Correctional institution.
The proposed rule did not define the term correctional institution. The final rule defines correctional institution as any penal or correctional facility, jail, reformatory, detention center, work farm, halfway house, or residential community program center operated by, or under contract to, the United States, a state, a territory, a political subdivision of a state or territory, or an Indian tribe, for the confinement or rehabilitation of persons charged with or convicted of a criminal offense or other persons held in lawful custody. Other persons held in lawful custody includes juvenile offenders adjudicated delinquent, aliens detained awaiting deportation, persons committed to mental institutions through the criminal justice system, witnesses, or others awaiting charges or trial. This language was necessary to explain the privacy rights and protections of inmates in this regulation.
Designated record set.
In the proposed rule, we defined designated record set as "a group of records under the control of a covered entity from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual and which is used by the covered entity to make decisions about the individual." We defined a "record" as "any item, collection, or grouping of protected health information maintained, collected, used, or disseminated by a covered entity."
In the final rule, we modify the definition of designated record set to specify certain records maintained by or for a covered entity that are always part of a covered entity's designated record sets and to include other records that are used to make decisions about individuals. We do not use the means of retrieval of a record as a defining criterion.
For health plans, designated record sets include, at a minimum, the enrollment, payment, claims adjudication, and case or medical management record systems of the plan. For covered health care providers, designated record sets include, at a minimum, the medical record and billing record about individuals maintained by or for the provider. In addition to these records, designated record sets include any other group of records that are used, in whole or in part, by or for a covered entity to make decisions about individuals. We note that records that otherwise meet the definition of designated record set and which are held by a business associate of the covered entity are part of the covered entity's designated record sets. Although we do not specify particular types of records that are always included in the designated record sets of clearinghouses when they are not acting as business associates, this definition includes a group of records that such a clearinghouse uses, in whole or in part, to make decisions about individuals.
For the most part we retain, with slight modifications, the definition of "record," defining it as any item, collection, or grouping of information that includes protected health information and is maintained, collected, used, or disseminated.
Covered functions.
We add a new term, "covered functions," as a shorthand way of expressing and referring to the functions that the entities covered by section 1172(a) of the Act perform. Section 1171 defines the terms "health plan", "health care provider", and "health care clearinghouse" in functional terms. Thus, a "health plan" is an individual or group plan "that provides, or pays the cost of, medical care...", a "health care provider" "furnish[es] health care services or supplies," and a "health care clearinghouse" is an entity "that processes or facilitates the processing of ... data elements of health information...". Covered functions, therefore, are the activities that any such entity engages in that are directly related to operating as a health plan, health care provider, or health care clearinghouse; that is, they are the functions that make it a health plan, health care provider, or health care clearinghouse.
The term "covered functions" is not intended to include various support functions, such as computer support, payroll and other office support, and similar support functions, although we recognize that these support functions must occur in order for the entity to carry out its health care functions. Because such support functions are often also performed for parts of an organization that are not doing functions directly related to the health care functions and may involve access to and/or use of protected health information, the rules below describe requirements for ensuring that workforce members who perform these support functions do not impermissibly use or disclose protected health information. See § 164.504.
Data aggregation.
The NPRM did not include a definition of data aggregation. In the final rule, data aggregation is defined, with respect to protected health information received by a business associate in its capacity as the business associate of a covered entity, as the combining of such protected health information by the business associate with protected health information received by the business associate in its capacity as a business associate of another covered entity, to permit the creation of data for analyses that relate to the health care operations of the respective covered entities. The definition is included in the final rule to help describe how business associates can assist covered entities to perform health care operations that involve comparative analysis of protected health information from otherwise unaffiliated covered entities. Data aggregation is a service that gives rise to a business associate relationship if the performance of the service involves disclosure of protected health information by the covered entity to the business associate.
Direct treatment relationship.
This term was not included in the proposed rule. Direct treatment relationship means a relationship between a health care provider and an individual that is not an indirect treatment relationship (see definition of indirect treatment relationship, below). For example, outpatient pharmacists and Web-based providers generally have direct treatment relationships with patients. Outpatient pharmacists fill prescriptions written by other providers, but they furnish the prescription and advice about the prescription directly to the patient, not through another treating provider. Web-based providers generally deliver health care independently, without the orders of another provider.
A provider may have direct treatment relationships with some patients and indirect treatment relationships with others. In some provisions of the final rule, providers with indirect treatment relationships are excepted from requirements that apply to other providers. See § 164.506 regarding consent for uses and disclosures of protected health information for treatment, payment, and health care operations, and § 164.520 regarding notice of information practices. These exceptions apply only with respect to the individuals with whom the provider has an indirect treatment relationship.
Disclosure.
We proposed to define "disclosure" to mean the release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information. The final rule is unchanged. We note that the transfer of protected health information from a covered entity to a business associate is a disclosure for purposes of this regulation.
Health care operations.
The preamble to the proposed rule explained that in order for treatment and payment to occur, protected health information must be used within entities and shared with business partners. In the proposed rule we provided a definition for "health care operations" to clarify the activities we considered to be "compatible with and directly related to" treatment and payment and for which protected health information could be used or disclosed without individual authorization. These activities included conducting quality assessment and improvement activities, reviewing the competence or qualifications and accrediting/licensing of health care professionals and plans, evaluating health care professional and health plan performance, training future health care professionals, insurance activities relating to the renewal of a contract for insurance, conducting or arranging for medical review and auditing services, and compiling and analyzing information in anticipation of or for use in a civil or criminal legal proceeding. Recognizing the dynamic nature of the health care industry, we acknowledged that the specified categories may need to be modified as the industry evolves.
