Comment: A number of comments raised questions regarding the Secretary's priorities for enforcement. A few commenters stated that they supported deferring enforcement until there is experience using the proposed standards. One organization asked that we clarify that the regulation does not replace or otherwise modify the self-regulatory/consumer empowerment approach to consumer privacy in the online environment.
Response: We have not made any decisions regarding enforcement priorities. It appears that some commenters believe that no enforcement action will be taken against a given covered entity until that entity has had some time to comply. Covered entities have two years to come into compliance with the regulation (three years in the case of small health plans). Some covered entities will have had experience using the standards prior to the compliance date. We do not agree that we should defer enforcement where violations of the rule occur. It would be wrong for covered entities to believe that enforcement action is based on their not having much experience in using a particular standard or meeting another requirement.
We support a self-regulation approach in that we recognize that most compliance will be achieved by the voluntary activities of covered entities rather than by our enforcement activities. Our emphasis will be on education, technical assistance, and voluntary compliance and not on finding violations and imposing penalties. We also support a consumer empowerment approach. A knowledgeable consumer is key to the effectiveness of this rule. A consumer familiar with the requirements of this rule will be equipped to make choices regarding which covered entity will best serve their privacy interests and will know their rights under the rule and how they can seek redress for violations of this rule. Privacy-minded consumers will seek to protect the privacy rights of others by bringing concerns to the attention of covered entities, the public, and the Secretary. However, we do not agree that we should defer enforcement where violations of the rule occur.
Comment: One commenter expressed concern that by filing a complaint an individual would be required to reveal sensitive information to the public. Another commenter suggested that complaints regarding noncompliance in regard to psychotherapy notes should be made to a panel of mental health professionals designated by the Secretary. This commenter also proposed that all patient information be maintained as privileged, not be revealed to the public, and be kept under seal after the case is reviewed and closed.
Response: We appreciate this concern and will seek to ensure that individually identifiable health information and other personal information contained in complaints will not be available to the public. The privacy regulation provides, at § 160.310(c)(3), that protected health information obtained by the Secretary in connection with an investigation or compliance review will not be disclosed except if necessary for ascertaining or enforcing compliance with the regulation or if required by law. In addition, this Department generally seeks to protect the privacy of individuals to the fullest extent possible, while permitting the exchange of records required to fulfill its administrative and program responsibilities. The Freedom of Information Act, 5 U.S.C. 552, and the HHS implementing regulation, 45 CFR Part 5, provide substantial protection for records about individuals where disclosure would constitute an unwarranted invasion of their personal privacy. In implementing the privacy regulation, OCR plans to continue its current practice of protecting its complaint files from disclosure. OCR treats these files as investigatory records compiled for law enforcement purposes. Moreover, OCR maintains that disclosing protected health information in these files generally constitutes an unwarranted invasion of personal privacy.
It is not clear in regarding the use of mental health professionals, whether the commenter believes that such professionals should be involved because they would be best able to keep psychotherapy notes confidential or because such professionals can best understand the meaning or relevance of such notes. OCR anticipates that it will not have to obtain a copy or review psychotherapy notes in investigating most complaints regarding noncompliance in regard to such notes. There may be some cases where a review of the notes may be needed such as where we need to identify that the information a covered entity disclosed was in fact psychotherapy notes. If we need to obtain a copy of psychotherapy notes, we will keep these notes confidential and secure. OCR investigative staff will be trained to ensure that they fully respect the confidentiality of personal information. In addition, while the specific contents of these notes is generally not relevant to violations under this rule, if such notes are relevant, we will secure the expertise of mental health professionals if needed in reviewing psychotherapy notes.
Comment: A member of Congress and a number of privacy and consumer groups expressed concern with whether OCR has adequate funding to carry out the major responsibility of enforcing the complaint process established by this rule. The Senator stated that "[d]ue to the limited enforcement ability allowed for in this rule by HIPAA, it is essential that OCR have the capacity to enforce the regulations. Now is the time for OCR to begin building the necessary infrastructure to enforce the regulation effectively."
Response: We agree and are committed to an effective enforcement program. We are working with Congress to ensure that the Secretary has the necessary funds to secure voluntary compliance through education and technical assistance, to investigate complaints and conduct compliance reviews, to provide states with exception determinations, and to use civil and criminal penalties when necessary. We will continue to work with Congress and within the new Administration in this regard.