[Federal Register: December 28, 2000 (Volume 65, Number 250)] [Rules and Regulations] [Page 82611-82660] From the Federal Register Online via GPO Access [wais.access.gpo.gov] [DOCID:fr28de00-32] [[pp. 82611-82660]] Standards for Privacy of Individually Identifiable Health Information [[Continued from page 82610]] [[Page 82611]] disclosures for health care operations, not for oversight purposes. When they are performing accreditation activities for a covered entity, private accrediting organizations will meet the definition of business associate, and the covered entity must enter into a business associate contract with the accrediting organization in order to disclose protected health information. This is consistent with current practice; today, accrediting organizations perform their work pursuant to contracts with the accredited entity. This approach is also consistent with the recommendation by the Joint Commission on Accreditation of Healthcare Organizations and the National Committee for Quality Assurance, which stated in their report titled Protecting Personal Health Information: A Framework for Meeting the Challenges in a Managed Care Environment (1998) that ``Oversight organizations, including accrediting bodies, states, and federal agencies, should include in their contracts terms that describe their responsibility to maintain the confidentiality of any personally identifiable health information that they review.'' We agree with the commenter who believed that private companies providing information to insurers and employers are not performing an oversight function; the definition of health oversight agency does not include such companies. In developing and clarifying the definition of health oversight in the final rule, we seek to achieve a balance in accounting for the full range of activities that public agencies may undertake to perform their health oversight functions while establishing clear and appropriate boundaries on the definition so that it does not become a catch-all category that public and private agencies could use to justify any request for information. Individual Comment: A few commenters stated that foreign military and diplomatic personnel, and their dependents, and overseas foreign national beneficiaries, should not be excluded from the definition of ``individual.'' Response: We agree with concerns stated by commenters and eliminate these exclusions from the definition of ``individual'' in the final rule. Special rules for use and disclosure of protected health information about foreign military personnel are stated in Sec. 164.512(k). Under the final rule, protected health information about diplomatic personnel is not accorded special treatment. While the exclusion of overseas foreign national beneficiaries has been deleted from the definition of ``individual,'' we have revised Sec. 164.500 to indicate that the rule does not apply to the Department of Defense or other federal agencies or non-governmental organizations acting on its behalf when providing health care to overseas foreign national beneficiaries. This means that the rule will not cover any health information created incident to the provision of health care to foreign nationals overseas by U.S. sponsored missions or operations. (See Sec. 164.500 and its corresponding preamble for details and the rationale for this policy.) Comment: Several commenters expressed concern about the interrelationship of the definition of ``individual'' and the two year privacy protection for deceased persons. Response: In the final rule, we eliminate the two year limit on privacy protection for protected health information about deceased individuals and require covered entities to comply with the requirements of the rule with respect to the protected health information of deceased individuals as long as they hold such information. See discussion under Sec. 164.502. Individually Identifiable Health Information Comment: A number of commenters suggested that HHS revise the definitions of health information and individually identifiable health information to include consistent language in paragraph (1) of each respective definition. They observed that paragraph (1) of the definition of health information reads: ``(1) Is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse * * *;'' in contrast to paragraph (1) of the definition of individually identifiable health information, which reads: ``(1) Is created by or received from a health care provider, health plan, employer, or health care clearinghouse * * *'' [Emphasis added.] Another commenter asked that we delete from the definition of health information, the words ``health or'' to make the definition more consistent with the definition of ``health care,'' as well as the words ``whether oral or.'' Response: We define these terms in the final rule as they are defined by Congress in sections 1171(4) and 1171(6) of the Act, respectively. We have, however, changed the word ``from'' in the definition of ``individually identifiable health information'' to conform to the statute. Comment: Several commenters urged that the definition of individually identifiable health information include information created or received by a researcher. They reasoned that it is important to ensure that researchers using personally identifiable health information are subject to federal privacy standards. They also stated that if information created by a school regarding the health status of its students could be labeled ``health information,'' then information compiled by a clinical researcher regarding an individual also should be considered health information. Response: We are restricted to the statutory limits of the terms. The Congress did not include information created or received by a researcher in either definition, and, consequently, we do not include such language in the rule's definitions. Comment: Several commenters suggested modifying the definition of individually identifiable health information to state as a condition that the information provide a direct means of identifying the individual. They commented that the rule should support the need of those (e.g., researchers) who need ``ready access to health information * * * that remains linkable to specific individuals.'' Response: The Congress included in the statutory definition of individually identifiable health information the modifier ``reasonable basis'' when describing the condition for determining whether information can be used to identify the individual. Congress thus intended to go beyond ``direct'' identification and to encompass circumstances in which a reasonable likelihood of identification exists. Even after removing ``direct'' or ``obvious'' identifiers of information, a risk or probability of identification of the subject of the information may remain; in some instances, the risk will not be inconsequential. Thus, we agree with the Congress that ``reasonable basis'' is the appropriate standard to adequately protect the privacy of individuals' health information. Comment: A number of commenters suggested that the Secretary eliminate the distinction between protected health information and individually identifiable health information. One commenter asserted that all individually identifiable health information should be protected. One commenter observed that the terms individually identifiable health information and protected health information are defined differently in the rule and requested clarification as to the precise scope of coverage of the standards. Another commenter stated [[Page 82612]] that the definition of individually identifiable health information includes ``employer,'' whereas protected health information pertains only to covered entities for which employers are not included. The commenter argued that this was an ``incongruity'' between the definitions of individually identifiable health information and protected health information and recommended that we remove ``employer'' from the definition of individually identifiable health information. Response: We define individually identifiable health information in the final rule generally as it is defined by Congress in section 1171(6) of the Act. Because ``employer'' is included in the statutory definition, we cannot accept the comment to remove the word ``employer'' from the regulatory definition. We use the phrase `protected health information' to distinguish between the individually identifiable health information that is used or disclosed by the entities that are subject to this rule and the entire universe of individually identifiable health information. `Individually identifiable health information' as defined in the statute is not limited to health information used or disclosed by covered entities, so the qualifying phrase `protected health information' is necessary to define that individually identifiable health information to which this rule applies. Comment: One commenter noted that the definition of individually identifiable health information in the NPRM appeared to be the same definition used in the other HIPAA proposed rule, Security and Electronic Signature Standards (63 FR 43242). However, the commenter stated that the additional condition in the privacy NPRM, that protected health information is or has been electronically transmitted or electronically maintained by a covered entity and includes such information in any other form, appears to create potential disparity between the requirements of the two rules. The commenter questioned whether the provisions in proposed Sec. 164.518(c) were an attempt to install similar security safeguards for such situations. Response: The statutory definition of individually identifiable health information applies to the entire Administrative Simplification subtitle of HIPAA and, thus, was included in the proposed Security Standards. At this time, however, the final Security Standards have not been published, so the definition of protected health information is relevant only to HIPAA's privacy standards and is, therefore, included in subpart E of part 164 only. We clarify that the requirements in the proposed Security Standards are distinct and separate from the privacy safeguards promulgated in this final rule. Comment: Several commenters expressed confusion and requested clarification as to what is considered health information or individually identifiable health information for purposes of the rule. For example, one commenter was concerned that information exists in collection agencies, credit bureaus, etc., which could be included under the proposed regulation but may or may not have been originally obtained by a covered entity. The commenter noted that generally this information is not clinical, but it could be inferred from the data that a health care provider provided a person or member of person's family with health care services. The commenter urged the Secretary to define more clearly what and when information is covered. One commenter queried how a non-medical record keeper could tell when personal information is health information within the meaning of rule, e.g., when a worker asks for a low salt meal in a company cafeteria, when a travel voucher of an employee indicates that the traveler returned from an area that had an outbreak of fever, or when an airline passenger requests a wheel chair. It was suggested that the rule cover health information in the hands of schools, employers, and life insurers only when they receive individually identifiable health information from a covered entity or when they create it while providing treatment or making payment. Response: This rule applies only to individually identifiable health information that is held by a covered entity. Credit bureaus, airlines, schools, and life insurers are not covered entities, so the information described in the above comments is not protected health information. Similarly, employers are not covered entities under the rule. Covered entities must comply with this regulation in their health care capacity, not in their capacity as employers. For example, information in hospital personnel files about a nurses' sick leave is not protected health information under this rule. Comment: One commenter recommended that the privacy of health information should relate to actual medical records. The commenter expressed concern about the definition's broadness and contended that applying prescriptive rules to information that health plans hold will not only delay processing of claims and coverage decisions, but ultimately affect the quality and cost of care for health care consumers. Response: We disagree. Health information about individuals exists in many types of records, not just the formal medical record about the individual. Limiting the rule's protections to individually identifiable health information contained in medical records, rather than individually identifiable health information in any form, would omit a significant amount of individually identifiable health information, including much information in covered transactions. Comment: One commenter voiced a need for a single standard for individually identifiable health information and disability and workers' compensation information; each category of information is located in their one electronic data base, but would be subjected to a different set of use and transmission rules. Response: We agree that a uniform, comprehensive