NRPM: Standards for Privacy of Individually Identifiable Health Information. c. Responsibilities of covered entities.


Proposed § 164.522(d) establishes certain obligations for covered entities that would be necessary to enable the Secretary to carry out her statutory role to determine their compliance with these requirements. Proposed § 164.522(d)(1) would require covered entities to maintain records as directed. Proposed §164.522(d)(2) would require them to participate as required in compliance reviews. Proposed §164.522(d)(3) would affirmatively establish their obligation to provide information to the Secretary upon demand. Finally, paragraph (d)(4) would prohibit intimidating, discriminatory or other retaliatory actions by a covered entity against a person who files a complaint with the Secretary; testifies, assists or participates in any manner in an investigation, compliance review, proceeding, or hearing under this Act; or opposes any act or practice made unlawful by this subpart. This language is modeled after the Americans with Disabilities Act and title VII of the Civil Rights Act of 1964. Prohibitions against retaliation are also common throughout Department programs. The experience of the federal government in enforcing civil rights and other laws has been that voluntary compliance with and effective enforcement of such laws depend in large part on the initiative of persons opposed to illegal practices. If retaliation for opposing practices that an person reasonably believes are unlawful were permitted to go unremedied, it would have a chilling effect upon the willingness of persons to speak out and to participate in administrative processes under this subpart.

Opposition to practices of covered entities refers to a person’s communication of his or her good faith belief that a covered entity’s activities violate this subpart. Opposition includes, but is not limited to, filing a complaint with the covered entity under §164.518(d) and making a disclosure as a whistleblower under §164.518(c)(4). This provision would not protect a person whose manner of opposition is so unreasonable that it interferes with the covered entities' legitimate activities. This provision would cover such situations such as where an employee of a physician is fired in retaliation for confronting the doctor regarding her practice of illegally disclosing individuals' records or where a health plan drops coverage after an enrollee argues to the plan that he has a right to access to his records.

We recognize that under these requirements the covered entity would be disclosing protected health information to representatives of the Department when such information is relevant to a compliance investigation or assessment. We recognize that this would create a mandatory disclosure of protected health information and that such a requirement carries significant privacy concerns. Those concerns must, however, be weighed against the need to obtain compliance by entities with the privacy standards, and to protect against future improper uses and disclosures of protected health information. The proposed rule accordingly attempts to strike a balance between these interests, providing that the Department would not disclose such information, except as may be necessary to enable the Secretary to ascertain compliance with this subpart or in enforcement proceedings or as otherwise required by law.