Standards for Privacy of Individually Identifiable Health Information. Final Privacy Rule Preamble.. Health Plan.


Comment: One commenter suggested that to eliminate any ambiguity, the Secretary should clarify that the catch-all category under the definition of health plan includes "24-hour coverage plans" (whether insured or self-insured) that integrate traditional employee health benefits coverage and workers' compensation coverage for the treatment of on-the-job injuries and illnesses under one program. It was stated that this clarification was essential if the Secretary persisted in excluding workers' compensation from the final rule.

Response: We understand concerns that such plans may use and disclose individually identifiable health information. We therefore clarify that to the extent that 24-hour coverage plans have a health care component that meets the definition of "health plan" in the final rule, such components must abide by the provisions of the final rule. In the final rule, we have added a new provision to § 164.512 that permits covered entities to disclose information under workers' compensation and similar laws. A health plan that is a 24-hour plan is permitted to make disclosures as necessary to comply with such laws.

Comment: A number of commenters urged that certain types of insurance entities, such as workers' compensation and automobile insurance carriers, property and casualty insurance health plans, and certain forms of limited benefits coverage, be included in the definition of "health plan." It was argued that consumers deserve the same protection with respect to their health information, regardless of the entity using it, and that it would be inequitable to subject health insurance carriers to more stringent standards than other types of insurers that use individually identifiable health information.

Response: The Congress did not include these programs in the definition of a "health plan" under section 1171 of the Act. Further, HIPAA's legislative history shows that the House Report's (H. Rep. 104-496) definition of "health plan" originally included certain benefit programs, such as workers' compensation and liability insurance, but was later amended to clarify the definition and remove these programs. Thus, since the statutory definition of a health plan both on its face and through legislative history evidence Congress' intention to exclude such programs, we do not have the authority to require that these programs comply with the standards. We have added explicit language to the final rule which excludes the excepted benefit programs, as defined in section 2971(c)(1) of the PHS Act, 42 U.S.C. 300gg-91(c)(1).

Comment: Some commenters urged HHS to include entities such as stop loss insurers and reinsurers in the definition of "health plan." It was observed that such entities have come to play important roles in managed care delivery systems. They asserted that increasingly, capitated health plans and providers contract with their reinsurers and stop loss carriers to medically manage their high cost outlier cases such as organ and bone marrow transplants, and therefore should be specifically cited as subject to the regulations.

Response: Stop-loss and reinsurers do not meet the statutory definition of health plan. They do not provide or pay for the costs of medical care, as described in the statute, but rather insure health plans and providers against unexpected losses. Therefore, we cannot include them as health plans in the regulation.

Comment: A commenter asserted that there is a significant discrepancy between the effect of the definition of "group health plan" as proposed in § 160.103, and the anticipated impact in the cost estimates of the proposed rule at 64 FR 60014. Paragraph (1) of the proposed definition of "health plan" defined a "group health plan" as an ERISA-defined employee welfare benefit plan that provides medical care and that: "(i) Has 50 or more participants, or (ii) Is administered by an entity other than the employer that established and maintains the plan[.]" (emphasis added) According to this commenter, under this definition, the only insured or self-insured ERISA plans that would not be regulated "health plans" would be those that have less than 50 participants and are self administered.

The commenter presumed that the we had intended to exclude from the definition of "health plan" (and from coverage under the proposed rule) all ERISA plans that are small (less than 50 participants) or are administered by a third party, whether large or small, based on the statement at 64 FR 60014, note 18. That footnote stated that the Department had "not included the 3.9 million 'other' employer-health plans listed in HCFA's administrative simplification regulations because these plans are administered by a third party. The proposed regulation will not regulate the employer plans but will regulate the third party administrators of the plan." The commenter urged us not to repeat the statutory definition, and to adopt the policy implied in the footnote.

Response: We agree with the commenter's observation that footnote 18 (64 FR 60014) was inconsistent with the proposed definition. We erred in drafting that note. The definition of "group health plan" is adopted from the statutory definition at section 1171(5)(A), and excludes from the rule as "health plans" only the few insured or self-insured ERISA plans that have less than 50 participants and are self administered. We reject the commenter's proposed change to the definition as inconsistent with the statute.

Comment: A number of insurance companies asked that long term care insurance policies be excluded from the definition of "health plan." It was argued that such policies do not provide sufficiently comprehensive coverage of the cost of medical care, and are limited benefit plans that provide or pay for the cost of custodial and other related services in connection with a long term, chronic illness or disability.