privacy standard is desirable. However, our authority under the HIPAA is limited to individually identifiable health information as it is defined in the statute. The legislative history of HIPAA makes clear that workers' compensation and disability benefits programs were not intended to be covered by the rule. Entities are of course free to apply the protections required by this rule to all health information they hold, including the excepted benefits information, if they wish to do so (for example, in order to reduce administrative burden). Comment: Commenters recommended that the definition of individually identifiable health information not include demographic information that does not have any additional health, treatment, or payment information with it. Another commenter recommended that protected health information should not include demographic information at all. Response: Congress explicitly included demographic information in the statutory definition of this term, so we include such language in our regulatory definition of it. Comments: A number of commenters expressed concern about whether references to personal information about individuals, such as ``John Doe is fit to work as a pipe fitter * * *'' or ``Jane Roe can stand no more than 2 hours * * *'', would be considered individually identifiable health information. They argued that such ``fitness-to- work'' and ``fitness for duty'' statements are not health care because they do not reveal the type of [[Page 82613]] information (such as the diagnosis) that is detrimental to an individual's privacy interest in the work environment. Response: References to personal information such as those suggested by the commenters could be individually identifiable health information if the references were created or received by a health care provider, health plan, employer, or health care clearinghouse and they related to the past, present, or future physical or mental health or condition, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual. Although these fitness for duty statements may not reveal a diagnosis, they do relate to a present physical or mental condition of an individual because they describe the individual's capacity to perform the physical and mental requirements of a particular job at the time the statement is made (even though there may be other non-health- based qualifications for the job). If these statements were created or received by one of more of the entities described above, they would be individually identifiable health information. Law Enforcement Official Comment: Some commenters, particularly those representing health care providers, expressed concern that the proposed definition of ``law enforcement official'' could have allowed many government officials without health care oversight duties to obtain access to protected health information without patient consent. Response: We do not intend for the definition of ``law enforcement official'' to be limited to officials with responsibilities directly related to health care. Law enforcement officials may need protected health information for investigations or prosecutions unrelated to health care, such as investigations of violent crime, criminal fraud, or crimes committed on the premises of health care providers. For these reasons, we believe it is not appropriate to limit the definition of ``law enforcement official'' to persons with responsibilities of oversight of the health care system. Comment: A few commenters expressed concern that the proposed definition could include any county or municipal official, even those without traditional law enforcement training. Response: We do not believe that determining training requirements for law enforcement officials is appropriately within the purview of this regulation; therefore, we do not make the changes that these commenters requested. Comment: Some commenters, particularly those from the district attorney community, expressed general concern that the proposed definition of ``law enforcement official'' was too narrow to account for the variation in state interpretations of law enforcement officials' power. One group noted specifically that the proposed definition could have prevented prosecutors from gaining access to needed protected health information. Response: We agree that protected health information may be needed by law enforcement officials for both investigations and prosecutions. We did not intend to exclude the prosecutorial function from the definition of ``law enforcement official,'' and accordingly we modify the definition of law enforcement official to reflect their involvement in prosecuting cases. Specifically, in the final rule, we define law enforcement official as an official of any agency or authority of the United States, a state, a territory, a political subdivision of a state or territory, or an Indian tribe, who is empowered by law to: (1) Investigate or conduct an inquiry into a potential violation of law; or (2) prosecute or otherwise conduct a criminal, civil, or administrative proceeding arising from an alleged violation of law. Comment: One commenter recommended making the definition of law enforcement official broad enough to encompass Medicaid program auditors, because some matters requiring civil or criminal law enforcement action are first identified through the audit process. Response: We disagree. Program auditors may obtain protected health information necessary for their audit functions under the oversight provision of this regulation (Sec. 164.512(d)). Comment: One commenter suggested that the proposed definition of ``law enforcement official'' could be construed as limited to circumstances in which an official ``knows'' that law has been violated. This commenter was concerned that, because individuals are presumed innocent and because many investigations, such as random audits, are opened without an agency knowing that there is a violation, the definition would not have allowed disclosure of protected health information for these purposes. The commenter recommended modifying the definition to include investigations into ``whether'' the law has been violated. Response: We do not intend for lawful disclosures of protected health information for law enforcement purposes to be limited to those in which a law enforcement official knows that law has been violated. Accordingly, we revise the definition of ``law enforcement official'' to include investigations of ``potential'' violations of law. Marketing Comments related to ``marketing'' are addressed in the responses to comments regarding Sec. 164.514(e). Payment Comment: One commenter urged that the Department not permit protected health information to be disclosed to a collection agency for collecting payment on a balance due on patient accounts. The commenter noted that, at best, such a disclosure would only require the patient's and/or insured's address and phone number. Response: We disagree. A collection agency may require additional protected health information to investigate and assess payment disputes for the covered entity. For example, the collection agency may need to know what services the covered entity rendered in order to resolve disputes about amounts due. The information necessary may vary, depending on the nature of the dispute. Therefore we do not specify the information that may be used or disclosed for collection activities. The commenter's concern may be addressed by the minimum necessary requirements in Sec. 164.514. Under those provisions, when a covered entity determines that a collection agency only requires limited information for its activities, it must make reasonable efforts to limit disclosure to that information. Comment: A number of commenters supported retaining the expansive definition in the proposed rule so that current methods of administering the claims payment process would not be hindered by blocking access to protected health information. Response: We agree and retain the proposed overall approach to the definition. Comment: Some commenters argued that the definition of ``payment'' should be narrowly interpreted as applying only to the individual who is the subject of the information. Response: We agree with the commenter and modify the definition to clarify that payment activities relate to the individual to whom health care is provided. Comment: Another group of commenters asserted that the doctor- patient relationship was already being interfered with by the current practices of managed care. For example, it was argued that the definition expanded the [[Page 82614]] power of government and other third party ``payors,'' turning them into controllers along with managed care companies. Others stated that activities provided for under the definition occur primarily to fulfill the administrative function of managed health plans and that an individual's privacy is lost when his or her individually identifiable health information is shared for administrative purposes. Response: Activities we include in the definition of payment reflect core functions through which health care and health insurance services are funded. It would not be appropriate for a rule about health information privacy to hinder mechanisms by which health care is delivered and financed. We do not through this rule require any health care provider to disclose protected health information to governmental or other third party payors for the activities listed in the payment definition. Rather, we allow these activities to occur, subject to and consistent with the requirements of this rule. Comment: Several commenters requested that we expand the definition to include ``coordination of benefits'' as a permissible activity. Response: We agree and modify the definition accordingly. Comment: A few commenters raised concerns that the use of ``medical data processing'' was too restrictive. It was suggested that a broader reference such as ``health related'' data processing would be more appropriate. Response: We agree and modify the definition accordingly. Comment: Some commenters suggested that the final rule needed to clarify that drug formulary administration activities are payment related activities. Response: While we agree that uses and disclosures of protected health information for drug formulary administration and development are common and important activities, we believe these activities are better described as health care operations and that these activities come within that definition. Comment: Commenters asked that the definition include calculation of prescription drug costs, drug discounts, and maximum allowable costs and copayments. Response: Calculations of drug costs, discounts, or copayments are payment activities if performed with respect to a specific individual and are health care operations if performed in the aggregate for a group of individuals. Comment: We were urged to specifically exclude ``therapeutic substitution'' from the definition. Response: We reject this suggestion. While we understand that there are policy concerns regarding therapeutic substitution, those policy concerns are not primarily about privacy and thus are not appropriately addressed in this regulation. Comment: A few commenters asked that patient assistance programs (PAPS) should be excluded from the definition of payment. Such programs are run by or on behalf of manufacturers and provide free or discounted medications to individuals who could not afford to purchase them. Commenters were concerned that including such activities in the definition of payment could harm these programs. For example, a university school of pharmacy may operate an outreach program and serve as a clearinghouse for information on various pharmaceutical manufacturer PAPS. Under the program state residents can submit a simple application to the program (including medication regimen and financial information), which is reviewed by program pharmacists who study the eligibility criteria and/or directly call the manufacturer's program personnel to help evaluate eligibility for particular PAPS. The program provides written guidance to the prescribing physicians that includes a suggested approach for helping their indigent patients obtain the medications that they need and enrollment information for particular PAPS. Response: We note that the concerns presented are not affected by definition of ``payment.'' The application of this rule to patient assistance programs activities will depend on how the individual programs operate and are affected primarily by the definition of treatment. Each of these programs function differently, so it is not possible to state a blanket rule for whether and how the rule affects such programs. Under the example provided, the physician who contacts the program on behalf of a patient is managing the patient's care. If the provider is also a covered entity, he or she would be permitted to make such a ``treatment'' disclosure of protected health information if a general consent had been obtained from the patient. Depending on the particular facts, the manufacturer, by providing the prescription drugs for an individual, could also be providing health care under this rule. Even so, however, the manufacturer may or may not be a covered entity, depending on whether or not it engages in any of the standard electronic transactions (See the definition of a covered entity). It also may be an indirect treatment