Standards for Privacy of Individually Identifiable Health Information. Final Privacy Rule Preamble.. Health Care Provider.


Comment: One commenter pointed out that the preamble referred to the obligations of providers and did not use the term, "covered entity," and thus created ambiguity about the obligations of health care providers who may be employed by persons other than covered entities, e.g., pharmaceutical companies. It was suggested that a better reading of the statute and rule is that where neither the provider nor the company is a covered entity, the rule does not impose an obligation on either the provider-employee or the employer.

Response: We agree. We use the term "covered entity" whenever possible in the final rule, except for the instances where the final rule treats the entities differently, or where use of the term "health care provider" is necessary for purposes of illustrating an example.

Comment: Several commenters stated that the proposal's definition was broad, unclear, and/or confusing. Further, we received many comments requesting clarification as to whether specific entities or persons were "health care providers" for the purposes of our rule. One commenter questioned whether affiliated members of a health care group (even though separate legal entities) would be considered as one primary health care provider.

Response: We permit legally distinct covered entities that share common ownership or control to designate themselves together to be a single covered entity. Such organizations may promulgate a single shared notice of information practices and a consent form. For more detailed information, see the preamble discussion of § 164.504(d).

We understand the need for additional guidance on whether specific entities or persons are health care providers under the final rule. We provide guidance below and will provide additional guidance as the rule is implemented.

Comment: One commenter observed that sections 1171(3), 1861(s) and 1861(u) of the Act do not include pharmacists in the definition of health care provider or pharmacist services in the definition of "medical or other health services," and questioned whether pharmacists were covered by the rule.

Response: The statutory definition of "health care provider" at section 1171(3) includes "any other person or organization who furnishes, bills, or is paid for health care in the normal course of business." Pharmacists' services are clearly within this statutory definition of "health care." There is no basis for excluding pharmacists who meet these statutory criteria from this regulation .

Comment: Some commenters recommended that the scope of the definition be broadened or clarified to cover additional persons or organizations. Several commenters argued for expanding the reach of the health care provider definition to cover entities such as state and local public health agencies, maternity support services (provided by nutritionists, social workers, and public health nurses and the Special Supplemental Nutrition Program for Women, Infants and Children), and those companies that conduct cost-effectiveness reviews, risk management, and benchmarking studies. One commenter queried whether auxiliary providers such as child play therapists, and speech and language therapists are considered to be health care providers. Other commenters questioned whether "alternative" or "complementary" providers, such as naturopathic physicians and acupuncturists would be considered health care providers covered by the rule.

Response: As with other aspects of this rule, we do not define "health care provider" based on the title or label of the professional. The professional activities of these kinds of providers vary; a person is a "health care provider" if those activities are consistent with the rule's definition of "health care provider." Thus, health care providers include persons, such as those noted by the commenters, to the extent that they meet the definition. We note that health care providers are only subject to this rule if they conduct certain transactions. See the definition of "covered entity."

However companies that conduct cost-effectiveness reviews, risk management, and benchmarking studies are not health care providers for the purposes of this rule unless they perform other functions that meet the definition. These entities would be business associates if they perform such activities on behalf of a covered entity.

Comment: Another commenter recommended that the Secretary expand the definition of health care provider to cover health care providers who transmit or "or receive" any health care information in electronic form.

Response: We do not accept this suggestion. Section 1172(a)(3) states that providers that "transmit" health information in connection with one of the HIPAA transactions are covered, but does not use the term "receive" or a similar term.

Comment: Some comments related to online companies as health care providers and covered entities. One commenter argued that there was no reason "why an Internet pharmacy should not also be covered" by the rule as a health care provider. Another commenter stated that online health care service and content companies, including online medical record companies, should be covered by the definition of health care provider. Another commenter pointed out that the definitions of covered entities cover "Internet providers who 'bill' or are 'paid' for health care services or supplies, but not those who finance those services in other ways, such as through sale of identifiable health information or advertising." It was pointed out that thousands of Internet sites use information provided by individuals who access the sites for marketing or other purposes.

Response: We agree that online companies are covered entities under the rule if they otherwise meet the definition of health care provider or health plan and satisfy the other requirements of the rule, i.e., providers must also transmit health information in electronic form in connection with a HIPAA transaction. We restate here the language in the preamble to the proposed rule that "An individual or organization that bills and/or is paid for health care services or supplies in the normal course of business, such 'online' pharmacy accessible on the Internet, is also a health care provider for purposes of this statute" (64 FR 59930).

