Comment: A number of commenters referenced other entities that already consider the privacy of health information. One commenter indicated opposition to the delegation of inspections to third party organizations, such as the Joint Commission on the Accreditation of Healthcare Organizations (JCAHO). A few commenters indicated that state agencies are already authorized to investigate violations of state privacy standards and that we should rely on those agencies to investigate alleged violations of the privacy rules or delegate its complaint process to states that wish to carry out this responsibility or to those states that have a complaint process in place. Another commenter argued that individuals should be required to exhaust any state processes before filing a complaint with the Secretary. Others referenced the fact that state medical licensing boards investigate complaints against physicians for violating patient confidentiality. One group asked that the federal government streamline all of these activities so physicians can have a single entity to whom they must be responsive. Another group suggested that OMB should be given responsibility for ensuring that FEHB Plans operate in compliance with the privacy standards and for enforcement.
A few commenters stated that the regulation might be used as a basis for violation findings and subsequent penalties under other Department authorities, such as under Medicare's Conditions of Participation related to patient privacy and right to confidentiality of medical records. One commenter wanted some assurance that this regulation will not be used as grounds for sanctions under Medicare. Another commenter indicated support for making compliance with the privacy regulation a Condition of Participation under Medicare.
Response: HIPAA does not give the Secretary the authority to delegate her responsibilities to other private or public agencies such as JCAHO or state agencies. However, we plan to explore ways that we may benefit from current activities that also serve to protect the privacy of individually identifiable health information. For example, if we conduct an investigation or review of a covered entity, that entity may want to share information regarding findings of other bodies that conducted similar reviews. We would welcome such information. In developing its enforcement program, we may explore ways it can coordinate with other regulatory or oversight bodies so that we can efficiently and effectively pursue our joint interests in protecting privacy.
We do not accept the suggestion that individuals be required to exhaust their remedies under state law before filing a complaint with the Secretary. Our rationale is similar to that discussed above in regard to the suggestion that covered entities be required to exhaust a covered entity's internal complaint process before filing a complaint with the Secretary. Congress provided for federal privacy protection and we want to allow individuals the right to this protection without barriers or delay. Covered entities may in their privacy notice inform individuals of any rights they have under state law including any right to file privacy complaints. We do not have the authority to interfere with state processes and HIPAA explicitly provides that we cannot preempt state laws that provide greater privacy protection.
We have not yet addressed the issue as to whether this regulation might be used as a basis for violation findings or penalties under other Department authorities. We note that Medicare conditions of participation require participating providers to have procedures for ensuring the confidentiality of patient records, as well as afford patients with the right to the confidentiality of their clinical records.