provider, since it may be providing the product through another provider, not directly to the patient. In this example, the relevant disclosures of protected health information by any covered health care provider with a direct treatment relationship with the patient would be permitted subject to the general consent requirements of Sec. 164.506. Whether and how this rule affects the school of pharmacy is equally dependent on the specific facts. For example, if the school merely provides a patient or a physician with the name of a manufacturer and a contact phone number, it would not be functioning as a health care provider and would not be subject to the rule. However, if the school is more involved in the care of the individual, its activities could come in within the definition of ``health care provider'' under this rule. Comment: Commenters pointed out that drugs may or may not be ``covered'' under a plan. Individuals, on the other hand, may or may not be ``eligible'' for benefits under a plan. The definition should incorporate both terms to clarify that determinations of both coverage and eligibility are payment activities. Response: We agree and modify the rule to include ``eligibility''. Comment: Several commenters urged that ``concurrent and retrospective review'' were significant utilization review activities and should be incorporated. Response: We agree and modify the definition accordingly. Comment: Commenters noted that the proposed rule was not clear as to whether protected health information could be used to resolve disputes over coverage, including appeals or complaints regarding quality of care. Response: We modify the definition of payment to include resolution of payment and coverage disputes; the final definition of payment includes ``the adjudication * * * of health benefit claims.'' The other examples provided by commenters, such as arranging, conducting, or assistance with primary and appellate level review of enrollee coverage appeals, also fall within the scope of adjudication of health benefits claims. Uses and disclosures of protected health information to resolve disputes over quality of care may be made under the definition of ``health care operations'' (see above). Comment: Some commenters suggested that if an activity falls within the scope of payment it should not be considered marketing. Commenters supported an approach that would bar such an activity from being construed as ``marketing'' even if performing that [[Page 82615]] activity would result in financial gain to the covered entity. Response: We agree that the proposed rule did not clearly define ``marketing,'' leaving commenters to be concerned about whether payment activities that result in financial gain might be considered marketing. In the final rule we add a definition of marketing and clarify when certain activities that would otherwise fall within that definition can be accomplished without authorization. We believe that these changes will clarify the distinction between marketing and payment and address the concerns raised by commenters. Comment: Commenters asserted that HHS should not include long-term care insurance within the definition of ``health plan.'' If they are included, the commenters argued that the definition of payment must be modified to reflect the activities necessary to support the payment of long-term care insurance claims. As proposed, commenters argued that the definition of payment would not permit long term care insurers to use and disclose protected health information without authorization to perform functions that are ``compatible with and directly relate to * * * payment'' of claims submitted under long term care policies. Response: Long-term care policies, except for nursing home fixed- indemnity policies, are defined as health plans by the statute (see definition of ``health plan,'' above). We disagree with the assertion that the definition of payment does not permit long term care insurers to undertake these necessary activities. Processing of premium payments, claims administration, and other activities suggested for inclusion by the commenters are covered by the definition. The rule permits protected health information to be used or disclosed by a health plan to determine or fulfill its responsibility for provision of benefits under the health plan. Comment: Some commenters argued that the definition needs to be expanded to include the functions of obtaining stop-loss and ceding reinsurance. Response: We agree that use and disclosure of protected health information for these activities should be permitted without authorization, but have included them under health care operation rather than payment. Comment: Commenters asked that the definition be modified to include collection of accounts receivable or outstanding accounts. Commenters raised concern that the proposed rule, without changes, might unintentionally prevent the flow of information between medical providers and debt collectors. Response: We agree that the proposed definition of payment did not explicitly provide for ``collection activities'' and that this oversight might have impeded a covered entity's debt collection efforts. We modify the regulatory text to add ``collection activities.'' Comment: The preamble should clarify that self-insured group health and workers' compensation plans are not covered entities or business partners. Response: The statutory definition of health plan does not include workers' compensation products. See the discussion of ``health plan'' under Sec. 160.103 above. Comment: Certain commenters explained that third party administrators usually communicate with employees through Explanation of Benefit (EOB) reports on behalf of their dependents (including those who might not be minor children). Thus, the employee might be apprised of the medical encounters of his or her dependents but not of medical diagnoses unless there is an over-riding reason, such as a child suspected of drug abuse due to multiple prescriptions. The commenters urged that the current claim processing procedures be allowed to continue. Response: We agree. We interpret the definition of payment and, in particular the term ``claims management,'' to include such disclosures of protected health information. Comment: One private company noted that pursuant to the proposed Transactions Rule standard for payment and remittance advice, the ASC X12N 835 can be used to make a payment, send a remittance advice, or make a payment and send remittance advice by a health care payor and a health care provider, either directly or through a designated financial institution. Because a remittance advice includes diagnostic or treatment information, several private companies and a few public agencies believed that the proposed Transactions Rule conflicted with the proposed privacy rule. Two health plans requested guidance as to whether, pursuant to the ASC X12N 835 implementation guide, remittance advice information is considered ``required'' or ``situational.'' They sought guidance on whether covered entities could include benefits information in payment of claims and transfer of remittance information. One commenter asserted that if the transmission of certain protected health information were prohibited, health plans may be required to strip remittance advice information from the ASC X12N 835 when making health care payments. It recommended modifying the proposed rule to allow covered entities to provide banks or financial institutions with the data specified in any transaction set mandated under the Transactions Rule for health care claims payment. Similarly, a private company and a state health data organization recommended broadening the scope of permissible disclosures pursuant to the banking section to include integrated claims processing information, as contained in the ASC X12N 835 and proposed for adoption in the proposed Transactions Rule; this transaction standard includes diagnostic and treatment information. The company argued that inclusion of diagnostic and treatment information in the data transmitted in claims processing was necessary for comprehensive and efficient integration in the provider's patient accounting system of data corresponding with payment that financial institutions credit to the provider's account. A state health data organization recommended applying these rules to financial institutions that process electronic remittance advice pursuant to the Transactions Rule. Response: The Transactions Rule was published August 17, 2000, after the issuance of the privacy proposed rule. As noted by the commenters, the ASC X12N 835 we adopted as the ``Health Care Payment and Remittance Advice'' standard in the Transactions Rule has two parts. They are the electronic funds transfer (EFT) and the electronic remittance advice (ERA). The EFT part is optional and is the mechanism that payors use to electronically instruct one financial institution to move money from one account to another at the same or at another financial institution. The EFT includes information about the payor, the payee, the amount, the payment method, and a reassociation trace number. Since the EFT is used to initiate the transfer of funds between the accounts of two organizations, typically a payor to a provider, it includes no individually identifiable health information, not even the names of the patients whose claims are being paid. The funds transfer information may also be transmitted manually (by check) or by a variety of other electronic means, including various formats of electronic transactions sent through a payment network, such as the Automated Clearing House (ACH) Network. The ERA, on the other hand, contains specific information about the patients and the medical procedures for which [[Page 82616]] the money is being paid and is used to update the accounts receivable system of the provider. This information is always needed to complete a standard Health Care Payment and Remittance Advice transaction, but is never needed for the funds transfer activity of the financial institution. The only information the two parts of this transaction have in common is the reassociation trace number. Under the ASC X12N 835 standard, the ERA may be transmitted alone, directly from the health plan to the health care provider and the reassociation trace number is used by the provider to match the ERA information with a specific payment conducted in some other way (e.g., EFT or paper check). The standard also allows the EFT to be transmitted alone, directly to the financial institution that will initiate the payment. It also allows both parts to be transmitted together, even though the intended recipients of the two parts are different (the financial institution and the provider). For example, this would be done when the parties agree to use the ACH system to carry the ERA through the provider's bank to the provider when it is more efficient than sending the ERA separately through a different electronic medium. Similarly, the ASC X12N 820 standard for premium payments has two parts, an EFT part (identical to that of the 835) and a premium data part containing identity and health information about the individuals for whom health insurance premiums are being paid. The transmission of both parts of the standards are payment activities under this rule, and permitted subject to certain restrictions. Because a financial institution does not require the remittance advice or premium data parts to conduct funds transfers, disclosure of those parts by a covered entity to it (absent a business associate arrangement to use the information to conduct other activities) would be a violation of this rule. We note that additional requirements may be imposed by the final Security Rule. Under the proposed Security Rule, the ACH system and similar systems would have been considered ``open networks'' because transmissions flow unpredictably through and become available to member institutions who are not party to any business associate agreements (in a way similar to the internet). The proposed Security Rule would require any protected health information transferred through the ACH or similar system to be encrypted. Comment: A few commenters noted the Gramm-Leach-Bliley (GLB) Act (Pub. L. 106-102) allows financial holding companies to engage in a variety of business activities, such as insurance and securities, beyond traditional banking activities. Because the term ``banking'' may take on broader meaning in light of these changes, the commenter recommended modifying the proposed rule to state that disclosure of diagnostic and treatment information to banks along with payment information would constitute a violation of the rule. Specifically, the organization recommended clarifying in the final rule that the provisions included in the proposed section on banking and payment processes (proposed Sec. 164.510(i)) govern payment processes only and that all activities of financial institutions that did not relate directly to payment processes must be conducted through business partner contracts. Furthermore, this group recommended clarifying that if financial institutions act as payors, they will be covered entities under the rule. Response: We recognize that implementation of the GLB Act will expand significantly the scope of activities in which financial holding companies engage. However, unless a financial institution