Comment: A number of commenters suggested that HHS revise the definitions of health information and individually identifiable health information to include consistent language in paragraph (1) of each respective definition. They observed that paragraph (1) of the definition of health information reads: "(1) Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse...;" in contrast to paragraph (1) of the definition of individually identifiable health information, which reads: "(1) Is created by or received from a health care provider, health plan, employer, or health care clearinghouse..." [Emphasis added.]
Another commenter asked that we delete from the definition of health information, the words "health or" to make the definition more consistent with the definition of "health care," as well as the words "whether oral or."
Response: We define these terms in the final rule as they are defined by Congress in sections 1171(4) and 1171(6) of the Act, respectively. We have, however, changed the word "from" in the definition of "individually identifiable health information" to conform to the statute.
Comment: Several commenters urged that the definition of individually identifiable health information include information created or received by a researcher. They reasoned that it is important to ensure that researchers using personally identifiable health information are subject to federal privacy standards. They also stated that if information created by a school regarding the health status of its students could be labeled "health information," then information compiled by a clinical researcher regarding an individual also should be considered health information.
Response: We are restricted to the statutory limits of the terms. The Congress did not include information created or received by a researcher in either definition, and, consequently, we do not include such language in the rule's definitions.
Comment: Several commenters suggested modifying the definition of individually identifiable health information to state as a condition that the information provide a direct means of identifying the individual. They commented that the rule should support the need of those (e.g., researchers) who need "ready access to health information... that remains linkable to specific individuals."
Response: The Congress included in the statutory definition of individually identifiable health information the modifier "reasonable basis" when describing the condition for determining whether information can be used to identify the individual. Congress thus intended to go beyond "direct" identification and to encompass circumstances in which a reasonable likelihood of identification exists. Even after removing "direct" or "obvious" identifiers of information, a risk or probability of identification of the subject of the information may remain; in some instances, the risk will not be inconsequential. Thus, we agree with the Congress that "reasonable basis" is the appropriate standard to adequately protect the privacy of individuals' health information.
Comment: A number of commenters suggested that the Secretary eliminate the distinction between protected health information and individually identifiable health information. One commenter asserted that all individually identifiable health information should be protected. One commenter observed that the terms individually identifiable health information and protected health information are defined differently in the rule and requested clarification as to the precise scope of coverage of the standards. Another commenter stated that the definition of individually identifiable health information includes "employer," whereas protected health information pertains only to covered entities for which employers are not included. The commenter argued that this was an "incongruity" between the definitions of individually identifiable health information and protected health information and recommended that we remove "employer" from the definition of individually identifiable health information.
Response: We define individually identifiable health information in the final rule generally as it is defined by Congress in section 1171(6) of the Act. Because "employer" is included in the statutory definition, we cannot accept the comment to remove the word "employer" from the regulatory definition.
We use the phrase 'protected health information' to distinguish between the individually identifiable health information that is used or disclosed by the entities that are subject to this rule and the entire universe of individually identifiable health information. 'Individually identifiable health information' as defined in the statute is not limited to health information used or disclosed by covered entities, so the qualifying phrase 'protected health information' is necessary to define that individually identifiable health information to which this rule applies.
Comment: One commenter noted that the definition of individually identifiable health information in the NPRM appeared to be the same definition used in the other HIPAA proposed rule, Security and Electronic Signature Standards (63 FR 43242). However, the commenter stated that the additional condition in the privacy NPRM, that protected health information is or has been electronically transmitted or electronically maintained by a covered entity and includes such information in any other form, appears to create potential disparity between the requirements of the two rules. The commenter questioned whether the provisions in proposed § 164.518(c) were an attempt to install similar security safeguards for such situations.
