in the other HIPAA regulations, as well as the rules proposed below.

11. State. This term would include the 50 States, the District of Columbia, the Commonwealth of Puerto Rico, the Virgin Islands, and Guam. This definition follows the statutory definition of “State” in section 1101(a) of the Act.

12. Transaction. We would define “transaction,” as we have done in other Administrative Simplification regulations, to mean the exchange of information between two parties to carry out financial or administrative activities related to health care. A transaction would be (1) any of the transactions listed in section 1173(a)(2) of the Act, and (2) any transaction determined appropriate by the Secretary in accordance with Section 1173(a)(1) of the Act.

A “transaction” would mean any of the following:

a. Health claims or equivalent encounter information. This transaction could be used to submit health care claim billing information, encounter information, or both, from health care providers to payers, either directly or via intermediary billers and claims clearinghouses.

b. Health care payment and remittance advice. This transaction could be used by a health plan to make a payment to a financial institution for a health care provider (sending payment only), to send an explanation of benefits remittance advice directly to a health care provider (sending data only), or to make payment and send an explanation of benefits remittance advice to a health car provider via a financial institution (sending both payment and data).

c. Coordination of benefits. This transaction could be used to transmit health care claims and billing payment information between payers with different payment responsibilities where coordination of benefits is required or between payers and regulatory agencies to monitor the furnishing, billing, and/or payment of health care services within a specific health care/insurance industry segment.

d. Health claims status. This transaction could be used by health care providers and recipients of health care products or services (or their authorized agents) to request the status of a health care claim or encounter from a health plan.

e. Enrollment and disenrollment in a health plan. This transaction could be used to establish communication between the sponsor of a health benefit and the payer. It provides enrollment data, such as subscriber and dependents, employer information, and primary care health care provider information. A sponsor would be the backer of the coverage, benefit, or product. A sponsor could be an employer, union, government agency, association, or insurance company. The health plan would refer to an entity that pays claims, administers the insurance product or benefit, or both.

f. Eligibility for a health plan. This transaction could be used to inquire about the eligibility, coverage, or benefits associated with a benefit plan, employer, plan sponsor, subscriber, or a dependent under the subscriber’s policy. It also could be used to communicate information about or changes to eligibility, coverage, or benefits from information sources (such as insurers, sponsors, and payers) to information receivers (such as physicians, hospitals, third party administrators, and government agencies).

g. Health plan premium payments. This transaction could be used by, for example, employers, employees, unions, and associations to make and keep track of payments of health plan premiums to their health insurers. This transaction could also be used by a health care provider, acting as liaison for the beneficiary, to make payment to a health insurer for coinsurance, copayments, and deductibles.

h. Referral certification and authorization. This transaction could be used to transmit health care service referral information between health care providers, health care providers furnishing services, and payers. It could also be used to obtain authorization for certain health care services from a health plan.

i. First report of injury. This transaction could be used to report information pertaining to an injury, illness, or incident to entities interested in the information for statistical, legal, claims, and risk management processing requirements.

j. Health claims attachments. This transaction could be used to transmit health care service information, such as subscriber, patient, demographic, diagnosis, or treatment data for the purpose of a request for review, certification, notification, or reporting the outcome of a health care services review.

k. Other transactions as the Secretary may prescribe by regulation. Under section 1173(a)(1)(B) of the Act, the Secretary may adopt standards, and data elements for those standards, for other financial and administrative transactions deemed appropriate by the Secretary. These transactions would be consistent with the goals of improving the operation of the health care system and reducing administrative costs.

In addition to the above terms, a number of terms are defined in proposed § 164.504, and are specific to the proposed privacy rules. They are as follows:

13. Business partner. This term would mean a person to whom a covered entity discloses protected health information so that the person can carry out, assist with the performance of, or perform on behalf of, a function or activity for the covered entity. Such term includes any agent, contractor or other person who receives protected health information from the covered entity (or from another business partner of the covered entity) for the purposes described in the previous sentence. It would not include a person who is an employee, a volunteer or other person associated with the covered entity on a paid or unpaid basis.

14. Designated record set. This term would be defined as a group of records under the control of a covered entity from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual, and which is used by the covered entity to make decisions about the individual. The concept of a “designated record set” is derived from the Privacy Act’s concept of a “system of records.” Under the Privacy Act, federal agencies must provide an individual with access to "information pertaining to him which is contained in [a system of records]." 5 U.S.C. 552a(d)(1). A “system of records” is defined as "a group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual." 5 U.S.C. 552a(a)(5). Under this rule, we would substitute the term “covered entity” for “agency” and limit the information to that used by the covered entity to make decisions about the individual.