also meets the definition of a ``covered entity,'' it cannot be a covered entity under this rule. We agree with the commenters that disclosure of diagnostic and specific treatment information to financial institutions for many banking and funds processing purposes may not be consistent with the minimum necessary requirements of this final rule. We also agree with the commenters that financial institutions are business associates if they receive protected health information when they engage in activities other than funds processing for covered entities. For example, if a health care provider contracts with a financial institution to conduct ``back office'' billing and accounts receivable activities, we require the provider to enter into a business associate contract with the institution. Comment: Two commenters expressed support for the proposed rule's approach to disclosure for banking and payment processes. On the other hand, many other commenters were opposed to disclosure of protected health information without authorization to banks. One commenter said that no financial institution should have individually identifiable health information for any reason, and it said there were technological means for separating identity from information necessary for financial transactions. Some commenters believed that implementation of the proposed rule's banking provisions could lead banks to deny loans on the basis of individuals' health information. Response: We seek to achieve a balance between protecting patient privacy and facilitating the efficient operation of the health care system. While we agree that financial institutions should not have access to extensive information about individuals' health, we recognize that even the minimal information required for processing of payments may effectively reveal a patient's health condition; for example, the fact that a person has written a check to a provider suggests that services were rendered to the person or a family member. Requiring authorization for disclosure of protected health information to a financial institution in order to process every payment transaction in the health care system would make it difficult, if not impossible, for the health care system to operate effectively. See also discussion of section 1179 of the Act above. Comment: Under the proposed rule, covered entities could have disclosed the following information without consent to financial institutions for the purpose of processing payments: (1) The account holder's name and address; (2) the payor or provider's name and address; (3) the amount of the charge for health services; (4) the date on which services were rendered; (5) the expiration date for the payment mechanism, if applicable (e.g., credit card expiration date); and (6) the individual's signature. The proposed rule solicited comments on whether additional data elements would be necessary to process payment transactions from patients to covered entities. One commenter believed that it was unnecessary to include this list in the final rule, because information that could have been disclosed under the proposed minimum necessary rule would have been sufficient to process banking and payment information. Another private company said that its extensive payment systems experience indicated that we should avoid attempts to enumerate a list of information allowed to be disclosed for banking and payment processing. Furthermore, the commenter said, the proposed rule's list of information allowed to be disclosed was not sufficient to perform the range of activities necessary for the operation of modern electronic payment systems. Finally, the commenter said, inclusion of specific data elements allowed to be [[Page 82617]] disclosed for banking and payment processes rule would stifle innovation in continually evolving payment systems. Thus, the commenter recommended that in the final rule, we eliminate the minimum necessary requirement for banking and payment processing and that we do not include a list of specific types of information allowed to be disclosed for banking and payment processes. On the other hand, several other commenters supported applying the minimum necessary standard to covered entities' disclosures to financial institutions for payment processing. In addition, these groups said that because financial institutions are not covered entities under the proposed rule, they urged Congress to enact comprehensive privacy legislation to limit financial institutions' use and re-disclosure of the minimally necessary protected health information they could receive under the proposed rule. Several of these commenters said that, in light of the increased ability to manipulate data electronically, they were concerned that financial institutions could use the minimal protected health information they received for making financial decisions. For example, one of these commenters said that a financial institution could identify an individual who had paid for treatment of domestic violence injuries and subsequently could deny the individual a mortgage based on that information. Response: We agree with the commenters who were concerned that a finite list of information could hamper systems innovation, and we eliminate the proposed list of data items. However, we disagree with the commenters who argued that the requirement for minimum necessary disclosures not apply to disclosures to financial institution or for payment activities. They presented no persuasive reasons why these disclosures differ from others to which the standard applies, nor did they suggest alternative means of protecting individuals' privacy. Further, with elimination of the proposed list of items that may be disclosed, it will be necessary to rely on the minimum necessary disclosure requirement to ensure that disclosures for payment purposes do not include information unnecessary for that purposes. In practice, the following is the information that generally will be needed: the name and address of the individual; the name and address of the payor or provider; the amount of the charge for health services; the date on which health services were rendered; the expiration date for the payment mechanism, if applicable (i.e., credit card expiration date); the individual's signature; and relevant identification and account numbers. Comment: One commenter said that the minimum necessary standard would be impossible to implement with respect to information provided on its standard payment claim, which, it said, was used by pharmacies for concurrent drug utilization review and that was expected to be adopted by HHS as the national pharmacy payment claim. Two other commenters also recommended clarifying in the final rule that pharmacy benefit cards are not considered a type of ``other payment card'' pursuant to the rule's provisions governing payment processes. These commenters were concerned that if pharmacy benefit cards were covered by the rule's payment processing provisions, their payment claim, which they said was expected to be adopted by HHS as the national pharmacy payment claim, may have to be modified to comply with the minimum necessary standard that would have been required pursuant to proposed Sec. 164.510(i) on banking and payment processes. One of these commenters noted that its payment claim facilitates concurrent drug utilization review, which was mandated by Congress pursuant to the Omnibus Budget Reconciliation Act of 1990 and which creates the real- time ability for pharmacies to gain access to information that may be necessary to meet requirements of this and similar state laws. The commenter said that information on its standard payment claim may include information that could be used to provide professional pharmacy services, such as compliance, disease management, and outcomes programs. The commenter opposed restricting such information by applying the minimum necessary standard. Response: We make an exception to the minimum necessary disclosure provision of this rule for the required and situational data elements of the standard transactions adopted in the Transactions Rule, because those elements were agreed to through the ANSI-accredited consensus development process. The minimum necessary requirements do apply to optional elements in such standard transactions, because industry consensus has not resulted in precise and unambiguous situation specific language to describe their usage. This is particularly relevant to the NCPDP standards for retail pharmacy transactions referenced by these commenters, in which the current standard leaves most fields optional. For this reason, we do not accept this suggestion. The term `payment card' was intended to apply to a debit or credit card used to initiate payment transactions with a financial institution. We clarify that pharmacy benefit cards, as well as other health benefit cards, are used for identification of individual, plan, and benefits and do not qualify as ``other payment cards.'' Comment: Two commenters asked the following questions regarding the banking provisions of the proposed rule: (1) Does the proposed regulation stipulate that disclosures to banks and financial institutions can occur only once a patient has presented a check or credit card to the provider, or pursuant to a standing authorization?; and (2) Does the proposed rule ban disclosure of diagnostic or other related detailed payment information to financial institutions? Response: We do not ban disclosure of diagnostic information to financial institutions, because some such information may be evident simply from the name of the payee (e.g., when payment is made to a substance abuse clinic). This type of disclosure, however, is permitted only when reasonably necessary for the transaction (see requirements for minimum necessary disclosure of protected health information, in Sec. 164.502 and Sec. 164.514). Similarly, we do not stipulate that such disclosure may be made only once a patient has presented a check or credit card, because some covered entities hire financial institutions to perform services such as management of accounts receivables and other back office functions. In providing such services to covered entities, the financial institution will need access to protected health information. (In this situation, the disclosure will typically be made under a business associate arrangement that includes provisions for protection of the information.) Comment: One commenter was concerned that the proposed rule's section on financial institutions, when considered in conjunction with the proposed definition of ``protected health information,'' could have been construed as making covered entities' disclosures of consumer payment history information to consumer reporting agencies subject to the rule. It noted that covered entities' reporting of payment history information to consumer reporting agencies was not explicitly covered by the proposed rule's provisions regarding disclosure of protected health information without authorization. It was also concerned that the proposed rule's minimum necessary standard could have been interpreted to [[Page 82618]] prevent covered entities and their business partners from disclosing appropriate and complete information to consumer reporting agencies. As a result, it said, consumer reporting agencies might not be able to compile complete consumer reports, thus potentially creating an inaccurate picture of a consumer's credit history that could be used to make future credit decisions about the individual. Furthermore, this commenter said, the proposed rule could have been interpreted to apply to any information disclosed to consumer reporting agencies, thus creating the possibility for conflicts between the rule's requirements and those of the Fair Credit Reporting Act. They indicated that areas of potential overlap included: limits on subsequent disclosures; individual access rights; safeguards; and notice requirements. Response: We have added to the definition of ``payment'' disclosure of certain information to consumer reporting agencies. With respect to the remaining concerns, this rule does not apply to consumer reporting agencies if they are not covered entities. Comment: Several commenters recommended prohibiting disclosure of psychotherapy notes under this provision and under all of the sections governing disclosure without consent for national priority purposes. Response: We agree that psychotherapy notes should not be disclosed without authorization for payment purposes, and the final rule does not allow such disclosure. See the discussion under Sec. 164.508. Protected Health Information Comment: An overwhelmingly large number of commenters urged the Secretary to expand privacy protection to all individually identifiable health information, regardless of form, held or transmitted by a covered entity. Commenters provided many arguments in support of their position. They asserted that expanding the scope of covered information under the rule would increase patient confidence in their health care providers and the health care system in general. Commenters stated that patients may not seek care or honestly discuss their health conditions with providers if they do not believe that all of their health information is confidential. In particular, many suggested that this fear would be particularly strong with certain classes of patients, such as persons