We have summarized how certain federal laws interact with the privacy regulation to provide specific guidance in areas deserving special attention and to serve as examples of the analysis involved. In the Response to Comment section, we have provided our responses to specific questions raised during the comment period.
The Privacy Act.
The Privacy Act of 1974, 5 U.S.C. 552a, prohibits disclosures of records contained in a system of records maintained by a federal agency (or its contractors) without the written request or consent of the individual to whom the record pertains. This general rule is subject to various statutory exceptions. In addition to the disclosures explicitly permitted in the statute, the Privacy Act permits agencies to disclose information for other purposes compatible with the purpose for which the information was collected by identifying the disclosure as a "routine use" and publishing notice of it in the Federal Register. The Act applies to all federal agencies and certain federal contractors who operate Privacy Act systems of records on behalf of federal agencies.
Some federal agencies and contractors of federal agencies that are covered entities under the privacy rules are subject to the Privacy Act. These entities must comply with all applicable federal statutes and regulations. For example, if the privacy regulation permits a disclosure, but the disclosure is not permitted under the Privacy Act, the federal agency may not make the disclosure. If, however, the Privacy Act allows a federal agency the discretion to make a routine use disclosure, but the privacy regulation prohibits the disclosure, the federal agency will have to apply its discretion in a way that complies with the regulation. This means not making the particular disclosure.
The Freedom of Information Act.
FOIA, 5 U.S.C. 552, provides for public disclosure, upon the request of any person, of many types of information in the possession of the federal government, subject to nine exemptions and three exclusions. For example, Exemption 6 permits federal agencies to withhold "personnel and medical files and similar files the disclosure of which would constitute a clearly unwarranted invasion of personal privacy." 5 U.S.C. 552(b)(6).
Uses and disclosures required by FOIA come within § 164.512(a) of the privacy regulation that permits uses or disclosures required by law if the uses or disclosures meet the relevant requirements of the law. Thus, a federal agency must determine whether it may apply an exemption or exclusion to redact the protected health information when responding to a FOIA request. When a FOIA request asks for documents that include protected health information, we believe the agency, when appropriate, must apply Exemption 6 to preclude the release of medical files or otherwise redact identifying details before disclosing the remaining information.
We offer the following analysis for federal agencies and federal contractors who operate Privacy Act systems of records on behalf of federal agencies and must comply with FOIA and the privacy regulation. If presented with a FOIA request that would result in the disclosure of protected health information, a federal agency must first determine if FOIA requires the disclosure or if an exemption or exclusion would be appropriate. We believe that generally a disclosure of protected health information, when requested under FOIA, would come within FOIA Exemption 6. We recognize, however, that the application of this exemption to information about deceased individuals requires a different analysis than that applicable to living individuals because, as a general rule, under the Privacy Act, privacy rights are extinguished at death. However, under FOIA, it is entirely appropriate to consider the privacy interests of a decedent's survivors under Exemption 6. See Department of Justice FOIA Guide 2000, Exemption 6: Privacy Considerations. Covered entities subject to FOIA must evaluate each disclosure on a case-by-case basis, as they do now under current FOIA procedures.
Federal Substance Abuse Confidentiality Requirements.
The federal confidentiality of substance abuse patient records statute, section 543 of the Public Health Service Act, 42 U.S.C. 290dd-2, and its implementing regulation, 42 CFR Part 2, establish confidentiality requirements for patient records that are maintained in connection with the performance of any federally-assisted specialized alcohol or drug abuse program. Substance abuse programs are generally programs or personnel that provide alcohol or drug abuse treatment, diagnosis, or referral for treatment. The term "federally-assisted" is broadly defined and includes federally conducted or funded programs, federally licensed or certified programs, and programs that are tax exempt. Certain exceptions apply to information held by the Veterans Administration and the Armed Forces.