The preamble discussion of the proposed general rules listed certain activities that would not be considered health care operations because they were sufficiently unrelated to treatment and payment to warrant requiring an individual to authorize such use or disclosure. Those activities included: marketing of health and non-health items and services; disclosure of protected health information for sale, rent or barter; use of protected health information by a non-health related division of an entity; disclosure of protected health information for eligibility, enrollment, underwriting, or risk rating determinations prior to an individual's enrollment in a health plan; disclosure to an employer for employment determinations; and fundraising.
In the final rule, we do not change the general approach of defining health care operations: health care operations are the listed activities undertaken by the covered entity that maintains the protected health information (i.e., one covered entity may not disclose protected health information for the operations of a second covered entity); a covered entity may use any protected health information it maintains for its operations (e.g., a plan may use protected health information about former enrollees as well as current enrollees); we expand the proposed list to reflect many changes requested by commenters.
We modify the proposal that health care operations represent activities "in support of" treatment and payment functions. Instead, in the final rule, health care operations are the enumerated activities to the extent that the activities are related to the covered entity's functions as a health care provider, health plan or health care clearinghouse, i.e., the entity's "covered functions." We make this change to clarify that health care operations includes general administrative and business functions necessary for the covered entity to remain a viable business. While it is possible to draw a connection between all the enumerated activities and "treatment and payment," for some general business activities (e.g., audits for financial disclosure statements) that connection may be tenuous. The proposed concept also did not include the operations of those health care clearinghouses that may be covered by this rule outside their status as business associate to a covered entity. We expand the definition to include disclosures for the enumerated activities of organized health care arrangements in which the covered entity participates. See also the definition of organized health care arrangements, below.
In addition, we make the following changes and additions to the enumerated subparagraphs:
(1) We add language to clarify that the primary purpose of the studies encompassed by "quality assessment and improvement activities" must not be to obtain generalizable knowledge. A study with such a purpose would meet the rule's definition of research, and use or disclosure of protected health information would have to meet the requirements of §§ 164.508 or 164.512(i). Thus, studies may be conducted as a health care operation if development of generalizable knowledge is not the primary goal. However, if the study changes and the covered entity intends the results to be generalizable, the change should be documented by the covered entity as proof that, when initiated, the primary purpose was health care operations.
We add population-based activities related to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives, and related functions that do not entail direct patient care. Many commenters recommended adding the term "disease management" to health care operations. We were unable, however, to find a generally accepted definition of the term. Rather than rely on this label, we include many of the functions often included in discussions of disease management in this definition or in the definition of treatment. This topic is discussed further in the comment responses below.
(2) We have deleted "undergraduate and graduate" as a qualifier for "students," to make the term more general and inclusive. We add the term "practitioners." We expand the purposes encompassed to include situations in which health care providers are working to improve their skills. The rule also adds the training of non-health care professionals.
(3) The rule expands the range of insurance related activities to include those related to the creation, renewal or replacement of a contract for health insurance or health benefits, as well as ceding, securing, or placing a contract for reinsurance of risk relating to claims for health care (including stop-loss and excess of loss insurance). For these activities, we also eliminate the proposed requirement that these uses and disclosures apply only to protected health information about individuals already enrolled in a health plan. Under this provision, a group health plan that wants to replace its insurance carrier may disclose certain protected health information to insurance issuers in order to obtain bids on new coverage, and an insurance carrier interested in bidding on new business may use protected health information obtained from the potential new client to develop the product and pricing it will offer. For circumstances in which no new contract is issued, we add a provision in § 164.514(g) restricting the recipient health plan from using or disclosing protected health information obtained for this purpose, other than as required by law. Uses and disclosures in these cases come within the definition of "health care operations," provided that the requirements of § 164.514(g) are met, if applicable. See § 164.504(f) for requirements for such disclosures by group health plans, as well as specific restrictions on the information that may be disclosed to plan sponsors for such purposes. We note that a covered health care provider must obtain an authorization under § 164.508 in order to disclose protected health information about an individual for purposes of pre-enrollment underwriting; the underwriting is not an "operation" of the provider and that disclosure is not otherwise permitted by a provision of this rule.
(4) We delete reference to the "compiling and analyzing information in anticipation of or for use in a civil or criminal legal proceeding" and replace it with a broader reference to conducting or arranging for "legal services."
We add two new categories of activities:
(5) Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies.
(6) Business management activities and general administrative functions, such as management activities relating to implementation of and compliance with the requirements of this subchapter, fundraising for the benefit of the covered entity to the extent permitted without authorization under § 164.514(f), and marketing of certain services to individuals served by the covered entity, to the extent permitted without authorization under § 164.514(e) (see discussion in the preamble to that section, below). For example, under this category we permit uses or disclosures of protected health information to determine from whom an authorization should be obtained, for example to generate a mailing list of individuals who would receive an authorization request.
We add to the definition of health care operations disclosure of protected health information for due diligence to a covered entity that is a potential successor in interest. This provision includes disclosures pursuant to the sale of a covered entity's business as a going concern, mergers, acquisitions, consolidations, and other similar types of corporate restructuring between covered entities, including a division of a covered entity, and to an entity that is not a covered entity but will become a covered entity if the transfer or sale is completed. Other types of sales of assets, or disclosures to organizations that are not and would not become covered entities, are not included in the definition of health care operations and could only occur if the covered entity obtained valid authorization for such disclosure in accordance with § 164.508, or if the disclosure is otherwise permitted under this rule.
