Standards for Privacy of Individually Identifiable Health Information. Final Privacy Rule Preamble.. Protected health information.


Comment: An overwhelmingly large number of commenters urged the Secretary to expand privacy protection to all individually identifiable health information, regardless of form, held or transmitted by a covered entity. Commenters provided many arguments in support of their position. They asserted that expanding the scope of covered information under the rule would increase patient confidence in their health care providers and the health care system in general. Commenters stated that patients may not seek care or honestly discuss their health conditions with providers if they do not believe that all of their health information is confidential. In particular, many suggested that this fear would be particularly strong with certain classes of patients, such as persons with disabilities, who may be concerned about potential discrimination, embarrassment or stigmatization, or domestic violence victims, who may hide the real cause of their injuries.

In addition, commenters felt that a more uniform standard that covered all records would reduce the complexity, burden, cost, and enforcement problems that would result from the NPRM's proposal to treat electronic and non-electronic records differently. Specifically, they suggested that such a standard would eliminate any confusion regarding how to treat mixed records (paper records that include information that has been stored or transmitted electronically) and would eliminate the need for health care providers to keep track of which portions of a paper record have been (or will be) stored or transmitted electronically, and which are not. Many of these commenters argued that limiting the definition to information that is or has at one time been electronic would result in different protections for electronic and paper records, which they believe would be unwarranted and give consumers a false sense of security. Other comments argued that the proposed definition would cause confusion for providers and patients and would likely cause difficulties in claims processing. Many others complained about the difficulty of determining whether information has been maintained or transmitted electronically. Some asked us to explicitly list the electronic functions that are intended to be excluded, such as voice mail, fax, etc. It was also recommended that the definitions of 'electronic transmission' and 'electronic maintenance' be deleted. It was stated that the rule may apply to many medical devices that are regulated by the FDA. A commenter also asserted that the proposal's definition was technically flawed in that computers are also involved in analog electronic transmissions such as faxes, telephone, etc., which is not the intent of the language. Many commenters argued that limiting the definition to information that has been electronic would create a significant administrative burden, because covered entities would have to figure out how to apply the rule to some but not all information.

Others argued that covering all individually identifiable health information would eliminate any disincentives for covered entities to convert from paper to computerized record systems. These commenters asserted that under the proposed limited coverage, contrary to the intent of HIPAA's administrative simplification standards, providers would avoid converting paper records into computerized systems in order to bypass the provisions of the regulation. They argued that treating all records the same is consistent with the goal of increasing the efficiency of the administration of health care services.

Lastly, in the NPRM, we explained that while we chose not to extend our regulatory coverage to all records, we did have the authority to do so. Several commenters agreed with our interpretation of the statute and our authority and reiterated such statements in arguing that we should expand the scope of the rule in this regard.

Response: We find these commenters' arguments persuasive and extend protections to individually identifiable health information transmitted or maintained by a covered entity in any form (subject to the exception for "education records" governed by FERPA and records described at 20 U.S.C. 1232g(a)(4)(B)(iv)). We do so for the reasons described by the commenters and in our NPRM, as well as because we believe that the approach in the final rule creates a logical, consistent system of protections that recognizes the dynamic nature of health information use and disclosure in a continually shifting health care environment. Rules that are specific to certain formats or media, such as "electronic" or "paper," cannot address the privacy threats resulting from evolving forms of data capture and transmission or from the transfer of the information from one form to another. This approach avoids the somewhat artificial boundary issues that stem from defining what is and is not electronic.

In addition, we have reevaluated our reasons for not extending privacy protections to all paper records in the NPRM and after review of comments believe such justifications to be less compelling than we originally thought. For example, in the NPRM, we explained that we chose not to cover all paper records in order to focus on the public concerns about health information confidentiality in electronic communications, and out of concern that the potential additional burden of covering all records may not be justified because of the lower privacy risks presented by records that are in paper form only. As discussed above however, a great many commenters asserted that dealing with a mixture of protected and non-protected records is more burdensome, and that public concerns over health information confidentiality are not at all limited to electronic communications.