Response: The statutory definition of individually identifiable health information applies to the entire Administrative Simplification subtitle of HIPAA and, thus, was included in the proposed Security Standards. At this time, however, the final Security Standards have not been published, so the definition of protected health information is relevant only to HIPAA's privacy standards and is, therefore, included in Subpart E of Part 164 only. We clarify that the requirements in the proposed Security Standards are distinct and separate from the privacy safeguards promulgated in this final rule.
Comment: Several commenters expressed confusion and requested clarification as to what is considered health information or individually identifiable health information for purposes of the rule. For example, one commenter was concerned that information exists in collection agencies, credit bureaus, etc., which could be included under the proposed regulation but may or may not have been originally obtained by a covered entity. The commenter noted that generally this information is not clinical, but it could be inferred from the data that a health care provider provided a person or member of person's family with health care services. The commenter urged the Secretary to define more clearly what and when information is covered.
One commenter queried how a non-medical record keeper could tell when personal information is health information within the meaning of rule, e.g., when a worker asks for a low salt meal in a company cafeteria, when a travel voucher of an employee indicates that the traveler returned from an area that had an outbreak of fever, or when an airline passenger requests a wheel chair. It was suggested that the rule cover health information in the hands of schools, employers, and life insurers only when they receive individually identifiable health information from a covered entity or when they create it while providing treatment or making payment.
Response: This rule applies only to individually identifiable health information that is held by a covered entity. Credit bureaus, airlines, schools, and life insurers are not covered entities, so the information described in the above comments is not protected health information. Similarly, employers are not covered entities under the rule. Covered entities must comply with this regulation in their health care capacity, not in their capacity as employers. For example, information in hospital personnel files about a nurses' sick leave is not protected health information under this rule.
Comment: One commenter recommended that the privacy of health information should relate to actual medical records. The commenter expressed concern about the definition's broadness and contended that applying prescriptive rules to information that health plans hold will not only delay processing of claims and coverage decisions, but ultimately affect the quality and cost of care for health care consumers.
Response: We disagree. Health information about individuals exists in many types of records, not just the formal medical record about the individual. Limiting the rule's protections to individually identifiable health information contained in medical records, rather than individually identifiable health information in any form, would omit a significant amount of individually identifiable health information, including much information in covered transactions.
Comment: One commenter voiced a need for a single standard for individually identifiable health information and disability and workers' compensation information; each category of information is located in their one electronic data base, but would be subjected to a different set of use and transmission rules.
Response: We agree that a uniform, comprehensive privacy standard is desirable. However, our authority under the HIPAA is limited to individually identifiable health information as it is defined in the statute. The legislative history of HIPAA makes clear that workers' compensation and disability benefits programs were not intended to be covered by the rule. Entities are of course free to apply the protections required by this rule to all health information they hold, including the excepted benefits information, if they wish to do so (for example, in order to reduce administrative burden).
Comment: Commenters recommended that the definition of individually identifiable health information not include demographic information that does not have any additional health, treatment, or payment information with it. Another commenter recommended that protected health information should not include demographic information at all.
Response: Congress explicitly included demographic information in the statutory definition of this term, so we include such language in our regulatory definition of it.
Comments: A number of commenters expressed concern about whether references to personal information about individuals, such as "John Doe is fit to work as a pipe fitter ..." or "Jane Roe can stand no more than 2 hours ...", would be considered individually identifiable health information. They argued that such "fitness-to-work" and "fitness for duty" statements are not health care because they do not reveal the type of information (such as the diagnosis) that is detrimental to an individual's privacy interest in the work environment.
Response: References to personal information such as those suggested by the commenters could be individually identifiable health information if the references were created or received by a health care provider, health plan, employer, or health care clearinghouse and they related to the past, present, or future physical or mental health or condition, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual. Although these fitness for duty statements may not reveal a diagnosis, they do relate to a present physical or mental condition of an individual because they describe the individual's capacity to perform the physical and mental requirements of a particular job at the time the statement is made (even though there may be other non-health-based qualifications for the job). If these statements were created or received by one of more of the entities described above, they would be individually identifiable health information.