These commenters asserted that HIPAA recognizes this nature of long term care insurance, observing that, with respect to HIPAA's portability requirements, Congress enacted a series of exclusions for certain defined types of health plan arrangements that do not typically provide comprehensive coverage. They maintained that Congress recognized that long term care insurance is excluded, so long as it is not a part of a group health plan. Where a long term care policy is offered separately from a group health plan it is considered an excepted benefit and is not subject to the portability and guarantee issue requirements of HIPAA. Although this exception does not appear in the Administrative Simplification provisions of HIPAA, it was asserted that it is guidance with respect to the treatment of long term care insurance as a limited benefit coverage and not as coverage that is so "sufficiently comprehensive" that it is to be treated in the same manner as a typical, comprehensive major medical health plan arrangement.

Another commenter offered a different perspective observing that there are some long-term care policies that do not pay for medical care and therefore are not "health plans." It was noted that most long-term care policies are reimbursement policies-that is, they reimburse the policyholder for the actual expenses that the insured incurs for long-term care services. To the extent that these constitute "medical care," this commenter presumed that these policies would be considered "health plans." Other long-term care policies, they pointed out, simply pay a fixed dollar amount when the insured becomes chronically ill, without regard to the actual cost of any long-term care services received, and thus are similar to fixed indemnity critical illness policies. The commenter suggested that while there was an important distinction between indemnity based long-term care policies and expenses based long-term care policies, it may be wise to exclude all long-term care policies from the scope of the rule to achieve consistency with HIPAA.

Response: We disagree. The statutory language regarding long-term care policies in the portability title of HIPAA is different from the statutory language regarding long-term care policies in the Administrative Simplification title of HIPAA. Section 1171(5)(G) of the Act means that issuers of long-term care policies are considered health plans for purposes of administrative simplification. We also interpret the statute as authorizing the Secretary to exclude nursing home fixed-indemnity policies, not all long-term care policies, from the definition of "health plan," if she determines that these policies do not provide "sufficiently comprehensive coverage of a benefit" to be treated as a health plan (see section 1171 of the Act). We interpret the term "comprehensive" to refer to the breadth or scope of coverage of a policy. "Comprehensive" policies are those that cover a range of possible service options. Since nursing home fixed indemnity policies are, by their own terms, limited to payments made solely for nursing facility care, we have determined that they should not be included as health plans for the purposes of the HIPAA regulations. The Secretary, therefore, explicitly excluded nursing home fixed-indemnity policies from the definition of "health plan" in the Transactions Rule, and this exclusion is thus reflected in this final rule. Issuers of other long-term care policies are considered to be health plans under this rule and the Transactions Rule.

Comment: One commenter was concerned about the potential impact of the proposed regulations on "unfunded health plans," which the commenter described as programs used by smaller companies to provide their associates with special employee discounts or other membership incentives so that they can obtain health care, including prescription drugs, at reduced prices. The commenter asserted that if these discount and membership incentive programs were covered by the regulation, many smaller employers might discontinue offering them to their employees, rather than deal with the administrative burdens and costs of complying with the rule.

Response: Only those special employee discounts or membership incentives that are "employee welfare benefit plans" as defined in section 3(1) of the Employee Retirement Income Security Act of 1974, 29 U.S.C. 1002(1), and provide "medical care" (as defined in section 2791(a)(2) of the Public Health Service Act, 42 U.S.C. 300gg-91(a)(2)), are health plans for the purposes of this rule. Discount or membership incentive programs that are not group health plans are not covered by the rule.

Comment: Several commenters agreed with the proposal to exclude "excepted benefits" such as disability income insurance policies, fixed indemnity critical illness policies, and per diem long-term care policies from the definition of "health plan," but were concerned that the language of the proposed rule did not fully reflect this intent. They asserted that clarification was necessary in order to avoid confusion and costs to both consumers and insurers.

One commenter stated that, while HHS did not intend for the rule to apply to every type of insurance coverage that paid for medical care, the language of the proposed rule did not bear this out. The problem, it was asserted, is that under the proposed rule any insurance policy that pays for "medical care" would technically be a "health plan." It was argued that despite the statements in the narrative, there are no provisions that would exempt any of the "excepted benefits" from the definition of "health care." It was stated that:

Although (with the exception of long-term care insurance), the proposed rule does not include the 'excepted benefits' in its list of sixteen examples of a health plan (proposed 45 CFR 160.104), it does not explicitly exclude them either. Because these types of policies in some instances pay benefits that could be construed as payments for medical care, we are concerned by the fact that they are not explicitly excluded from the definition of 'health plan' or the requirements of the proposed rule."

