Standards for Privacy of Individually Identifiable Health Information. Final Privacy Rule Preamble.. Void for Vagueness


Comment: One comment suggested that the Secretary's use of a "reasonableness" standard is unconstitutionally vague. Specifically, this comment objected to the requirement that covered entities use "reasonable" efforts to use or disclose the minimum amount of protected health information, to ensure that business partners comply with the privacy provisions of their contracts, to notify business partners of any amendments or corrections to protected health information, and to verify the identity of individuals requesting information, as well as charge only a "reasonable" fee for inspecting and copying health information. This comment asserted that the Secretary provided "inadequate guidance" as to what qualifies as "reasonable."

Response: We disagree with the comment's suggestion that by applying a "reasonableness" standard, the regulation has failed to provide for "fair warning" or "fair enforcement." The "reasonableness" standard is well-established in law; for example, it is the foundation of the common law of torts. Courts also have consistently held as constitutional statutes that rely upon a "reasonableness" standard. Our reliance upon a "reasonableness" standard, thus, provides covered entities with constitutionally sufficient guidance.