Comment: One comment noted that federal agencies must provide information to certain entities pursuant to various federal statutes. For example, federal agencies must not withhold information from a Congressional oversight committee or the General Accounting Office. Similarly, some federal agencies must provide the Bureau of the Census and the National Archives and Records Administration with certain information. This comment expressed concern that the privacy regulation would conflict with these requirements. Additionally, the commenter asked whether the privacy notice would need to contain these uses and disclosures and recommended that a general statement that these federal agencies would disclose protected health information when required by law be considered sufficient to meet the privacy notice requirements.
Response: To the extent a federal agency acting as a covered entity is required by federal statute to disclose protected health information, the regulation permits the disclosure as required by law under § 164.512(a). The notice provisions at § 164.520(b)(1)(ii)(B) require covered entities to provide a brief description of the purposes for which the covered entity is permitted or required by the rules to use or disclose protected health information without an individual's written authorization. If these statutes require the disclosures, covered entities subject to the requirement may make the disclosure pursuant to § 164.512(a). Thus, their notice must include a description of the category of these disclosures. For example, a general statement such as the covered entity "will disclose your protected health information to comply with legal requirements" should suffice.
Comment: One comment stressed that the final rule should not inadvertently preempt mandatory reporting laws duly enacted by federal, state, or local legislative bodies. This commenter also suggested that the final rule not prevent the reporting of violations to law enforcement agencies.
Response: We agree. Like the proposed rule, the final rule permits covered entities to disclose protected health information when required by law under § 164.512(a). To the extent a covered entity is required by law to make a report to law enforcement agencies or is otherwise permitted to make a disclosure to a law enforcement agency as described in § 164.512(f), it may do so without an authorization. Alternatively, a covered entity may always request that individuals authorize these disclosures.