Comment: Some commenters expressed concern that the NPRM's provisions permitting disclosures for health oversight and disclosures for law enforcement overlapped, and that the overlap could create confusion among covered entities, members of the public, and government agencies. The commenters identified particular factors that could lead to confusion, including that (1) the phrase "criminal, civil, or administrative proceeding" appeared in the definitions of both law enforcement and oversight; (2) the examples of oversight agencies listed in the preamble included a number of organizations that also conduct law enforcement activities; (3) the NPRM addressed the issue of disclosures to investigate health care fraud in the law enforcement section (§ 164.510(f)(5)), yet health care fraud investigations are central to the mission of some health care oversight agencies; (4) the NPRM established more stringent rules for disclosure of protected health information pursuant to an administrative subpoena issued for law enforcement than for disclosure pursuant to an oversight agency's administrative subpoena; and (5) the preamble, but not the NPRM regulation text, indicated that agencies conducting both oversight and law enforcement activities would be subject to the oversight requirements when conducting oversight activities.
Some commenters said that covered entities would be confused by the overlap between law enforcement and oversight and that this concern would lead to litigation over which rules should apply when an entity engaged in more than one of the activities listed under the exceptions in proposed § 164.510. Other commenters believed that covered entities could manipulate the NPRM's ambiguities in their favor, claim that the more stringent law enforcement disclosure rules always should apply, and thereby delay investigations. A few comments suggested that the confusion could be clarified by making the regulation text consistent with the preamble, by stating that when agencies conducting both law enforcement and oversight seek protected health information as part of their oversight activities, the oversight rules would apply.
Response: We agree that the boundary between disclosures for health oversight and disclosures for law enforcement proposed in the NPRM could have been more clear. Because many investigations, particularly investigations involving public benefit programs, have both health oversight and law enforcement aspects to them, and because the same agencies often perform both functions, drawing any distinction between the two functions is necessarily difficult. For example, traditional law enforcement agencies, such as the Federal Bureau of Investigation, have a significant role in health oversight. At the same time, traditional health oversight agencies, such as federal Offices of Inspectors General, often participate in criminal investigations.
To clarify the boundary between law enforcement and oversight for purposes of complying with this rule, we add new language in the final rule, at § 164.512(d)(2). This section indicates that health oversight activities do not include an investigation or activity in which the individual is the subject of the investigation or activity and the investigation or activity does not arise out of and is not directly related to health care fraud. In this rule, we describe investigations involving suspected health care fraud as investigations related to: (1) the receipt of health care; (2) a claim for public benefits related to health; or (3) qualification for, or receipt of public benefits or services where a patient's health is integral to the claim for public benefits or services. In such cases, where the individual is the subject of the investigation and the investigation does not relate to health care fraud, identified as investigations regarding issues (a) through (c), the rules regarding disclosure for law enforcement purposes (see § 164.512(f)) apply.
Where the individual is not the subject of the activity or investigation, or where the investigation or activity relates to health care fraud, a covered entity may make a disclosure pursuant to § 164.512(d)(1), allowing uses and disclosures for health oversight activities. For example, when the U.S. Department of Labor's Pension and Welfare Benefits Administration (PWBA) needs to analyze protected health information about health plan enrollees in order to conduct an audit or investigation of the health plan (i.e., the enrollees are not subjects of the investigation) to investigate potential fraud by the health plan, the health plan may disclose protected health information to the PWBA under the health oversight rules.
To clarify further that health oversight disclosure rules apply generally in health care fraud investigations (subject to the exception described above), in the final rule, we eliminate proposed § 164.510(f)(5)(i), which would have established requirements for disclosure related to health fraud for law enforcement purposes. All disclosures of protected health information that would have been permitted under proposed § 164.510(f)(5)(i) are permitted under § 164.512(d).
We also recognize that sections 201 and 202 of HIPAA, which established a federal Fraud and Abuse Control Program and the Medicare Integrity Program, identified health care fraud-fighting as a critical national priority. Accordingly, under the final rule, in joint law enforcement/oversight investigations involving suspected health care fraud, the health oversight disclosures apply, even if the individual also is the subject of the investigation.
We also recognize that in some cases, health oversight agencies may conduct joint investigations with other oversight agencies involved in investigating claims for benefits unrelated to health. For example, in some cases, a state Medicaid agency may be working with officials of the Food Stamps program to investigate suspected fraud involving Medicaid and Food Stamps. While this issue was not raised specifically in the comments, we add new language (§ 164.512(d)(3)) to provide guidance to covered entities in such situations. Specifically, we clarify that if a health oversight investigation is conducted in conjunction with an oversight activity related to a claim for benefits unrelated to health, the joint activity or investigation is considered health oversight for purposes of the rule, and the covered entities may disclose protected health information pursuant to the health oversight provisions.
Comment: An individual commenter recommended requiring authorization for disclosure of patient records in fraud investigations, unless the individual was the subject or target of the investigation. This commenter recommended requiring a search warrant for cases in which the individual was the subject and stating that fraud investigators should have access to the minimum necessary patient information.
Response: As described above, we recognize that in some cases, activities include elements of both law enforcement and health oversight. Because we consider both of these activities to be critical national priorities, we do not require covered entities to obtain authorization for disclosure of protected health information to law enforcement or health oversight agencies - including those oversight activities related to health care fraud. We believe that investigations involving health care fraud represent health oversight rather than law enforcement. Accordingly, as indicated above, we remove proposed § 164.510(f)(5)(i) from the law enforcement section of the proposed rule and clarify that all disclosures of protected health information for health oversight are permissible without authorization. As discussed in greater detail in § 164.514, the final rule's minimum necessary standard applies to disclosures under § 164.512 unless the disclosure is required by law under § 164.512(a).
Comment: A large number of commenters expressed concern about the potential for health oversight agencies to become, in effect, the "back door" for law enforcement access to such information. The commenters suggested that health oversight agencies could use their relatively unencumbered access to protected health information to circumvent the more stringent process requirements that otherwise would apply to disclosures for law enforcement purposes. These commenters urged us to prohibit health oversight agencies from re-disclosing protected health information to law enforcement.
Response: As indicated above, we do not intend for the rule's permissive approach to health oversight or the absence of specific documentation to permit the government to gather large amounts of protected health information for purposes unrelated to health oversight as defined in the rule, and we do not intend for these oversight provisions to serve as a "back door" for law enforcement access to protected health information. While we do not have the statutory authority to regulate law enforcement and oversight agencies' re-use and re-disclosure of protected health information, we strongly support enactment of comprehensive privacy legislation that would govern public agencies' re-use and re-disclosure of this information. Furthermore, in an effort to prevent health oversight provisions from becoming the back door to law enforcement access to protected health information, the President is issuing an Executive Order that places strict limitations on the use of protected health information gathered in the course of an oversight investigation for law enforcement activities.
Comment: One commenter asked us to allow the requesting agency to decide whether a particular request for protected health information was for law enforcement or oversight purposes.
Response: As described above, we clarify the overlap between law enforcement disclosures and health oversight disclosures based on the privacy and liberty interests of the individual (whether the individual also is the subject of the official inquiry) and the nature of the public interest (whether the inquiry relates to health care fraud or to another potential violation of law). We believe it is more appropriate to establish these criteria than to leave the decision to the discretion of an agency that has a stake in the outcome of the investigation.