with disabilities, who may be concerned about potential discrimination, embarrassment or stigmatization, or domestic violence victims, who may hide the real cause of their injuries. In addition, commenters felt that a more uniform standard that covered all records would reduce the complexity, burden, cost, and enforcement problems that would result from the NPRM's proposal to treat electronic and non-electronic records differently. Specifically, they suggested that such a standard would eliminate any confusion regarding how to treat mixed records (paper records that include information that has been stored or transmitted electronically) and would eliminate the need for health care providers to keep track of which portions of a paper record have been (or will be) stored or transmitted electronically, and which are not. Many of these commenters argued that limiting the definition to information that is or has at one time been electronic would result in different protections for electronic and paper records, which they believe would be unwarranted and give consumers a false sense of security. Other comments argued that the proposed definition would cause confusion for providers and patients and would likely cause difficulties in claims processing. Many others complained about the difficulty of determining whether information has been maintained or transmitted electronically. Some asked us to explicitly list the electronic functions that are intended to be excluded, such as voice mail, fax, etc. It was also recommended that the definitions of ``electronic transmission'' and ``electronic maintenance'' be deleted. It was stated that the rule may apply to many medical devices that are regulated by the FDA. A commenter also asserted that the proposal's definition was technically flawed in that computers are also involved in analog electronic transmissions such as faxes, telephone, etc., which is not the intent of the language. Many commenters argued that limiting the definition to information that has been electronic would create a significant administrative burden, because covered entities would have to figure out how to apply the rule to some but not all information. Others argued that covering all individually identifiable health information would eliminate any disincentives for covered entities to convert from paper to computerized record systems. These commenters asserted that under the proposed limited coverage, contrary to the intent of HIPAA's administrative simplification standards, providers would avoid converting paper records into computerized systems in order to bypass the provisions of the regulation. They argued that treating all records the same is consistent with the goal of increasing the efficiency of the administration of health care services. Lastly, in the NPRM, we explained that while we chose not to extend our regulatory coverage to all records, we did have the authority to do so. Several commenters agreed with our interpretation of the statute and our authority and reiterated such statements in arguing that we should expand the scope of the rule in this regard. Response: We find these commenters' arguments persuasive and extend protections to individually identifiable health information transmitted or maintained by a covered entity in any form (subject to the exception for ``education records'' governed by FERPA and records described at 20 U.S.C. 1232g(a)(4)(B)(iv)). We do so for the reasons described by the commenters and in our NPRM, as well as because we believe that the approach in the final rule creates a logical, consistent system of protections that recognizes the dynamic nature of health information use and disclosure in a continually shifting health care environment. Rules that are specific to certain formats or media, such as ``electronic'' or ``paper,'' cannot address the privacy threats resulting from evolving forms of data capture and transmission or from the transfer of the information from one form to another. This approach avoids the somewhat artificial boundary issues that stem from defining what is and is not electronic. In addition, we have reevaluated our reasons for not extending privacy protections to all paper records in the NPRM and after review of comments believe such justifications to be less compelling than we originally thought. For example, in the NPRM, we explained that we chose not to cover all paper records in order to focus on the public concerns about health information confidentiality in electronic communications, and out of concern that the potential additional burden of covering all records may not be justified because of the lower privacy risks presented by records that are in paper form only. As discussed above however, a great many commenters asserted that dealing with a mixture of protected and non-protected records is more burdensome, and that public concerns over health information confidentiality are not at all limited to electronic communications. We note that medical devices in and of themselves, for example, pacemakers, are not protected health information for purposes of this regulation. However, information in or from the device may [[Page 82619]] be protected health information to the extent that it otherwise meets the definition. Comment: Numerous commenters argued that the proposed coverage of any information other than that which is transmitted electronically and/or in a HIPAA transaction exceeds the Secretary's authority under section 264(c)(1) of HIPAA. The principal argument was that the initial language in section 264(c)(1) (``If language governing standards with respect to the privacy of individually identifiable health information transmitted in connection with the transactions described in section 1173(a) of the Social Security Act * * * is not enacted by [August 21, 1999], the Secretary * * * shall promulgate final regulations containing such standards* * * '') limits the privacy standards to ``information transmitted in connection with the [HIPAA] transactions.'' The precise argument made by some commenters was that the grant of authority is contained in the words ``such standards,'' and that the referent of that phrase was ``standards with respect to the privacy of individually identifiable health information transmitted in connection with the transactions described in section 1173(a)* * *''. Commenters also argued that this limitation on the Secretary's authority is discernible from the statutory purpose statement at section 261 of HIPAA, from the title to section 1173(a) (``Standards to Enable Electronic Exchange''), and from various statements in the legislative history, such as the statement in the Conference Report that the ``Secretary would be required to establish standards and modifications to such standards regarding the privacy of individually identifiable health information that is in the health information network.'' H. Rep. No. 104-736,104th Cong., 2d Sess., at 265. It was also argued that extension of coverage beyond the HIPAA transactions would be inconsistent with the underlying statutory trade-off between facilitating accessibility of information in the electronic transactions for which standards are adopted under section 1173(a) and protecting that information through the privacy standards. Other commenters argued more generally that the Secretary's authority was limited to information in electronic form only, not information in any other form. These comments tended to focus on the statutory concern with regulating transactions in electronic form and argued that there was no need to have the privacy standards apply to information in paper form, because there is significantly less risk of breach of privacy with respect to such information. The primary justifications provided by commenters for restricting the scope of covered individually identifiable health information under the regulation were that such an approach would reduce the complexity, burden, cost, and enforcement problems that would result from a rule that treats electronic and non-electronic records differently; would appropriately limit the rule's focus to the security risks that are inherent in electronic transmission or maintenance of individually identifiable health information; and would conform these provisions of the rule more closely with their interpretation of the HIPAA statutory language. Response: We disagree with these commenters. We believe that restricting the scope of covered information under the rule consistent with any of the comments described above would generate a number of policy concerns. Any restriction in the application of privacy protections based on the media used to maintain or transmit the information is by definition arbitrary, unrelated to the potential use or disclosure of the information itself and therefore not responsive to actual privacy risks. For example, information contained in a paper record may be scanned and transmitted worldwide almost as easily as the same information contained in an electronic claims transaction, but would potentially not be protected. In addition, application of the rule to only the standard transactions would leave large gaps in the amount of health information covered. This limitation would be particularly harmful for information used and disclosed by health care providers, who are likely to maintain a great deal of information never contained in a transaction. We disagree with the arguments that the Secretary lacks legal authority to cover all individually identifiable health information transmitted or maintained by covered entities. The arguments raised by these comments have two component parts: (1) That the Secretary's authority is limited by form, to individually identifiable health information in electronic form only; and (2) that the Secretary's authority is limited by content, to individually identifiable health information that is contained in what commenters generally termed the ``HIPAA transactions,'' i.e., information contained in a transaction for which a standard has been adopted under section 1173(a) of the Act. With respect to the issue of form, the statutory definition of ``health information'' at section 1171(4) of the Act defines such information as ``any information, whether oral or recorded in any form or medium'' (emphasis added) which is created or received by certain entities and relates to the health condition of an individual or the provision of health care to an individual (emphasis added). ``Individually identifiable health information'', as defined at section 1171(6) of the Act, is information that is created or received by a subset of the entities listed in the definition of ``health information'', relates to the same subjects as ``health information,'' and is, in addition, individually identifiable. Thus, ``individually identifiable health information'' is, as the term itself implies, a subset of ``health information.'' As ``health information,'' ``individually identifiable health information'' means, among other things, information that is ``oral or recorded in any form or medium.'' Therefore, the statute does not limit ``individually identifiable health information'' to information that is in electronic form only. With respect to the issue of content, the limitation of the Secretary's authority to information in HIPAA transactions under section 264(c)(1) is more apparent than real. While the first sentence of section 264(c)(1) may be read as limiting the regulations to standards with respect to the privacy of individually identifiable health information ``transmitted in connection with the [HIPAA] transactions,'' what that sentence in fact states is that the privacy regulations must ``contain'' such standards, not be limited to such standards. The first sentence thus sets a statutory minimum, first for Congress, then for the Secretary. The second sentence of section 264(c)(1) directs that the regulations ``address at least the subjects in subsection (b) (of section 264).'' Section 264(b), in turn, refers only to ``individually identifiable health information'', with no qualifying language, and refers back to subsection (a) of section 264, which is not limited to HIPAA transactions. Thus, the first and second sentences of section 264(c)(1) can be read as consistent with each other, in which case they direct the issuance of privacy standards with respect to individually identifiable health information. Alternatively, they can be read as ambiguous, in which case one must turn to the legislative history. The legislative history of section 264 does not reflect the content limitation of the first sentence of section 264(c)(1). Rather, the Conference Report [[Page 82620]] summarizes this section as follows: ``If Congress fails to enact privacy legislation, the Secretary is required to develop standards with respect to privacy of individually identifiable health information not later than 42 months from the date of enactment.'' Id., at 270. This language indicates that the overriding purpose of section 264(c)(1) was to postpone the Secretary's duty to issue privacy standards (which otherwise would have been controlled by the time limits at section 1174(a)), in order to give Congress more time to pass privacy legislation. A corollary inference, which is also supported by other textual evidence in section 264 and Part C of title XI, is that if Congress failed to act within the time provided, the