We would define a “record” as "any item, collection, or grouping of protected health information maintained, collected, used, or disseminated by a covered entity." Under the Privacy Act, "the term 'record' means any item, collection, or grouping of information about an individual that is maintained by an agency, including, but not limited to, his education, financial transactions, medical history, and criminal or employment history and that contains his name, or the identifying number, symbol, or other identifying particular assigned to the individual, such as a finger or voice print or a photograph." 5 U.S.C. 552a(a)(4). For purposes of this rule we propose to limit the information to protected health information, as defined in this rule. “Protected health information” already incorporates the concept of identifiability, and therefore our definition of “record” is much simpler.

For health plans, designated record sets would include, at a minimum, the claims adjudication, enrollment, and patient accounting systems. For health care providers, designated record sets would include, at a minimum, the medical records and billing records. Designated record set would also include a correspondence system, a complaint system, or an event tracking system if decisions about individuals are made based, in whole or in part, on information in those systems. Files used to backup a primary data system or the sequential files created to transmit a batch of claims to a clearinghouse are clear examples of data files which would not fall under this definition.

We note that a designated record set would only exist for types of records that a covered entity actually “retrieves” by an identifier, and not records that are only “retrievable” by an identifier. In many cases, technology will permit sorting and retrieving by a variety of fields and therefore the “retrievable” standard would be relatively meaningless.

15. Disclosure. This term would be defined as the release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information.

16. Health care operations. We propose the term “health care operations” to clarify the activities we consider to be “compatible with and directly related to” treatment and payment and therefore would not require authorization from the individual for use or disclosure of protected health information.

Under our proposal, “health care operations” means the following services or activities if provided by or on behalf of a covered health plan or health care provider for the purposes of carrying out the management functions of such plan or provider necessary for the support of treatment or payment:

  • Conducting quality assessment and improvement activities, including evaluating outcomes, and developing clinical guidelines;
  • Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which undergraduate and graduate students and trainees in all areas of health care learn under supervision to practice as health care providers (e.g., residency programs, grand rounds, nursing practicums), accreditation, certification, licensing or credentialing activities;
  • Insurance rating and other insurance activities relating to the renewal of a contract for insurance, including underwriting, experience rating, and reinsurance, but only when the individuals are already enrolled in the health plan conducting such activities and only when the use or disclosure of such protected health information relates to an existing contract of insurance (including the renewal of such a contract);
  • Conducting or arranging for auditing services, including fraud and abuse detection and compliance programs; and
  • Compiling and analyzing information in anticipation of, or for use in, civil or criminal legal proceedings.

Our definition proposes to limit health care operations to functions and activities performed by a health plan or provider or by a business partner on behalf of a health plan or a provider. Our definition anticipates that in order for treatment and payment to occur, protected health information would be used within entities, would be shared with business partners, and in some cases would be shared between covered entities (or their business partners). However, a health care operation should not result in protected health information being disclosed to an entity that is not the covered entity (or a business partner of such entity) on whose behalf the operation is being performed. For example, a health plan may request a health care provider to provide protected health information to the health plan, or to a business partner of the health plan, as part of an outcomes evaluation effort relating to providers affiliated with that plan. This would be a health care operation.

We are aware that the health care industry is changing and that these categories, though broad, may need to be modified to reflect different conditions in the future.

17. Health oversight agency. We would define the term “health oversight agency” as it is defined in the Secretary’s Recommendations. See section II.E. below for further discussion.

18. Individual. We would define “individual” to mean the person who is the subject of protected health information. We would define the term to include, with respect to the signing of authorizations and other rights (such as access, copying, and correction), various types of legal representatives. The term would include court-appointed guardians or persons with a power of attorney, including persons making health care decisions for incapacitated persons, persons acting on behalf of a decedent’s estate, where State or other applicable law authorizes such legal representatives to exercise the person’s rights in such contexts, and parents subject to certain restrictions explained below. We would define this term to exclude foreign military and foreign diplomatic personnel and their dependents who receive health care provided or paid for by the DOD or other federal agency or entity acting on its behalf, and overseas foreign national beneficiaries of health care provided by the DOD or other federal agency, or non-governmental organization acting on its behalf.