Application to Military Services
In the NPRM we would have permitted a covered entity providing health care to Armed Forces personnel to use and disclose protected health information for activities deemed necessary by appropriate military command authorities to assure the proper execution of the military mission, where the appropriate military authority had published by notice in the Federal Register (In the NPRM, we proposed that the Department of Defense would publish this Federal Register notice in the future.) The final rule takes a similar approach while making some modifications to the NPRM. One modification concerns the information that will be required in the Federal Register notice. The NPRM would have required a listing of (i) appropriate military command authorities; (ii) the circumstances for which use or disclosure without individual authorization would be required; and (iii) activities for which such use or disclosure would occur in order to assure proper execution of the military mission. In the final rule, we eliminate the third category and also slightly modify language in the second category to read: "the purposes for which the protected health information may be used or disclosed."
An additional modification concerns the rule's application to foreign military and diplomatic personnel. The NPRM would have excluded foreign diplomatic and military personnel, as well as their dependents, from the proposed definition of "individual," thereby excluding any protected health information created about these personnel from the NPRM's privacy protections. Foreign military and diplomatic personnel affected by this provision include, for example, allied military personnel who are in the United States for training. The final rule applies a more limited exemption to foreign military personnel only (Foreign diplomatic personnel will have the same protections granted to all other individuals under the rule). Under the final rule, foreign military personnel are not excluded from the definition of "individual." Covered entities will be able to use and disclose protected health information of foreign military personnel to their appropriate foreign military authority for the same purposes for which uses and disclosures are permitted for U.S. Armed Forces personnel under the notice to be published in the Federal Register. Foreign military personnel do have the same rights of access, notice, right to request privacy protection, copying, amendment, and accounting as do other individuals pursuant to §§ 164.520-164.526 (sections on access, notice, right to request privacy protection for protected health information, amendment, inspection, copying) of the rule.
The NPRM likewise would have exempted overseas foreign national beneficiaries from the proposed rule's requirements by excluding them from the definition of "individual." Under the final rule, these beneficiaries no longer are exempt from the definition of "individual." However, the rule's provisions do not apply to the individually identifiable health information of overseas foreign nationals who receive care provided by the Department of Defense, other federal agencies, or by non-governmental organizations incident to U.S. sponsored missions or operations.
The final rule includes a new provision to address separation or discharge from military service. The preamble to the NPRM noted that upon completion of individuals' military service, DOD and the Department of Transportation routinely transfer entire military service records, including protected health information to the Department of Veterans Affairs so that the file can be retrieved quickly if the individuals or their dependents apply for veterans benefits. The NPRM would have required consent for such transfers. The final rule no longer requires consent in such situations. Thus, under the final rule, a covered entity that is a component of DOD or the Department of Transportation may disclose to DVA the protected health information of an Armed Forces member upon separation or discharge from military service for the purpose of a determination by DVA of the individual's eligibility for or entitlement to benefits under laws administered by the Secretary of Veterans Affairs.
Department of Veterans Affairs
Under the NPRM, a covered entity that is a component of the Department of Veterans Affairs could have used and disclosed protected health information to other components of the Department that determine eligibility for, or entitlement to, or that provide benefits under the laws administered by the Secretary of Veterans Affairs. In the final rule, we retain this approach.
Application to Intelligence Community
The NPRM would have provided an exemption from its proposed requirements to the intelligence community. As defined in section 4 of the National Security Act, 50 U.S.C. 401a, the intelligence community includes: the Office of the Director of Central Intelligence Agency; the Office of the Deputy Director of Central Intelligence; the National Intelligence Council and other such offices as the Director may designate; the Central Intelligence Agency; the National Security Agency; the Defense Intelligence Agency; the National Imagery and Mapping Agency ; the National Reconnaissance Office; other offices within the DOD for the collection of specialized national intelligence through reconnaissance programs; the intelligence elements of the Army, the Navy, the Air Force, the Marine Corps, the Federal Bureau of Investigation, the Department of the Treasury, and the Department of Energy; the Bureau of Intelligence and Research of the Department of State; and such other elements of any other department or agency as may be designated by the President, or designated jointly by the Director of Central Intelligence and the head of the department or agency concerned, as an element of the intelligence community. It would have allowed a covered entity to use without individual authorization protected health information of employees of the intelligence community, and of their dependents, if such dependents were being considered for posting abroad. The final rule does not include such an exemption. Rather, the final rule does not except intelligence community employees and their dependents from the general rule requiring an authorization in order for protected health information to be used and disclosed.