original statutory scheme was to kick in. Under that scheme, which is set out in section 1173(e) of the House bill, the standards to be adopted were ``standards with respect to the privacy of individually identifiable health information.'' Thus, the legislative history of section 264 supports the statutory interpretation underlying the rules below. Comment: Many commenters were opposed to the rule covering specific forms of communication or records that could potentially be considered covered information, i.e., faxes, voice mail messages, etc. A subset of these commenters took issue particularly with the inclusion of oral communications within the scope of covered information. The commenters argued that covering information when it takes oral form (e.g., verbal discussions of a submitted claim) makes the regulation extremely costly and burdensome, and even impossible to administer. Another commenter also offered that it would make it nearly impossible to discuss health information over the phone, as the covered entity cannot verify that the person on the other end is in fact who he or she claims to be. Response: We disagree. Covering oral communications is an important part of keeping individually identifiable health information private. If the final rule were not to cover oral communication, a conversation about a person's protected health information could be shared with anyone. Therefore, the same protections afforded to paper and electronically based information must apply to verbal communication as well. Moreover, the Congress explicitly included ``oral'' information in the statutory definition of health information. Comment: A few commenters supported, without any change, the approach proposed in the NPRM to limit the scope of covered information to individually identifiable health information in any form once the information is transmitted or maintained electronically. These commenters asserted that our statutory authority limited us accordingly. Therefore, they believed we had proposed protections to the extent possible within the bounds of our statutory authority and could not expand the scope of such protections without new legislative authority. Response: We disagree with these commenters regarding the limitations under our statutory authority. As explained above, we have the authority to extend the scope of the regulation as we have done in the final rule. We also note here that most of these commenters who supported the NPRM's proposed approach, voiced strong support for extending the scope of coverage to all individually identifiable health information in any form, but concluded that we had done what we could within the authority provided. Comment: One commenter argued that the term ``transaction'' is generally understood to denote a business matter, and that the NPRM applied the term too broadly by including hospital directory information, communication with a patient's family, researchers' use of data and many other non-business activities. Response: This comment reflects a misunderstanding of our use of the term ``transaction.'' The uses and disclosures described in the comment are not ``transactions'' as defined in Sec. 160.103. The authority to regulate the types of uses and disclosures described is provided under section 264 of Pub. L. 104-191. The conduct of the activities noted by the commenters are not related to the determination of whether a health care provider is a covered entity. We explain in the preamble that a health care provider is a covered entity if it transmits health information in electronic form in connection with transactions referred to in section 1173(a)(1) of the Act. Comment: A few commenters asserted that the Secretary has no authority to regulate ``use'' of protected health information. They stated that although section 264(b) mentions that the Secretary should address ``uses and disclosures,'' no other section of HIPAA employs the term ``use.'' Response: We disagree with these commenters. As they themselves note, the authority to regulate use is given in section 264(b) and is sufficient. Comment: Some commenters requested clarification as to how certain types of health information, such as photographs, faxes, X-Rays, CT- scans, and others would be classified as protected or not under the rule. Response: All types of individually identifiable health information in any form, including those described, when maintained or transmitted by a covered entity are covered in the final rule. Comment: A few commenters requested clarification with regard to the differences between the definitions of individually identifiable health information and protected health information. Response: In expanding the scope of covered information in the final rule, we have simplified the distinction between the two definitions. In the final rule, protected health information is the subset of individually identifiable health information that is maintained or transmitted by covered entity, and thereby protected by this rule. For additional discussion of protected health information and individually identifiable health information, see the descriptive summary of Sec. 164.501. Comment: A few commenters remarked that the federal government has no right to access or control any medical records and that HHS must get consent in order to store or use any individually identifiable health information. Response: We understand the commenters' concern. It is not our intent, nor do we through this rule create any government right of access to medical records, except as needed to investigate possible violations of the rule. Some government programs, such as Medicare, are authorized under other law to gain access to certain beneficiary records for administrative purposes. However, these programs are covered by the rule and its privacy protections apply. Comment: Some commenters asked us to clarify how schools would be treated by the rule. Some of these commenters worried that privacy would be compromised if schools were exempted from the provisions of the final rule. Other commenters thought that school medical records were included in the provisions of the NPRM. Response: We agree with the request for clarification and provide guidance regarding the treatment of medical records in schools in the ``Relationship to Other Federal Laws'' preamble discussion of FERPA, which governs the privacy of education records. Comment: One commenter was concerned that only some information from a medical chart would be included as covered information. The commenter was especially concerned that transcribed material might not be considered covered information. [[Page 82621]] Response: As stated above, all individually identifiable health information in any form, including transcribed or oral information, maintained or transmitted by a covered entity is covered under the provisions of the final rule. Comment: In response to our solicitation of comments on the scope of the definition of protected health information, many commenters asked us to narrow the scope of the proposed definition to include only information in electronic form. Others asked us to include only information from the HIPAA standard transactions. Response: For the reasons stated by the commenters who asked us to expand the proposed definition, we reject these comments. We reject these approaches for additional reasons, as well. Limiting the protections to electronic information would, in essence, protect information only as long as it remained in a computer or other electronic media; the protections in the rule could be avoided simply by printing out the information. This approach would thus result in the illusion, but not the reality, of privacy protections. Limiting protection to information in HIPAA transactions has many of the problems in the proposed approach: it would fail to protect significant amounts of health information, would force covered entities to figure out which information had and had not been in such a transaction, and could cause the administrative burdens the commenters feared would result from protecting some but not all information. Comment: A few commenters asserted that the definition of protected health information should explicitly include ``genetic'' information. It was argued that improper disclosure and use of such information could have a profound impact on individuals and families. Response: We agree that the definition of protected health information includes genetic information that otherwise meets the statutory definition. But we believe that singling out specific types of protected health information for special mention in the regulation text could wrongly imply that other types are not included. Comment: One commenter recommended that the definition of protected health information be modified to clarify that an entity does not become a `covered entity' by providing a device to an individual on which protected health information may be stored, provided that the company itself does not store the individual's health information.'' Response: We agree with the commenter's analysis, but believe the definition is sufficiently clear without a specific amendment to this effect. Comment: One commenter recommended that the definition be amended to explicitly exclude individually identifiable health information maintained, used, or disclosed pursuant to the Fair Credit Reporting Act, as amended, 15 U.S.C. 1681. It was stated that a disclosure of payment history to a consumer reporting agency by a covered entity should not be considered protected health information. Another commenter recommended that health information, billing information, and a consumer's credit history be exempted from the definition because this flow of information is regulated by both the Fair Credit Reporting Act (FCRA) and the Fair Debt Collection Practices Act (FDCPA). Response: We disagree. To the extent that such information meets the definition of protected health information, it is covered by this rule. These statutes are designed to protect financial, not health, information. Further, these statutes primarily regulate entities that are not covered by this rule, minimizing the potential for overlap or conflict. The protections in this rule are more appropriate for protecting health information. However, we add provisions to the definition of payment which should address these concerns. See the definition of `payment' in Sec. 164.501. Comment: An insurance company recommended that the rule require that medical records containing protected health information include a notation on a cover sheet on such records. Response: Since we have expanded the scope of protected health information, there is no need for covered entities to distinguish among their records, and such a notation is not needed. This uniform coverage eliminates the mixed record problem and resultant potential for confusion. Comment: A government agency requested clarification of the definition to address the status of information that flows through dictation services. Response: A covered entity may disclose protected health information for transcription of dictation under the definition of health care operations, which allows disclosure for ``general administrative'' functions. We view transcription and clerical services generally as part of a covered entity's general administrative functions. An entity transcribing dictation on behalf of a covered entity meets this rule's definition of business associate and may receive protected health information under a business associate contract with the covered entity and subject to the other requirements of the rule. Comment: A commenter recommended that information transmitted for employee drug testing be exempted from the definition. Response: We disagree that is necessary to specifically exclude such information from the definition of protected health information. If a covered entity is involved, triggering this rule, the employer may obtain authorization from the individuals to be tested. Nothing in this rule prohibits an employer from requiring an employee to provide such an authorization as a condition of employment. Comment: A few commenters addressed our proposal to exclude individually identifiable health information in education records covered by FERPA. Some expressed support for the exclusion. One commenter recommended adding another exclusion to the definition for the treatment records of students who attend institutions of post secondary education or who are 18 years old or older to avoid confusion with rules under FERPA. Another commenter suggested that the definition exclude health information of participants in ``Job Corps programs'' as it has for educational records and inmates of correctional facilities. Response: We agree with the commenter on the potential for confusion regarding records of students who attend post-secondary schools or who are over 18, and therefore in the final rule we exclude records defined at 20 U.S.C. 1232g(a)(4)(B)(iv) from the definition of protected health information. For a detailed discussion of this change, refer to the ``Relationship to Other Federal Laws'' section of the preamble. We find no similar reason to exclude ``Job Corps programs'' from the requirements of this regulation. Comment: Some commenters voiced support for the exclusion of the records of inmates from the definition of protected health information, maintaining that correctional