We also add to health care operations disclosure of protected health information for resolution of internal grievances. These uses and disclosures include disclosure to an employee and/or employee representative, for example when the employee needs protected health information to demonstrate that the employer's allegations of improper conduct are untrue. We note that such employees and employee representatives are not providing services to or for the covered entity, and, therefore, no business associate contract is required. Also included are resolution of disputes from patients or enrollees regarding the quality of care and similar matters.
We also add use for customer service, including the provision of data and statistical analyses for policyholders, plan sponsors, or other customers, as long as the protected health information is not disclosed to such persons. We recognize that part of the general management of a covered entity is customer service. We clarify that customer service may include the use of protected health information to provide data and statistical analyses. For example, a plan sponsor may want to understand why its costs are rising faster than average, or why utilization in one plant location is different than in another location. An association that sponsors an insurance plan for its members may want information on the relative costs of its plan in different areas. Some plan sponsors may want more detailed analyses that attempt to identify health problems in a work site. We note that when a plan sponsor has several different group health plans, or when such plans provide insurance or coverage through more than one health insurance issuer or HMO, the covered entities may jointly engage in this type of analysis as a health care operation of the organized health care arrangement.
This activity qualifies as a health care operation only if it does not result in the disclosure of protected health information to the customer. The results of the analyses must be presented in a way that does not disclose protected health information. A disclosure of protected health information to the customer as a health care operation under this provision violates this rule. This provision is not intended to permit covered entities to circumvent other provisions in this rule, including requirements relating to disclosures of protected health information to plan sponsors or the requirements relating to research. See § 164.504(f) and § 164.512(i).
We use the term customer to provide flexibility to covered entities. We do not intend the term to apply to persons with whom the covered entity has no other business; this provision is intended to permit covered entities to provide service to their existing customer base.
We note that this definition, either alone or in conjunction with the definition of "organized health care arrangement," allows an entity such as an integrated staff model HMO, whether it is legally integrated or is a group of associated entities that hold themselves out as an organized arrangement, to share protected health information under § 164.506. In these cases, the sharing of protected health information will be either for the operations of the disclosing entity or for the organized health care arrangement in which the entity is participating.
Whether a disclosure is allowable for health care operations under this provision is determined separately from whether a business associate contract is required. These provisions of the rule operate independently. Disclosures for health care operations may be made to an entity that is neither a covered entity nor a business associate of the covered entity. For example, a covered academic medical center may disclose certain protected health information to community health care providers who participate in one of its continuing medical education programs, whether or not such providers are covered health care providers under this rule. A provider attending a continuing education program is not thereby performing services for the covered entity sponsoring the program and, thus, is not a business associate for that purpose. Similarly, health plans may disclose for due diligence purposes to another entity that may or may not be a covered entity or a business associate.
Health oversight agency.
The proposed rule would have defined "health oversight agency" as "an agency, person, or entity, including the employees or agents thereof, (1) That is: (i) A public agency; or (ii) A person or entity acting under grant of authority from or contract with a public agency; and (2) Which performs or oversees the performance of any audit; investigation; inspection; licensure or discipline; civil, criminal, or administrative proceeding or action; or other activity necessary for appropriate oversight of the health care system, of government benefit programs for which health information is relevant to beneficiary eligibility, or of government regulatory programs for which health information is necessary for determining compliance with program standards." The proposed rule also described the functions of health oversight agencies in the proposed health oversight section (§ 164.510(c)) by repeating much of this definition.
In the final rule, we modify the definition of health oversight agency by eliminating from the definition the language in proposed § 164.510(c) (now § 164.512(d)). In addition, the final rule clarifies this definition by specifying that a "health oversight agency" is an agency or authority of the United States, a state, a territory, a political subdivision of a state or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or grantees, that is authorized by law to oversee the health care system or government programs in which health information is necessary to determine eligibility or compliance, or to enforce civil rights laws for which health information is relevant.
The preamble to the proposed rule listed the following as examples of health oversight agencies that conduct oversight activities relating to the health care system: state insurance commissions, state health professional licensure agencies, Offices of Inspectors General of federal agencies, the Department of Justice, state Medicaid fraud control units, Defense Criminal Investigative Services, the Pension and Welfare Benefit Administration, the HHS Office for Civil Rights, and the FDA. The proposed rule listed the Social Security Administration and the Department of Education as examples of health oversight agencies that conduct oversight of government benefit programs for which health information is relevant to beneficiary eligibility. The proposed rule listed the Occupational Health and Safety Administration and the Environmental Protection Agency as examples of oversight agencies that conduct oversight of government regulatory programs for which health information is necessary for determining compliance with program standards.
In the final rule, we include the following as additional examples of health oversight activities: (1) The U.S. Department of Justice's civil rights enforcement activities, and in particular, enforcement of the Civil Rights of Institutionalized Persons Act (42 U.S.C. 1997-1997j) and the Americans with Disabilities Act (42 U.S.C. 12101 et seq.), as well as the EEOC's civil rights enforcement activities under titles I and V of the ADA; (2) the FDA's oversight of food, drugs, biologics, devices, and other products pursuant to the Food, Drug, and Cosmetic Act (21 U.S.C. 301 et seq.) and the Public Health Service Act (42 U.S.C. 201 et seq.); and (3) data analysis - performed by a public agency or by a person or entity acting under grant of authority from or under contract with a public agency - to detect health care fraud.
"Overseeing the health care system," which is included in the definition of health oversight, encompasses activities such as: oversight of health care plans; oversight of health benefit plans; oversight of health care providers; oversight of health care and health care delivery; oversight activities that involve resolution of consumer complaints; oversight of pharmaceuticals, medical products and devices, and dietary supplements; and a health oversight agency's analysis of trends in health care costs, quality, health care delivery, access to care, and health insurance coverage for health oversight purposes.