Comment: We received many comments related to the reference to "health clinic or licensed health care professional located at a school or business in the preamble's discussion of "health care provider." It was stated that including "licensed health care professionals located at a school or business" highlights the need for these individuals to understand they have the authority to disclose information to the Social Security Administration (SSA) without authorization.

However, several commenters urged HHS to create an exception for or delete that reference in the preamble discussion to primary and secondary schools because of employer or business partner relationships. One federal agency suggested that the reference "licensed health care professionals located at a [school]" be deleted from the preamble because the definition of health care provider does not include a reference to schools. The commenter also suggested that the Secretary consider: adding language to the preamble to clarify that the rules do not apply to clinics or school health care providers that only maintain records that have been excepted from the definition of protected health information, adding an exception to the definition of covered entities for those schools, and limiting paperwork requirements for these schools. Another commenter argued for deleting references to schools because the proposed rule appeared to supersede or create ambiguity as to the Family Educational Rights and Privacy Act (FERPA), which gives parents the right to access "education" and health records of their unemancipated minor children. However, in contrast, one commenter supported the inclusion of health care professionals who provide services at schools or businesses.

Response: We realize that our discussion of schools in the NPRM may have been confusing. Therefore, we address these concerns and set forth our policy regarding protected health information in educational agencies and institutions in the "Relationship to Other Federal Laws" discussion of FERPA, above.

Comment: Many commenters urged that direct contact with the patient be necessary for an entity to be considered a health care provider. Commenters suggested that persons and organizations that are remote to the patient and have no direct contact should not be considered health care providers. Several commenters argued that the definition of health care provider covers a person that provides health care services or supplies only when the provider furnishes to or bills the patient directly. It was stated that the Secretary did not intend that manufacturers, such as pharmaceutical, biologics, and device manufacturers, health care suppliers, medical-surgical supply distributors, health care vendors that offer medical record documentation templates and that typically do not deal directly with the patient, be considered health care providers and thus covered entities. However, in contrast, one commenter argued that, as an in vitro diagnostics manufacturer, it should be covered as a health care provider.

Response: We disagree with the comments that urged that direct dealings with an individual be a prerequisite to meeting the definition of health care provider. Many providers included in the statutory definition of provider, such as clinical labs, do not have direct contact with patients. Further, the use and disclosure of protected health information by indirect treatment providers can have a significant effect on individuals' privacy. We acknowledge, however, that providers who treat patients only indirectly need not have the full array of responsibilities as direct treatment providers, and modify the NPRM to make this distinction with respect to several provisions (see, for example § 164.506 regarding consent). We also clarify that manufacturers and health care suppliers who are considered providers by Medicare are providers under this rule.

Comment: Some commenters suggested that blood centers and plasma donor centers that collect and distribute source plasma not be considered covered health care providers because the centers do not provide "health care services" and the blood donors are not "patients" seeking health care. Similarly, commenters expressed concern that organ procurement organizations might be considered health care providers.

Response: We agree and have deleted from the definition of "health care" the term "procurement or banking of blood, sperm, organs, or any other tissue for administration to patients." See prior discussion under "health care."

Comment: Several commenters proposed to restrict coverage to only those providers who furnished and were paid for services and supplies. It was argued that a salaried employee of a covered entity, such as a hospital-based provider, should not be covered by the rule because that provider would be subject both directly to the rule as a covered entity and indirectly as an employee of a covered entity.

Response: The "dual" direct and indirect situation described in these comments can arise only when a health care provider conducts standard HIPAA transactions both for itself and for its employer. For example, when the services of a provider such as a hospital-based physician are billed through a standard HIPAA transaction conducted for the employer, in this example the hospital, the physician does not become a covered provider. Only when the provider uses a standard transaction on its own behalf does he or she become a covered health care provider. Thus, the result is typically as suggested by this commenter. When a hospital-based provider is not paid directly, that is, when the standard HIPAA transaction is not on its behalf, it will not become a covered provider.

Comment: Other commenters argued that an employer who provides health care services to its employees for whom it neither bills the employee nor pays for the health care should not be considered health care providers covered by the proposed rule.

Response: We clarify that the employer may be a health care provider under the rule, and may be covered by the rule if it conducts standard transactions. The provisions of § 164.504 may also apply.