There are a number of health care providers that are subject to both these rules and the substance abuse statute and regulations. In most cases, a conflict will not exist between these rules. These privacy rules permit a health care provider to disclose information in a number of situations that are not permitted under the substance abuse regulation. For example, disclosures allowed, without patient authorization, under the privacy rule for law enforcement, judicial and administrative proceedings, public health, health oversight, directory assistance, and as required by other laws would generally be prohibited under the substance abuse statute and regulation. However, because these disclosures are permissive and not mandatory, there is no conflict. An entity would not be in violation of the privacy rules for failing to make these disclosures.
Similarly, provisions in the substance abuse regulation provide for permissive disclosures in case of medical emergencies, to the FDA, for research activities, for audit and evaluation activities, and in response to certain court orders. Because these are permissive disclosures, programs subject to both the privacy rules and the substance abuse rule are able to comply with both rules even if the privacy rules restrict these types of disclosures. In addition, the privacy rules generally require that an individual be given access to his or her own health information. Under the substance abuse regulation, programs may provide such access, so there is no conflict.
The substance abuse regulation requires notice to patients of the substance abuse confidentiality requirements and provides for written consent for disclosure. While the privacy rules have requirements that are somewhat different, the program may use notice and authorization forms that include all the elements required by both regulations. The substance abuse rule provides a sample notice and a sample authorization form and states that the use of these forms would be sufficient. While these forms do not satisfy all of the requirements of the privacy regulation, there is no conflict because the substance abuse regulation does not mandate the use of these forms.
Employee Retirement Income Security Act of 1974.
ERISA was enacted in 1974 to regulate pension and welfare employee benefit plans established by private sector employers, unions, or both, to provide benefits to their workers and dependents. Under ERISA, plans that provide "through the purchase of insurance or otherwise ... medical, surgical, or hospital care or benefits, or benefits in the event of sickness, accident, disability, [or] death" are defined as employee welfare benefit plans. 29 U.S.C. 1002(1). In 1996, HIPAA amended ERISA to require portability, nondiscrimination, and renewability of health benefits provided by group health plans and group health insurance issuers. Numerous, although not all, ERISA plans are covered under the rules proposed below as "health plans."
Section 514(a) of ERISA, 29 U.S.C. 1144(a), preempts all state laws that "relate to" any employee benefit plan. However, section 514(b) of ERISA, 29 U.S.C. 1144(b)(2)(A), expressly saves from preemption state laws that regulate insurance. Section 514(b)(2)(B) of ERISA, 29 U.S.C. 1144(b)(2)(B), provides that an ERISA plan is deemed not to be an insurer for the purpose of regulating the plan under the state insurance laws. Thus, under the deemer clause, states may not treat ERISA plans as insurers subject to direct regulation by state law. Finally, section 514(d) of ERISA, 29 U.S.C. 1144(d), provides that ERISA does not "alter, amend, modify, invalidate, impair, or supersede any law of the United States."
We considered whether the preemption provision of section 264(c)(2) of HIPAA would give effect to state laws that would otherwise be preempted by section 514(a) of ERISA. As discussed above, our reading of the statutes together is that the effect of section 264(c)(2) is only to leave in place state privacy protections that would otherwise apply and that are more stringent than the federal privacy protections.
Many health plans covered by the privacy regulation are also subject to ERISA requirements. Our discussions and consultations have not uncovered any particular ERISA requirements that would conflict with the rules.
The Family Educational Rights and Privacy Act.
FERPA, as amended, 20 U.S.C. 1232g, provides parents of students and eligible students (students who are 18 or older) with privacy protections and rights for the records of students maintained by federally funded educational agencies or institutions or persons acting for these agencies or institutions. We have excluded education records covered by FERPA, including those education records designated as education records under Parts B, C, and D of the Individuals with Disabilities Education Act Amendments of 1997, from the definition of protected health information. For example, individually identifiable health information of students under the age of 18 created by a nurse in a primary or secondary school that receives federal funds and that is subject to FERPA is an education record, but not protected health information. Therefore, the privacy regulation does not apply. We followed this course because Congress specifically addressed how information in education records should be protected in FERPA.
