Standards for Privacy of Individually Identifiable Health Information. Final Privacy Rule Preamble.. Health Care Clearinghouse.


Comment: The largest set of comments relating to health care clearinghouses focused on our proposal to exempt health care clearinghouses from the patient notice and access rights provisions of the regulation. In our NPRM, we proposed to exempt health care clearinghouses from certain provisions of the regulation that deal with the covered entities' notice of information practices and consumers' rights to inspect, copy, and amend their records. The rationale for this exemption was based on our belief that health care clearinghouses engage primarily in business-to-business transactions and do not initiate or maintain direct relationships with individuals. We proposed this position with the caveat that the exemptions would be void for any health care clearinghouse that had direct contact with individuals in a capacity other than that of a business partner. In addition, we indicated that, in most instances, clearinghouses also would be considered business partners under this rule and would be bound by their contracts with covered plans and providers. They also would be subject to the notice of information practices developed by the plans and providers with whom they contract.

Commenters stated that, although health care clearinghouses do not have direct contact with individuals, they do have individually identifiable health information that may be subject to misuse or inappropriate disclosure. They expressed concern that we were proposing to exempt health care clearinghouses from all or many aspects of the regulation. These commenters suggested that we either delete the exemption or make it very narrow, specific and explicit in the final regulatory text.

Clearinghouse commenters, on the other hand, were in agreement with our proposal, including the exemption provision and the provision that the exemption is voided when the entity does have direct contact with individuals. They also stated that a health care clearinghouse that has a direct contact with individuals is no longer a health care clearinghouse as defined and should be subject to all requirements of the regulation.

Response: In the final rule, where a clearinghouse creates or receives protected health information as a business associate of another covered entity, we maintain the exemption for health care clearinghouses from certain provisions of the regulation dealing with the notice of information practices and patient's direct access rights to inspect, copy and amend records (§§ 164.524 and 164.526), on the grounds that a health care clearinghouse is engaged in business-to-business operations, and is not dealing directly with individuals. Moreover, as business associates of plans and providers, health care clearinghouses are bound by the notices of information practices of the covered entities with whom they contract.

Where a health care clearinghouse creates or receives protected health information other than as a business associate, however, it must comply with all the standards, requirements, and implementation specifications of the rule. We describe and delimit the exact nature of the exemption in the regulatory text. See § 164.500(b). We will monitor developments in this sector should the basic business-to-business relationship change.

Comment: A number of comments relate to the proposed definition of health care clearinghouse. Many commenters suggested that we expand the definition. They suggested that additional types of entities be included in the definition of health care clearinghouse, specifically medical transcription services, billing services, coding services, and "intermediaries." One commenter suggested that the definition be expanded to add entities that receive standard transactions, process them and clean them up, and then send them on, without converting them to any standard format. Another commenter suggested that the health care clearinghouse definition be expanded to include entities that do not perform translation but may receive protected health information in a standard format and have access to that information. Another commenter stated that the list of covered entities should include any organization that receives or maintains individually identifiable health information. One organization recommended that we expand the health care clearinghouse definition to include the concept of a research data clearinghouse, which would collect individually identifiable health information from other covered entities to generate research data files for release as de-identified data or with appropriate confidentiality safeguards. One commenter stated that HHS had gone beyond Congressional intent by including billing services in the definition.

Response: We cannot expand the definition of "health care clearinghouse" to cover entities not covered by the definition of this term in the statute. In the final regulation, we make a number of changes to address public comments relating to definition. We modify the definition of health care clearinghouse to conform to the definition published in the Transactions Rule (with the addition of a few words, as noted above). We clarify in the preamble that, while the term "health care clearinghouse" may have other meanings and connotations in other contexts, for purposes of this regulation an entity is considered a health care clearinghouse only to the extent that it actually meets the criteria in our definition. Entities performing other functions but not meeting the criteria for a health care clearinghouse are not clearinghouses, although they may be business associates. Billing services are included in the regulatory definition of "health care clearinghouse," if they perform the specified clearinghouse functions. Although we have not added or deleted any entities from our original definition, we will monitor industry practices and may add other entities in the future as changes occur in the health system.

Comment: Several commenters suggested that we clarify that an entity acting solely as a conduit through which individually identifiable health information is transmitted or through which protected health information flows but is not stored is not a covered entity, e.g., a telephone company or Internet Service Provider. Other commenters indicated that once a transaction leaves a provider or plan electronically, it may flow through several entities before reaching a clearinghouse. They asked that the regulation protect the information in that interim stage, just as the security NPRM established a chain of trust arrangement for such a network. Others noted that these "conduit" entities are likely to be business partners of the provider, clearinghouse or plan, and we should clarify that they are subject to business partner obligations as in the proposed Security Rule.

Response: We clarify that entities acting as simple and routine communications conduits and carriers of information, such as telephone companies and Internet Service Providers, are not clearinghouses as defined in the rule unless they carry out the functions outlined in our definition. Similarly, we clarify that value added networks and switches are not health care clearinghouses unless they carry out the functions outlined in the definition, and clarify that such entities may be business associates if they meet the definition in the regulation.

Comment: Several commenters, including the large clearinghouses and their trade associations, suggested that we not treat health care clearinghouses as playing a dual role as covered entity and business partner in the final rule because such a dual role causes confusion as to which rules actually apply to clearinghouses. In their view, the definition of health care clearinghouse is sufficiently clear to stand alone and identify a health care clearinghouse as a covered entity, and allows health care clearinghouses to operate under one consistent set of rules. Response: For reasons explained in § 164.504 of this preamble, we do not create an exception to the business associate requirements when the business associate is also a covered entity. We retain the concept that a health care clearinghouse may be a covered entity and a business associate of a covered entity under the regulation. As business associates, they would be bound by their contracts with covered plans and providers.