agencies have a legitimate need to share some health information internally without authorization between health service units in various facilities and for purposes of custody and security. Other commenters suggested that the proposed exclusion be extended to individually identifiable health information: created by covered entities providing services to inmates or detainees under contract to such facilities; of ``former'' inmates; and of persons who are in the custody of law enforcement officials, such as the United States Marshals Service and local police agencies. They stated that [[Page 82622]] corrections and detention facilities must be able to share information with law enforcement agencies such as the United States Marshals Service, the Immigration and Naturalization Services, county jails, and U.S. Probation Offices. Another commenter said that there is a need to have access to records of individuals in community custody and explained that these individuals are still under the control of the state or local government and the need for immediate access to records for inspections and/or drug testing is necessary. A number of commenters were opposed to the proposed exclusion to the definition of protected health information, arguing that the proposal was too sweeping. Commenters stated that while access without consent is acceptable for some purposes, it is not acceptable in all circumstances. Some of these commenters concurred with the sharing of health care information with other medical facilities when the inmate is transferred for treatment. These commenters recommended that we delete the exception for jails and prisons and substitute specific language about what information could be disclosed and the limited circumstances or purposes for which such disclosures could occur. Others recommended omission of the proposed exclusion entirely, arguing that excluding this information from protection sends the message that, with respect to this population, abuses do not matter. Commenters argued that inmates and detainees have a right to privacy of medical records and that individually identifiable health information obtained in these settings can be misused, e.g., when communicated indiscriminately, health information can trigger assaults on individuals with stigmatized conditions by fellow inmates or detainees. It can also lead to the denial of privileges, or inappropriately influence the deliberations of bodies such as parole boards. A number of commenters explicitly took issue with the exclusion relative to individuals, and in particular youths, with serious mental illness, seizure disorders, and emotional or substance abuse disorders. They argued that these individuals come in contact with criminal justice authorities as a result of behaviors stemming directly from their illness and assert that these provisions will cause serious problems. They argue that disclosing the fact that an individual was treated for mental illness while incarcerated could seriously impair the individual's reintegration into the community. Commenters stated that such disclosures could put the individual or family members at risk of discrimination by employers and in the community at large. Some commenters asserted that the rule should be amended to prohibit jails and prisons from disclosing private medical information of individuals who have been discharged from these facilities. They argued that such disclosures may seriously impair individuals' rehabilitation into society and subject them to discrimination as they attempt to re-establish acceptance in the community. Response: We find commenters' arguments against a blanket exemption from privacy protection for inmates persuasive. We agree health information in these settings may be misused, which consequently poses many risks to the inmate or detainee and in some cases, their families as described above by the commenters. Accordingly, we delete this exception from the definition of ``protected health information'' in the final rule. The final rule considers individually identifiable health information of individuals who are prisoners and detainees to be protected health information to the extent that it meets the definition and is maintained or transmitted by a covered entity. At the same time, we agree with those commenters who explained that correctional facilities have legitimate needs for use and sharing of individually identifiable health information inmates without authorization. Therefore, we add a new provision (Sec. 164.512(k)(5)) that permits a covered entity to disclose protected health information about inmates without individual consent, authorization, or agreement to correctional institutions for specified health care and other custodial purposes. For example, covered entities are permitted to disclose for the purposes of providing health care to the individual who is the inmate, or for the health and safety of other inmates or officials and employees of the facility. In addition, a covered entity may disclose protected health information as necessary for the administration and maintenance of the safety, security, and good order of the institution. See the preamble discussion of the specific requirements at Sec. 164.512(k)(5), as well as discussion of certain limitations on the rights of individuals who are inmates with regard to their protected health information at Secs. 164.506, 164.520, 164.524, and 164.528. We also provide the following clarifications. Covered entities that provide services to inmates under contract to correctional institutions must treat protected health information about inmates in accordance with this rule and are permitted to use and disclose such information to correctional institutions as allowed under Sec. 164.512(k)(5). As to former inmates, the final rule considers such persons who are released on parole, probation, supervised release, or are otherwise no longer in custody, to be individuals who are not inmates. Therefore, the permissible disclosure provision at Sec. 164.512(k)(5) does not apply in such cases. Instead, a covered entity must apply privacy protections to the protected health information about former inmates in the same manner and to the same extent that it protects the protected health information of other individuals. In addition, individuals who are former inmates hold the same rights as all other individuals under the rule. As to individuals in community custody, the final rule considers inmates to be those individuals who are incarcerated in or otherwise confined to a correctional institution. Thus, to the extent that community custody confines an individual to a particular facility, Sec. 164.512(k)(5) is applicable. Psychotherapy Notes Comment: Some commenters thought the definition of psychotherapy notes was contrary to standard practice. They claimed that reports of psychotherapy are typically part of the medical record and that psychologists are advised, for ethical reasons and liability risk management purposes, not to keep two separate sets of notes. Others acknowledged that therapists may maintain separate notations of therapy sessions for their own purpose. These commenters asked that we make clear that psychotherapy notes, at least in summary form, should be included in the medical record. Many plans and providers expressed concern that the proposed definition would encourage the creation of ``shadow'' records which may be dangerous to the patient and may increase liability for the health care providers. Some commenters claimed that psychotherapy notes contain information that is often essential to treatment. Response: We conducted fact-finding with providers and other knowledgeable parties to determine the standard practice of psychotherapists and determined that only some psychotherapists keep separate files with notes pertaining to psychotherapy sessions. These notes are often referred to as ``process notes,'' distinguishable from ``progress notes,'' ``the medical record,'' or ``official records.'' These process notes capture the therapist's [[Page 82623]] impressions about the patient, contain details of the psychotherapy conversation considered to be inappropriate for the medical record, and are used by the provider for future sessions. We were told that process notes are often kept separate to limit access, even in an electronic record system, because they contain sensitive information relevant to no one other than the treating provider. These separate ``process notes'' are what we are calling ``psychotherapy notes.'' Summary information, such as the current state of the patient, symptoms, summary of the theme of the psychotherapy session, diagnoses, medications prescribed, side effects, and any other information necessary for treatment or payment, is always placed in the patient's medical record. Information from the medical record is routinely sent to insurers for payment. Comment: Various associations and their constituents asked that the exceptions for psychotherapy notes be extended to health care information from other health care providers. These commenters argued that psychotherapists are not the only providers or even the most likely providers to discuss sensitive and potentially embarrassing issues, as treatment and counseling for mental health conditions, drug abuse, HIV/AIDS, and sexual problems are often provided outside of the traditional psychiatric settings. One writer stated, ``A prudent health care provider will always assess the past and present psychiatric medical history and symptoms of a patient.'' Many commenters believed that the psychotherapy notes should include frequencies of treatment, results of clinical tests, and summary of diagnosis, functional status, the treatment plan, symptoms, prognosis and progress to date. They claimed that this information is highly sensitive and should not be released without the individual's written consent, except in cases of emergency. One commenter suggested listing the types of mental health information that can be requested by third party payors to make payment determinations and defining the meaning of each term. Response: As discussed above and in the NPRM, the rationale for providing special protection for psychotherapy notes is not only that they contain particularly sensitive information, but also that they are the personal notes of the therapist, intended to help him or her recall the therapy discussion and are of little or no use to others not involved in the therapy. Information in these notes is not intended to communicate to, or even be seen by, persons other than the therapist. Although all psychotherapy information may be considered sensitive, we have limited the definition of psychotherapy notes to only that information that is kept separate by the provider for his or her own purposes. It does not refer to the medical record and other sources of information that would normally be disclosed for treatment, payment, and health care operations. Comment: One commenter was particularly concerned that the use of the term ``counseling'' in the definition of psychotherapy notes would lead to confusion because counseling and psychotherapy are different disciplines. Response: In the final rule, we continue to use the term ``counseling'' in the definition of ``psychotherapy.'' During our fact- finding, we learned that ``counseling'' had no commonly agreed upon definition, but seemed to be widely understood in practice. We do not intend to limit the practice of psychotherapy to any specific professional disciplines. Comment: One commenter noted that the public mental health system is increasingly being called upon to integrate and coordinate services among other providers of mental health services and they have developed an integrated electronic medical record system for state-operated hospitals, part of which includes psychotherapy notes, and which cannot be easily modified to provide different levels of confidentiality. Another commenter recommended allowing use or disclosure of psychotherapy notes by members of an integrated health care facility as well as the originator. Response: The final rule makes it clear that any notes that are routinely shared with others, whether as part of the medical record or otherwise, are, by definition, not psychotherapy notes, as we have defined them. To qualify for the definition and the increased protection, the notes must be created and maintained for the use of the provider who created them i.e., the originator, and must not be the only source of any information that would be critical for the treatment of the patient or for getting payment for the treatment. The types of notes described in the comment would not meet our definition for psychotherapy notes. Comment: Many providers expressed concern that if psychotherapy notes were maintained separately from other protected health information, other health providers involved in the individual's care would be unable to treat the patient properly. Some recommended that if the patient does not consent to sharing of psychotherapy notes for treatment purposes, the treating provider should be allowed to decline to treat the patient, providing a referral to another provider. Response: The final rule retains the policy that psychotherapy notes be separated from the remainder of the medical record in order to receive additional protection. We based this decision on conversations with mental health