Comment: Some commenters were confused about the preamble statement: "in order to implement the principles in the Secretary's Recommendations, we must impose any protections on the health care providers that use and disclose the information, rather than on the researcher seeking the information," with respect to the rule's policy that a researcher who provides care to subjects in a trial will be considered a health care provider. Some commenters were also unclear about whether the individual researcher providing health care to subjects in a trial would be considered a health care provider or whether the researcher's home institution would be considered a health care provider and thus subject to the rule.

Response: We clarify that, in general, a researcher is also a health care provider if the researcher provides health care to subjects in a clinical research study and otherwise meets the definition of "health care provider" under the rule. However, a health care provider is only a covered entity and subject to the rule if that provider conducts standard transactions. With respect to the above preamble statement, we meant that our jurisdiction under the statute is limited to covered entities. Therefore, we cannot apply any restrictions or requirements on a researcher in that person's role as a researcher. However, if a researcher is also a health care provider that conducts standard transactions, that researcher/provider is subject to the rule with regard to its provider activities.

As to applicability to a researcher/provider versus the researcher's home institution, we provide the following guidance. The rule applies to the researcher as a covered entity if the researcher is a health care provider who conducts standard transactions for services on his or her own behalf, regardless of whether he or she is part of a larger organization. However, if the services and transactions are conducted on behalf of the home institution, then the home institution is the covered entity for purposes of the rule and the researcher/provider is a workforce member, not a covered entity.

Comment: One commenter expressed confusion about those instances when a health care provider was a covered entity one day, and one who "works under a contract" for a manufacturer the next day.

Response: If persons are covered under the rule in one role, they are not necessarily covered entities when they participate in other activities in another role. For example, that person could be a covered health care provider in a hospital one day but the next day read research records for a different employer. In its role as researcher, the person is not covered, and protections do not apply to those research records.

Comment: One commenter suggested that the Secretary modify proposed § 160.102, to add the following clause at the end (after (c)) (regarding health care provider), "With respect to any entity whose primary business is not that of a health plan or health care provider licensed under the applicable laws of any state, the standards, requirements, and implementation specifications of this subchapter shall apply solely to the component of the entity that engages in the transactions specified in [§] 160.103." (Emphasis added.) Another commenter also suggested that the definition of "covered entity" be revised to mean entities that are "primarily or exclusively engaged in health care-related activities as a health plan, health care provider, or health care clearinghouse."

Response: The Secretary rejects these suggestions because they will impermissibly limit the entities covered by the rule. An entity that is a health plan, health care provider, or health care clearinghouse meets the statutory definition of covered entity regardless of how much time is devoted to carrying out health care-related functions, or regardless of what percentage of their total business applies to health care-related functions.

Comment: Several commenters sought to distinguish a health care provider from a business partner as proposed in the NPRM. For example, a number of commenters argued that disease managers that provide services "on behalf of" health plans and health care providers, and case managers (a variation of a disease management service) are business partners and not "health care providers." Another commenter argued that a disease manager should be recognized (presumably as a covered entity) because of its involvement from the physician-patient level through complex interactions with health care providers.

Response: To the extent that a disease or case manager provides services on behalf of or to a covered entity as described in the rule's definition of business associate, the disease or case manager is a business associate for purposes of this rule. However, if services provided by the disease or case manager meet the definition of treatment and the person otherwise meets the definition of "health care provider," such a person is a health care provider for purposes of this rule.

Comment: One commenter argued that pharmacy employees who assist pharmacists, such as technicians and cashiers, are not business partners.

Response: We agree. Employees of a pharmacy that is a covered entity are workforce members of that covered entity for purposes of this rule.

Comment: A number of commenters requested that we clarify the definition of health care provider ("...who furnishes, bills, or is paid for health care services or supplies in the normal course of business") by defining the various terms "furnish", "supply", and "in the normal course of business." For instance, it was stated that this would help employers recognize when services such as an employee assistance program constituted health care covered by the rule.

Response: Although we understand the concern expressed by the commenters, we decline to follow their suggestion to define terms at this level of specificity. These terms are in common use today, and an attempt at specific definition would risk the inadvertent creations of conflict with industry practices. There is a significant variation in the way employers structure their employee assistance programs (EAPs) and the type of services that they provide. If the EAP provides direct treatment to individuals, it may be a health care provider.