We recognize that health oversight agencies, such as the U.S. Department of Labor's Pension and Welfare Benefits Administration, may perform more than one type of health oversight. For example, agencies may sometimes perform audits and investigations and at other times conduct general oversight of health benefit plans. Such entities are considered health oversight agencies under the rule for any and all of the health oversight functions that they perform.
The definition of health oversight agency does not include private organizations, such as private-sector accrediting groups. Accreditation organizations are performing health care operations functions on behalf of health plans and covered health care providers. Accordingly, in order to obtain protected health information without individuals' authorizations, accrediting groups must enter into business associate agreements with health plans and covered health care providers for these purposes. Similarly, private entities, such as coding committees, that help government agencies that are health plans make coding and payment decisions are performing health care payment functions on behalf of the government agencies and, therefore, must enter into business associate agreements in order to receive protected health information from the covered entity (absent individuals' authorization for such disclosure).
Indirect treatment relationship.
This term was not included in the proposed rule. An "indirect treatment relationship" is a relationship between a health care provider and an individual in which the provider delivers health care to the individual based on the orders of another health care provider and the health care services, products, diagnoses, or results are typically furnished to the patient through another provider, rather than directly. For example, radiologists and pathologists generally have indirect treatment relationships with patients because they deliver diagnostic services based on the orders of other providers and the results of those services are furnished to the patient through the direct treating provider. This definition is necessary to clarify the relationships between providers and individuals in the regulation. For example, see the consent discussion at § 164.506.
Individual.
We proposed to define "individual" to mean the person who is the subject of the protected health information. We proposed that the term include, with respect to the signing of authorizations and other rights (such as access, copying, and correction), the following types of legal representatives:
(1) With respect to adults and emancipated minors, legal representatives (such as court-appointed guardians or persons with a power of attorney), to the extent to which applicable law permits such legal representatives to exercise the person's rights in such contexts.
(2) With respect to unemancipated minors, a parent, guardian, or person acting in loco parentis, provided that when a minor lawfully obtains a health care service without the consent of or notification to a parent, guardian, or other person acting in loco parentis, the minor shall have the exclusive right to exercise the rights of an individual with respect to the protected health information relating to such care.
(3) With respect to deceased persons, an executor, administrator, or other person authorized under applicable law to act on behalf of the decedent's estate.
In addition, we proposed to exclude from the definition:
(1) Foreign military and diplomatic personnel and their dependents who receive health care provided by or paid for by the Department of Defense or other federal agency or by an entity acting on its behalf, pursuant to a country-to-country agreement or federal statute.
(2) Overseas foreign national beneficiaries of health care provided by the Department of Defense or other federal agency or by a non-governmental organization acting on its behalf.
In the final rule, we eliminate from the definition of "individual" the provisions designating a legal representative as the "individual" for purposes of exercising certain rights with regard to protected health information. Instead, we include in the final rule a separate standard for "personal representatives." A covered entity must treat a personal representative of an individual as the individual except under specified circumstances. See discussion in § 164.502(g) regarding personal representatives.
In addition, we eliminate from the definition of "individual" the above exclusions for foreign military and diplomatic personnel and overseas foreign national beneficiaries. We address the special circumstances for use and disclosure of protected health information about individuals who are foreign military personnel in § 164.512(k). We address overseas foreign national beneficiaries in § 164.500, "Applicability." The protected health information of individuals who are foreign diplomatic personnel and their dependents is not subject to special treatment under the final rule.
Individually identifiable health information about one individual may exist in the health records of another individual; health information about one individual may include health information about a second person. For example, a patient's medical record may contain information about the medical conditions of the patient's parents, children, and spouse, as well as their names and contact information. For the purpose of this rule, if information about a second person is included within the protected health information of an individual, the second person is not the person who is the subject of the protected health information. The second person is not the "individual" with regard to that protected health information, and under this rule thus does not have the individual's rights (e.g., access and amendment) with regard to that information.
Individually identifiable health information.
We proposed to define "individually identifiable health information" to mean information that is a subset of health information, including demographic information collected from an individual, and that:
(1) Is created by or received from a health care provider, health plan, employer, or health care clearinghouse; and
(2) Relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual, and
(i) Which identifies the individual, or
(ii) With respect to which there is a reasonable basis to believe that the information can be used to identify the individual.
In the final rule, we change "created by or received from a health care provider..." to "created or received by a health care provider... " in order to conform to the statute. We otherwise retain the definition of "individually identifiable health information" without change in the final rule.
-
-
Inmate.
-
The proposed rule did not define the term inmate. In the final rule, it is defined as a person incarcerated in or otherwise confined to a correctional institution. The addition of this definition is necessary to explain the privacy rights and protections of inmates in this regulation.
-
-
Law enforcement official.
-
The proposed rule would have defined a "law enforcement official" as "an official of an agency or authority of the United States, a state, a territory, a political subdivision of a state or territory, or an Indian tribe, who is empowered by law to conduct: (1) an investigation or official proceeding inquiring into a violation of, or failure to comply with, any law; or (2) a criminal, civil, or administrative proceeding arising from a violation of, or failure to comply with, any law."
The final rule modifies this definition slightly. The definition in the final rule recognizes that law enforcement officials are empowered to prosecute cases as well as to conduct investigations and civil, criminal, or administrative proceedings. In addition, the definition in the final rule reflects the fact that when investigations begin, often it is not clear that a law has been violated. Thus, the final rule describes law enforcement investigations and official proceedings as inquiring into a potential violation of law. In addition, it describes law enforcement-related civil, criminal, or administrative proceedings as arising from an alleged violation of law.
-
-
Marketing.