We note that medical devices in and of themselves, for example, pacemakers, are not protected health information for purposes of this regulation. However, information in or from the device may be protected health information to the extent that it otherwise meets the definition.

Comment: Numerous commenters argued that the proposed coverage of any information other than that which is transmitted electronically and/or in a HIPAA transaction exceeds the Secretary's authority under section 264(c)(1) of HIPAA. The principal argument was that the initial language in section 264(c)(1) ("If language governing standards with respect to the privacy of individually identifiable health information transmitted in connection with the transactions described in section 1173(a) of the Social Security Act ... is not enacted by [August 21, 1999], the Secretary ... shall promulgate final regulations containing such standards...") limits the privacy standards to "information transmitted in connection with the [HIPAA] transactions." The precise argument made by some commenters was that the grant of authority is contained in the words "such standards," and that the referent of that phrase was "standards with respect to the privacy of individually identifiable health information transmitted in connection with the transactions described in section 1173(a)...".

Commenters also argued that this limitation on the Secretary's authority is discernible from the statutory purpose statement at section 261 of HIPAA, from the title to section 1173(a) ("Standards to Enable Electronic Exchange"), and from various statements in the legislative history, such as the statement in the Conference Report that the "Secretary would be required to establish standards and modifications to such standards regarding the privacy of individually identifiable health information that is in the health information network." H. Rep. No. 104-736,104th Cong., 2d Sess., at 265. It was also argued that extension of coverage beyond the HIPAA transactions would be inconsistent with the underlying statutory trade-off between facilitating accessibility of information in the electronic transactions for which standards are adopted under section 1173(a) and protecting that information through the privacy standards.

Other commenters argued more generally that the Secretary's authority was limited to information in electronic form only, not information in any other form. These comments tended to focus on the statutory concern with regulating transactions in electronic form and argued that there was no need to have the privacy standards apply to information in paper form, because there is significantly less risk of breach of privacy with respect to such information.

The primary justifications provided by commenters for restricting the scope of covered individually identifiable health information under the regulation were that such an approach would reduce the complexity, burden, cost, and enforcement problems that would result from a rule that treats electronic and non-electronic records differently; would appropriately limit the rule's focus to the security risks that are inherent in electronic transmission or maintenance of individually identifiable health information; and would conform these provisions of the rule more closely with their interpretation of the HIPAA statutory language.

Response: We disagree with these commenters. We believe that restricting the scope of covered information under the rule consistent with any of the comments described above would generate a number of policy concerns. Any restriction in the application of privacy protections based on the media used to maintain or transmit the information is by definition arbitrary, unrelated to the potential use or disclosure of the information itself and therefore not responsive to actual privacy risks. For example, information contained in a paper record may be scanned and transmitted worldwide almost as easily as the same information contained in an electronic claims transaction, but would potentially not be protected.

In addition, application of the rule to only the standard transactions would leave large gaps in the amount of health information covered. This limitation would be particularly harmful for information used and disclosed by health care providers, who are likely to maintain a great deal of information never contained in a transaction.

We disagree with the arguments that the Secretary lacks legal authority to cover all individually identifiable health information transmitted or maintained by covered entities. The arguments raised by these comments have two component parts: (1) that the Secretary's authority is limited by form, to individually identifiable health information in electronic form only; and (2) that the Secretary's authority is limited by content, to individually identifiable health information that is contained in what commenters generally termed the "HIPAA transactions," i.e., information contained in a transaction for which a standard has been adopted under section 1173(a) of the Act.

