Standards for Privacy of Individually Identifiable Health Information. Final Privacy Rule Preamble.. Section 164.530(g) - Refraining from Intimidating or Retaliatory Acts


Comment: Several commenters stated that the regulation should prohibit covered entities from engaging in intimidating or retaliatory acts against any person, not just against the "individual," as proposed. They suggested adding "or other person or entity" after "any individual."

Response: We agree, and allow any person to file a compliant with the Secretary. "Person" is not limited to natural persons, but includes any type of organization, association or group such as other covered entities, health oversight agencies and advocacy groups.

Comment: A few commenters suggested deleting this provision in its entirety. One commenter indicated that the whistleblower and retaliation provisions could be inappropriately used against a hospital and that the whistleblower's ability to report numerous violations will result in a dangerous expansion of liability. Another commenter stated that covered entities could not take action against an employee who had violated the employer's privacy provisions if this employee files a complaint with the Secretary.

Several commenters suggested deleting "in any manner" and "or opposing any act or practice made unlawful by this subpart" in § 164.522(d)(4). The commenters indicated that, as proposed, the rule would make it difficult to enforce compliance within the workforce. One commenter stated that the proposed 164.522(d)(4) "is extremely broad and may allow an employee to reveal protected health information to fellow employees, the media and others (e.g., an employee may show a medical record to a friend or relative before filing a complaint with the Department). This commenter further stated that covered entities will "absolutely be prevented from prohibiting such conduct." One commenter suggested adding that a covered entity may take disciplinary action against any member of its work force or any business partner who uses or discloses individually identifiable health information in violation of this subpart in any manner other than through the processes set forth in the regulation.

Response: To respond to these comments, we make several changes to the proposed provision.

First, where the activity does not involve the filing of a complaint under § 160.306 of this part or participation in an investigation or proceeding initiated by the government under the rule, we delete the phrase "in any manner" and add a requirement that the individual's opposition to "any act or practice" made unlawful by this subpart be in good faith, and that the expression of that opposition must be reasonable. Second, we add a requirement that the individual's opposition to "any act or practice" made unlawful by this subpart must not involve a disclosure of protected health information that is in violation of this subpart. Thus, the employee who discloses protected health information to the media or friends is not protected. In providing interpretations of the retaliation provision, we will consider existing interpretations of similar provisions such as the guidance issued by EEOC in this regard.