Standards for Privacy of Individually Identifiable Health Information. Final Privacy Rule Preamble.. Statutory Background


Section 1178 of the Act establishes a "general rule" that state law provisions that are contrary to the provisions or requirements of part C of title XI or the standards or implementation specifications adopted or established thereunder are preempted by the federal requirements. The statute provides three exceptions to this general rule: (1) in section 1178(a)(2)(A)(i), for state laws that the Secretary determines are necessary to prevent fraud and abuse, ensure appropriate state regulation of insurance and health plans, for state reporting on health care delivery, and other purposes; (2) in section 1178(a)(2)(A)(ii), for state laws that address controlled substances; and (3) in section 1178(a)(2)(B), for state laws relating to the privacy of individually identifiable health information that as provided for by the related provision of section 264(c)(2) of HIPAA, are contrary to and more stringent than the federal requirements. Section 1178 also carves out, in sections 1178(b) and 1178(c), certain areas of state authority that are not limited or invalidated by the provisions of part C of title XI: these areas relate to public health and state regulation of health plans.

The NPRM proposed a new Subpart B of the proposed part 160. The new Subpart B, which would apply to all standards, implementation specifications, and requirements adopted under HIPAA, would consist of four sections. Proposed § 160.201 provided that the provisions of Subpart B applied to exception determinations and advisory opinions issued by the Secretary under section 1178. Proposed § 160.202 set out proposed definitions for four terms: (1) "contrary," (2) "more stringent," (3) "relates to the privacy of individually identifiable health information," and (4) "state law." The definition of "contrary" was drawn from case law concerning preemption. A seven-part set of specific criteria, drawn from fair information principles, was proposed for the definition of "more stringent." The definition of "relates to the privacy of individually identifiable health information" was also based on case law. The definition of "state law" was drawn from the statutory definition of this term elsewhere in HIPAA. We note that state action having the force and effect of law may include common law. We eliminate the term "decision" from the proposed rule because it is redundant.

Proposed § 160.203 proposed a general rule reflecting the statutory general rule and exceptions that generally mirrored the statutory language of the exceptions. The one substantive addition to the statutory exception language was with respect to the statutory exception, "for other purposes." The following language was added: "for other purposes related to improving the Medicare program, the Medicaid program, or the efficiency and effectiveness of the health care system."

Proposed § 160.204 proposed two processes, one for the making of exception determinations, relating to determinations under section 1178(a)(2)(A) of the Act, the other for the rendering of advisory opinions, with respect to section 1178(a)(2)(B) of the Act. The processes proposed were similar in the following respects: (1) only the state could request an exception determination or advisory opinion, as applicable; (2) both required the request to contain the same information, except that a request for an exception determination also had to set out the length of time the requested exception would be in effect, if less than three years; (3) both sets of requirements provided that requests had to be submitted to the Secretary as required by the Secretary, and until the Secretary's determination was made, the federal standard, requirement or implementation specification remained in effect; (4) both sets of requirements provided that the Secretary's decision would be effective intrastate only; (5) both sets of requirements provided that any change to either the federal or state basis for the Secretary's decision would require a new request, and the federal standard, implementation specification, or requirement would remain in effect until the Secretary acted favorably on the new request; (6) both sets of requirements provided that the Secretary could seek changes to the federal rules or urge states or other organizations to seek changes; and (7) both sets of requirements provided for annual publication of Secretarial decisions. In addition, the process for exception determinations provided for a maximum effective period of three years for such determinations.

The following changes have been made to Subpart B in the final rules. First, § 160.201 now expressly implements section 1178. Second, the definition of "more stringent" has been changed by eliminating the criterion relating to penalties and by framing the criterion under paragraph (1) more generally. Also, we have clarified that the term "individual" means the person who is the subject of the individually identifiable health information, since the term "individual" is defined this way only in Subpart E of Part 164, not in Part 160. Third, the definition of "state law" has been changed by substituting the words "statute, constitutional provision" for the word "law," the words "common law" for the word "decision," and adding the words "force and" before the word "effect" in the proposed definition. Fourth, in § 160.203, several criteria relating to the statutory grounds for exception determinations have been further spelled out: (1) the words " related to the provision of or payment for health care" have been added to the exception for fraud and abuse; (2) the words " to the extent expressly authorized by statute or regulation" have been added to the exception for state regulation of health plans; (3) the words "of serving a compelling need related to public health, safety, or welfare, and, where a standard, requirement, or implementation specification under part 164 of this subchapter is at issue, where the Secretary determines that the intrusion into privacy is warranted when balanced against the need to be served" have been added to the general exception "for other purposes"; and (4) the statutory provision regarding controlled substances has been elaborated on as follows: "Has as its principal purpose the regulation of the manufacture, registration, distribution, dispensing, or other control of any controlled substance, as defined at 21 U.S.C. 802, or which is deemed a controlled substance by state law."

The most extensive changes have been made to proposed § 160.204. The provision for advisory opinions has been eliminated. Section 160.204 now sets out only a process for requesting exception determinations. In most respects, this process is the same as proposed. However, the proposed restriction of the effect of exception determinations to wholly intrastate transactions has been eliminated. Section 160.204(a) has been modified to allow any person, not just a state, to submit a request for an exception determination, and clarifies that requests from states may be made by the state's chief elected official or his or her designee. Proposed § 160.204(a)(3) stated that if it is determined that the federal standard, requirement, or implementation specification in question meets the exception criteria as well as or better than the state law for which the exception is requested, the request will be denied; this language has been deleted. Thus, the criterion for granting or denying an exception request is whether the applicable exception criterion or criteria are met.

A new § 160.205 is also adopted, replacing part of what was proposed at proposed § 160.204. The new § 160.205 sets out the rules relating to the effectiveness of exception determinations. Exception determinations are effective until either the underlying federal or state laws change or the exception is revoked, by the Secretary, based on a determination that the grounds supporting the exception no longer exist. The proposed maximum of three years has been eliminated.