Standards for Privacy of Individually Identifiable Health Information. Final Privacy Rule Preamble.. Health oversight agency.

12/28/2000

Comment: Some commenters sought to have specific organizations defined as health oversight agencies. For example, some commenters asked that the regulation text, rather than the preamble, explicitly list state insurance departments as an example of health oversight agencies. Medical device manufacturers recommended expanding the definition to include government contractors such as coding committees, which provide data to HCFA to help the agency make reimbursement decisions.

One federal agency sought clarification that several of its sub-agencies were oversight agencies; it was concerned about its status in part because the agency fits into more than one of the categories of health oversight agency listed in the proposed rule.

Other commenters recommended expanding the definition of oversight agency to include private-sector accreditation organizations. One commenter recommended stating in the final rule that private companies providing information to insurers and employers are not included in the definition of health oversight agency.

Response: Because the range of health oversight agencies is so broad, we do not include specific examples in the definition. We include many examples in the preamble above and provide further clarity here.

As under the NPRM, state insurance departments are an example of a health oversight agency. A commenter concerned about state trauma registries did not describe the registries' activities or legal charters, so we cannot clarify whether such registries may be health oversight agencies. Government contractors such as coding committees, which provide data to HCFA to support payment processes, are not thereby health oversight agencies under this rule. We clarify that public agencies may fit into more than one category of health oversight agency.

The definition of health oversight agency does not include private-sector accreditation organizations. While their work can promote quality in the health care delivery system, private accreditation organizations are not authorized by law to oversee the health care system or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant. Under the final rule, we consider private accrediting groups to be performing a health care operations function for covered entities. Thus, disclosures to private accrediting organizations are disclosures for health care operations, not for oversight purposes.

When they are performing accreditation activities for a covered entity, private accrediting organizations will meet the definition of business associate, and the covered entity must enter into a business associate contract with the accrediting organization in order to disclose protected health information. This is consistent with current practice; today, accrediting organizations perform their work pursuant to contracts with the accredited entity. This approach is also consistent with the recommendation by the Joint Commission on Accreditation of Healthcare Organizations and the National Committee for Quality Assurance, which stated in their report titled Protecting Personal Health Information: A Framework for Meeting the Challenges in a Managed Care Environment (1998) that "Oversight organizations, including accrediting bodies, states, and federal agencies, should include in their contracts terms that describe their responsibility to maintain the confidentiality of any personally identifiable health information that they review."

We agree with the commenter who believed that private companies providing information to insurers and employers are not performing an oversight function; the definition of health oversight agency does not include such companies.

In developing and clarifying the definition of health oversight in the final rule, we seek to achieve a balance in accounting for the full range of activities that public agencies may undertake to perform their health oversight functions while establishing clear and appropriate boundaries on the definition so that it does not become a catch-all category that public and private agencies could use to justify any request for information.