With respect to the issue of form, the statutory definition of "health information" at section 1171(4) of the Act defines such information as "any information, whether oral or recorded in any form or medium" (emphasis added) which is created or received by certain entities and relates to the health condition of an individual or the provision of health care to an individual (emphasis added). "Individually identifiable health information", as defined at section 1171(6) of the Act, is information that is created or received by a subset of the entities listed in the definition of "health information", relates to the same subjects as "health information," and is, in addition, individually identifiable. Thus, "individually identifiable health information" is, as the term itself implies, a subset of "health information." As "health information," "individually identifiable health information" means, among other things, information that is "oral or recorded in any form or medium." Therefore, the statute does not limit "individually identifiable health information" to information that is in electronic form only.

With respect to the issue of content, the limitation of the Secretary's authority to information in HIPAA transactions under section 264(c)(1) is more apparent than real. While the first sentence of section 264(c)(1) may be read as limiting the regulations to standards with respect to the privacy of individually identifiable health information "transmitted in connection with the [HIPAA] transactions," what that sentence in fact states is that the privacy regulations must "contain" such standards, not be limited to such standards. The first sentence thus sets a statutory minimum, first for Congress, then for the Secretary. The second sentence of section 264(c)(1) directs that the regulations "address at least the subjects in subsection (b) [of section 264]." Section 264(b), in turn, refers only to "individually identifiable health information", with no qualifying language, and refers back to subsection (a) of section 264, which is not limited to HIPAA transactions. Thus, the first and second sentences of section 264(c)(1) can be read as consistent with each other, in which case they direct the issuance of privacy standards with respect to individually identifiable health information. Alternatively, they can be read as ambiguous, in which case one must turn to the legislative history.

The legislative history of section 264 does not reflect the content limitation of the first sentence of section 264(c)(1). Rather, the Conference Report summarizes this section as follows: "If Congress fails to enact privacy legislation, the Secretary is required to develop standards with respect to privacy of individually identifiable health information not later than 42 months from the date of enactment." Id., at 270. This language indicates that the overriding purpose of section 264(c)(1) was to postpone the Secretary's duty to issue privacy standards (which otherwise would have been controlled by the time limits at section 1174(a)), in order to give Congress more time to pass privacy legislation. A corollary inference, which is also supported by other textual evidence in section 264 and Part C of title XI, is that if Congress failed to act within the time provided, the original statutory scheme was to kick in. Under that scheme, which is set out in section 1173(e) of the House bill, the standards to be adopted were "standards with respect to the privacy of individually identifiable health information." Thus, the legislative history of section 264 supports the statutory interpretation underlying the rules below.

Comment: Many commenters were opposed to the rule covering specific forms of communication or records that could potentially be considered covered information, i.e., faxes, voice mail messages, etc. A subset of these commenters took issue particularly with the inclusion of oral communications within the scope of covered information. The commenters argued that covering information when it takes oral form (e.g., verbal discussions of a submitted claim) makes the regulation extremely costly and burdensome, and even impossible to administer. Another commenter also offered that it would make it nearly impossible to discuss health information over the phone, as the covered entity cannot verify that the person on the other end is in fact who he or she claims to be.

Response: We disagree. Covering oral communications is an important part of keeping individually identifiable health information private. If the final rule were not to cover oral communication, a conversation about a person's protected health information could be shared with anyone. Therefore, the same protections afforded to paper and electronically based information must apply to verbal communication as well. Moreover, the Congress explicitly included "oral" information in the statutory definition of health information.

Comment: A few commenters supported, without any change, the approach proposed in the NPRM to limit the scope of covered information to individually identifiable health information in any form once the information is transmitted or maintained electronically. These commenters asserted that our statutory authority limited us accordingly. Therefore, they believed we had proposed protections to the extent possible within the bounds of our statutory authority and could not expand the scope of such protections without new legislative authority.

Response: We disagree with these commenters regarding the limitations under our statutory authority. As explained above, we have the authority to extend the scope of the regulation as we have done in the final rule. We also note here that most of these commenters who supported the NPRM's proposed approach, voiced strong support for extending the scope of coverage to all individually identifiable health information in any form, but concluded that we had done what we could within the authority provided.