We have also excluded certain records, those described at 20 U.S.C. 1232g(a)(4)(B)(iv), from the definition of protected health information because FERPA also provided a specific structure for the maintenance of these records. These are records (1) of students who are 18 years or older or are attending post-secondary educational institutions, (2) maintained by a physician, psychiatrist, psychologist, or recognized professional or paraprofessional acting or assisting in that capacity, (3) that are made, maintained, or used only in connection with the provision of treatment to the student, and (4) that are not available to anyone, except a physician or appropriate professional reviewing the record as designated by the student. Because FERPA excludes these records from its protections only to the extent they are not available to anyone other than persons providing treatment to students, any use or disclosure of the record for other purposes, including providing access to the individual student who is the subject of the information, would turn the record into an education record. As education records, they would be subject to the protections of FERPA.
These exclusions are not applicable to all schools, however. If a school does not receive federal funds, it is not an educational agency or institution as defined by FERPA. Therefore, its records that contain individually identifiable health information are not education records. These records may be protected health information. The educational institution or agency that employs a school nurse is subject to our regulation as a health care provider if the school nurse or the school engages in a HIPAA transaction.
While we strongly believe every individual should have the same level of privacy protection for his/her individually identifiable health information, Congress did not provide us with authority to disturb the scheme it had devised for records maintained by educational institutions and agencies under FERPA. We do not believe Congress intended to amend or preempt FERPA when it enacted HIPAA.
With regard to the records described at 20 U.S.C. 1232g(a)(4)(b)(iv), we considered requiring health care providers engaged in HIPAA transactions to comply with the privacy regulation up to the point these records were used or disclosed for purposes other than treatment. At that point, the records would be converted from protected health information into education records. This conversion would occur any time a student sought to exercise his/her access rights. The provider, then, would need to treat the record in accordance with FERPA's requirements and be relieved from its obligations under the privacy regulation. We chose not to adopt this approach because it would be unduly burdensome to require providers to comply with two different, yet similar, sets of regulations and inconsistent with the policy in FERPA that these records be exempt from regulation to the extent the records were used only to treat the student.
In 1999, Congress passed Gramm-Leach-Bliley (GLB), Pub. L. 106-102, which included provisions, section 501 et seq., that limit the ability of financial institutions to disclose "nonpublic personal information" about consumers to non-affiliated third parties and require financial institutions to provide customers with their privacy policies and practices with respect to nonpublic personal information. In addition, Congress required seven agencies with jurisdiction over financial institutions to promulgate regulations as necessary to implement these provisions. GLB and its accompanying regulations define "financial institutions" as including institutions engaged in the financial activities of bank holding companies, which may include the business of insuring. See 15 U.S.C. 6809(3); 12 U.S.C. 1843(k). However, Congress did not provide the designated federal agencies with the authority to regulate health insurers. Instead, it provided states with an incentive to adopt and have their state insurance authorities enforce these rules. See 15 U.S.C. 6805. If a state were to adopt laws consistent with GLB, health insurers would have to determine how to comply with both sets of rules.
Thus, GLB has caused concern and confusion among health plans that are subject to our privacy regulation. Although Congress remained silent as to its understanding of the interaction of GLB and HIPAA's privacy provisions, the Federal Trade Commission and other agencies implementing the GLB privacy provisions noted in the preamble to their GLB regulations that they "would consult with HHS to avoid the imposition of duplicative or inconsistent requirements." 65 Fed. Reg. 33646, 33648 (2000). Additionally, the FTC also noted that "persons engaged in providing insurance" would be within the enforcement jurisdiction of state insurance authorities and not within the jurisdiction of the FTC. Id.