-
The proposed rule did not include a definition of "marketing." The proposed rule generally required that a covered entity would need an authorization from an individual to use or disclose protected health information for marketing.
In the final rule we define marketing as a communication about a product or service a purpose of which is to encourage recipients of the communication to purchase or use the product or service. The definition does not limit the type or means of communication that are considered marketing.
The definition of marketing contains three exceptions. If a covered entity receives direct or indirect remuneration from a third party for making a written communication otherwise described in an exception, then the communication is not excluded from the definition of marketing. The activities we except from the definition of marketing are encompassed by the definitions of treatment, payment, and health care operations. Covered entities may therefore use and disclose protected health information for these excepted activities without authorization under § 164.508 and pursuant to any applicable consent obtained under § 164.506.
The first exception applies to communications made by a covered entity for the purpose of describing the entities participating in a provider network or health plan network. It also applies to communications made by a covered entity for the purpose of describing if and the extent to which a product or service, or payment for a product or service, is provided by the covered entity or included in a benefit plan. This exception permits covered entities to use or disclose protected health information when discussing topics such as the benefits and services available under a health plan, the payment that may be made for a product or service, which providers offer a particular product or service, and whether a provider is part of a network or whether (and what amount of) payment will be provided with respect to the services of particular providers. This exception expresses our intent not to interfere with communications made to individuals about their health benefits.
The second exception applies to communications tailored to the circumstances of a particular individual, made by a health care provider to an individual as part of the treatment of the individual, and for the purpose of furthering the treatment of that individual. This exception leaves health care providers free to use or disclose protected health information as part of a discussion of its products and services, or the products and services of others, and to prescribe, recommend, or sell such products or services, as part of the treatment of an individual. This exception includes activities such as referrals, prescriptions, recommendations, and other communications that address how a product or service may relate to the individual's health. This exception expresses our intent not to interfere with communications made to individuals about their treatment.
The third exception applies to communications tailored to the circumstances of a particular individual and made by a health care provider or health plan to an individual in the course of managing the treatment of that individual or for the purpose of directing or recommending to that individual alternative treatments, therapies, providers, or settings of care. As with the previous exception, this exception permits covered entities to discuss freely their products and services and the products and services of third parties, in the course of managing an individual's care or providing or discussing treatment alternatives with an individual, even when such activities involve the use or disclosure of protected health information.
Section 164.514 contains provisions governing use or disclosure of protected health information in marketing communications, including a description of certain marketing communications that may use or include protected health information but that may be made by a covered entity without individual authorization. The definition of health care operations includes those marketing communications that may be made without an authorization pursuant to § 164.514. Covered entities may therefore use and disclose protected health information for these activities pursuant to any applicable consent obtained under § 164.506, or, if they are not required to obtain a consent under § 164.506, without one.
-
-
Organized Health Care Arrangement.
-
This term was not used in the proposed rule. We define the term in order to describe certain arrangements in which participants need to share protected health information about their patients to manage and benefit the common enterprise. To allow uses and disclosures of protected health information for these arrangements, we also add language to the definition of "health care operations." See discussion of that term above.
We include five arrangements within the definition of organized health care arrangement. The arrangements involve clinical or operational integration among legally separate covered entities in which it is often necessary to share protected health information for the joint management and operations of the arrangement. They may range in legal structure, but a key component of these arrangements is that individuals who obtain services from them have an expectation that these arrangements are integrated and that they jointly manage their operations. We include within the definition a clinically integrated care setting in which individuals typically receive health care from more than one health care provider. Perhaps the most common example of this type of organized health care arrangement is the hospital setting, where a hospital and a physician with staff privileges at the hospital together provide treatment to the individual. Participants in such clinically integrated settings need to be able to share health information freely not only for treatment purposes, but also to improve their joint operations. For example, any physician with staff privileges at a hospital must be able to participate in the hospital's morbidity and mortality reviews, even when the particular physician's patients are not being discussed. Nurses and other hospital personnel must also be able to participate. These activities benefit the common enterprise, even when the benefits to a particular participant are not evident. While protected health information may be freely shared among providers for treatment purposes under other provisions of this rule, some of these joint activities also support the health care operations of one or more participants in the joint arrangement. Thus, special rules are needed to ensure that this rule does not interfere with legitimate information sharing among the participants in these arrangements.
We also include within the definition an organized system of health care in which more than one covered entity participates, and in which the participating covered entities hold themselves out to the public as participating in a joint arrangement, and in which the joint activities of the participating covered entities include at least one of the following: utilization review, in which health care decisions by participating covered entities are reviewed by other participating covered entities or by a third party on their behalf; quality assessment and improvement activities, in which treatment provided by participating covered entities is assessed by other participating covered entities or by a third party on their behalf; or payment activities, if the financial risk for delivering health care is shared in whole or in part by participating covered entities through the joint arrangement and if protected health information created or received by a covered entity is reviewed by other participating covered entities or by a third party on their behalf for the purpose of administering the sharing of financial risk. A common example of this type of organized health care arrangement is an independent practice association formed by a large number of physicians. They may advertise themselves as a common enterprise (e.g., Acme IPA), whether or not they are under common ownership or control, whether or not they practice together in an integrated clinical setting, and whether or not they share financial risk.
If such a group engages jointly in one or more of the listed activities, the participating covered entities will need to share protected health information to undertake such activities and to improve their joint operations. In this example, the physician participants in the IPA may share financial risk through common withhold pools with health plans or similar arrangements. The IPA participants who manage the financial arrangements need protected health information about all the participants' patients in order to manage the arrangement. (The participants may also hire a third party to manage their financial arrangements.) If the participants in the IPA engage in joint quality assurance or utilization review activities, they will need to share protected health information about their patients much as participants in an integrated clinical setting would. Many joint activities that require the sharing of protected health information benefit the common enterprise, even when the benefits to a particular participant are not evident.
