[Federal Register: August 14, 2002 (Volume 67, Number 157)]
[Rules and Regulations]
[Page 53181-53273]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr14au02-32]

Part V
Department of Health and Human Services
Office of the Secretary
45 CFR Parts 160 and 164
Standards for Privacy of Individually Identifiable Health Information; Final Rule

DEPARTMENT OF HEALTH AND HUMAN SERVICES
Office of the Secretary
45 CFR Parts 160 and 164
RIN 0991-AB14
Standards for Privacy of Individually Identifiable Health Information

AGENCY: Office for Civil Rights, HHS.

ACTION: Final rule.

SUMMARY: The Department of Health and Human Services (``HHS'' or ``Department'') modifies certain standards in the Rule entitled ``Standards for Privacy of Individually Identifiable Health Information'' (``Privacy Rule''). The Privacy Rule implements the privacy requirements of the Administrative Simplification subtitle of the Health Insurance Portability and Accountability Act of 1996. The purpose of these modifications is to maintain strong protections for the privacy of individually identifiable health information while clarifying certain of the Privacy Rule's provisions, addressing the unintended negative effects of the Privacy Rule on health care quality or access to health care, and relieving unintended administrative burdens created by the Privacy Rule.

DATES: This final rule is effective on October 15, 2002.

FOR FURTHER INFORMATION CONTACT: Felicia Farmer, 1-866-OCR-PRIV (1-866-627-7748) or TTY 1-866-788-4989.

SUPPLEMENTARY INFORMATION:

Availability of copies, and electronic access.
Copies: To order copies of the Federal Register containing this document, send your request to: New Orders, Superintendent of Documents, P.O. Box 371954, Pittsburgh, PA 15250-7954. Specify the date of the issue requested and enclose a check or money order payable to the Superintendent of Documents, or enclose your Visa or Master Card number and expiration date. Credit card orders can also be placed by calling the order desk at (202) 512-1800 (or toll-free at 1-866-512-1800) or by fax to (202) 512-2250. The cost for each copy is $10.00. Alternatively, you may view and photocopy the Federal Register document at most libraries designated as Federal Depository Libraries and at many other public and academic libraries throughout the country that receive the Federal Register.

Electronic Access: This document is available electronically at the HHS Office for Civil Rights (OCR) Privacy Web site at http://www.hhs.gov/ocr/hipaa/, as well as at the web site of the Government Printing Office at http://www.access.gpo.gov/su_docs/aces/aces140.html.

I. Background

A. Statutory Background

Congress recognized the importance of protecting the privacy of health information given the rapid evolution of health information systems in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, which became law on August 21, 1996. HIPAA's Administrative Simplification provisions, sections 261 through 264 of the statute, were designed to improve the efficiency and effectiveness of the health care system by facilitating the electronic exchange of information with respect to certain financial and administrative transactions carried out by health plans, health care clearinghouses, and health care providers who transmit information electronically in connection with such transactions.
To implement these provisions, the statute directed HHS to adopt a suite of uniform, national standards for transactions, unique health identifiers, code sets for the data elements of the transactions, security of health information, and electronic signature. At the same time, Congress recognized the challenges to the confidentiality of health information presented by the increasing complexity of the health care industry, and by advances in the health information systems technology and communications. Thus, the Administrative Simplification provisions of HIPAA authorized the Secretary to promulgate standards for the privacy of individually identifiable health information if Congress did not enact health care privacy legislation by August 21, 1999. HIPAA also required the Secretary of HHS to provide Congress with recommendations for legislating to protect the confidentiality of health care information. The Secretary submitted such recommendations to Congress on September 11, 1997, but Congress did not pass such legislation within its self-imposed deadline.

With respect to these regulations, HIPAA provided that the standards, implementation specifications, and requirements established by the Secretary not supersede any contrary State law that imposes more stringent privacy protections. Additionally, Congress required that HHS consult with the National Committee on Vital and Health Statistics, a Federal advisory committee established pursuant to section 306(k) of the Public Health Service Act (42 U.S.C. 242k(k)), and the Attorney General in the development of HIPAA privacy standards.

After a set of HIPAA Administrative Simplification standards is adopted by the Department, HIPAA provides HHS with authority to modify the standards as deemed appropriate, but not more frequently than once every 12 months. However, modifications are permitted during the first year after adoption of the standards if the changes are necessary to permit compliance with the standards.
HIPAA also provides that compliance with modifications to standards or implementation specifications must be accomplished by a date designated by the Secretary, which may not be earlier than 180 days after the adoption of the modification.

B. Regulatory and Other Actions to Date

HHS published a proposed Rule setting forth privacy standards for individually identifiable health information on November 3, 1999 (64 FR 59918). The Department received more than 52,000 public comments in response to the proposal. After reviewing and considering the public comments, HHS issued a final Rule (65 FR 82462) on December 28, 2000, establishing ``Standards for Privacy of Individually Identifiable Health Information'' (``Privacy Rule'').

In an era where consumers are increasingly concerned about the privacy of their personal information, the Privacy Rule creates, for the first time, a floor of national protections for the privacy of their most sensitive information--health information. Congress has passed other laws to protect consumers' personal information contained in bank, credit card, other financial records, and even video rentals. These health privacy protections are intended to provide consumers with similar assurances that their health information, including genetic information, will be properly protected. Under the Privacy Rule, health plans, health care clearinghouses, and certain health care providers must guard against misuse of individuals' identifiable health information and limit the sharing of such information, and consumers are afforded significant new rights to enable them to understand and control how their health information is used and disclosed.

After publication of the Privacy Rule, HHS received many inquiries and unsolicited comments through telephone calls, e-mails, letters, and other contacts about the impact and operation of the Privacy Rule on numerous sectors of the health care industry.
Many of these commenters exhibited substantial confusion and misunderstanding about how the Privacy Rule will operate; others expressed great concern over the complexity of the Privacy Rule. In response to these communications and to ensure that the provisions of the Privacy Rule would protect patients' privacy without creating unanticipated consequences that might harm patients' access to health care or quality of health care, the Secretary of HHS opened the Privacy Rule for additional public comment in March 2001 (66 FR 12738). After an expedited review of the comments by the Department, the Secretary decided that it was appropriate for the Privacy Rule to become effective on April 14, 2001, as scheduled (65 FR 12433). At the same time, the Secretary directed the Department immediately to begin the process of developing guidelines on how the Privacy Rule should be implemented and to clarify the impact of the Privacy Rule on health care activities. In addition, the Secretary charged the Department with proposing appropriate changes to the Privacy Rule during the next year to clarify the requirements and correct potential problems that could threaten access to, or quality of, health care. The comments received during the comment period, as well as other communications from the public and all sectors of the health care industry, including letters, testimony at public hearings, and meetings requested by these parties, have helped to inform the Department's efforts to develop proposed modifications and guidance on the Privacy Rule. On July 6, 2001, the Department issued its first guidance to answer common questions and clarify certain of the Privacy Rule's provisions. In the guidance, the Department also committed to proposing modifications to the Privacy Rule to address problems arising from unintended effects of the Privacy Rule on health care delivery and access. The guidance will soon be updated to reflect the modifications adopted in this final Rule. 
The revised guidance will be available on the HHS Office for Civil Rights (OCR) Privacy Web site at http://www.hhs.gov/ocr/hipaa/.

In addition, the National Committee for Vital and Health Statistics (NCVHS), Subcommittee on Privacy and Confidentiality, held public hearings on the implementation of the Privacy Rule on August 21-23, 2001, and January 24-25, 2002, and provided recommendations to the Department based on these hearings. The NCVHS serves as the statutory advisory body to the Secretary of HHS with respect to the development and implementation of the Rules required by the Administrative Simplification provisions of HIPAA, including the privacy standards. Through the hearings, the NCVHS specifically solicited public input on issues related to certain key standards in the Privacy Rule: consent, minimum necessary, marketing, fundraising, and research. The resultant public testimony and subsequent recommendations submitted to the Department by the NCVHS also served to inform the development of these proposed modifications.

II. Overview of the March 2002 Notice of Proposed Rulemaking (NPRM)

As described above, through public comments, testimony at public hearings, meetings at the request of industry and other stakeholders, as well as other communications, the Department learned of a number of concerns about the potential unintended effects certain provisions would have on health care quality and access. On March 27, 2002, in response to these concerns, and pursuant to HIPAA's provisions for modifications to the standards, the Department proposed modifications to the Privacy Rule (67 FR 14776).
The Department proposed to modify the following areas or provisions of the Privacy Rule: consent; uses and disclosures for treatment, payment, and health care operations; notice of privacy practices; minimum necessary uses and disclosures, and oral communications; business associates; uses and disclosures for marketing; parents as the personal representatives of unemancipated minors; uses and disclosures for research purposes; uses and disclosures for which authorizations are required; and de-identification. In addition to these key areas, the proposal included changes to other provisions where necessary to clarify the Privacy Rule. The Department also included in the proposed Rule a list of technical corrections intended as editorial or typographical corrections to the Privacy Rule.

The proposed modifications collectively were designed to ensure that protections for patient privacy are implemented in a manner that maximizes the effectiveness of such protections while not compromising either the availability or the quality of medical care. They reflected a continuing commitment on the part of the Department to strong privacy protections for medical records and the belief that privacy is most effectively protected by requirements that are not exceptionally difficult to implement. The Department welcomed comments and suggestions for alternative ways effectively to protect patient privacy without adversely affecting access to, or the quality of, health care.

Given that the compliance date of the Privacy Rule for most covered entities is April 14, 2003, and the Department's interest in having the compliance date for these revisions also be no later than April 14, 2003, the Department solicited public comment on the proposed modifications for only 30 days. As stated above, the proposed modifications addressed public concerns already communicated to the Department through a wide variety of sources since publication of the Privacy Rule in December 2000.
For these reasons, the Department believed that 30 days should be sufficient for the public to state its views fully to the Department on the proposed modifications to the Privacy Rule. During the 30-day comment period, the Department received in excess of 11,400 comments.

III. Section-by-Section Description of Final Modifications and Response to Comments

A. Section 164.501--Definitions

1. Marketing

December 2000 Privacy Rule

The Privacy Rule defined ``marketing'' at Sec. 164.501 as a communication about a product or service, a purpose of which is to encourage recipients of the communication to purchase or use the product or service, subject to certain limited exceptions. To avoid interfering with, or unnecessarily burdening communications about, treatment or about the benefits and services of health plans and health care providers, the Privacy Rule explicitly excluded two types of communications from the definition of ``marketing:'' (1) communications made by a covered entity for the purpose of describing the participating providers and health plans in a network, or describing the services offered by a provider or the benefits covered by a health plan; and (2) communications made by a health care provider as part of the treatment of a patient and for the purpose of furthering that treatment, or made by a provider or health plan in the course of managing an individual's treatment or recommending an alternative treatment. Thus, a health plan could send its enrollees a listing of network providers, and a health care provider could refer a patient to a specialist without either an authorization under Sec. 164.508 or having to meet the other special requirements in Sec. 164.514(e) that attach to marketing communications. However, these communications qualified for the exception to the definition of ``marketing'' only if they were made orally or, if in writing, were made without remuneration from a third party.
For example, it would not have been marketing for a pharmacy to call a patient about the need to refill a prescription, even if that refill reminder was subsidized by a third party; but it would have been marketing for that same, subsidized refill reminder to be sent to the patient in the mail.

Generally, if a communication was marketing, the Privacy Rule required the covered entity to obtain the individual's authorization to use or disclose protected health information to make the communication. However, the Privacy Rule, at Sec. 164.514(e), permitted the covered entity to make health-related marketing communications without such authorization, provided it complied with certain conditions on the manner in which the communications were made. Specifically, the Privacy Rule permitted a covered entity to use or disclose protected health information to communicate to individuals about the health-related products or services of the covered entity or of a third party, without first obtaining an authorization for that use or disclosure of protected health information, if the communication: (1) Identified the covered entity as the party making the communication; (2) identified, if applicable, that the covered entity received direct or indirect remuneration from a third party for making the communication; (3) with the exception of general circulation materials, contained instructions describing how the individual could opt-out of receiving future marketing communications; and (4) where protected health information was used to target the communication about a product or service to individuals based on their health status or health condition, explained why the individual had been targeted and how the product or service related to the health of the individual.

For certain permissible marketing communications, however, the Department did not believe these conditions to be practicable. Therefore, Sec. 164.514(e) also permitted a covered entity to make a marketing communication that occurred in a face-to-face encounter with the individual, or that involved products or services of only nominal value, without meeting the above conditions or requiring an authorization. These provisions, for example, permitted a covered entity to provide sample products during a face-to-face communication, or to distribute calendars, pens, and the like, that displayed the name of a product or provider.

March 2002 NPRM

The Department received many complaints concerning the complexity and unworkability of the Privacy Rule's marketing requirements. Many entities expressed confusion over the Privacy Rule's distinction between health care communications that are excepted from the definition of ``marketing'' versus those that are marketing but permitted subject to the special conditions in Sec. 164.514(e). For example, questions were raised as to whether disease management communications or refill reminders were ``marketing'' communications subject to the special disclosure and opt-out conditions in Sec. 164.514(e). Others stated that it was unclear whether various health care operations activities, such as general health-related educational and wellness promotional activities, were to be treated as marketing under the Privacy Rule.

The Department also learned that consumers were generally dissatisfied with the conditions required by Sec. 164.514(e). Many questioned the general effectiveness of the conditions and whether the conditions would properly protect consumers from unwanted disclosure of protected health information to commercial entities, and from the intrusion of unwanted solicitations. They expressed specific dissatisfaction with the provision at Sec. 164.514(e)(3)(iii) for individuals to opt-out of future marketing communications. Many argued for the opportunity to opt-out of marketing communications before any marketing occurred.
Others requested that the Department limit marketing communications to only those consumers who affirmatively chose to receive such communications.

In response to these concerns, the Department proposed to modify the Privacy Rule to make the marketing provisions clearer and simpler. First, the Department proposed to simplify the Privacy Rule by eliminating the special provisions for marketing health-related products and services at Sec. 164.514(e). Instead, any use or disclosure of protected health information for a communication defined as ``marketing'' in Sec. 164.501 would require an authorization by the individual. Thus, covered entities would no longer be able to make any type of marketing communications that involved the use or disclosure of protected health information without authorization simply by meeting the disclosure and opt-out conditions in the Privacy Rule. The Department intended to effectuate greater consumer privacy protection by requiring authorization for all uses or disclosures of protected health information for marketing communications, as compared to the disclosure and opt-out conditions of Sec. 164.514(e).

Second, the Department proposed minor clarifications to the Privacy Rule's definition of ``marketing'' at Sec. 164.501. Specifically, the Department proposed to define ``marketing'' as ``to make a communication about a product or service to encourage recipients of the communication to purchase or use the product or service.'' The proposed modification retained the substance of the ``marketing'' definition, but changed the language slightly to avoid the implication that in order for a communication to be marketing, the purpose or intent of the covered entity in making such a communication would have to be determined. The simplified language permits the Department to make the determination based on the communication itself.

Third, with respect to the exclusions from the definition of ``marketing'' in Sec. 164.501, the Department proposed to simplify the language to avoid confusion and better conform to other sections of the regulation, particularly in the area of treatment communications. The proposal retained the exclusions for communications about a covered entity's own products and services and about the treatment of the individual. With respect to the exclusion for a communication made ``in the course of managing the treatment of that individual,'' the Department proposed to modify the language to use the terms ``case management'' and ``care coordination'' for that individual. These terms are more consistent with the terms used in the definition of ``health care operations,'' and were intended to clarify the Department's intent.

One substantive change to the definition proposed by the Department was to eliminate the condition on the above exclusions from the definition of ``marketing'' that the covered entity could not receive remuneration from a third party for any written communication. This limitation was not well understood and treated similar communications differently. For example, a prescription refill reminder was marketing if it was in writing and paid for by a third party, while a refill reminder that was not subsidized, or was made orally, was not marketing. With the proposed elimination of the health-related marketing requirements in Sec. 164.514(e) and the proposed requirement that any marketing communication require an individual's prior written authorization, retention of this condition would have adversely affected a health care provider's ability to make many common health-related communications. Therefore, the Department proposed to eliminate the remuneration prohibition to the exceptions to the definition so as not to interfere with necessary and important treatment and health-related communications between a health care provider and patient.
To reinforce the policy requiring an authorization for most marketing communications, the Department proposed to add a new marketing provision at Sec. 164.508(a)(3) explicitly requiring an authorization for a use or disclosure of protected health information for marketing purposes. Additionally, if the marketing was expected to result in direct or indirect remuneration to the covered entity from a third party, the Department proposed that the authorization state this fact. As noted above, because a use or disclosure of protected health information for marketing communications required an authorization, the disclosure and opt-out provisions in Sec. 164.514(e) no longer would be necessary and the Department proposed to eliminate them.

As in the December 2000 Privacy Rule at Sec. 164.514(e)(2), the proposed modifications at Sec. 164.508(a)(3) excluded from the marketing authorization requirements face-to-face communications made by a covered entity to an individual. The Department proposed to retain this exception so that the marketing provisions would not interfere with the relationship and dialogue between health care providers and individuals. Similarly, the Department proposed to retain the exception to the authorization requirement for a marketing communication that involved products or services of nominal value, but proposed to replace the language with the common business term ``promotional gift of nominal value.''

As noted above, because some of the proposed simplifications were a substitute for Sec. 164.514(e), the Department proposed to eliminate that section, and to make conforming changes to remove references to Sec. 164.514(e) at Sec. 164.502(a)(1)(vi) and in paragraph (6)(v) of the definition of ``health care operations'' in Sec. 164.501.

Overview of Public Comments

The following discussion provides an overview of the public comment received on this proposal.
Additional comments received on this issue are discussed below in the section entitled, ``Response to Other Public Comments.'' The Department received generally favorable comment on its proposal to simplify the marketing provisions by requiring authorizations for uses or disclosures of protected health information for marketing communications, instead of the special provisions for health-related products and services at Sec. 164.514(e). Many also supported the requirement that authorizations notify the individual of marketing that results in direct or indirect remuneration to the covered entity from a third party. They argued that for patients to make informed decisions, they must be notified of potential financial conflicts of interest. However, some commenters opposed the authorization requirement for marketing, arguing instead for the disclosure and opt-out requirements at Sec. 164.514(e) or for a one-time, blanket authorization from an individual for their marketing activities. Commenters were sharply divided on whether the Department had properly defined what is and what is not marketing. Most of those opposed to the Department's proposed definitions objected to the elimination of health-related communications for which the covered entity received remuneration from the definition of ``marketing.'' They argued that these communications would have been subject to the consumer protections in Sec. 164.514(e) but, under the proposal, could be made without any protections at all. The mere presence of remuneration raised conflict of interest concerns for these commenters, who feared patients would be misled into thinking the covered entity was acting solely in the patients' best interest when recommending an alternative medication or treatment. 
Of particular concern to these commenters was the possibility of a third party, such as a pharmaceutical company, obtaining a health care provider's patient list to market its own products or services directly to the patients under the guise of recommending an ``alternative treatment'' on behalf of the provider. Commenters argued that, even if the parties attempted to cloak the transaction in the trappings of a business associate relationship, when the remuneration flowed from the third party to the covered entity, the transaction was tantamount to selling the patient lists and ought to be considered marketing.

On the other hand, many commenters urged the Department to broaden the categories of communications that are not marketing. Several expressed concern that, under the proposal, they would be unable to send newsletters and other general circulation materials with information about health-promoting activities (e.g., screenings for certain diseases) to their patients or members without an authorization. Health plans were concerned that they would be unable to send information regarding enhancements to health insurance coverage to their members and beneficiaries. They argued, among other things, that they should be excluded from the definition of ``marketing'' because these communications would be based on limited, non-clinical protected health information, and because policyholders benefit and use such information to fully evaluate the mix of coverage most appropriate to their needs. They stated that providing such information is especially important given that individual and market-wide needs, as well as benefit offerings, change over time and by statute. For example, commenters informed the Department that some States now require long-term care insurers to offer new products to existing policyholders as they are brought to market and to allow policyholders to purchase the new benefits through a formal upgrade process.
These health plans were concerned that an authorization requirement for routine communications about options and enhancements would take significant time and expense. Some insurers also urged that they be allowed to market other lines of insurance to their health plan enrollees. A number of commenters urged the Department to exclude any activity that met the definitions of ``treatment,'' ``payment,'' or ``health care operations'' from the definition of ``marketing'' so that they could freely inform customers about prescription discount card and price subsidy programs. Still others wanted the Department to broaden the treatment exception to include all health-related communications between providers and patients.

Final Modifications

The Department adopts the modifications to marketing substantially as proposed in the NPRM, but makes changes to the proposed definition of ``marketing'' and further clarifies one of the exclusions from the definition of ``marketing'' in response to comments on the proposal. The definition of ``marketing'' is modified to close what commenters characterized as a loophole, that is, the possibility that covered entities, for remuneration, could disclose protected health information to a third party that would then be able to market its own products and services directly to individuals. Also, in response to comments, the Department clarifies the language in the marketing exclusion for communications about a covered entity's own products and services.

As it proposed to do, the Department eliminates the special provisions for marketing health-related products and services at Sec. 164.514(e). Except as provided for at Sec. 164.508(a)(3), a covered entity must have the individual's prior written authorization to use or disclose protected health information for marketing communications and will no longer be able to do so simply by meeting the disclosure and opt-out provisions, previously set forth in Sec. 164.514(e).
The Department agrees with commenters that the authorization provides individuals with more control over whether they receive marketing communications and better privacy protections for such uses and disclosures of their health information. In response to commenters who opposed this proposal, the Department does not believe that an opt-out requirement for marketing communications would provide a sufficient level of control for patients regarding their health information. Nor does the Department believe that a blanket authorization provides sufficient privacy protections for individuals. Section 164.508(c) sets forth the core elements of an authorization necessary to give individuals control of their protected health information. Those requirements give individuals sufficient information and notice regarding the type of use or disclosure of their protected health information that they are authorizing. Without such specificity, an authorization would not have meaning. Indeed, blanket marketing authorizations would be considered defective under Sec. 164.508(b)(2). The Department adopts the general definition of ``marketing'' with one clarification. Thus, ``marketing'' means ``to make a communication about a product or service that encourages the recipients of the communication to purchase or use the product or service.'' In removing the language referencing the purpose of the communication and substituting the term ``that encourages'' for the term ``to encourage'', the Department intends to simplify the determination of whether a communication is marketing. If, on its face, the communication encourages recipients of the communication to purchase or use the product or service, the communication is marketing. A few commenters argued for retaining the purpose of the communication as part of the definition of ``marketing'' based on their belief that the intent of the communication was a clearer and more definitive standard than the effect of the communication. 
The Department disagrees with these commenters. Tying the definition of ``marketing'' to the purpose of the communication creates a subjective standard that would be difficult to enforce because the intent of the communicator rarely would be documented in advance. The definition adopted by the Secretary allows the communication to speak for itself. The Department further adopts the three categories of communications that were proposed as exclusions from the definition of ``marketing.'' Thus, the covered entity is not engaged in marketing when it communicates to individuals about: (1) The participating providers and health plans in a network, the services offered by a provider, or the benefits covered by a health plan; (2) the individual's treatment; or (3) case management or care coordination for that individual, or directions or recommendations for alternative treatments, therapies, health care providers, or settings of care to that individual. For example, a doctor that writes a prescription or refers an individual to a specialist for follow-up tests is engaging in a treatment communication and is not marketing a product or service. The Department continues to exempt from the ``marketing'' definition the same types of communications that were not marketing under the Privacy Rule as published in December 2000, but has modified some of the language to better track the terminology used in the definition of ``health care operations.'' The commenters generally supported this clarification of the language. The Department, however, does not agree with commenters that sought to expand the exceptions from marketing for all communications that fall within the definitions of ``treatment,'' ``payment,'' or ``health care operations.'' The purpose of the exclusions from the definition of marketing is to facilitate those communications that enhance the individual's access to quality health care. 
Beyond these important communications, the public strongly objected to any commercial use of protected health information to attempt to sell products or services, even when the product or service is arguably health related. In light of these strong public objections, ease of administration is an insufficient justification to categorically exempt all communications about payment and health care operations from the definition of ``marketing.'' However, in response to comments, the Department is clarifying the language that excludes from the definition of ``marketing'' those communications that describe network participants and the services or benefits of the covered entity. Several commenters, particularly insurers, were concerned that the reference to a ``plan of benefits'' was too limiting and would prevent them from sending information to their enrollees regarding enhancements or upgrades to their health insurance coverage. They inquired whether the following types of communications would be permissible: enhancements to existing products; changes in deductibles/copays and types of coverage (e.g., prescription drug); continuation products for students reaching the age of majority on parental policies; special programs such as guaranteed issue products and other conversion policies; and prescription drug card programs. Some health plans also inquired if they could communicate with beneficiaries about ``one-stop shopping'' with their companies to obtain long-term care, property, casualty, and life insurance products. The Department understands the need for covered health care providers and health plans to be able to communicate freely to their patients or enrollees about their own products, services, or benefits. The Department also understands that some of these communications are required by State or other law. 
To ensure that such communications may continue, the Department is broadening its policy, both as set forth in the December 2000 Privacy Rule and as proposed in the March 2002 NPRM, to allow covered entities to use protected health information to convey information to beneficiaries and members about health insurance products offered by the covered entity that could enhance or substitute for existing health plan coverage. Specifically, the Department modifies the relevant exemption from the definition of ``marketing'' to include communications that describe ``a health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of, the covered entity making the communication, including communications about: the entities participating in a health care provider network or health plan network; replacement of, or enhancements to, a [[Page 53187]] health plan; and health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits.'' Thus, under this exemption, a health plan is not engaging in marketing when it advises its enrollees about other available health plan coverages that could enhance or substitute for existing health plan coverage. For example, if a child is about to age out of coverage under a family's policy, this provision will allow the plan to send the family information about continuation coverage for the child. This exception, however, does not extend to excepted benefits (described in section 2791(c)(1) of the Public Health Service Act, 42 U.S.C. 300gg-91(c)(1), such as accident-only policies), nor to other lines of insurance (e.g., it is marketing for a multi-line insurer to promote its life insurance policies using protected health information).
Moreover, the expanded language makes clear that it is not marketing when a health plan communicates about health-related products and services available only to plan enrollees or members that add value to, but are not part of, a plan of benefits. The provision of value-added items or services (VAIS) is a common practice, particularly for managed care organizations. Communications about VAIS may qualify as a communication that is about a health plan's own products or services, even if VAIS are not considered plan benefits for the Adjusted Community Rate purposes. To qualify for this exclusion, however, the VAIS must meet two conditions. First, they must be health-related. Therefore, discounts offered by Medicare+Choice or other managed care organizations for eyeglasses may be considered part of the plan's benefits, whereas discounts to attend movie theaters will not. Second, such items and services must demonstrably ``add value'' to the plan's membership and not merely be a pass-through of a discount or item available to the public at large. Therefore, a Medicare+Choice or other managed care organization could, for example, offer its members a special discount opportunity for a health/fitness club without obtaining authorizations, but could not pass along to its members discounts to a health/fitness club that the members would be able to obtain directly from the health/fitness clubs.

In further response to comments, the Department has added new language to the definition of ``marketing'' to close what commenters perceived as a loophole that a covered entity could sell protected health information to another company for the marketing of that company's products or services. For example, many were concerned that a pharmaceutical company could pay a provider for a list of patients with a particular condition or taking a particular medication and then use that list to market its own drug products directly to those patients.
The commenters believed the proposal would permit this to happen under the guise of the pharmaceutical company acting as a business associate of the covered entity for the purpose of recommending an alternative treatment or therapy to the individual. The Department agrees with commenters that the potential for manipulating the business associate relationship in this fashion should be expressly prohibited. Therefore, the Department is adding language that would make clear that business associate transactions of this nature are marketing. Marketing is defined expressly to include ``an arrangement between a covered entity and any other entity whereby the covered entity discloses protected health information to the other entity, in exchange for direct or indirect remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service.'' These communications are marketing and can only occur if the covered entity obtains the individual's authorization pursuant to Sec. 164.508. The Department believes that this provision will make express the fundamental prohibition against covered entities selling lists of patients or enrollees to third parties, or from disclosing protected health information to a third party for the marketing activities of the third party, without the written authorization of the individual. The Department further notes that manufacturers that receive identifiable health information and misuse it may be subject to action taken under other consumer protection statutes by other Federal agencies, such as the Federal Trade Commission. The Department does not, however, agree with commenters who argued for retention of the provisions that would condition the exclusions from the ``marketing'' definition on the absence of remuneration. 
Except for the arrangements that are now expressly defined as ``marketing,'' the Department eliminates the conditions that communications are excluded from the definition of ``marketing'' only if they are made orally, or, if in writing, are made without any direct or indirect remuneration. The Department does not agree that the simple receipt of remuneration should transform a treatment communication into a commercial promotion of a product or service. For example, health care providers should be able to, and can, send patients prescription refill reminders regardless of whether a third party pays or subsidizes the communication. The covered entity also is able to engage a legitimate business associate to assist it in making these permissible communications. It is only in situations where, in the guise of a business associate, an entity other than the covered entity is promoting its own products using protected health information it has received from, and for which it has paid, the covered entity, that the remuneration will place the activity within the definition of ``marketing.'' In addition, the Department adopts the proposed marketing authorization provision at Sec. 164.508(a)(3), with minor language changes to conform to the revised ``marketing'' definition. The Rule expressly requires an authorization for uses or disclosures of protected health information for marketing communications, except in two circumstances: (1) When the communication occurs in a face-to-face encounter between the covered entity and the individual; or (2) the communication involves a promotional gift of nominal value. A marketing authorization must include a statement about remuneration, if any. 
For ease of administration, the Department has changed the regulatory provision to require a statement on the authorization whenever the marketing ``involves'' direct or indirect remuneration to the covered entity from a third party, rather than requiring the covered entity to identify those situations where ``the marketing is expected to result in'' remuneration.

Finally, the Department clarifies that nothing in the marketing provisions of the Privacy Rule is to be construed as amending, modifying, or changing any rule or requirement related to any other Federal or State statutes or regulations, including specifically anti-kickback, fraud and abuse, or self-referral statutes or regulations, or to authorize or permit any activity or transaction currently proscribed by such statutes and regulations. Examples of such laws include the anti-kickback statute (section 1128B(b) of the Social Security Act), safe harbor regulations (42 CFR part 1001), Stark law (section 1877 of the Social Security Act) and regulations (42 CFR parts 411 and 424), and HIPAA statute on self-referral (section 1128C of the Social Security Act). The definition [[Page 53188]] of ``marketing'' is solely applicable to the Privacy Rule and the permissions granted by the Rule are only for a covered entity's use or disclosure of protected health information. In particular, although this regulation defines the term ``marketing'' to exclude communications to an individual to recommend, purchase, or use a product or service as part of the treatment of the individual or for case management or care coordination of that individual, such communication by a ``white coat'' health care professional may violate the anti-kickback statute. Similar examples for pharmacist communications with patients relating to the marketing of products on behalf of pharmaceutical companies were identified by the OIG as problematic in a 1994 Special Fraud Alert (December 19, 1994, 59 FR 65372).
Other violations have involved home health nurses and physical therapists acting as marketers for durable medical equipment companies. Although a particular communication under the Privacy Rule may not require patient authorization because it is not marketing, or may require patient authorization because it is ``marketing'' as the Rule defines it, the arrangement may nevertheless violate other statutes and regulations administered by HHS, the Department of Justice, or other Federal or State agencies.

Response to Other Public Comments

Comment: Some commenters recommended that the definition of ``marketing'' be broadened to read as follows: ``any communication about a product or service to encourage recipients of the communication to purchase or use the product or service or that will make the recipient aware of the product or service available for purchase or use by the recipient.'' According to these commenters, the additional language would capture marketing campaign activities to establish ``brand recognition.''

Response: The Department believes that marketing campaigns to establish brand name recognition of products are already encompassed within the general definition of ``marketing'' and that it is not necessary to add language to accomplish this purpose.

Comment: Some commenters opposed the proposed deletion of references to the covered entity as the source of the communications, in the definition of those communications that were excluded from the ``marketing'' definition. They objected to these non-marketing communications being made by unrelated third parties based on protected health information disclosed to these third parties by the covered entity, without the individual's knowledge or authorization.

Response: These commenters appear to have misinterpreted the proposal as allowing third parties to obtain protected health information from covered entities for marketing or other purposes for which the Rule requires an individual's authorization.
The deletion of the specific reference to the covered entity does not permit disclosures to a third party beyond the disclosures already permitted by the Rule. The change is intended to be purely editorial: since the Rule applies only to covered entities, the only entities whose communications can be governed by the Rule are covered entities, and thus the reference to covered entities there was redundant. Covered entities may not disclose protected health information to third parties for marketing purposes without authorization from the individual, even if the third party is acting as the business associate of the disclosing covered entity. Covered entities may, however, use protected health information to communicate with individuals about the covered entity's own health-related products or services, the individual's treatment, or case management or care coordination for the individual. The covered entity does not need an authorization for these types of communications and may make the communication itself or use a business associate to do so.

Comment: Some commenters advocated for reversion to the provision in Sec. 164.514(e) that the marketing communication identify the covered entity responsible for the communication, and argued that the covered entity should be required to identify itself as the source of the protected health information.

Response: As modified, the Privacy Rule requires the individual's written authorization for the covered entity to use or disclose protected health information for marketing purposes, with limited exceptions. The Department believes that the authorization process itself will put the individual sufficiently on notice that the covered entity is the source of the protected health information.
To the extent that the commenter suggests that these disclosures are necessary for communications that are not ``marketing'' as defined by the Rule, the Department disagrees because such a requirement would place an undue burden on necessary health-related communications.

Comment: Many commenters opposed the proposed elimination of the provision that would have transformed a communication exempted from marketing into a marketing communication if it was in writing and paid for by a third party. They argued that marketing should include any activity in which a covered entity receives compensation, directly or indirectly, through such things as discounts from another provider, manufacturer, or service provider in exchange for providing information about the manufacturer or service provider's products to consumers, and that consumers should be advised whenever such remuneration is involved and allowed to opt-out of future communications.

Response: The Department considered whether remuneration should determine whether a given activity is marketing, but ultimately concluded that remuneration should not define whether a given activity is marketing or falls under an exception to marketing. In fact, the Department believes that the provision in the December 2000 Rule that transformed a treatment communication into a marketing communication if it was in writing and paid for by a third party blurred the line between treatment and marketing in ways that would have made the Privacy Rule difficult to implement. The Department believes that certain health care communications, such as refill reminders or informing patients about existing or new health care products or services, are appropriate, whether or not the covered entity receives remuneration from third parties to pay for them. The fact that remuneration is received for a marketing communication does not mean the communication is biased or inaccurate.
For the same reasons, the Department does not believe that the communications that are exempt from the definition of ``marketing'' require any special conditions, based solely on direct or indirect remuneration received by the covered entity. Requiring disclosure and opt-out conditions on these communications, as Sec. 164.514(e) had formerly imposed on health-related marketing communications, would add a layer of complexity to the Privacy Rule that the Department intended to eliminate. Individuals, of course, are free to negotiate with covered entities for limitations on such uses and disclosures, to which the entity may, but is not required to, agree.

The Department does agree with commenters that, in limited circumstances, abuses can occur. The Privacy Rule, both as published in December 2000 and as proposed to be modified in March 2002, has always prohibited covered entities from selling protected health information to a third [[Page 53189]] party for the marketing activities of the third party, without authorization. Nonetheless, in response to continued public concern, the Department has added a new provision to the definition of ``marketing'' to prevent situations in which a covered entity could take advantage of the business associate relationship to sell protected health information to another entity for that entity's commercial marketing purposes. The Department intends this prohibition to address the potential financial conflict of interest that would lead a covered entity to disclose protected health information to another entity under the guise of a treatment exemption.

Comment: Commenters argued that written authorizations (opt-ins) should be required for the use of clinical information in marketing. They stated that many consumers do not want covered entities to use information about specific clinical conditions that an individual has, such as AIDS or diabetes, to target them for marketing of services for such conditions.
Response: The Department does not intend to interfere with the ability of health care providers or health plans to deliver quality health care to individuals. The ``marketing'' definition excludes communications for the individual's treatment and for case management, care coordination or the recommendation of alternative therapies. Clinical information is critical for these communications and, hence, cannot be used to distinguish between communications that are or are not marketing. The covered entity needs the individual's authorization to use or disclose protected health information for marketing communications, regardless of whether clinical information is to be used.

Comment: The proposed modification eliminated the Sec. 164.514 requirements that permitted the use of protected health information to market health-related products and services without an authorization. In response to that proposed modification, many commenters asked whether covered entities would be allowed to make communications about ``health education'' or ``health promoting'' materials or services without an authorization under the modified Rule. Examples included communications about health improvement or disease prevention, new developments in the diagnosis or treatment of disease, health fairs, health/wellness-oriented classes or support groups.

Response: The Department clarifies that a communication that merely promotes health in a general manner and does not promote a specific product or service from a particular provider does not meet the general definition of ``marketing.'' Such communications may include population-based activities to improve health or reduce health care costs as set forth in the definition of ``health care operations'' at Sec. 164.501.
Therefore, communications, such as mailings reminding women to get an annual mammogram, and mailings providing information about how to lower cholesterol, about new developments in health care (e.g., new diagnostic tools), about health or ``wellness'' classes, about support groups, and about health fairs are permitted, and are not considered marketing.

Comment: Some commenters asked whether they could communicate with beneficiaries about government programs or government-sponsored programs such as information about SCHIP; eligibility for Medicare/Medigap (e.g., eligibility for limited, six-month open enrollment period for Medicare supplemental benefits).

Response: The Department clarifies that communications about government and government-sponsored programs do not fall within the definition of ``marketing.'' There is no commercial component to communications about benefits available through public programs. Therefore, a covered entity is permitted to use and disclose protected health information to communicate about eligibility for Medicare supplemental benefits, or SCHIP. As in our response above, these communications may reflect population-based activities to improve health or reduce health care costs as set forth in the definition of ``health care operations'' at Sec. 164.501.

Comment: The proposed modification eliminated the Sec. 164.514 requirements that allowed protected health information to be used and disclosed without authorization or the opportunity to opt-out, for communications contained in newsletters or similar general communication devices widely distributed to patients, enrollees, or other broad groups of individuals. Many commenters requested clarification as to whether various types of general circulation materials would be permitted under the proposed modification.
Commenters argued that newsletters or similar general communication devices widely distributed to patients, enrollees, or other broad groups of individuals should be permitted without authorizations because they are ``common'' and ``serve appropriate information distribution purposes'' and, based on their general circulation, are less intrusive than other forms of communication.

Response: Covered entities may make communications in newsletter format without authorization so long as the content of such communications is not ``marketing,'' as defined by the Rule. The Department is not creating any special exemption for newsletters.

Comment: One commenter suggested that, even when authorizations are granted to disclose protected health information for a particular marketing purpose to a non-covered entity, there should also be an agreement by the third party not to re-disclose the protected health information. This same commenter also recommended that the Privacy Rule place restrictions on non-secure modes of making communications pursuant to an authorization. This commenter argued that protected health information should not be disclosed on the outside of mailings or through voice mail, unattended FAX, or other modes of communication that are not secure.

Response: Under the final Rule, a covered entity must obtain an individual's authorization to use or disclose protected health information for a marketing communication, with some exceptions. If an individual wanted an authorization to limit the use of the information by the covered entity, the individual could negotiate with the covered entity to make that clear in the authorization. Similarly, individuals can request confidential forms of communication, even with respect to authorized disclosures. See Sec. 164.522(b).

Comment: Commenters requested that HHS provide clear guidance on what types of activities constitute a use or disclosure for marketing, and, therefore, require an authorization.
Response: The Department has modified the ``marketing'' definition to clarify the types of uses or disclosures of protected health information that are marketing, and, therefore, require prior authorization and those that are not marketing. The Department intends to update its guidance on this topic and address specific examples raised by commenters at that time.

Comment: A number of commenters wanted the Department to amend the face-to-face authorization exception. Some urged that it be broadened to include telephone, mail and other common carriers, fax machines, or the Internet so that the exception would cover communications between providers and patients that are not in person. For example, it was pointed out that some providers, such as home [[Page 53190]] delivery pharmacies, may have a direct treatment relationship, but communicate with patients through other channels. Some raised specific concerns about communicating with ``shut-ins'' and ``persons living in rural areas.'' Other commenters asked the Department to make the exception more narrow to cover only those marketing communications made by a health care provider, as opposed to by a business associate, or to cover only those marketing communications of a provider that arise from a treatment or other essential health care communication.

Response: The Department believes that expanding the face-to-face authorization exception to include telephone, mail, and other common carriers, fax machines or the Internet would create an exception essentially for all types of marketing communications. All providers potentially use a variety of means to communicate with their patients. The authorization exclusion, however, is narrowly crafted to permit only face-to-face encounters between the covered entity and the individual.
The Department believes that further narrowing the exception to place conditions on such communications, other than that it be face-to-face, would neither be practical nor better serve the privacy interests of the individual. The Department does not intend to police communications between doctors and patients that take place in the doctor's office. Further limiting the exception would add a layer of complexity to the Rule, encumbering physicians and potentially causing them to second-guess themselves when making treatment or other essential health care communications. In this context, the individual can readily stop any unwanted communications, including any communications that may otherwise meet the definition of ``marketing.''

2. Health Care Operations: Changes of Legal Ownership

December 2000 Privacy Rule. The Rule's definition of ``health care operations'' included the disclosure of protected health information for the purposes of due diligence with respect to the contemplated sale or transfer of all or part of a covered entity's assets to a potential successor in interest who is a covered entity, or would become a covered entity as a result of the transaction. The Department indicated in the December 2000 preamble of the Privacy Rule its intent to include in the definition of health care operations the actual transfer of protected health information to a successor in interest upon a sale or transfer of its assets. (65 FR 82609.) However, the regulation itself did not expressly provide for the transfer of protected health information upon the sale or transfer of assets to a successor in interest. Instead, the definition of ``health care operations'' included uses or disclosures of protected health information only for due diligence purposes when a sale or transfer to a successor in interest is contemplated.

March 2002 NPRM. A number of entities expressed concern about the discrepancy between the intent as expressed in the preamble to the December 2000 Privacy Rule and the actual regulatory language. To address these concerns, the Department proposed to add language to paragraph (6) of the definition of ``health care operations'' to clarify its intent to permit the transfer of records to a covered entity upon a sale, transfer, merger, or consolidation. This proposed change would prevent the Privacy Rule from interfering with necessary treatment or payment activities upon the sale of a covered entity or its assets. The Department also proposed to use the terms ``sale, transfer, consolidation or merger'' and to eliminate the term ``successor in interest'' from this paragraph. The Department intended this provision to apply to any sale, transfer, merger or consolidation and believed the current language may not accomplish this goal. The Department proposed to retain the limitation that such disclosures are health care operations only to the extent the entity receiving the protected health information is a covered entity or would become a covered entity as a result of the transaction. The Department clarified that the proposed modification would not affect a covered entity's other legal or ethical obligation to notify individuals of a sale, transfer, merger, or consolidation.

Overview of Public Comments. The following discussion provides an overview of the public comment received on this proposal. Additional comments received on this issue are discussed below in the section entitled, ``Response to Other Public Comments.'' Numerous commenters supported the proposed modifications. Generally, these commenters claimed the modifications would prevent inconvenience to consumers, and facilitate timely access to health care.
Specifically, these commenters indicated that health care would be delayed and consumers would be inconvenienced if covered entities were required to obtain individual consent or authorization before they could access health records that are newly acquired assets resulting from the sale, transfer, merger, or consolidation of all or part of a covered entity. Commenters further claimed that the administrative burden of acquiring individual permission and culling records of consumers who do not give consent would be too great, and would cause some entities to simply store or destroy the records instead. Consequently, health information would be inaccessible, causing consumers to be inconvenienced and health care to be delayed. Some commenters noted that the proposed modifications recognize the realities of business without compromising the availability or quality of health care or diminishing privacy protections one would expect in the handling of protected health information during the course of such business transactions. Opposition to the proposed modifications was limited, with commenters generally asserting that the transfer of records in such circumstances would not be in the best interests of individuals.

Final Modifications. The Department agrees with the commenters that supported the proposed modifications and, therefore, adopts the modifications to the definition of health care operations. Thus, ``health care operations'' includes the sale, transfer, merger, or consolidation of all or part of the covered entity to or with another covered entity, or an entity that will become a covered entity as a result of the transaction, as well as the due diligence activities in connection with such transaction. In response to a comment, the final Rule modifies the phrase ``all or part of a covered entity'' to read ``all or part of the covered entity'' to clarify that any disclosure for such activity must be by the covered entity that is a party to the transaction.
Under the final definition of ``health care operations,'' a covered entity may use or disclose protected health information in connection with a sale or transfer of assets to, or a consolidation or merger with, an entity that is or will be a covered entity upon completion of the transaction; and to conduct due diligence in connection with such transaction. The modification makes clear it is also a health care operation to transfer records containing protected health information as part of the transaction. For example, if a pharmacy which is a covered entity buys another pharmacy which is also a covered entity, protected health information can be exchanged between the two entities for purposes of conducting due diligence, and the selling entity may [[Page 53191]] transfer any records containing protected health information to the new owner upon completion of the transaction. The new owner may then immediately use and disclose those records to provide health care services to the individuals, as well as for payment and health care operations purposes. Since the information would continue to be protected by the Privacy Rule, any other use or disclosure of the information would require an authorization unless otherwise permitted without authorization by the Rule, and the new owner would be obligated to observe the individual's rights of access, amendment, and accounting. The Privacy Rule would not interfere with other legal or ethical obligations of an entity that may arise out of the nature of its business or relationship with its customers or patients to provide such persons with notice of the transaction or an opportunity to agree to the transfer of records containing personal information to the new owner.

Response to Other Public Comments

Comment: One commenter was concerned about what obligations the parties to a transaction have regarding protected health information that was exchanged as part of a transaction if the transaction does not go through.
Response: The Department believes that other laws and standard business practices are adequate to address these situations and accordingly does not impose additional requirements of this type. It is standard practice for parties contemplating such transactions to enter into confidentiality agreements. In addition to exchanging protected health information, the parties to such transactions commonly exchange confidential proprietary information. It is a standard practice for the parties to these transactions to agree that the handling of all confidential information, such as proprietary information, will include ensuring that, in the event that the proposed transaction is not consummated, the information is either returned to its original owner or destroyed as appropriate. They may include protected health information in any such agreement, as they determine appropriate to the circumstances and applicable law.

3. Protected Health Information: Exclusion for Employment Records

December 2000 Privacy Rule. The Privacy Rule broadly defines ``protected health information'' as individually identifiable health information maintained or transmitted by a covered entity in any form or medium. The December 2000 Privacy Rule expressly excluded from the definition of ``protected health information'' only educational and other records that are covered by the Family Education Rights and Privacy Act of 1974, as amended, 20 U.S.C. 1232g. In addition, throughout the December 2000 preamble to the Privacy Rule, the Department repeatedly stated that the Privacy Rule does not apply to employers, nor does it apply to the employment functions of covered entities, that is, when they are acting in their role as employers. For example, the Department stated:

Covered entities must comply with this regulation in their health care capacity, not in their capacity as employers.
For example, information in hospital personnel files about a nurses' (sic) sick leave is not protected health information under this rule. 65 FR 82612.

However, the definition of protected health information did not expressly exclude personnel or employment records of covered entities.

March 2002 NPRM. The Department understands that covered entities are also employers, and that this creates two potential sources of confusion about the status of health information. First, some employers are required or elect to obtain health information about their employees, as part of their routine employment activities [e.g., hiring, compliance with the Occupational Safety and Health Administration (OSHA) requirements]. Second, employees of covered health care providers or health plans sometimes seek treatment or reimbursement from that provider or health plan, unrelated to the employment relationship. To avoid any confusion on the part of covered entities as to application of the Privacy Rule to the records they maintain as employers, the Department proposed to modify the definition of ``protected health information'' in Sec. 164.501 to expressly exclude employment records held by a covered entity in its role as employer. The proposed modification also would alleviate the situation where a covered entity would feel compelled to elect to designate itself as a hybrid entity solely to carve out its employment functions. Individually identifiable health information maintained or transmitted by a covered entity in its health care capacity would, under the proposed modification, continue to be treated as protected health information. The Department specifically solicited comments on whether the term ``employment records'' is clear and what types of records would be covered by the term.

In addition, as discussed in section III.C.1.
below, the Department proposed to modify the definition of a hybrid entity to permit any covered entity that engaged in both covered and non-covered functions to elect to operate as a hybrid entity. Under the proposed modification, a covered entity that primarily engaged in covered functions, such as a hospital, would be allowed to elect hybrid entity status even if its only non-covered functions were those related to its capacity as an employer. Indeed, because of the absence of an express exclusion for employment records in the definition of protected health information, some covered entities may have elected hybrid entity status under the misconception that this was the only way to prevent their personnel information from being treated as protected health information under the Rule.

Overview of Public Comments. The following discussion provides an overview of the public comment received on this proposal. Additional comments received on this issue are discussed below in the section entitled, ``Response to Other Public Comments.''

The Department received comments both supporting and opposing the proposal to add an exemption for employment records to the definition of protected health information. Support for the proposal was based primarily on the need for clarity and certainty in this important area. Moreover, commenters supported the proposed exemption for employment records because it reinforced and clarified that the Privacy Rule does not conflict with an employer's obligation under numerous other laws, including OSHA, Family and Medical Leave Act (FMLA), workers' compensation, and alcohol and drug free workplace laws. Those opposed to the modification were concerned that a covered entity may abuse its access to the individually identifiable health information in its employment records by using that information for discriminatory purposes.
Many commenters expressed concern that an employee's health information created, maintained, or transmitted by the covered entity in its health care capacity would be considered an employment record and, therefore, would not be considered protected health information. Some of these commenters argued for the inclusion of special provisions, similar to the ``adequate separation'' requirements for disclosure of protected health information from group health plan to plan sponsor functions (Sec. 164.504(f)), to heighten the protection for an employee's individually identifiable health information when moving between a covered entity's [[Page 53192]] health care functions and its employer functions.

A number of commenters also suggested types of records that the Department should consider to be ``employment records'' and, therefore, excluded from the definition of ``protected health information.'' The suggested records included records maintained under the FMLA or the Americans with Disabilities Act (ADA), as well as records relating to occupational injury, disability insurance eligibility, sick leave requests and justifications, drug screening results, workplace medical surveillance, and fitness-for-duty test results. One commenter suggested that health information related to professional athletes should qualify as an employment record.

Final Modifications.
The Department adopts as final the proposed language excluding employment records maintained by a covered entity in its capacity as an employer from the definition of ``protected health information.'' The Department agrees with commenters that the regulation should be explicit that it does not apply to a covered entity's employer functions and that the most effective means of accomplishing this is through the definition of ``protected health information.'' The Department is sensitive to the concerns of commenters that a covered entity not abuse its access to an employee's individually identifiable health information which it has created or maintains in its health care, not its employer, capacity. In responding to these concerns, the Department must remain within the boundaries set by the statute, which does not include employers per se as covered entities. Thus, we cannot regulate employers, even when the employer is a covered entity acting in its capacity as an employer. To address these concerns, the Department clarifies that a covered entity must remain cognizant of its dual roles as an employer and as a health care provider, health plan, or health care clearinghouse. Individually identifiable health information created, received, or maintained by a covered entity in its health care capacity is protected health information. It does not matter if the individual is a member of the covered entity's workforce or not. Thus, the medical record of a hospital employee who is receiving treatment at the hospital is protected health information and is covered by the Rule, just as the medical record of any other patient of that hospital is protected health information and covered by the Rule. The hospital may use that information only as permitted by the Privacy Rule, and in most cases will need the employee's authorization to access or use the medical information for employment purposes.
When the individual gives his or her medical information to the covered entity as the employer, such as when submitting a doctor's statement to document sick leave, or when the covered entity as employer obtains the employee's written authorization for disclosure of protected health information, such as an authorization to disclose the results of a fitness for duty examination, that medical information becomes part of the employment record, and, as such, is no longer protected health information. The covered entity as employer, however, may be subject to other laws and regulations applicable to the use or disclosure of information in an employee's employment record. The Department has decided not to add a definition of the term ``employment records'' to the Rule. The comments indicate that the same individually identifiable health information about an individual may be maintained by the covered entity in both its employment records and the medical records it maintains as a health care provider or enrollment or claims records it maintains as a health plan. The Department therefore is concerned that a definition of ``employment record'' may lead to the misconception that certain types of information are never protected health information, and will put the focus incorrectly on the nature of the information rather than the reasons for which the covered entity obtained the information. For example, drug screening test results will be protected health information when the provider administers the test to the employee, but will not be protected health information when, pursuant to the employee's authorization, the test results are provided to the provider acting as employer and placed in the employee's employment record. 
Similarly, the results of a fitness for duty exam will be protected health information when the provider administers the test to one of its employees, but will not be protected health information when the results of the fitness for duty exam are turned over to the provider as employer pursuant to the employee's authorization.

Furthermore, while the examples provided by commenters represent typical files or records that may be maintained by employers, the Department does not believe that it has sufficient information to provide a complete definition of employment record. Therefore, the Department does not adopt as part of this rulemaking a definition of employment record, but does clarify that medical information needed for an employer to carry out its obligations under FMLA, ADA, and similar laws, as well as files or records related to occupational injury, disability insurance eligibility, sick leave requests and justifications, drug screening results, workplace medical surveillance, and fitness-for-duty tests of employees, may be part of the employment records maintained by the covered entity in its role as an employer.

Response to Other Public Comments

Comment: One commenter requested clarification as to whether the term ``employment record'' included the following information that is either maintained or transmitted by a fully insured group health plan to an insurer or HMO for enrollment and/or disenrollment purposes: (a) the identity of an individual including name, address, birth date, marital status, dependent information and SSN; (b) the individual's choice of plan; (c) the amount of premiums/contributions for coverage of the individual; (d) whether the individual is an active employee or retired; (e) whether the individual is enrolled in Medicare.
Response: All of this information is protected health information when held by a fully insured group health plan and transmitted to an issuer or HMO, and the Privacy Rule applies when the group health plan discloses such information to any entity, including the plan sponsor. There are special rules in Sec. 164.504(f) which describe the conditions for disclosure of protected health information to the plan sponsor. If the group health plan received the information from the plan sponsor, it becomes protected health information when received by the group health plan. The plan sponsor is not the covered entity, so this information will not be protected when held by a plan sponsor, whether or not it is part of the plan sponsor's ``employment record.''

Comment: One commenter asked for clarification as to how the Department would characterize the following items that a covered entity may have: (1) medical file kept separate from the rest of an employment record containing (a) doctor's notes; (b) leave requests; (c) physician certifications; and (d) positive hepatitis test results; (2) FMLA documentation including: (a) physician certification form; and (b) leave requests; (3) occupational injury files containing (a) drug screening; (b) exposure test results; (c) doctor's notes; and (d) medical director's notes. [[Page 53193]]

Response: As explained above, the nature of the information does not determine whether it is an employment record. Rather, it depends on whether the covered entity obtains or creates the information in its capacity as employer or in its capacity as covered entity. An employment record may well contain some or all of the items mentioned by the commenter; but so too might a treatment record. The Department also recognizes that the employer may be required by law or sound business practice to treat such medical information as confidential and maintain it separate from other employment records.
It is the function being performed by the covered entity and the purpose for which the covered entity has the medical information, not its record keeping practices, that determines whether the health information is part of an employment record or whether it is protected health information.

Comment: One commenter suggested that the health records of professional athletes should qualify as ``employment records.'' As such, the records would not be subject to the protections of the Privacy Rule.

Response: Professional sports teams are unlikely to be covered entities. Even if a sports team were to be a covered entity, employment records of a covered entity are not covered by this Rule. If this comment is suggesting that the records of professional athletes should be deemed ``employment records'' even when created or maintained by health care providers and health plans, the Department disagrees. No class of individuals should be singled out for reduced privacy protections. As noted in the preamble to the December 2000 Rule, nothing in this Rule prevents an employer, such as a professional sports team, from making an employee's agreement to disclose health records a condition of employment. A covered entity, therefore, could disclose this information to an employer pursuant to an authorization.

B. Section 164.502--Uses and Disclosures of Protected Health Information: General Rules

1. Incidental Uses and Disclosures

December 2000 Privacy Rule. The December 2000 Rule did not explicitly address incidental uses and disclosures of protected health information. Rather, the Privacy Rule generally requires covered entities to make reasonable efforts to limit the use or disclosure of, and requests for, protected health information to the minimum necessary to accomplish the intended purpose. See Sec. 164.502(b). Additionally, Sec.
164.530(c) of the Privacy Rule requires covered entities to implement appropriate administrative, technical, and physical safeguards to reasonably safeguard protected health information from any intentional or unintentional use or disclosure that violates the Rule. Protected health information includes individually identifiable health information (with limited exceptions) in any form, including information transmitted orally, or in written or electronic form. See the definition of ``protected health information'' at Sec. 164.501.

March 2002 NPRM. After publication of the Privacy Rule, the Department received a number of concerns and questions as to whether the Privacy Rule's restrictions on uses and disclosures will prohibit covered entities from engaging in certain common and essential health care communications and practices in use today. In particular, concern was expressed that the Privacy Rule establishes absolute, strict standards that would not allow for the incidental or unintentional disclosures that could occur as a by-product of engaging in these health care communications and practices. It was argued that the Privacy Rule would, in effect, prohibit such practices and, therefore, impede many activities and communications essential to effective and timely treatment of patients. For example, some expressed concern that health care providers could no longer engage in confidential conversations with other providers or with patients, if there is a possibility that they could be overheard. Similarly, others questioned whether they would be prohibited from using sign-in sheets in waiting rooms or maintaining patient charts at bedside, or whether they would need to isolate X-ray lightboards or destroy empty prescription vials.
These concerns seemed to stem from a perception that covered entities are required to prevent any incidental disclosure such as those that may occur when a visiting family member or other person not authorized to access protected health information happens to walk by medical equipment or other material containing individually identifiable health information, or when individuals in a waiting room sign their name on a log sheet and glimpse the names of other patients. The Department, in its July 6 guidance, clarified that the Privacy Rule is not intended to impede customary and necessary health care communications or practices, nor to require that all risk of incidental use or disclosure be eliminated to satisfy its standards. The guidance promised that the Department would propose modifications to the Privacy Rule to clarify that such communications and practices may continue, if reasonable safeguards are taken to minimize the chance of incidental disclosure to others.

Accordingly, the Department proposed to modify the Privacy Rule to add a new provision at Sec. 164.502(a)(1)(iii) which would explicitly permit certain incidental uses and disclosures that occur as a result of a use or disclosure otherwise permitted by the Privacy Rule. The proposal described an incidental use or disclosure as a secondary use or disclosure that cannot reasonably be prevented, is limited in nature, and that occurs as a by-product of an otherwise permitted use or disclosure. The Department proposed that an incidental use or disclosure be permissible only to the extent that the covered entity had applied reasonable safeguards as required by Sec. 164.530(c), and implemented the minimum necessary standard, where applicable, as required by Secs. 164.502(b) and 164.514(d).

Overview of Public Comments. The following discussion provides an overview of the public comment received on this proposal.
Additional comments received on this issue are discussed below in the section entitled, ``Response to Other Public Comments.''

The Department received many comments on its proposal to permit certain incidental uses and disclosures, the majority of which expressed strong support for the proposal. Many of these commenters indicated that such a policy would help to ensure that essential health care communications and practices are not chilled by the Privacy Rule.

A few commenters opposed the Department's proposal to permit certain incidental uses and disclosures, one of whom asserted that the burden on medical staff to take precautions not to be overheard is minimal compared to the potential harm to patients if incidental disclosures were to be considered permissible.

Final Modifications. In response to the overwhelming support of commenters on this proposal, the Department adopts the proposed provision at Sec. 164.502(a)(1)(iii), explicitly permitting certain incidental uses and disclosures that occur as a by-product of a use or disclosure otherwise permitted under the Privacy Rule. As in the proposal, an incidental use or disclosure is permissible only to the extent that the covered entity has applied reasonable safeguards as [[Page 53194]] required by Sec. 164.530(c), and implemented the minimum necessary standard, where applicable, as required by Secs. 164.502(b) and 164.514(d). The Department continues to believe, as was stated in the proposed Rule, that so long as reasonable safeguards are employed, the burden of impeding such communications is not outweighed by any benefits that may accrue to individuals' privacy interests. However, an incidental use or disclosure that occurs as a result of a failure to apply reasonable safeguards or the minimum necessary standard, where required, is not a permissible use or disclosure and, therefore, is a violation of the Privacy Rule.
For example, a hospital that permits an employee to have unimpeded access to patients' medical records, where such access is not necessary for the employee to do her job, is not applying the minimum necessary standard and, therefore, any incidental use or disclosure that results from this practice would be an unlawful use or disclosure under the Privacy Rule. In response to the few comments that opposed the proposal to permit certain incidental uses and disclosures, the Department reiterates that the Privacy Rule must not impede essential health care communications and practices. Prohibiting all incidental uses and disclosures would have a chilling effect on normal and important communications among providers, and between providers and their patients, and, therefore, would negatively affect individuals' access to quality health care. The Department does not intend with this provision to obviate the need for medical staff to take precautions to avoid being overheard, but rather, will only allow incidental uses and disclosures where appropriate precautions have been taken. The Department clarifies, in response to a comment, that this provision applies, subject to reasonable safeguards and the minimum necessary standard, to an incidental use or disclosure that occurs as a result of any permissible use or disclosure under the Privacy Rule made to any person, and not just to incidental uses and disclosures resulting from treatment communications or only to communications among health care providers or other medical staff. For example, a provider may instruct an administrative staff member to bill a patient for a particular procedure, and may be overheard by one or more persons in the waiting room. Assuming that the provider made reasonable efforts to avoid being overheard and reasonably limited the information shared, an incidental disclosure resulting from such conversation is permissible under the Rule. 
In the proposal, the Department did not address whether or not incidental disclosures would need to be included in the accounting of disclosures required by Sec. 164.528. However, one commenter urged the Department to exclude incidental disclosures from the accounting. The Department agrees with this commenter and clarifies that covered entities are not required to include incidental disclosures in an accounting of disclosures provided to the individual pursuant to Sec. 164.528. The Department does not believe such a requirement would be practicable; in many instances, the covered entity may not know that an incidental disclosure occurred. To make this policy clear, the Department includes an explicit exception for such disclosures to the accounting standard at Sec. 164.528(a)(1).

Response to Other Public Comments

Comment: One commenter expressed concern that the requirement reasonably to safeguard protected health information would be problematic because any unintended use or disclosure could arguably demonstrate a failure to ``reasonably safeguard.'' This commenter requested that the Department either delete the language in Sec. 164.530(c)(2)(ii) or modify the language to make clear that the fact that an incidental use or disclosure occurs does not imply that safeguards were not reasonable.

Response: The Department clarifies that the fact that an incidental use or disclosure occurs does not by itself imply that safeguards were not reasonable. However, the Department does not believe that a modification to the proposed language is necessary to express this intent. The language proposed and now adopted at Sec. 164.530(c)(2)(ii) requires only that the covered entity reasonably safeguard protected health information to limit incidental uses or disclosures, not that the covered entity prevent all incidental uses and disclosures.
Thus, the Department expects that incidental uses and disclosures will occur and permits such uses and disclosures to the extent the covered entity has in place reasonable safeguards and has applied the minimum necessary standard, where applicable.

Comment: Another commenter requested that the Department clarify its proposal to assure that unintended disclosures will not result in civil penalties.

Response: The Department's authority to impose civil monetary penalties on violations of the Privacy Rule is defined in HIPAA. Specifically, HIPAA added section 1176 to the Social Security Act, which prescribes the Secretary's authority to impose civil monetary penalties. Therefore, in the case of a violation of a disclosure provision in the Privacy Rule, a penalty may not be imposed, among other things, if the person liable for the penalty did not know and, by exercising reasonable diligence would not have known, that such person violated the provision. HIPAA also provides for criminal penalties under certain circumstances, but the Department of Justice, not this Department, has authority for criminal penalties.

Comment: One commenter requested that the Department clarify how covered entities should implement technical and physical safeguards when they do not yet know what safeguards the final Security Rule will require.

Response: Each covered entity should assess the nature of the protected health information it holds, and the nature and scope of its business, and implement safeguards that are reasonable for its particular circumstances. There should be no potential for conflict between the safeguards required by the Privacy Rule and the final Security Rule standards, for several reasons. First, while the Privacy Rule applies to protected health information in all forms, the Security Rule will apply only to electronic health information systems that maintain or transmit individually identifiable health information.
Thus, all safeguards for protected health information in oral, written, or other non-electronic forms will be unaffected by the Security Rule. Second, in preparing the final Security Rule, the Department is working to ensure the Security Rule requirements for electronic information systems work ``hand in glove'' with any relevant requirements in the Privacy Rule, including Sec. 164.530.

Comment: One commenter argued that while this new provision is helpful, it does not alleviate covered entities' concerns that routine practices, often beneficial for treatment, will be prohibited by the Privacy Rule. This commenter stated that, for example, specialists provide certain types of therapy to patients in a group setting, and, in some cases, where family members are also present.

Response: The Department reiterates that the Privacy Rule is not intended to impede common health care communications and practices that are essential in providing health care to the individual. Further, the Privacy Rule's new provision permitting certain incidental uses and disclosures is [[Page 53195]] intended to increase covered entities' confidence that such practices can continue even where an incidental use or disclosure may occur, provided that the covered entity has taken reasonable precautions to safeguard and limit the protected health information disclosed. For example, this provision should alleviate concerns that common practices, such as the use of sign-in sheets and calling out names in waiting rooms, will violate the Rule, so long as the information disclosed is appropriately limited. With regard to the commenter's specific example, disclosure of protected health information in a group therapy setting would be a treatment disclosure, and thus permissible without individual authorization. Further, Sec. 164.510(b) generally permits a covered entity to disclose protected health information to a family member or other person involved in the individual's care.
In fact, this section specifically provides that, where the individual is present during a disclosure, the covered entity may disclose protected health information if it is reasonable to infer from the circumstances that the individual does not object to the disclosure. Absent countervailing circumstances, the individual's agreement to participate in group therapy or family discussions is a good basis for such a reasonable inference. As such disclosures are permissible disclosures in and of themselves, they would not be incidental disclosures.

Comment: Some commenters, while in support of permitting incidental uses and disclosures, requested that the Department provide additional guidance in this area by providing additional examples of permitted incidental uses and disclosures and/or clarifying what would constitute ``reasonable safeguards.''

Response: The reasonable safeguards and minimum necessary standards are flexible and adaptable to the specific business needs and circumstances of the covered entity. Given the discretion covered entities have in implementing these standards, it is difficult for the Department to provide specific guidance in this area that is generally applicable to many covered entities. However, the Department intends to provide future guidance through frequently asked questions or other materials in response to specific scenarios that are raised by industry.

2. Minimum Necessary Standard

December 2000 Privacy Rule. The Privacy Rule generally requires covered entities to make reasonable efforts to limit the use or disclosure of, and requests for, protected health information to the minimum necessary to accomplish the intended purpose. See Sec. 164.502(b). Protected health information includes individually identifiable health information (with limited exceptions) in any form, including information transmitted orally, or in written or electronic form. See the definition of ``protected health information'' at Sec. 164.501.
The minimum necessary standard is intended to make covered entities evaluate their practices and enhance protections as needed to limit unnecessary or inappropriate access to, and disclosures of, protected health information. The Privacy Rule contains some exceptions to the minimum necessary standard. The minimum necessary requirements do not apply to uses or disclosures that are required by law, disclosures made to the individual or pursuant to an authorization initiated by the individual, disclosures to or requests by a health care provider for treatment purposes, uses or disclosures that are required for compliance with the regulations implementing the other administrative simplification provisions of HIPAA, or disclosures to the Secretary of HHS for purposes of enforcing this Rule. See Sec. 164.502(b)(2). The Privacy Rule sets forth requirements for implementing the minimum necessary standard with regard to a covered entity's uses, disclosures, and requests at Sec. 164.514(d). A covered entity is required to develop and implement policies and procedures appropriate to the entity's business practices and workforce that reasonably minimize the amount of protected health information used, disclosed, and requested. For uses of protected health information, the policies and procedures must identify the persons or classes of persons within the covered entity who need access to the information to carry out their job duties, the categories or types of protected health information needed, and the conditions appropriate to such access. For routine or recurring requests and disclosures, the policies and procedures may be standard protocols. Non-routine requests for, and disclosures of, protected health information must be reviewed individually. With regard to disclosures, the Privacy Rule permits a covered entity to rely on the judgment of certain parties requesting the disclosure as to the minimum amount of information that is needed. 
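The implementation specification just described is, in security terms, a least-privilege data-access policy: classes of persons mapped to categories of protected health information under stated conditions, standard protocols for routine disclosures, individual review of non-routine ones, and a short list of exemptions. The following is an added example, not text or code from the Rule or from HHS, showing how a covered entity's policy engine might encode that structure as a decision function. The workforce classes, PHI categories and routine protocols are hypothetical and constructed for the example; "reliance" on a requester's representation under Sec. 164.514(d)(3)(iii) is modeled as a flag the caller sets once the entity has judged reliance reasonable, since the Rule leaves that judgment with the disclosing entity.

```python
"""Minimum necessary as a least-privilege decision function.

Added example, not text or code from the Rule or from HHS.  It encodes
the structure Sec. 164.514(d) describes: classes of persons mapped to
PHI categories and access conditions, standard protocols for routine
disclosures, individual review of non-routine ones, the exemptions at
Sec. 164.502(b)(2), and reliance on a requester's representation under
Sec. 164.514(d)(3)(iii).  Workforce classes, PHI categories and
protocols below are hypothetical, constructed for the example.
"""
from dataclasses import dataclass
from enum import Enum


class Purpose(Enum):
    TREATMENT = "treatment"
    PAYMENT = "payment"
    OPERATIONS = "health care operations"
    REQUIRED_BY_LAW = "required by law"
    TO_INDIVIDUAL = "to the individual"
    AUTHORIZATION = "pursuant to a Sec. 164.508 authorization"
    HHS_ENFORCEMENT = "to the Secretary for enforcement"
    OTHER = "other"


# Sec. 164.502(b)(2): purposes to which minimum necessary does not apply.
EXEMPT_PURPOSES = frozenset({Purpose.REQUIRED_BY_LAW, Purpose.TO_INDIVIDUAL,
                             Purpose.AUTHORIZATION, Purpose.HHS_ENFORCEMENT})

# Hypothetical uses policy: workforce class -> PHI categories needed for the job.
WORKFORCE_POLICY = {
    "attending_clinician": frozenset({"demographics", "clinical_notes",
                                      "lab_results", "medications"}),
    "billing_clerk": frozenset({"demographics", "insurance", "procedure_codes"}),
    "front_desk": frozenset({"demographics", "appointments"}),
}

# Hypothetical standard protocols for routine, recurring disclosures:
# (recipient, purpose) -> categories released without individual review.
ROUTINE_PROTOCOLS = {
    ("health_plan", Purpose.PAYMENT): frozenset({"demographics", "insurance",
                                                 "procedure_codes"}),
}


@dataclass(frozen=True)
class Request:
    requester: str                 # workforce class (use) or recipient (disclosure)
    categories: frozenset          # PHI categories sought
    purpose: Purpose
    is_disclosure: bool = False
    requester_is_provider: bool = False   # treatment exemption applies to providers
    condition_met: bool = True            # e.g. patient is on the requester's panel
    rely_on_requester: bool = False       # entity has judged reliance reasonable


@dataclass(frozen=True)
class Decision:
    released: frozenset
    withheld: frozenset
    reason: str
    needs_review: bool = False     # non-routine: individual review required


def evaluate(req: Request) -> Decision:
    """Return the categories that may be used or disclosed, and why."""
    none = frozenset()
    # 1. Exemptions: the full request passes without a minimum-necessary cut.
    if req.purpose in EXEMPT_PURPOSES:
        return Decision(req.categories, none, f"exempt: {req.purpose.value}")
    if req.is_disclosure and req.purpose is Purpose.TREATMENT and req.requester_is_provider:
        return Decision(req.categories, none, "exempt: disclosure to provider for treatment")

    # 2. Internal uses: least privilege by workforce class and access condition.
    #    (Uses for treatment are not exempt; only disclosures to providers are.)
    if not req.is_disclosure:
        allowed = WORKFORCE_POLICY.get(req.requester)
        if allowed is None:
            return Decision(none, req.categories, "no access policy for this class")
        if not req.condition_met:
            return Decision(none, req.categories, "access condition not met")
        return Decision(req.categories & allowed, req.categories - allowed,
                        "limited to categories defined for class")

    # 3. Disclosures: reasonable reliance on a covered entity or public official.
    if req.rely_on_requester:
        return Decision(req.categories, none, "reliance on requester's representation")

    # 4. Routine, recurring disclosure under a standard protocol; anything beyond
    #    the protocol is non-routine and is held for individual review.
    protocol = ROUTINE_PROTOCOLS.get((req.requester, req.purpose))
    if protocol is not None:
        extra = req.categories - protocol
        return Decision(req.categories & protocol, extra,
                        "routine protocol" + (" (excess held for review)" if extra else ""),
                        needs_review=bool(extra))

    # 5. Non-routine disclosure: nothing leaves until reviewed individually.
    return Decision(none, req.categories, "non-routine: individual review required",
                    needs_review=True)
```

The useful property for an auditor is that every decision carries both the categories withheld and the reason, so a log of `Decision` records documents the entity's minimum-necessary determinations as the Rule expects them to be documented. Note that a use for treatment by the entity's own workforce is still cut to the class policy; only a disclosure to, or request by, a provider for treatment is exempt.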
For example, a covered entity is permitted reasonably to rely on representations from a public official, such as a State workers' compensation official, that the information requested is the minimum necessary for the intended purpose. Similarly, a covered entity is permitted reasonably to rely on the judgment of another covered entity that the information requested is the minimum amount of information reasonably necessary to fulfill the purpose for which the request has been made. See Sec. 164.514(d)(3)(iii). March 2002 NPRM. The Department proposed a number of minor modifications to the minimum necessary standard to clarify the Department's intent or otherwise conform these provisions to other proposed modifications. First, the Department proposed to separate Sec. 164.502(b)(2)(ii) into two subparagraphs (Sec. 164.502(b)(2)(ii) and (iii)) to eliminate confusion regarding the exception to the minimum necessary standard for uses or disclosures made pursuant to an authorization under Sec. 164.508, and the separate exception for disclosures made to the individual. Second, to conform to the proposal to eliminate the special authorizations required by the Privacy Rule at Sec. 164.508(d), (e), and (f), the Department proposed to exempt from the minimum necessary standard any uses or disclosures for which the covered entity had received an authorization that meets the requirements of Sec. 164.508, rather than just those authorizations initiated by the individual. Third, the Department proposed to modify Sec. 164.514(d)(1) to delete the term ``reasonably ensure'' in response to concerns that the term connotes an absolute, strict standard and, therefore, is inconsistent with the Department's intent that the minimum necessary requirements be reasonable and flexible to the unique circumstances of the covered entity. In addition, the Department proposed to generally revise the language in Sec. 
164.514(d)(1) to be more consistent with the description of standards elsewhere in the Privacy Rule. Fourth, so that the minimum necessary standard would be applied consistently to requests for, and disclosures of, protected health information, the Department proposed to add a provision to Sec. 164.514(d)(4) to make the implementation specifications for applying the minimum necessary standard to requests for protected health information by a covered entity more consistent with the corresponding implementation specifications for disclosures. Specifically, for requests not made on a routine and recurring basis, the Department proposed to add the requirement that a covered entity must implement the minimum necessary standard by developing and implementing criteria designed to limit its request for protected health information to the minimum necessary to accomplish the intended purpose. Overview of Public Comments. The following discussion provides an overview of the public comment received on this proposal. Additional comments received on this issue are discussed below in the section entitled, ``Response to Other Public Comments.'' The Department received a number of comments on its proposal to exempt from the minimum necessary standard any use or disclosure of protected health information for which the covered entity has received an authorization that meets the requirements of Sec. 164.508. Many commenters supported this proposal. A few commenters generally urged that the minimum necessary standard be applied to uses and disclosures pursuant to an authorization. 
A few other commenters appeared to misinterpret the policy in the December 2000 Rule and urged that the Department retain the minimum necessary standard for disclosures ``pursuant to an authorization other than disclosures to an individual.'' Some commenters raised specific concerns about authorizations for psychotherapy notes and the particular need for minimum necessary to be applied in these cases. A number of commenters expressed support for the Department's statements in the preamble to the proposed Rule reinforcing that the minimum necessary standard is intended to be flexible to account for the characteristics of the entity's business and workforce, and not intended to override the professional judgment of the covered entity. Similarly, some commenters expressed support for the Department's proposal to remove the term ``reasonably ensure'' from Sec. 164.514(d)(1). However, a few commenters expressed concerns that the proposed alternative language actually would implement a stricter standard than that included in the December 2000 Privacy Rule. Final Modifications. In this final Rule, the Department adopts the proposed policy to exempt from the minimum necessary standard any uses or disclosures for which the covered entity has received an authorization that meets the requirements of Sec. 164.508. The final modification adopts the proposal to eliminate the special authorizations that were required by the December 2000 Privacy Rule at Sec. 164.508(d), (e), and (f). (See section III.E.1. of the preamble for a detailed discussion of the modifications to the authorization requirements of the Privacy Rule.) Since the only authorizations to which the minimum necessary standard applied are being eliminated in favor of a single consolidated authorization, the final Rule correspondingly eliminates the minimum necessary provisions that applied to the now-eliminated special authorizations. 
All uses and disclosures made pursuant to any authorization are exempt from the minimum necessary standard. In response to commenters who opposed this proposal as a potential weakening of privacy protections or who wanted the minimum necessary requirements to apply to authorizations other than disclosures to the individual, the Department notes that nothing in the final Rule eliminates an individual's control over his or her protected health information with respect to an authorization. All authorizations must include a description of the information to be used and disclosed that identifies the information in a specific and meaningful fashion as required by Sec. 164.508(c)(1)(i). If the individual does not wish to release the information requested, the individual has the right to not sign the authorization or to negotiate a narrower authorization with the requestor. Additionally, in response to those commenters who raised specific concerns with respect to authorizations which request release of psychotherapy notes, the Department clarifies that the final Rule does not require a covered entity to use and disclose protected health information pursuant to an authorization. Rather, as with most other uses and disclosures under the Privacy Rule, this is only a permissible use or disclosure. If a covered health care provider is concerned that a request for an individual's psychotherapy notes is not warranted or is excessive, the provider may consult with the individual to determine whether or not the authorization is consistent with the individual's wishes. Further, the Privacy Rule does not permit a health plan to condition enrollment, eligibility for benefits, or payment of a claim on obtaining the individual's authorization to use or disclose psychotherapy notes. Nor may a health care provider condition treatment on an authorization for the use or disclosure of psychotherapy notes. 
Thus, the Department believes that these additional protections appropriately and effectively protect an individual's privacy with respect to psychotherapy notes. The final Rule also retains for clarity the proposal to separate Sec. 164.502(b)(2)(ii) into two subparagraphs (Sec. 164.502(b)(2)(ii) and (iii)); commenters did not explicitly address or raise issues with this proposed clarification. In response to concerns that the proposed language at Sec. 164.514(d)(1) would implement a stricter standard, the Department disagrees and, therefore, adopts the proposed language. The language in Sec. 164.514(d)(1) describes the standard: covered entities are required to meet the requirements in the implementation specifications of Sec. 164.514(d)(2) through (d)(5). The implementation specifications describe what covered entities must do reasonably to limit uses, disclosures, and requests to the minimum necessary. Thus, the Department believes that the language in the implementation specifications is adequate to reflect the Department's intent that the minimum necessary standard is reasonable and flexible to accommodate the unique circumstances of the covered entity. Commenters also generally did not address the Department's proposed clarification to make the implementation specifications for requests of protected health information consistent with those for disclosures of protected health information. Consequently, as commenters did not raise concerns with the proposal, this final Rule adopts the proposed provision at Sec. 164.514(d)(4). For requests of protected health information not made on a routine and recurring basis, a covered entity must implement the minimum necessary standard by developing and implementing criteria designed to limit its request for protected health information to the minimum necessary to accomplish the intended purpose. 
Response to Other Public Comments Comment: Many commenters recommended changes to the minimum necessary standard unrelated to the proposed modifications. For example, some commenters urged that the Department exempt from the minimum necessary standard all uses of protected health information, or at least uses of protected health information for treatment purposes. Alternatively, one commenter urged that the minimum necessary standard be applied to disclosures for treatment purposes. Others requested that the Department exempt uses and disclosures for payment and health care operations from the standard, or exempt disclosures to another covered entity for such purposes. A few commenters argued that the minimum necessary standard should not apply to disclosures to another covered entity. Some urged that the minimum necessary standard be eliminated entirely. Response: The Department did not propose modifications relevant to these comments, nor did it seek comment on these issues. The proposed modifications generally were intended to address those problems or issues that presented workability problems for covered entities or otherwise had the potential to impede an individual's timely access to quality health care. Moreover, the proposed modifications to the minimum necessary standard were either minor clarifications of the Department's intent with respect to the standard or would conform the standard to other proposed modifications. The Department has, in previous guidance as well as in the preamble to the December 2000 Privacy Rule, explained its position with respect to the above concerns. The minimum necessary standard is derived from confidentiality codes and practices in common use today. We continue to believe that it is sound practice not to use or disclose private medical information that is not necessary to satisfy a request or effectively carry out a function. 
The privacy benefits of retaining the minimum necessary standard outweigh the burden involved with implementing the standard. The Department reiterates that position here. Further, the Department designed the minimum necessary standard to be sufficiently flexible to accommodate the various circumstances of any covered entity. Covered entities will develop their own policies and procedures to meet this standard. A covered entity's policies and procedures may and should allow the appropriate individuals within an entity to have access to protected health information as necessary to perform their jobs with respect to the entity's covered functions. The Department is not aware of any workability issues with this standard. With respect to disclosures to another covered entity, the Privacy Rule permits a covered entity reasonably to rely on another covered entity's request for protected health information as the minimum necessary for the intended disclosure. See Sec. 164.514(d)(3)(iii). The Department does not believe, therefore, that a blanket exception for such disclosures is justified. The covered entity who holds the information always retains discretion to make its own minimum necessary determination. Lastly, the Department continues to believe that the exception for disclosures to or requests by health care providers for treatment purposes is appropriate to ensure that access to timely and quality treatment is not impeded. As the Privacy Rule is implemented, the Department will monitor the workability of the minimum necessary standard and consider proposing revisions, where appropriate, to ensure that the Privacy Rule does not hinder timely access to quality health care. Comment: One commenter requested that the Department state in the preamble that the minimum necessary standard may not be used to interfere with or obstruct essential health plan payment and health care operations activities, including quality assurance, disease management, and other activities. 
Another commenter asked that the final Rule's preamble acknowledge that, in some cases, the minimum protected health information necessary for payment or health care operations will be the entire record. One commenter urged that the Rule be modified to presume that disclosure of a patient's entire record is justified, and that such disclosure does not require individual review, when requested for disease management purposes. Response: The minimum necessary standard is not intended to impede essential treatment, payment, or health care operations activities of covered entities. Nor is the Rule intended to change the way covered entities handle their differences with respect to disclosures of protected health information. The Department recognizes that, in some cases, an individual's entire medical record may be necessary for payment or health care operations purposes, including disease management purposes. However, the Department does not believe that disclosure of a patient's entire medical record is always justified for such purposes. The Privacy Rule does not prohibit the request for, or release of, entire medical records in such circumstances, provided that the covered entity has documented the specific justification for the request or disclosure of the entire record. Comment: A few commenters requested that the Department add to the regulatory text some of the statements included in the preamble to the proposed modifications. 
For example, commenters asked that the final Rule state that the minimum necessary standard is ``intended to be consistent with, and not override, professional judgement and standards.'' Similarly, others requested that the regulation specify that ``covered entities must implement policies and procedures based on their own assessment of what protected health information is reasonably necessary for a particular purpose, given the characteristics of their business and their workforce, and using their own professional judgment.'' Response: It is the Department's policy that the minimum necessary standard is intended to be consistent with, and not override, professional judgment and standards, and that covered entities must implement policies and procedures based on their own assessment of what protected health information is reasonably necessary for a particular purpose, given the characteristics of their business and their workforce. However, the Department does not believe a regulatory modification is necessary because the Department has made its policy clear not only in the preamble to the proposed modifications but also in previous guidance and in this preamble. Comment: A commenter argued that the Department should exempt disclosures for any of the standard transactions as required by the Transactions Rule, when information is requested by a health plan or its business associate. Response: The Department disagrees. The Privacy Rule already exempts from the minimum necessary standard data elements that are required or situationally required in any of the standard transactions (Sec. 164.502(b)(2)(v)). If, however, a standard transaction permits the use of optional data elements, the minimum necessary standard applies. For example, the standard transactions adopted for the outpatient pharmacy sector use optional data elements. The payer currently specifies which of the optional data elements are needed for payment of its particular pharmacy claims. 
The minimum necessary standard applies to the payer's request for such information. A pharmacist is permitted to rely on the payer's request for information, if reasonable to do so, as the minimum necessary for the intended disclosure. Comment: A few commenters expressed concerns with respect to a covered entity's disclosures for research purposes. Specifically, one commenter was concerned that a covered entity will not accept documentation of an external IRB's waiver of authorization for purposes of reasonably relying on the request as the minimum necessary. It was suggested that the Department deem that a disclosure to a researcher based on appropriate documentation from an IRB or Privacy Board meets the minimum necessary standard. Response: The Department understands commenters' concerns that covered entities may decline to participate in research studies, but believes that the Rule already addresses this concern. The Privacy Rule explicitly permits a covered entity reasonably to rely on a researcher's documentation or the representations of an IRB or Privacy Board pursuant to Sec. 164.512(i) that the information requested is the minimum necessary for the research purpose. This is true regardless of whether the documentation is obtained from an external IRB or Privacy Board or one that is associated with the covered entity. The preamble to the March 2002 NPRM further reinforced this policy by stating that reasonable reliance on an IRB's documentation of approval of the waiver criteria and a description of the data needed for the research as required by Sec. 164.512(i) would satisfy a covered entity's obligations with respect to limiting the disclosure to the minimum necessary. The Department reiterates this policy here and believes that this should give covered entities sufficient confidence in accepting IRB waivers of authorization. 
Comment: A number of commenters requested that the Department limit the amount of information that pharmacy benefits managers (PBM) may demand from pharmacies as part of their claims payment activities. Response: The health plan, as a covered entity, is obligated to instruct the PBM, as its business associate acting through the business associate contract, to request only the minimum amount of information necessary to pay a claim. The pharmacist may rely on this determination if reasonable to do so, and then does not need to engage in a separate minimum necessary assessment. If a pharmacist does not agree that the amount of information requested is reasonably necessary for the PBM to fulfill its obligations, it is up to the pharmacist and PBM to negotiate a resolution of the dispute as to the amount of information needed by the PBM to carry out its obligations and that the pharmacist is willing to provide, recognizing that the PBM is not required to pay claims if it has not received the information it believes is necessary to process the claim in accordance with its procedures, including fraud prevention procedures. The standard for electronic pharmacy claims, adopted by the Secretary in the Transactions Rule, includes optional data elements and relies on each payer to specify the data elements required for payment of its claims. Understandably, the majority of health plans require some patient identification elements in order to adjudicate claims. As the National Council for Prescription Drug Programs (NCPDP) moves from optional to required and situational data elements, the question of whether the specific element of ``patient name'' should be required or situational will be debated by the NCPDP, by the Designated Standards Maintenance Organizations, by the National Committee on Vital and Health Statistics, and ultimately will be decided in rulemaking by the Secretary. 
Comment: One commenter requested that the minimum necessary standard be made an administrative requirement rather than a standard for uses and disclosures, to ease liability concerns with implementing the standard. The commenter stated that this change would mean that covered entities would be required to implement reasonable minimum necessary policies and procedures and would be liable if: (1) They fail to implement minimum necessary policies and procedures; (2) their policies and procedures are not reasonable; or (3) they fail to enforce their policies and procedures. The commenter further explained that health plans would be liable if their policies and procedures for requesting health information were unreasonable, but the burden of liability for the request shifts largely to the entity best suited to determine whether the amount of information requested is the minimum necessary. Response: The Privacy Rule already requires covered entities to implement reasonable minimum necessary policies and procedures and to limit any use, disclosure, or request for protected health information in a manner consistent with its policies and procedures. The minimum necessary standard is an appropriate standard for uses and disclosures, and is not merely an administrative requirement. The Privacy Rule provides adequate flexibility to adopt minimum necessary policies and procedures that are workable for the covered entity, thereby minimizing a covered entity's liability concerns. Comment: A number of commenters expressed concerns about application of the minimum necessary standard to disclosures for workers' compensation purposes. Commenters argued that the standard will prevent workers' compensation insurers and State administrators, as well as employers, from obtaining the information needed to pay injured workers the benefits guaranteed under the State workers' compensation system. 
They also argued that the minimum necessary standard could lead to fraudulent claims and unnecessary legal action in order to obtain information needed for workers' compensation purposes. Response: The Privacy Rule is not intended to disrupt existing workers' compensation systems as established by State law. In particular, the Rule is not intended to impede the flow of health information that is needed by employers, workers' compensation carriers, or State officials in order to process or adjudicate claims and/or coordinate care under the workers' compensation system. To this end, the Privacy Rule at Sec. 164.512(l) explicitly permits a covered entity to disclose protected health information as authorized by, and to the extent necessary to comply with, workers' compensation or other similar programs established by law that provide benefits for work- related injuries or illnesses without regard to fault. The minimum necessary standard permits covered entities to disclose any protected health information under Sec. 164.512(l) that is reasonably necessary for workers' compensation purposes and is intended to operate so as to permit information to be shared for such purposes to the full extent permitted by State or other law. Additionally, where a State or other law requires a disclosure of protected health information for workers' compensation purposes, such disclosure is permitted under Sec. 164.512(a). A covered entity also is permitted to disclose protected health information to a workers' compensation insurer where the insurer has obtained the individual's authorization pursuant to Sec. 164.508 for the release of such information. The minimum necessary provisions do not apply to disclosures required by law or made pursuant to authorizations. See Sec. 164.502(b), as modified herein. Further, the Department notes that a covered entity is permitted to disclose information to any person or entity as necessary to obtain payment for health care services. 
The minimum necessary provisions apply to such disclosures but permit the covered entity to disclose the amount and types of information that are necessary to obtain payment. The Department also notes that because the disclosures described above are permitted by the Privacy Rule, there is no potential for conflict with State workers' compensation laws, and, thus, no possibility of preemption of such laws by the Privacy Rule. The Department's review of certain State workers' compensation laws demonstrates that many of these laws address the issue of the scope of information that is available to carriers and employers. The Privacy Rule's minimum necessary standard will not create an obstacle to the type and amount of information that currently is provided to employers, workers' compensation carriers, and State administrative agencies under these State laws. In many cases, the minimum necessary standard will not apply to disclosures made pursuant to such laws. In other cases, the minimum necessary standard applies, but permits disclosures to the full extent authorized by the workers' compensation laws. For example, Texas workers' compensation law requires a health care provider, upon the request of the injured employee or insurance carrier, to furnish records relating to the treatment or hospitalization for which compensation is being sought. Since such disclosure is required by law, it also is permissible under the Privacy Rule at Sec. 164.512(a) and exempt from the minimum necessary standard. The Texas law further provides that a health care provider is permitted to disclose to the insurance carrier records relating to the diagnosis or treatment of the injured employee without the authorization of the injured employee to determine the amount of payment or the entitlement to payment. Since the disclosure only is permitted and not required by Texas law, the provisions at Sec. 164.512(l) would govern to permit such disclosure. 
In this case, the minimum necessary standard would apply to the disclosure but would allow for information to be disclosed as authorized by the statute, that is, as necessary to ``determine the amou