National Security and Intelligence Activities
The NPRM included a provision, in § 164.510(f) - Disclosure for Law Enforcement Purposes - that would allow covered entities to disclose protected health information without consent for the conduct of lawful intelligence activities under the National Security Act, and in connection with providing protective services to the President or to foreign heads of state pursuant to 18 U.S.C. 3056 and 22 U.S.C. 2709(a)(3) respectively. The final rule preserves these exemptions, with slight modifications, but moves them from proposed § 164.510(f) to § 164.512(k). It also divides this area into two paragraphs - one called "National Security and Intelligence Activities" and the second called "Protective services for the President and Others."
The final rule, with modifications, allows a covered entity to disclose protected health information to an authorized federal official for the conduct of lawful intelligence, counter-intelligence, and other national security activities authorized by the National Security Act and implementing authority (e.g., Executive Order 1233). The references to "counter-intelligence and other national security activities" are new to the final rule. The reference to "implementing authority (e.g. Executive Order 12333)" is also new. The final rule also adds specificity to the provision on protective services. It states that a covered entity may disclose protected health information to authorized federal officials for the provision of protective services to the President or other persons as authorized by 18 U.S.C. 3056, or to foreign heads of state or other persons as authorized by 22 U.S.C. 2709(a)(3), or for the conduct of investigations authorized by 18 U.S.C. 871 and 879.
Application to the State Department
The final rule creates a narrower exemption for Department of State for uses and disclosures of protected health information (1) for purposes of a required security clearance conducted pursuant to Executive Orders 10450 and 12698; (2) as necessary to meet the requirements of determining worldwide availability or availability for mandatory service abroad under Sections 101(a)(4) and 504 of the Foreign Service Act; and (3) for a family member to accompany a Foreign Service Officer abroad, consistent with Section 101(b)(5) and 904 of the Foreign Service Act.
Regarding security clearances, nothing prevents any employer from requiring that individuals provide authorization for the purpose of obtaining a security clearance. For the Department of the State, however, the final rule provides a limited exemption that allows a component of the Department of State without an authorization to (1) use protected health information to make medical suitability determinations and (2) to disclose whether or not the individual was determined to be medically suitable to authorized officials in the Department of State for the purpose of a security clearance investigation conducted pursuant to Executive Order 10450 and 12698.
Sections 101(a)(4) and 504 of the Foreign Service Act require that Foreign Service members be available to serve in assignments throughout the world. The final rule permits disclosures to officials who need protected health information to determine availability for duty worldwide.
Section 101(b)(5) of the Foreign Service Act requires the Department of State to mitigate the impact of hardships, disruptions, and other unusual conditions on families of Foreign Service Officers. Section 904 requires the Department to establish a health care program to promote and maintain the physical and mental health of Foreign Service member family members. The final rule permits disclosure of protected health information to officials who need protected health information for a family member to accompany a Foreign Service member abroad.
This exemption does not permit the disclosure of specific medical conditions, diagnoses, or other specific medical information. It permits only the disclosure of the limited information needed to determine whether the individual should be granted a security clearance or whether the Foreign Service member of his or her family members should be posted to a certain overseas assignment.
Application to Correctional Facilities
The NPRM would have excluded the individually identifiable health information of correctional facility inmates and detention facility detainees from the definition of protected health information. Thus, none of the NPRM's proposed privacy protections would have applied to correctional facility inmates or to detention facility detainees while they were in these facilities or after they had been released.
The final rule takes a different approach. First, to clarify that we are referring to individuals who are incarcerated in correctional facilities that are part of the criminal justice system or in the lawful custody of a law enforcement official - and not to individuals who are "detained" for non-criminal reasons, for example, in psychiatric institutions - § 164.512(k) covers disclosure of protected health information to correctional institutions or law enforcement officials having such lawful custody. In addition, where a covered health care provider is also a health care component of a correctional institution, the final rule permits the covered entity to use protected health information in all cases in which it is permitted to disclose such information.