Comment: One commenter argued that the term "transaction" is generally understood to denote a business matter, and that the NPRM applied the term too broadly by including hospital directory information, communication with a patient's family, researchers' use of data and many other non-business activities.

Response: This comment reflects a misunderstanding of our use of the term "transaction." The uses and disclosures described in the comment are not "transactions" as defined in § 160.103. The authority to regulate the types of uses and disclosures described is provided under section 264 of Pub. L. 104-191. The conduct of the activities noted by the commenters are not related to the determination of whether a health care provider is a covered entity. We explain in the preamble that a health care provider is a covered entity if it transmits health information in electronic form in connection with transactions referred to in section 1173(a)(1) of the Act.

Comment: A few commenters asserted that the Secretary has no authority to regulate "use" of protected health information. They stated that although section 264(b) mentions that the Secretary should address "uses and disclosures," no other section of HIPAA employs the term "use."

Response: We disagree with these commenters. As they themselves note, the authority to regulate use is given in section 264(b) and is sufficient.

Comment: Some commenters requested clarification as to how certain types of health information, such as photographs, faxes, X-Rays, CT-scans, and others would be classified as protected or not under the rule.

Response: All types of individually identifiable health information in any form, including those described, when maintained or transmitted by a covered entity are covered in the final rule.

Comment: A few commenters requested clarification with regard to the differences between the definitions of individually identifiable health information and protected health information.

Response: In expanding the scope of covered information in the final rule, we have simplified the distinction between the two definitions. In the final rule, protected health information is the subset of individually identifiable health information that is maintained or transmitted by covered entity, and thereby protected by this rule. For additional discussion of protected health information and individually identifiable health information, see the descriptive summary of § 164.501.

Comment: A few commenters remarked that the federal government has no right to access or control any medical records and that HHS must get consent in order to store or use any individually identifiable health information.

Response: We understand the commenters' concern. It is not our intent, nor do we through this rule create any government right of access to medical records, except as needed to investigate possible violations of the rule. Some government programs, such as Medicare, are authorized under other law to gain access to certain beneficiary records for administrative purposes. However, these programs are covered by the rule and its privacy protections apply.

Comment: Some commenters asked us to clarify how schools would be treated by the rule. Some of these commenters worried that privacy would be compromised if schools were exempted from the provisions of the final rule. Other commenters thought that school medical records were included in the provisions of the NPRM.

Response: We agree with the request for clarification and provide guidance regarding the treatment of medical records in schools in the "Relationship to Other Federal Laws" preamble discussion of FERPA, which governs the privacy of education records.

Comment: One commenter was concerned that only some information from a medical chart would be included as covered information. The commenter was especially concerned that transcribed material might not be considered covered information.

Response: As stated above, all individually identifiable health information in any form, including transcribed or oral information, maintained or transmitted by a covered entity is covered under the provisions of the final rule.

Comment: In response to our solicitation of comments on the scope of the definition of protected health information, many commenters asked us to narrow the scope of the proposed definition to include only information in electronic form. Others asked us to include only information from the HIPAA standard transactions.

Response: For the reasons stated by the commenters who asked us to expand the proposed definition, we reject these comments. We reject these approaches for additional reasons, as well. Limiting the protections to electronic information would, in essence, protect information only as long as it remained in a computer or other electronic media; the protections in the rule could be avoided simply by printing out the information. This approach would thus result in the illusion, but not the reality, of privacy protections. Limiting protection to information in HIPAA transactions has many of the problems in the proposed approach: it would fail to protect significant amounts of health information, would force covered entities to figure out which information had and had not been in such a transaction, and could cause the administrative burdens the commenters feared would result from protecting some but not all information.

Comment: A few commenters asserted that the definition of protected health information should explicitly include "genetic" information. It was argued that improper disclosure and use of such information could have a profound impact on individuals and families.

Response: We agree that the definition of protected health information includes genetic information that otherwise meets the statutory definition. But we believe that singling out specific types of protected health information for special mention in the regulation text could wrongly imply that other types are not included.