Because the FTC has clearly stated that it will not enforce the GLB privacy provisions against persons engaged in providing insurance, health plans will not be subject to dual federal agency jurisdiction for information that is both nonpublic personal information and protected health information. If states choose to adopt GLB-like laws or regulations, which may or may not track the federal rules completely, health plans would need to evaluate these laws under the preemption analysis described in subpart B of Part 160.
Federally Funded Health Programs.
These rules will affect various federal programs, some of which may have requirements that are, or appear to be, inconsistent with the requirements of these regulations. These programs include those operated directly by the federal government (such as health programs for military personnel and veterans) as well as programs in which health services or benefits are provided by the private sector or by state or local governments, but which are governed by various federal laws (such as Medicare, Medicaid, and ERISA).
Congress explicitly included some of these programs in HIPAA, subjecting them directly to the privacy regulation. Section 1171 of the Act defines the term "health plan" to include the following federally conducted, regulated, or funded programs: group plans under ERISA that either have 50 or more participants or are administered by an entity other than the employer who established and maintains the plan; federally qualified health maintenance organizations; Medicare; Medicaid; Medicare supplemental policies; the health care program for active military personnel; the health care program for veterans; the Civilian Health and Medical Program of the Uniformed Services (CHAMPUS); the Indian health service program under the Indian Health Care Improvement Act, 25 U.S.C. 1601, et seq.; and the Federal Employees Health Benefits Program. There also are many other federally conducted, regulated, or funded programs in which individually identifiable health information is created or maintained, but which do not come within the statutory definition of "health plan." While these latter types of federally conducted, regulated, or assisted programs are not explicitly covered by part C of title XI in the same way that the programs listed in the statutory definition of "health plan" are covered, the statute may nonetheless apply to transactions and other activities conducted under such programs. This is likely to be the case when the federal entity or federally regulated or funded entity provides health services; the requirements of part C may apply to such an entity as a "health care provider." Thus, the issue of how different federal requirements apply is likely to arise in numerous contexts.
There are a number of authorities under the Public Health Service Act and other legislation that contain explicit confidentiality requirements, either in the enabling legislation or in the implementing regulations. Many of these are so general that there would appear to be no problem of inconsistency, in that nothing in those laws or regulations would appear to restrict the provider's ability to comply with the privacy regulation's requirements.
There may, however, be authorities under which either the requirements of the enabling legislation or of the program regulations would impose requirements that differ from these rules.
For example, regulations applicable to the substance abuse block grant program funded under section 1943(b) of the Public Health Service Act require compliance with 42 CFR part 2, and, thus, raise the issues identified above in the substance abuse confidentiality regulations discussion. There are a number of federal programs which, either by statute or by regulation, restrict the disclosure of patient information to, with minor exceptions, disclosures "required by law." See, for example, the program of projects for prevention and control of sexually transmitted diseases funded under section 318(e)(5) of the Public Health Service Act (42 CFR 51b.404); the regulations implementing the community health center program funded under section 330 of the Public Health Service Act (42 CFR 51c.110); the regulations implementing the program of grants for family planning services under title X of the Public Health Service Act (42 CFR 59.15); the regulations implementing the program of grants for black lung clinics funded under 30 U.S.C. 437(a) (42 CFR 55a.104); the regulations implementing the program of maternal and child health projects funded under section 501 of the Act (42 CFR 51a.6); the regulations implementing the program of medical examinations of coal miners (42 CFR 37.80(a)). These legal requirements would restrict the grantees or other entities providing services under the programs involved from making many of the disclosures that §§ 164.510 or 164.512 would permit. In some cases, permissive disclosures for treatment, payment, or health care operations would also be limited. Because §§ 164.510 and 164.512 are merely permissive, there would not be a conflict between the program requirements, because it would be possible to comply with both. However, entities subject to both sets of requirements would not have the total range of discretion that they would have if they were subject only to this regulation.
Food, Drug, and Cosmetic Act.