We define correctional institution as defined pursuant to 42 U.S.C. 13725(b)(1), as a "prison, jail, reformatory, work farm, detention center, or halfway house, or any other similar institution designed for the confinement or rehabilitation of criminal offenders." The rules regarding disclosure and use of protected health information specified in § 164.512(k) cover individuals who are in transitional homes, and other facilities in which they are required by law to remain for correctional reasons and from which they are not allowed to leave. This section also covers individuals who are confined to psychiatric institutions for correctional reasons and who are not allowed to leave; however, it does not apply to disclosure of information about individuals in psychiatric institutions for treatment purposes only, who are not there due to a crime or under a mandate from the criminal justice system. The disclosure rules described in this section do not cover release of protected health information about individuals in pretrial release, probation, or on parole, such persons are not considered to be incarcerated in a correctional facility.
As described in § 164.512(k), correctional facility inmates' individually identifiable health information is not excluded from the definition of protected health information. When individuals are released from correctional facilities, they will have the same privacy rights that apply to all other individuals under this rule.
Section 164.512(k) of the final rule states that while individuals are in a correctional facility or in the lawful custody of a law enforcement official, covered entities (for example, the prison's clinic) can use or disclose protected health information about these individuals without authorization to the correctional facility or the law enforcement official having custody as necessary for: (1) the provision of health care to such individuals; (2) the health and safety of such individual or other inmates; (3) the health and safety of the officers of employees of or others at the correctional institution; and (4) the health and safety of such individuals and officers or other persons responsible for the transporting of inmates or their transfer from one institution or facility to another; (5) law enforcement on the premises of the correctional institution; and (6) the administration and maintenance of the safety, security, and good order of the correctional institution. This section is intended to allow, for example, a prison's doctor to disclose to a van driver transporting a criminal that the individual is a diabetic and frequently has seizures, as well as information about the appropriate action to take if the individual has a seizure while he or she is being transported.
We permit covered entities to disclose protected health information about these individuals if the correctional institution or law enforcement official represents that the protected health information is necessary for these purposes. Under 164.514(h), a covered entity may reasonably rely on the representation of such public officials.
Application to Public Benefits Programs Required to Share Eligibility Information
We create a new provision for covered entities that are a government program providing public benefits. This provision allows the following disclosures of protected health information.
First, where other law requires or expressly authorizes information relating to the eligibility for, or enrollment in more than one public program to be shared among such public programs and/or maintained in a single or combined data system, a public agency that is administering a health plan may maintain such a data base and may disclose information relating to such eligibility or enrollment in the health plan to the extent authorized by such other law.
Where another public entity has determined that the appropriate balance between the need for efficient administration of public programs and public funds and individuals' privacy interests is to allow information sharing for these limited purposes, we do not upset that determination. For example, section 1137 of the Social Security Act requires a variety of public programs, including the Social Security program, state medicaid programs, the food stamp program, certain unemployment compensation programs, and others, to participate in a joint income and eligibility verification system. Similarly, section 222 of the Social Security Act requires the Social Security Administration to provide information to certain state vocational rehabilitation programs for eligibility purposes. In some instances, it is a covered entity that first collects or creates the information that is then disclosed for these systems. We do not prohibit those disclosures.
This does not authorize these entities to share information for claims determinations or ongoing administration of these public programs. This provision is limited to the agencies and activities described above.
Second, § 164.512(k)(6) permits a covered entity that is a government agency administering a government program providing public benefits to disclose protected health information relating to the program to another covered entity that is a government agency administering a government program providing public benefits if the programs serve the same or similar populations and the disclosure of protected health information is necessary to coordinate the covered functions of such programs.
The second provision permits covered entities that are government program providing public benefits that serve the same or similar populations to share protected health information for the purposes of coordinating covered functions of the programs and for general management and administration relating to the covered functions of the programs. Often, similar government health programs are administered by different government agencies. For example, in some states, the Medicaid program and the State Children's Health Insurance Program are administered by different agencies, although they serve similar populations. Many states coordinate eligibility for these two programs, and sometimes offer services through the same delivery systems and contracts. This provision would permit the covered entities administering these programs to share protected health information of program participants to coordinate enrollment and services and to generally improve the health care operations of the programs. We note that this provision does not authorize the agencies to use or disclose the protected health information that is shared for purposes other than as provided for in this paragraph.