We include three relationships related to group health plans as organized health care arrangements. First, we include a group health plan and an issuer or HMO with respect to the group health plan within the definition, but only with respect to the protected health information of the issuer or HMO that relates to individuals who are or have been participants or beneficiaries in the group health plan. We recognize that many group health plans are funded partially or fully through insurance, and that in some cases the group health plan and issuer or HMO need to coordinate operations to properly serve the enrollees. Second, we include a group health plan and one or more other group health plans, each of which is maintained by the same plan sponsor. We recognize that in some instances plan sponsors provide health benefits through a combination of group health plans, and that they may need to coordinate the operations of such plans to better serve the participants and beneficiaries of the plans. Third, we include a combination of group health plans maintained by the same plan sponsor and the health insurance issuers and HMOs with respect to such plans, but again only with respect to the protected health information of such issuers and HMOs that relates to individuals who are or have been enrolled in such group health plans. We recognize that in some instances a plan sponsor may provide benefits through more than one group health plan, and that such plans may fund the benefits through one or more issuers or HMOs. Again, coordinating health care operations among these entities may be necessary to serve the participants and beneficiaries in the group health plans. We note that the necessary coordination may necessarily involve the business associates of the covered entities and may involve the participation of the plan sponsor to the extent that it is providing plan administration functions and subject to the limits in § 164.504.
-
-
Payment.
-
We proposed the term payment to mean:
(1) The activities undertaken by or on behalf of a covered entity that is:
(i) A health plan, or by a business partner on behalf of a health plan, to obtain premiums or to determine or fulfill its responsibility for coverage under the health plan and for provision of benefits under the health plan; or
(ii) A health care provider or health plan, or a business partner on behalf of such provider or plan, to obtain reimbursement for the provision of health care.
(2) Activities that constitute payment include:
(i) Determinations of coverage, adjudication or subrogation of health benefit claims;
(ii) Risk adjusting amounts due based on enrollee health status and demographic characteristics;
(iii) Billing, claims management, and medical data processing;
(iv) Review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care, or justification of charges; and
(v) Utilization review activities, including precertification and preauthorization of services.
In the final rule, we maintain the general approach to defining payment: payment activities are described generally in the first clause of the definition, and specific examples are given in the second clause. Payment activities relate to the covered entity that maintains the protected health information (i.e., one covered entity may not disclose protected health information for the payment activities of a second covered entity). A covered entity may use or disclose only the protected health information about the individual to whom care was rendered, for its payment activities (e.g., a provider may disclose protected health information only about the patient to whom care was rendered in order to obtain payment for that care, or only the protected health information about persons enrolled in the particular health plan that seeks to audit the provider's records). We expand the proposed list to reflect many changes requested by commenters.
We add eligibility determinations as an activity included in the definition of payment. We expand coverage determinations to include the coordination of benefits and the determination of a specific individual's cost sharing amounts. The rule deletes activities related to the improvement of methods of paying or coverage policies from this definition and instead includes them in the definition of health care operations. We add to the definition "collection activities." We replace "medical data processing" activities with health care data processing related to billing, claims management, and collection activities. We add activities for the purpose of obtaining payment under a contract for reinsurance (including stop-loss and excess of loss insurance). Utilization review activities now include concurrent and retrospective review of services.
In addition, we modify this definition to clarify that the activities described in section 1179 of the Act are included in the definition of "payment." We add new subclause (vi) allowing covered entities to disclose to consumer reporting agencies an individual's name, address, date of birth, social security number and payment history, account number, as well as the name and address of the individual's health care provider and/or health plan, as appropriate. Covered entities may make disclosure of this protected health information to consumer reporting agencies for purposes related to collection of premiums or reimbursement. This allows reporting not just of missed payments and overdue debt but also of subsequent positive payment experience (e.g., to expunge the debt). We consider such positive payment experience to be "related to" collection of premiums or reimbursement.
The remaining activities described in section 1179 are included in other language in this definition. For example, "authorizing, processing, clearing, settling, billing, transferring, reconciling or collecting, a payment for, or related to, health plan premiums or health care" are covered by paragraph (2)(iii) of the definition, which allows use and disclosure of protected health information for "billing, claims management, collection activities and related health care data processing." "Claims management" also includes auditing payments, investigating and resolving payment disputes and responding to customer inquiries regarding payments. Disclosure of protected health information for compliance with civil or criminal subpoenas, or with other applicable laws, is covered under § 164.512 of this regulation. (See discussion above regarding the interaction between 1179 and this regulation.)
We modify the proposed regulation text to clarify that payment includes activities undertaken to reimburse health care providers for treatment provided to individuals.
Covered entities may disclose protected health information for payment purposes to any other entity, regardless of whether it is a covered entity. For example, a health care provider may disclose protected health information to a financial institution in order to cash a check or to a health care clearinghouse to initiate electronic transactions. However, if a covered entity engages another entity, such as a billing service or a financial institution, to conduct payment activities on its behalf, the other entity may meet the definition of 'business associate' under this rule. For example, an entity is acting as a business associate when it is operating the accounts receivable system on behalf of a health care provider.