The Food, Drug, and Cosmetic Act, 21 U.S.C. 301, et seq., and its accompanying regulations outline the responsibilities of the Food and Drug Administration with regard to monitoring the safety and effectiveness of drugs and devices. Part of the agency's responsibility is to obtain reports about adverse events, track medical devices, and engage in other types of post marketing surveillance. Because many of these reports contain protected health information, the information within them may come within the purview of the privacy rules. Although some of these reports are required by the Food, Drug, and Cosmetic Act or its accompanying regulations, other types of reporting are voluntary. We believe that these reports, while not mandated, play a critical role in ensuring that individuals receive safe and effective drugs and devices. Therefore, in § 164.512(b)(1)(iii), we have provided that covered entities may disclose protected health information to a person subject to the jurisdiction of the Food and Drug Administration for specified purposes, such as reporting adverse events, tracking medical devices, or engaging in other post marketing surveillance. We describe the scope and conditions of such disclosures in more detail in § 164.512(b).
Clinical Laboratory Improvement Amendments.
CLIA, 42 U.S.C. 263a, and the accompanying regulations, 42 CFR part 493, require clinical laboratories to comply with standards regarding the testing of human specimens. This law requires clinical laboratories to disclose test results or reports only to authorized persons, as defined by state law. If a state does not define the term, the federal law defines it as the person who orders the test.
We realize that the person ordering the test is most likely a health care provider and not the individual who is the subject of the protected health information included within the result or report. Under this requirement, therefore, a clinical laboratory may be prohibited by law from providing the individual who is the subject of the test result or report with access to this information.
Although we believe individuals should be able to have access to their individually identifiable health information, we recognize that in the specific area of clinical laboratory testing and reporting, the Health Care Financing Administration, through regulation, has provided that access may be more limited. To accommodate this requirement, we have provided at § 164.524(1)(iii) that covered entities maintaining protected health information that is subject to the CLIA requirements do not have to provide individuals with a right of access to or a right to inspect and obtain a copy of this information if the disclosure of the information to the individual would be prohibited by CLIA.
Not all clinical laboratories, however, will be exempted from providing individuals with these rights. If a clinical laboratory operates in a state in which the term "authorized person" is defined to include the individual, the clinical laboratory would have to provide the individual with these rights. Similarly, if the individual was the person who ordered the test and an authorized person included such a person, the laboratory would be required to provide the individual with these rights.
Additionally, CLIA regulations exempt the components or functions of "research laboratories that test human specimens but do not report patient specific results for the diagnosis, prevention or treatment of any disease or impairment of, or the assessment of the health of individual patients" from the CLIA regulatory scheme. 42 CFR 493.3(a)(2). If subject to the access requirements of this regulation, such entities would be forced to meet the requirements of CLIA from which they are currently exempt. To eliminate this additional regulatory burden, we have also excluded covered entities that are exempt from CLIA under that rule from the access requirement of this regulation.
Although we are concerned about the lack of immediate access by the individual, we believe that, in most cases, individuals who receive clinical tests will be able to receive their test results or reports through the health care provider who ordered the test for them. The provider will receive the information from the clinical laboratory. Assuming that the provider is a covered entity, the individual will have the right of access and right to inspect and copy this protected health information through his or her provider.
Other Mandatory Federal or State Laws.
Many federal laws require covered entities to provide specific information to specific entities in specific circumstances. If a federal law requires a covered entity to disclose a specific type of information, the covered entity would not need an authorization under § 164.508 to make the disclosure because the final rule permits covered entities to make disclosures that are required by law under § 164.512(a). Other laws, such as the Social Security Act (including its Medicare and Medicaid provisions), the Family and Medical Leave Act, the Public Health Service Act, Department of Transportation regulations, the Environmental Protection Act and its accompanying regulations, the National Labor Relations Act, the Federal Aviation Administration, and the Federal Highway Administration rules, may also contain provisions that require covered entities or others to use or disclose protected health information for specific purposes.
