Comment: One commenter asserted that the scope of the proposal had gone beyond the intent of Congress in addressing uses of information within the covered entity, as opposed to transactions and disclosures outside the covered entity. This commenter argued that, although HIPAA mentions use, it is unclear that the word "use" in the proposed rule is what Congress intended. The commenter pointed to the legislative history to argue that "use" is related to an information exchange outside of the entity.
Response: We disagree with the commenter regarding the Congress' intent. Section 264 of HIPAA requires that the Secretary develop and send to Congress recommendations on standards with respect to the privacy of individually identifiable health information (which she did on September 11, 1997) and prescribes that the recommendations address among other items "the uses and disclosures of such information that should be authorized or required." Section 264 explicitly requires the Secretary to promulgate standards that address at least the subjects described in these recommendations. It is therefore our interpretation that Congress intended to cover "uses" as well as disclosures of individually identifiable health information. We find nothing in the legislative history to indicate that Congress intended to deviate from the common meaning of the term "use."
Comment: One commenter observed that the definition could encompass the processing of data by computers to execute queries. It was argued that this would be highly problematic because computers are routinely used to identify subsets of data sets. It was explained that in performing this function, computers examine each record in the data set and return only those records in the data set that meet specific criteria. Consequently, a human being will see only the subset of data that the computer returns. Thus, the commenter stated that it is only this subset that could be used or disclosed.
Response: We interpret "use" to mean only the uses of the product of the computer processing, not the internal computer processing that generates the product.
Comments: Some commenters asked that the Department clarify that individualized medical information obtained through a fitness for duty examination is not subject to the privacy protections under the regulation.
Response: As discussed above, we have clarified that the definition of "treatment" to include assessments of an individual. If the assessment is performed by a covered health care provider, the health information resulting from the assessment is protected health information. We note that a covered entity is permitted to condition the provision of health care when the sole purpose is to create protected health information for the benefit of a third person. See § 164.508(b). For example, a covered health care provider may condition the provision of a fitness for duty examination to an individual on obtaining an authorization from the individual for disclosure to the employer who has requested the examination.