Several commenters proposed that HHS adopt the same list of "excepted benefits" contained in 29 U.S.C. 1191b, suggesting that they could be adopted either as exceptions to the definition of "health plan" or as exceptions to the requirements imposed on "health plans." They asserted that this would promote consistency in the federal regulatory structure for health plans.

It was suggested that HHS clarify whether the definition of health plan, particularly the "group health plan" and "health insurance issuer" components, includes a disability plan or disability insurer. It was noted that a disability plan or disability insurer may cover only income lost from disability and, as mentioned above, some rehabilitation services, or a combination of lost income, rehabilitation services and medical care. The commenter suggested that in addressing this coverage issue, it may be useful to refer to the definitions of group health plan, health insurance issuer and medical care set forth in Part I of HIPAA, which the statutory provisions of the Administrative Simplification subtitle expressly reference. See 42 U.S.C. 1320d(5)(A) and(B).

Response: We agree that the NPRM may have been ambiguous regarding the types of plans the rule covers. To remedy this confusion, we have added language that specifically excludes from the definition any policy, plan, or program providing or paying the cost of the excepted benefits, as defined in section 2971(c)(1) of the PHS Act, 42 U.S.C. 300gg-91(c)(1). As defined in the statute, this includes but is not limited to benefits under one or more (or any combination thereof) of the following: coverage only for accident, or disability income insurance, or any combination thereof; liability insurance, including general liability insurance and automobile liability insurance; and workers' compensation or similar insurance.

However, the other excepted benefits as defined in section 2971(c)(2) of the PHS Act, 42 U.S.C. 300gg-91(c)(2), such as limited scope dental or vision benefits, not explicitly excepted from the regulation could be considered "health plans" under paragraph (1)(xvii) of the definition of "health plan" in the final rule if and to the extent that they meet the criteria for the definition of "health plan." Such plans, unlike the programs and plans listed at section 2971(c)(1), directly and exclusively provide health insurance, even if limited in scope.

Comment: One commenter recommended that the Secretary clarify that "health plan" does not include property and casualty benefit providers. The commenter stated that the clarifying language is needed given the "catchall" category of entities defined as "any other individual plan or group health plan, or combination thereof, that provides or pays for the cost of medical care," and asserted that absent clarification there could be serious confusion as to whether property and casualty benefit providers are "health plans" under the rule.

Response: We agree and as described above have added language to the final rule to clarify that the "excepted benefits" as defined under 42 U.S.C. 300gg-91(c)(1), which includes liability programs such as property and casualty benefit providers, are not health plans for the purposes of this rule.

Comment: Some commenters recommended that the Secretary replace the term "medical care" with "health care." It was observed that "health care" was defined in the proposal, and that this definition was used to define what a health care provider does. However, they observed that the definition of "health plan" refers to the provision of or payment for "medical care," which is not defined. Another commenter recommended that HHS add the parenthetical phrase "as such term is defined in section 2791 of the Public Health Service Act" after the phrase "medical care."

Response: We disagree with the first recommendation. We understand that the term "medical care" can be easily confused with the term "health care." However, the two terms are not synonymous. The term "medical care" is a statutorily defined term and its use is critical in making a determination as to whether a health plan is considered a "health plan" for purposes of administrative simplification. In addition, since the term "medical care" is used in the regulation only in the context of the definition of "health plan" and we believe that its inclusion in the regulatory text may cause confusion, we did not add a definition of "medical care" in the final rule. However, consistent with the second recommendation above, the statutory cite for "medical care" was added to the definition of "health plan" in the Transactions Rule, and thus is reflected in this final rule.

Comment: A number of commenters urged that the Secretary define more narrowly what characteristics would make a government program that pays for specific health care services a "health plan." Commenters argued that there are many "payment" programs that should not be included, as discussed below, and that if no distinctions were made, "health plan" would mean the same as "purchaser" or even "payor."

Commenters asserted that there are a number of state programs that pay for "health care" (as defined in the rule) but that are not health plans. They said that examples include the WIC program (Special Supplemental Nutrition Program for Women, Infants, and Children) which pays for nutritional assessment and counseling, among other services; the AIDS Client Services Program (including AIDS prescription drug payment) under the federal Ryan White Care Act and state law; the distribution of federal family planning funds under Title X of the Public Health Services Act; and the breast and cervical health program which pays for cancer screening in targeted populations. Commenters argued that these are not insurance plans and do not fall within the "health plan" definition's list of examples, all of which are either insurance or broad-scope programs of care under a contract or statutory entitlement. However, paragraph (16) in that list opens the door to broader interpretation through the catchall phrase, "any other individual or group plan that provides or pays for the cost of medical care." Commenters assert that clarification is needed.