When a covered entity is faced with a question as to whether the privacy regulation would prohibit the disclosure of protected health information that it seeks to disclose pursuant to a federal law, the covered entity should determine if the disclosure is required by that law. In other words, it must determine if the disclosure is mandatory rather than merely permissible. If it is mandatory, a covered entity may disclose the protected health information pursuant to § 164.512(a), which permits covered entities to disclose protected health information without an authorization when the disclosure is required by law. If the disclosure is not required (but only permitted) by the federal law, the covered entity must determine if the disclosure comes within one of the other permissible disclosures. If the disclosure does not come within one of the provisions for permissible disclosures, the covered entity must obtain an authorization from the individual who is the subject of the information or de-identify the information before disclosing it.
If another federal law prohibits a covered entity from using or disclosing information that is also protected health information, but the privacy regulation permits the use or disclosure, a covered entity will need to comply with the other federal law and not use or disclose the information.
Federal Disability Nondiscrimination Laws.
The federal laws barring discrimination on the basis of disability protect the confidentiality of certain medical information. The information protected by these laws falls within the larger definition of "health information" under this privacy regulation. The two primary disability nondiscrimination laws are the Americans with Disabilities Act (ADA), 42 U.S.C. 12101et seq., and the Rehabilitation Act of 1973, as amended, 29 U.S.C. 701 et seq., although other laws barring discrimination on the basis of disability (such as the nondiscrimination provisions of the Workforce Investment Act of 1988, 29 U.S.C. 2938) may also apply. Federal disability nondiscrimination laws cover two general categories of entities relevant to this discussion: employers and entities that receive federal financial assistance.
Employers are not covered entities under the privacy regulation. Many employers, however, are subject to the federal disability nondiscrimination laws and, therefore, must protect the confidentiality of all medical information concerning their applicants and employees.
The employment provisions of the ADA, 42 U.S.C. 12111 et seq., expressly cover employers of 15 or more employees, employment agencies, labor organizations, and joint labor-management committees. Since 1992, employment discrimination complaints arising under sections 501, 503, and 504 of the Rehabilitation Act also have been subject to the ADA's employment nondiscrimination standards. See "Rehabilitation Act Amendments," Pub. L. No. 102-569, 106 Stat. 4344. Employers subject to ADA nondiscrimination standards have confidentiality obligations regarding applicant and employee medical information. Employers must treat such medical information, including medical information from voluntary health or wellness programs and any medical information that is voluntarily disclosed as a confidential medical record, subject to limited exceptions.
Transmission of health information by an employer to a covered entity, such as a group health plan, is governed by the ADA confidentiality restrictions. The ADA, however, has been interpreted to permit an employer to use medical information for insurance purposes. See 29 CFR 1630 App. at § 1630.14(b) (describing such use with reference to 29 CFR 1630.16(f), which in turn explains that the ADA regulation "is not intended to disrupt the current regulatory structure for self-insured employers . . . or current industry practices in sales, underwriting, pricing, administrative and other services, claims and similar insurance related activities based on classification of risks as regulated by the states"). See also, "Enforcement Guidance on Disability-Related Inquiries and Medical Examinations of Employees under the Americans with Disabilities Act," 4, n.10 (July 26, 2000), __ FEP Manual (BNA) __ ("Enforcement Guidance on Employees"). See generally, "ADA Enforcement Guidance on Preemployment Disability-Related Questions and Medical Examinations" (October 10, 1995), 8 FEP Manual (BNA) 405:7191 (1995) (also available at http://www.eeoc.gov). Thus, use of medical information for insurance purposes may include transmission of health information to a covered entity.
If an employer-sponsored group health plan is closely linked to an employer, the group health plan may be subject to ADA confidentiality restrictions, as well as this privacy regulation. See Carparts Distribution Center, Inc. v. Automotive Wholesaler's Association of New England, Inc., 37 F.3d 12 (1st Cir. 1994)(setting forth three bases for ADA Title I jurisdiction over an employer-provided medical reimbursement plan, in a discrimination challenge to the plan's HIV/AIDS cap). Transmission of applicant or employee health information by the employer's management to the group health plan may be permitted under the ADA standards as the use of medical information for insurance purposes. Similarly, disclosure of such medical information by the group health plan, under the limited circumstances permitted by this privacy regulation, may involve use of the information for insurance purposes as broadly described in the ADA discussion above.
