NRPM: Standards for Privacy of Individually Identifiable Health Information. b. Proposed requirements.


Specifically, we would permit covered entities to disclose protected health information without individual authorization to a health oversight agency to conduct oversight activities authorized by law. Disclosures also could be made to private entities working under a contract with or grant of authority from one or more of the government oversight agencies described above. As discussed below, oversight activities by private entities operating pursuant to contracts with covered entities, such as accreditation organizations, would not be permitted to receive information under this provision, even if accreditation by such an organization is recognized by law as fulfilling a government requirement or condition of participation in a government program (often referred to as "deemed status").

Under our rule, oversight activities would include conducting or supervising the following activities: audits; investigations; inspections; civil, criminal or administrative proceedings or actions; and other activities necessary for appropriate oversight of the health care system, of government benefit programs for which health information is relevant to beneficiary eligibility, and of government regulatory programs for which health information is necessary for determining compliance with program standards. This regulation does not create any new right of access to health records by oversight agencies, and could not be used as authority to obtain records not otherwise legally available to the oversight agency.

Under our rule, a health oversight agency would be defined as a public agency authorized by law to conduct oversight activities relating to the health care system, a government program for which health information is relevant to determining beneficiary eligibility or a government regulatory program for which health information is necessary for determining compliance with program standards. Examples of agencies in the first category would include State insurance commissions, State health professional licensure agencies, Offices of Inspectors General of federal agencies, the Department of Justice, State Medicaid fraud control units, Defense Criminal Investigative Services, the Pension and Welfare Benefit Administration, the HHS Office for Civil Rights, and the FDA. Examples of agencies in the second category include the Social Security Administration and the Department of Education. Examples of agencies in the third category include the workplace safety programs such as the Occupational Health and Safety Administration and the Environmental Protection Agency. Agencies that conduct both oversight and law enforcement activities would be subject to this provision when conducting oversight activities.

In cases where health oversight agencies are working in tandem with other agencies overseeing public benefit programs to address compliance, fraud, or other integrity issues that could span across programs, the oversight activities of the team would be considered health oversight and disclosure to and among team members would be permitted under the proposed rule to the extent permitted under other law. For example, a fraud investigation could attempt to find a pattern of abuse across related programs, such as Medicaid and the supplemental security income program. Protected health information could be disclosed to the team of oversight agencies and could be shared among such agencies for oversight activities.

Public oversight agencies sometimes contract with private entities to conduct program integrity activities on a public agency's behalf. Such audits or investigations may include, for example, program integrity reviews of fraud and abuse in billing Federal and State health care programs; investigations conducted in response to consumer complaints regarding the quality or accessibility of a particular provider, health plan, or facility; and investigations related to disciplinary action against a health care provider, health plan, or health care facility. Covered entities may disclose protected health information to these agents to the extent such disclosure would be permitted to the public oversight body.

In many cases today, public agencies' contracts with private entities conducting investigations on their behalf require the private oversight organization to implement safeguards to protect individual privacy. HIPAA does not provide statutory authority to regulate the contracts between public oversight entities and their agents. However, we encourage public oversight entities to include privacy safeguards in all such contracts, and believe it would be appropriate for federal legislation to impose such safeguards.

In developing our proposal, we considered but rejected the option of providing an exemption from the general rules for situations in which a covered entity has a contract with a private accreditation organization to conduct an accreditation inspection. In such instances, the accreditation organization is performing a service for the covered entity much like any other contractor. The situation is not materially different in instances where accreditation from a private organization would have the effect of "deeming" the covered entity to be in compliance with a government standard or condition of participation in a government program. In both cases, the accreditation organization is performing a service for the covered entity, not for the government. In our considerations, we were unable to identify a reason that covered entities should hold these contractors to lesser standards than their other contractors. Individuals' privacy interests would not be diminished in this situation, nor is there any reason why such accreditation organizations should not be held to the requirements described above for business partners. Proposed rules for disclosure to these entities are discussed in section II.C.5., "Application to business partners." We invite comment on our proposed approach.