Comment: One commenter recommended that the definition of protected health information be modified to clarify that an entity does not become a 'covered entity' by providing a device to an individual on which protected health information may be stored, provided that the company itself does not store the individual's health information."

Response: We agree with the commenter's analysis, but believe the definition is sufficiently clear without a specific amendment to this effect.

Comment: One commenter recommended that the definition be amended to explicitly exclude individually identifiable health information maintained, used, or disclosed pursuant to the Fair Credit Reporting Act, as amended, 15 U.S.C. 1681. It was stated that a disclosure of payment history to a consumer reporting agency by a covered entity should not be considered protected health information. Another commenter recommended that health information, billing information, and a consumer's credit history be exempted from the definition because this flow of information is regulated by both the Fair Credit Reporting Act (FCRA) and the Fair Debt Collection Practices Act (FDCPA).

Response: We disagree. To the extent that such information meets the definition of protected health information, it is covered by this rule. These statutes are designed to protect financial, not health, information. Further, these statutes primarily regulate entities that are not covered by this rule, minimizing the potential for overlap or conflict. The protections in this rule are more appropriate for protecting health information. However, we add provisions to the definition of payment which should address these concerns. See the definition of 'payment' in § 164.501.

Comment: An insurance company recommended that the rule require that medical records containing protected health information include a notation on a cover sheet on such records.

Response: Since we have expanded the scope of protected health information, there is no need for covered entities to distinguish among their records, and such a notation is not needed. This uniform coverage eliminates the mixed record problem and resultant potential for confusion.

Comment: A government agency requested clarification of the definition to address the status of information that flows through dictation services.

Response: A covered entity may disclose protected health information for transcription of dictation under the definition of health care operations, which allows disclosure for "general administrative" functions. We view transcription and clerical services generally as part of a covered entity's general administrative functions. An entity transcribing dictation on behalf of a covered entity meets this rule's definition of business associate and may receive protected health information under a business associate contract with the covered entity and subject to the other requirements of the rule.

Comment: A commenter recommended that information transmitted for employee drug testing be exempted from the definition.

Response: We disagree that is necessary to specifically exclude such information from the definition of protected health information. If a covered entity is involved, triggering this rule, the employer may obtain authorization from the individuals to be tested. Nothing in this rule prohibits an employer from requiring an employee to provide such an authorization as a condition of employment.

Comment: A few commenters addressed our proposal to exclude individually identifiable health information in education records covered by FERPA. Some expressed support for the exclusion. One commenter recommended adding another exclusion to the definition for the treatment records of students who attend institutions of post secondary education or who are 18 years old or older to avoid confusion with rules under FERPA. Another commenter suggested that the definition exclude health information of participants in "Job Corps programs" as it has for educational records and inmates of correctional facilities.

Response: We agree with the commenter on the potential for confusion regarding records of students who attend post-secondary schools or who are over 18, and therefore in the final rule we exclude records defined at 20 U.S.C. 1232g(a)(4)(B)(iv) from the definition of protected health information. For a detailed discussion of this change, refer to the "Relationship to Other Federal Laws" section of the preamble. We find no similar reason to exclude "Job Corps programs" from the requirements of this regulation.

Comment: Some commenters voiced support for the exclusion of the records of inmates from the definition of protected health information, maintaining that correctional agencies have a legitimate need to share some health information internally without authorization between health service units in various facilities and for purposes of custody and security. Other commenters suggested that the proposed exclusion be extended to individually identifiable health information: created by covered entities providing services to inmates or detainees under contract to such facilities; of "former" inmates; and of persons who are in the custody of law enforcement officials, such as the United States Marshals Service and local police agencies. They stated that corrections and detention facilities must be able to share information with law enforcement agencies such as the United States Marshals Service, the Immigration and Naturalization Services, county jails, and U.S. Probation Offices.

Another commenter said that there is a need to have access to records of individuals in community custody and explained that these individuals are still under the control of the state or local government and the need for immediate access to records for inspections and/or drug testing is necessary.