Entities that receive federal financial assistance, which may also be covered entities under the privacy regulation, are subject to section 504 of the Rehabilitation Act (29 U.S.C. 794) and its implementing regulations. Each federal agency has promulgated such regulations that apply to entities that receive financial assistance from that agency ("recipients"). These regulations may limit the disclosure of medical information about persons who apply to or participate in a federal financially assisted program or activity. For example, the Department of Labor's section 504 regulation (found at 29 CFR part 32), consistent with the ADA standards, requires recipients that conduct employment-related programs, including employment training programs, to maintain confidentiality regarding any information about the medical condition or history of applicants to or participants in the program or activity. Such information must be kept separate from other information about the applicant or participant and may be provided to certain specified individuals and entities, but only under certain limited circumstances described in the regulation. See 29 CFR 32.15(d). Apart from those circumstances, the information must be afforded the same confidential treatment as medical records, id. Also, recipients of federal financial assistance from the Department of Health and Human Services, such as hospitals, are subject to the ADA's employment nondiscrimination standards. They must, accordingly, maintain confidentiality regarding the medical condition or history of applicants for employment and employees.
The statutes and implementing regulations under which the federal financial assistance is provided may contain additional provisions regulating collection and disclosure of medical, health, and disability-related information. See, e.g., section 188 of the Workforce Investment Act of 1988 (29 U.S.C. 2938) and 29 CFR 37.3(b). Thus, covered entities that are subject to this privacy regulation, may also be subject to the restrictions in these laws as well.
U.S. Safe Harbor Privacy Principles (European Union Directive on Data Protection).
The E.U. Directive became effective in October 1998 and prohibits European Union Countries from permitting the transfer of personal data to another country without ensuring that an "adequate level of protection," as determined by the European Commission, exists in the other country or pursuant to one of the Directive's derogations of this rule, such as pursuant to unambiguous consent or to fulfill a contract with the individual. In July 2000, the European Commission concluded that the U.S. Safe Harbor Privacy Principles1 constituted "adequate protection." Adherence to the Principles is voluntary. Organizations wishing to engage in the exchange of personal data with E.U. countries may assert compliance with the Principles as one means of obtaining data from E.U. countries.
The Department of Commerce, which negotiated these Principles with the European Commission, has provided guidance for U.S. organizations seeking to adhere to the guidelines and comply with U.S. law. We believe this guidance addresses the concerns covered entities seeking to transfer personal data from E.U. countries may have. When "U.S. law imposes a conflicting obligation, U.S. organizations whether in the safe harbor or not must comply with the law." An organization does not need to comply with the Principles if a conflicting U.S. law "explicitly authorizes" the particular conduct. The organization's non-compliance is "limited to the extent necessary to meet the overriding legitimate interests further[ed] by such authorization." However, if only a difference exists such that an "option is allowable under the Principles and/or U.S. law, organizations are expected to opt for the higher protection where possible." Questions regarding compliance and interpretation will be decided based on U.S. law. See Department of Commerce, Memorandum on Damages for Breaches of Privacy, Legal Authorizations and Mergers and Takeovers in U.S. Law 5 (July 17, 2000); Department of Commerce, Safe Harbor Privacy Principles Issued by the U.S. Department of Commerce on July 21, 2000, 65 Fed. Reg. 45666 (2000). The Principles and our privacy regulation are based on common principles of fair information practices. We believe they are essentially consistent and that an organization complying with our privacy regulation can fairly and correctly self-certify that it complies with the Principles. If a true conflict arises between the privacy regulation and the Principles, the Department of Commerce's guidance provides that an entity must comply with the U.S. law.