Similarly, payment includes disclosure of protected health information by a health care provider to an insurer that is not a 'health plan' as defined in this rule, to obtain payment. For example, protected health information may be disclosed to obtain reimbursement from a disability insurance carrier. We do not interpret the definition of "payment" to include activities that involve the disclosure of protected health information by a covered entity, including a covered health care provider, to a plan sponsor for the purpose of obtaining payment under a group health plan maintained by such plan sponsor, or for the purpose of obtaining payment from a health insurance issuer or HMO with respect to a group health plan maintained by such plan sponsor, unless the plan sponsor is performing plan administration pursuant to § 164.504(f).
The Transactions Rule adopts standards for electronic health care transactions, including two for processing payments. We adopted the ASC X12N 835 transaction standard for "Health Care Payment and Remittance Advice" transactions between health plans and health care providers, and the ASC X12N 820 standard for "Health Plan Premium Payments" transactions between entities that arrange for the provision of health care or provide health care coverage payments and health plans. Under these two transactions, information to effect funds transfer is transmitted in a part of the transaction separable from the part containing any individually identifiable health information.
We note that a covered entity may conduct the electronic funds transfer portion of the two payment standard transactions with a financial institution without restriction, because it contains no protected health information. The protected health information contained in the electronic remittance advice or the premium payment enrollee data portions of the transactions is not necessary either to conduct the funds transfer or to forward the transactions. Therefore, a covered entity may not disclose the protected health information to a financial institution for these purposes. A covered entity may transmit the portions of the transactions containing protected health information through a financial institution if the protected health information is encrypted so it can be read only by the intended recipient. In such cases no protected health information is disclosed and the financial institution is acting solely as a conduit for the individually identifiable data.
-
-
Plan sponsor.
-
In the final rule we add a definition of "plan sponsor." We define plan sponsor by referencing the definition of the term provided in (3)(16)(B) of the Employee Retirement Income Security Act (ERISA). The plan sponsor is the employer or employee organization, or both, that establishes and maintains an employee benefit plan. In the case of a plan established by two or more employers, it is the association, committee, joint board of trustees, or other similar group of representatives of the parties that establish and maintain the employee benefit plan. This term includes church health plans and government health plans. Group health plans may disclose protected health information to plan sponsors who conduct payment and health care operations activities on behalf of the group health plan if the requirements for group health plans in § 164.504 are met.
The preamble to the Transactions Rule noted that plan sponsors of group health plans are not covered entities and, therefore, are not required to use the standards established in that regulation to perform electronic transactions, including enrollment and disenrollment transactions. We do not change that policy through this rule. Plan sponsors that perform enrollment functions are doing so on behalf of the participants and beneficiaries of the group health plan and not on behalf of the group health plan itself. For purposes of this rule, plan sponsors are not subject to the requirements of § 164.504 regarding group health plans when conducting enrollment activities.
-
-
Protected health information.
-
We proposed to define "protected health information" to mean individually identifiable health information that is or has been electronically maintained or electronically transmitted by a covered entity, as well as such information when it takes any other form. For purposes of this definition, we proposed to define "electronically transmitted" as including information exchanged with a computer using electronic media, such as the movement of information from one location to another by magnetic or optical media, transmissions over the Internet, Extranet, leased lines, dial-up lines, private networks, telephone voice response, and "faxback" systems. We proposed that this definition not include "paper-to-paper" faxes, or person-to-person telephone calls, video teleconferencing, or messages left on voice-mail.
Further, "electronically maintained" was proposed to mean information stored by a computer or on any electronic medium from which the information may be retrieved by a computer, such as electronic memory chips, magnetic tape, magnetic disk, or compact disc optical media.
The proposal's definition explicitly excluded:
(1) individually identifiable health information that is part of an "education record" governed by the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. 1232g.
(2) individually identifiable health information of inmates of correctional facilities and detainees in detention facilities.
In this final rule we expand the definition of protected health information to encompass all individually identifiable health information transmitted or maintained by a covered entity, regardless of form. Specifically, we delete the conditions for individually identifiable health information to be "electronically maintained" or "electronically transmitted" and the corresponding definitions of those terms. Instead, the final rule defines protected health information to be individually identifiable health information that is:
(1) transmitted by electronic media;
(2) maintained in any medium described in the definition of electronic media at § 162.103 of this subchapter; or
(3) transmitted or maintained in any other form or medium.
We refer to electronic media, as defined in § 162.103, which means the mode of electronic transmission. It includes the Internet (wide-open), Extranet (using Internet technology to link a business with information only accessible to collaborating parties), leased lines, dial-up lines, private networks, and those transmissions that are physically moved from one location to another using magnetic tape, disk, or compact disk media.
The definition of protected health information is set out in this form to emphasize the severability of this provision. As discussed below, we believe we have ample legal authority to cover all individually identifiable health information transmitted or maintained by covered entities. We have structured the definition this way so that, if a court were to disagree with our view of our authority in this area, the rule would still be operational, albeit with respect to a more limited universe of information.
Other provisions of the rules below may also be severable, depending on their scope and operation. For example, if the rule itself provides a fallback, as it does with respect to the various discretionary uses and disclosures permitted under § 164.512, the provisions would be severable under case law.
The definition in the final rule retains the exception relating to individually identifiable health information in "education records" governed by FERPA. We also exclude the records described in 20 U.S.C. 1232g(a)(4)(B)(iv). These are records of students held by post-secondary educational institutions or of students 18 years of age or older, used exclusively for health care treatment and which have not been disclosed to anyone other than a health care provider at the student's request. (See discussion of FERPA above.)
We have removed the exception for individually identifiable health information of inmates of correctional facilities and detainees in detention facilities. Individually identifiable health information about inmates is protected health information under the final rule, and special rules for use and disclosure of the protected health information about inmates and their ability to exercise the rights granted in this rule are described below.
-
-
Psychotherapy notes.