A few commenters stated that other state agencies often work in partnership with the state Medicaid program to implement certain Medicaid benefits, such as maternity support services and prenatal genetics screening. They concluded that while this probably makes parts of the agency the "business partner" of a covered entity, they were uncertain whether it also makes the same agency parts a "health plan" as well.

Response: We agree with the commenters that clarification is needed as to the rule's application to government programs that pay for health care services. Accordingly, in the final rule we have excepted from the definition of "health plan" a government funded program which does not have as its principal purpose the provision of, or payment for, the cost of health care or which has as its principal purpose the provision, either directly or by grant, of health care. For example, the principal purpose of the WIC program is not to provide or pay for the cost of health care, and thus, the WIC program is not a health plan for purposes of this rule. The program of health care services for individuals detained by the INS provides health care directly, and so is not a health plan. Similarly, the family planning program authorized by Title X of the Public Health Service Act pays for care exclusively through grants, and so is not a health plan under this rule. These programs (the grantees under the Title X program) may be or include health care providers and may be covered entities if they conduct standard transactions.

We further clarify that, where a public program meets the definition of "health plan," the government agency that administers the program is the covered entity. Where two agencies administer a program jointly, they are both a health plan. For example, both the Health Care Financing Administration and the insurers that offers a Medicare+Choice plan are "health plans" with respect to Medicare beneficiaries. An agency that does not administer a program but which provides services for such a program is not a covered entity by virtue of providing such services. Whether an agency providing services is a business associate of the covered entity depends on whether its functions for the covered entity meet the definition of business associate in § 164.501 and, in the example described by this comment, in particular on whether the arrangement falls into the exception in § 164.504(e)(1)(ii)(C) for government agencies that collect eligibility or enrollment information for covered government programs.

Comment: Some commenters expressed support for retaining the category in paragraph (16) of the proposal's definition: "Any other individual or group health plan, or combination thereof, that provides or pays for the cost of medical care." Others asked that the Secretary clarify this category. One commenter urged that the final rule clearly define which plans would meet the criteria for this category.

Response: As described in the proposed rule, this category implements the language at the beginning of the statutory definition of the term "health plan": "The term 'health plan' means an individual or group plan that provides, or pays the cost of, medical care... Such term includes the following, and any combination thereof..." This statutory language is general, not specific, and as such, we are leaving it general in the final rule. However, as described above, we add explicit language which excludes certain "excepted benefits" from the definition of "health plan" in an effort to clarify which plans are not health plans for the purposes of this rule. Therefore, to the extent that a certain benefits plan or program otherwise meets the definition of "health plan" and is not explicitly excepted, that program or plan is considered a "health plan" under paragraph (1)(xvii) of the final rule.

Comment: A commenter explained that HIPAA defines a group health plan by expressly cross-referencing the statutory sections in the PHS Act and the Employee Retirement Income Security Act of 1974 (ERISA), 29 U.S.C. 1001, et seq., which define the terms "group health plan," "employee welfare benefit plan" and "participant." See 29 U.S.C. 1002(l) (definition of "employee welfare benefit plan," which is the core of the definition of group health plan under both ERISA and the PHS Act); 29 U.S.C. 100217) (definition of participant); 29 U.S.C. 1193(a) (definition of "group health plan," which is identical to that in section 2791(a) of the PHS Act).

It was pointed out that the preamble and the text of the proposed rule both limit the definition of all three terms to their current definitions. The commenter reasoned that since the ERISA definitions may change over time through statutory amendment, Department of Labor regulations or judicial interpretation, it would not be clear what point in time is to be considered current. Therefore, they suggested deleting references to "current" or "currently" in the preamble and in the regulation with respect to these three ERISA definitions.

In addition, the commenter stated that as the preamble to the NPRM correctly reflected, HIPAA expressly cross-references ERISA's definition of "participant" in section 3(7) of ERISA, 29 U.S.C. 1002(7). 42 U.S.C. 1320d(5)(A). The text of the privacy regulation, however, omits this cross-reference. It was suggested that the reference to section 3(7) of ERISA, defining "participant," be included in the regulation.

Finally, HIPAA incorporates the definition of a group health plan as set forth in section 2791(a) of the PHS Act, 42 U.S.C. 300gg-91(a)(l). That definition refers to the provision of medical care "directly or through insurance, reimbursement, or otherwise." The word "reimbursement" is omitted in both the preamble and the text of the regulation; the commenter suggested restoring it to both.

Response: We agree. These changes were made to the definition of "health plan" as promulgated in the Transactions Rule, and are reflected in this final rule.