A number of commenters were opposed to the proposed exclusion to the definition of protected health information, arguing that the proposal was too sweeping. Commenters stated that while access without consent is acceptable for some purposes, it is not acceptable in all circumstances. Some of these commenters concurred with the sharing of health care information with other medical facilities when the inmate is transferred for treatment. These commenters recommended that we delete the exception for jails and prisons and substitute specific language about what information could be disclosed and the limited circumstances or purposes for which such disclosures could occur.

Others recommended omission of the proposed exclusion entirely, arguing that excluding this information from protection sends the message that, with respect to this population, abuses do not matter. Commenters argued that inmates and detainees have a right to privacy of medical records and that individually identifiable health information obtained in these settings can be misused, e.g., when communicated indiscriminately, health information can trigger assaults on individuals with stigmatized conditions by fellow inmates or detainees. It can also lead to the denial of privileges, or inappropriately influence the deliberations of bodies such as parole boards.

A number of commenters explicitly took issue with the exclusion relative to individuals, and in particular youths, with serious mental illness, seizure disorders, and emotional or substance abuse disorders. They argued that these individuals come in contact with criminal justice authorities as a result of behaviors stemming directly from their illness and assert that these provisions will cause serious problems. They argue that disclosing the fact that an individual was treated for mental illness while incarcerated could seriously impair the individual's reintegration into the community. Commenters stated that such disclosures could put the individual or family members at risk of discrimination by employers and in the community at large.

Some commenters asserted that the rule should be amended to prohibit jails and prisons from disclosing private medical information of individuals who have been discharged from these facilities. They argued that such disclosures may seriously impair individuals' rehabilitation into society and subject them to discrimination as they attempt to re-establish acceptance in the community.

Response: We find commenters' arguments against a blanket exemption from privacy protection for inmates persuasive. We agree health information in these settings may be misused, which consequently poses many risks to the inmate or detainee and in some cases, their families as described above by the commenters. Accordingly, we delete this exception from the definition of "protected health information" in the final rule. The final rule considers individually identifiable health information of individuals who are prisoners and detainees to be protected health information to the extent that it meets the definition and is maintained or transmitted by a covered entity.

At the same time, we agree with those commenters who explained that correctional facilities have legitimate needs for use and sharing of individually identifiable health information inmates without authorization. Therefore, we add a new provision (§ 164.512(k)(5)) that permits a covered entity to disclose protected health information about inmates without individual consent, authorization, or agreement to correctional institutions for specified health care and other custodial purposes. For example, covered entities are permitted to disclose for the purposes of providing health care to the individual who is the inmate, or for the health and safety of other inmates or officials and employees of the facility. In addition, a covered entity may disclose protected health information as necessary for the administration and maintenance of the safety, security, and good order of the institution. See the preamble discussion of the specific requirements at § 164.512(k)(5), as well as discussion of certain limitations on the rights of individuals who are inmates with regard to their protected health information at §§ 164.506, 164.520, 164.524, and 164.528.

We also provide the following clarifications. Covered entities that provide services to inmates under contract to correctional institutions must treat protected health information about inmates in accordance with this rule and are permitted to use and disclose such information to correctional institutions as allowed under § 164.512(k)(5).

As to former inmates, the final rule considers such persons who are released on parole, probation, supervised release, or are otherwise no longer in custody, to be individuals who are not inmates. Therefore, the permissible disclosure provision at § 164.512(k)(5) does not apply in such cases. Instead, a covered entity must apply privacy protections to the protected health information about former inmates in the same manner and to the same extent that it protects the protected health information of other individuals. In addition, individuals who are former inmates hold the same rights as all other individuals under the rule.

As to individuals in community custody, the final rule considers inmates to be those individuals who are incarcerated in or otherwise confined to a correctional institution. Thus, to the extent that community custody confines an individual to a particular facility, § 164.512(k)(5) is applicable.