Standards for Privacy of Individually Identifiable Health Information. Final Privacy Rule Preamble.. Workforce.


Comment: Some commenters requested that we exclude "volunteers" from the definition of workforce. They stated that volunteers are important contributors within many covered entities, and in particular hospitals. They argued that it was unfair to ask that these people donate their time and at the same time subject them to the penalties placed upon the paid employees by these regulations, and that it would discourage people from volunteering in the health care setting.

Response: We disagree. We believe that differentiating those persons under the direct control of a covered entity who are paid from those who are not is irrelevant for the purposes of protecting the privacy of health information, and for a covered entity's management of its workforce. In either case, the person is working for the covered entity. With regard to implications for the individual, persons in a covered entity's workforce are not held personally liable for violating the standards or requirements of the final rule. Rather, the Secretary has the authority to impose civil monetary penalties and in some cases criminal penalties for such violations on only the covered entity.

Comment: One commenter asked that the rule clarify that employees administering a group health or other employee welfare benefit plan on their employers' behalf are considered part of the covered entity's workforce.

Response: As long as the employees have been identified by the group health plan in plan documents as performing functions related to the group health plan (consistent with the requirements of § 164.504(f)), those employees may have access to protected health information. However, they are not permitted to use or disclose protected health information for employment-related purposes or in connection with any other employee benefit plan or employee benefit of the plan sponsor.