-
Section 164.508(a)(3)(iv)(A) of the proposed rule defined psychotherapy notes as notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session. The proposed definition excluded medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis and progress. Furthermore, we stated in the preamble of the proposed rule that psychotherapy notes would have to be maintained separately from the medical record.
In this final rule, we retain the definition of psychotherapy notes that we had proposed, but add to the regulation text the requirement that, to meet the definition of psychotherapy notes, the information must be separated from the rest of the individual's medical record.
-
-
Public health authority.
-
The proposed rule would have defined "public health authority" as "an agency or authority of the United States, a state, a territory, or an Indian tribe that is responsible for public health matters as part of its official mandate."
The final rule changes this definition slightly to clarify that a "public health authority" also includes a person or entity acting under a grant of authority from or contract with a public health agency. Therefore, the final rule defines this term as an agency or authority of the United States, a state, a territory, a political subdivision of a state or territory, or an Indian tribe, or a person or entity acting under a grant of authority from or contract with such public agency, including the employees or agents of such public agency or its contractors or persons or entities to whom it has granted authority, that is responsible for public health matters as part of its official mandate.
-
-
Required by law.
-
In the preamble to the NPRM, we did not include a definition of "required by law." We discussed what it meant for an action to be considered to be "required" or "mandated" by law and included several examples of activities that would be considered as required by law for the purposes of the proposed rule; for example, a valid Inspector General subpoena, grand jury subpoena, civil investigative demand, or a statute or regulation requiring production of information justifying a claim would constitute a disclosure required by law.
In the final rule we include a new definition, move the preamble clarifications to the regulatory text and add several items to the illustrative list. For purposes of this regulation, "required by law" means a mandate contained in law that compels a covered entity to make a use or disclosure of protected health information and that is enforceable in a court of law. Among the examples listed in the definition are Medicare conditions of participation with respect to health care providers participating in that program, court-ordered warrants, and subpoenas issued by a court. We note that disclosures "required by law" include disclosures of protected health information required by this regulation in § 164.502(a)(2). It does not include contracts between private parties or similar voluntary arrangements. This list is illustrative only and is not intended in any way to limit the scope of this paragraph or other paragraphs in § 164.512 that permit uses or disclosures to the extent required by other laws. We note that nothing in this rule compels a covered entity to make a use or disclosure required by the legal demands or prescriptions listed in this clarification or by any other law or legal process, and a covered entity remains free to challenge the validity of such laws and processes.
-
-
Research.
-
We proposed to define "research" as it is defined in the Federal Policy for the Protection of Human Subjects, at 45 CFR 46, Subpart A (referred to elsewhere in this rule as "Common Rule"), and in addition, elaborated on the meaning of the term "generalizable knowledge." In § 164.504 of the proposed rule we defined research as "... a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge. 'Generalizable knowledge' is knowledge related to health that can be applied to populations outside of the population served by the covered entity."
The final rule eliminates the further elaboration of "generalizable knowledge." Therefore, the rule defines "research" as the term is defined in the Common Rule: a systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge.
-
-
Research information unrelated to treatment.
-
We delete this definition and the associated requirements from the final rule. Refer to § 164.508(f) for new requirements regarding authorizations for research that includes treatment of the individual.
-
-
Treatment.
-
The proposed rule defined "treatment" as the provision of health care by, or the coordination of health care (including health care management of the individual through risk assessment, case management, and disease management) among, health care providers; the referral of a patient from one provider to another; or the coordination of health care or other services among health care providers and third parties authorized by the health plan or the individual. The preamble noted that the definition was intended to relate only to services provided to an individual and not to an entire enrolled population.
In the final rule, we do not change the general approach to defining treatment: treatment means the listed activities undertaken by any health care provider, not just a covered health care provider. A plan can disclose protected health information to any health care provider to assist the provider's treatment activities; and a health care provider may use protected health information about an individual to treat another individual. A health care provider may use any protected health information it maintains for treatment purposes (e.g., a provider may use protected health information about former patients as well as current patients). We modify the proposed list of treatment activities to reflect changes requested by commenters.
Specifically, we modify the proposed definition of "treatment" to include the management of health care and related services. Under the definition, the provision, coordination, or management of health care or related services may be undertaken by one or more health care providers. "Treatment" includes coordination or management by a health care provider with a third party and consultation between health care providers. The term also includes referral by a health care provider of a patient to another health care provider.
Treatment refers to activities undertaken on behalf of a single patient, not a population. Activities are considered treatment only if delivered by a health care provider or a health care provider working with another party. Activities of health plans are not considered to be treatment. Many services, such as a refill reminder communication or nursing assistance provided through a telephone service, are considered treatment activities if performed by or on behalf of a health care provider, such as a pharmacist, but are regarded as health care operations if done on behalf of a different type of entity, such as a health plan.
We delete specific reference to risk assessment, case management, and disease management. Activities often referred to as risk assessment, disease management, and case management are treatment activities only to the extent that they are services provided to a particular patient by a health care provider; population-based analyses or records review for the purposes of treatment protocol development or modification are health care operations, not treatment activities. If a covered entity is licensed as both a health plan and a health care provider, a single activity could be considered to be both treatment and health care operations; for compliance purposes we would consider the purpose of the activity. Given the integration of the health care system, we believe that further classification of activities into either treatment or health care operations would not be helpful. See the definition of health care operations for additional discussion.
-
-
Use.
-
We proposed to define "use" to mean the employment, application, utilization, examination, or analysis of information within an entity that holds the information. In the final rule, we clarify that use refers to the use of individually identifiable health information. We replace the term "holds" with the term "maintains." These changes are for clarity only, and are not intended to effect any substantive change.
-