Standards for Privacy of Individually Identifiable Health Information. Final Privacy Rule Preamble.. Balance


A number of facts informed our approach to this regulation. Determining the best approach to protecting privacy depends on where we start, both with respect to existing legal expectations and also with respect to the expectations of individuals, health care providers, payers and other stakeholders. From the comments we received on the proposed rule, and from the extensive fact finding in which we engaged, a confused picture developed. We learned that stakeholders in the system have very different ideas about the extent and nature of the privacy protections that exist today, and very different ideas about appropriate uses of health information. This leads us to seek to balance the views of the different stakeholders, weighing the varying interests on each particular issue with a view to creating balance in the regulation as a whole.

For example, we received hundreds of comments explaining the legitimacy of various uses and disclosure of health information. We agree that many uses and disclosures of health information are "legitimate," but that is not the end of the inquiry. Neither privacy, nor the important social goals described by the commenters, are absolutes. In this regulation, we are asking health providers and institutions to add privacy into the balance, and we are asking individuals to add social goals into the balance.

The vast difference among regulated entities also informed our approach in significant ways. This regulation applies to solo practitioners, and multi-national health plans. It applies to pharmacies and information clearinghouses. These entities differ not only in the nature and scope of their businesses, but also in the degree of sophistication of their information systems and information needs. We therefore designed the core requirements of this regulation to be flexible and "scalable." This is reflected throughout the rule, particularly in the implementation specifications for making the 'minimum necessary' uses and disclosures, and in the administrative policies and procedures requirements.

We also are informed by the rapid evolution in industry organization and practice. Our goal is to enhance privacy protections in ways that do not impede this evolution. For example, we received many comments asking us to assign a status under this regulation based on a label or title. For example, many commenters asked whether "disease management" is a "health care operation," or whether a "pharmacy benefits manager" is a covered entity. From the comments and our fact-finding, however, we learned that these terms do not have consistent meanings today; rather, they encompass diverse activities and information practices. Further, the statutory definitions of key terms such as 'health care provider' and 'health care clearinghouse' describe functions, not specific types of persons or entities. To respect both the Congressional approach and industry evolution, we design the rule to follow activities and functions, not titles and labels.

Similarly, many comments asked whether a particular person would be a "business associate" under the rule, based on the nature of the person's business. Whether a business associate arrangement must exist under the rule, however, depends on the relationship between the entities and the services being performed, not on the type of persons or companies involved.

Our approach is also significantly informed by the limited jurisdiction conferred by HIPAA. In large part, we have the authority to regulate those who create and disclose health information, but not many key stakeholders who receive that health information from a covered entity. Again, this led us to look to the balance between the burden on covered entities and need to protect privacy in determining our approach to such disclosures. In some instances, we approach this dilemma by requiring covered entities to obtain a representation or documentation of purpose from the person requesting information. While there would be advantages to legislation regulating such third persons directly, we cannot justify abandoning any effort to enhance privacy.

It also became clear from the comments and our fact-finding that we have expectations as a society that conflict with individuals' views about the privacy of health information. We expect the health care industry to develop treatment protocols for the delivery of high quality health care. We expect insurers and the government to reduce fraud in the health care system. We expect to be protected from epidemics, and we expect medical research to produce miracles. We expect the police to apprehend suspects, and we expect to pay for our care by credit card. All of these activities involve disclosure of health information to someone other than our physician.

While most commenters support the concept of health privacy in general, many go on to describe activities that depend on the disclosure of health information and urge us to protect those information flows. Section III, in which we respond to the comments, describes our approach to balancing these conflicting expectations.

Finally, we note that many commenters were concerned that this regulation would lessen current privacy protections. It is important to understand this regulation as a new federal floor of privacy protections that does not disturb more protective rules or practices. Nor do we intend this regulation to describe a set of a "best practices." Rather, this regulation describes a set of basic consumer protections and a series of regulatory permissions for use and disclosure of health information. The protections are a mandatory floor, which other governments and any covered entity may exceed. The permissions are just that, permissive -- the only disclosures of health information required under this rule are to the individual who is the subject of the information or to the Secretary for enforcement of this rule. We expect covered entities to rely on their professional ethics and use their own best judgements in deciding which of these permissions they will use.