providers who have told us that information that is critical to the treatment of individuals is normally maintained in the medical record and that psychotherapy notes are used by the provider who created them and rarely for other purposes. A strong part of the rationale for the special treatment of psychotherapy notes is that they are the personal notes of the treating provider and are of little or no use to others who were not present at the session to which the notes refer. Comment: Several commenters requested that we clarify that the information contained in psychotherapy notes is being protected under the rule and not the notes themselves. They were concerned that the protection for psychotherapy notes would not be meaningful if health plans could demand the same information in a different format. Response: This rule provides special protection for the information in psychotherapy notes, but it does not extend that protection to the same information that may be found in other locations. We do not require the notes to be in a particular format, such as hand-written. They may be typed into a word processor, for example. Copying the notes into a different format, per se, would not allow the information to be accessed by a health plan. However, the requirement that psychotherapy notes be kept separate from the medical record and solely for the use of the provider who created them means that the special protection does not apply to the same information in another location. Public Health Authority Comment: A number of the comments called for the elimination of all permissible disclosures without authorization, and some specifically cited the public health section and its liberal definition of public health authority as an inappropriately broad loophole that would allow unfettered access to private medical information by various government authorities. Other commenters generally supported the provision allowing disclosure to public health authorities and to non-governmental entities [[Page 82624]] authorized by law to carry out public health activities. They further supported the broad definition of public health authority and the reliance on broad legal or regulatory authority by public health entities although explicit authorities were preferable and better informed the public. Response: In response to comments arguing that the provision is too broad, we note that section 1178(b) of the Act, as explained in the NPRM, explicitly carves out protection for state public health laws. This provision states that: ``[N]othing in this part shall be construed to invalidate or limit the authority, power, or procedures established under any law providing for the reporting of disease or injury, child abuse, birth or death, public health surveillance, or public health investigation or intervention.'' In light of this broad Congressional mandate not to interfere with current public health practices, we believe the broad definition of ``public health authority'' is appropriate to achieve that end. Comment: Some commenters said that they performed public health activities in analyzing data and information. These comments suggested that activities conducted by provider and health plan organizations that compile and compare data for benchmarking performance, monitoring, utilization, and determining the health needs of a given market should be included as part of the public health exemption. One commenter recommended amending the regulation to permit covered entities to disclose protected health information to private organizations for public health reasons. Response: We disagree that such a change should be made. In the absence of some nexus to a government public health authority or other underlying legal authority, covered entities would have no basis for determining which data collections are ``legitimate'' and how the confidentiality of the information will be protected. In addition, the public health functions carved out for special protection by Congress are explicitly limited to those established by law. Comment: Two commenters asked for additional clarification as to whether the Occupational Safety and Health Administration (OSHA) and the Mine Safety and Health Administration (MSHA) would be considered public health authorities as indicated in the preamble. They suggested specific language for the final rule. Commenters also suggested that we specify that states operating OSHA-approved programs also are considered public health authorities. One comment applauded the Secretary's recognition of OSHA as both a health oversight agency and public health authority. It suggested adding OSHA-approved programs that operate in states to the list of entities included in these categories. In addition, the comment requested the final regulation specifically mention these entities in the text of the regulation as well. Response: We agree that OSHA, MSHA and their state equivalents are public health authorities when carrying out their activities related to the health and safety of workers. We do not specifically reference any agencies in the regulatory definition, because the definition of public health authority and this preamble sufficiently address this issue. As defined in the final rule, the definition of ``public health authority'' at Sec. 164.501 continues to include OSHA as a public health authority. State agencies or authorities responsible for public health matters as part of their official mandate, such as OSHA-approved programs, also come within this definition. See discussion of Sec. 164.512(b) below. We have refrained, however, from listing specific agencies and have retained a general descriptive definition. Comments: Several commenters recommended expanding the definition of public health authority to encompass other governmental entities that may collect and hold health data as part of their official duties. One recommended changing the definition of public health authority to read as follows: Public health authority means an agency or authority * * * that is responsible for public health matters or the collection of health data as part of its official mandate. Response: We do not adopt this recommendation. The public health provision is not intended to cover agencies that are not responsible for public health matters but that may in the course of their responsibilities collect health-related information. Disclosures to such authorities may be permissible under other provision of this rule. Comment: Many commenters asked us to include a formal definition of ``required by law'' incorporating the material noted in this preamble and additional suggested disclosures. Response: We agree generally and modify the definition accordingly. See discussion above. Research Comment: We received many comments from supporting the proposed definition of ``research.'' These commenters agreed that the definition of ``research'' should be the same as the definition in the Common Rule. These commenters argued that it was important that the definition of ``research'' be consistent with the Common Rule's definition to ensure the coherent oversight of medical research. In addition, some of these commenters also supported this definition because they believed it was already well-understood by researchers and provided reasonably clear guidance needed to distinguish between research and health care operations. Some commenters, believed that the NPRM's definition was too narrow. Several of these commenters agreed that the Common Rule's definition should be adopted in the final rule, but argued that the proposed definition of ``generalizable knowledge'' within the definition of ``research,'' which limited generalizable knowledge to knowledge that is ``related to health,'' was too narrow. For example, one commenter stated that gun shot wound, spousal abuse, and other kinds of information from emergency room statistics are often used to conduct research with ramifications for social policy, but may not be ``related to health.'' Several of these commenters recommended that the definition of research be revised to delete the words ``related to health.'' Additional commenters who argued that the definition was too narrow raised the following concerns: the difference between ``research'' and ``health care operations'' is irrelevant from the patients' perspective, and therefore, the proposed rule should have required documentation of approval by an IRB or privacy board before protected health information could be used or disclosed for either of these purposes, and the proposed definition was too limited because it did not capture research conducted by non-profit entities to ensure public health goals, such as disease-specific registries. Commenters who argued that the definition was too broad recommended that certain activities should be explicitly excluded from the definition. In general, these commenters were concerned that if certain activities were considered to be ``research'' the rule's research requirements would represent a problematic level of regulation on industry initiatives. Some activities that these commenters recommended be explicitly excluded from the definition of ``research'' included: marketing research, health and productivity management, quality assessment and improvement activities, and internal research conducted to improve health. Response: We agree that the final rule's definition of ``research'' should be [[Page 82625]] consistent with the Common Rule's definition of this term. We also agree that our proposal to limit ``generalizable knowledge'' to knowledge that is ``related to health,'' and ``knowledge that could be applied to populations outside of the population served by the covered entity,'' was too narrow. Therefore, in the final rule, we retain the Common Rule's definition of ``research'' and eliminate the further elaboration of ``generalizable knowledge.'' We understand knowledge to be generalizable when it can be applied to either a population inside or outside of the population served by the covered entity. Therefore, knowledge may be ``generalizable'' even if a research study uses only the protected health information held within a covered entity, and the results are generalizable only to the population served by the covered entity. For example, generalizable knowledge could be generated from a study conducted by the HCFA, using only Medicare data held by HCFA, even if the knowledge gained from the research study is applicable only to Medicare beneficiaries. We rejected the other arguments claiming that the definition of ``research'' was either too narrow or too broad. While we agree that it is sometimes difficult to distinguish between ``research'' and ``health care operations,'' we disagree that the difference between these activities is irrelevant from the patients' perspective. We believe, based on many of the comments, that individuals expect that individually identifiable health information about themselves will be used for health care operations such as reviewing the competence or qualifications of health care professionals, evaluating provider and plan performance, and improving the quality of care. A large number of commenters, however, indicated that they did not expect that individually identifiable health information about themselves would be used for research purposes without their authorization. Therefore, we retain more stringent protections for research disclosures without patient authorization. We also disagree with the commenters who were concerned that the proposed definition was too limited because it did not capture research conducted by non-profit entities to ensure public health goals, such as disease-specific registries. Such activities conducted by either non- profit or for-profit entities could meet the rule's definition of research, and therefore are not necessarily excluded from this definition. We also disagree with many of the commenters who argued that certain activities should be explicitly excluded from the definition of research. We found no persuasive evidence that, when particular activities are also systematic investigations designed to contribute to generalizable knowledge, they should be treated any different from other such activities. We are aware that the National Bioethics Advisory Commission (NBAC) is currently assessing the Common Rule's definition of ``research'' as part of a report they are developing on the implementation and adequacy of the Common Rule. Since we agree that a consistent definition is important to the conduct and oversight of research, if the Common Rule's definition of ``research'' is modified in the future, the Department of Health and Human Services will consider whether the definition should also be modified for this subpart. Comment: Some commenters urged the Department to establish precise definitions for ``health care operations'' and ``research'' to provide clear guidance to covered entities and adequate privacy protections for the subjects of the information whose information is disclosed for these purposes. One commenter supported the definition of ``research'' proposed in the NPRM, but was concerned about the ``crossover'' from data analyses that begin as health care operations but later become ``research'' because the analytical results are of such importance that they should be shared through publication, thereby contributing to generalizable knowledge. To distinguish between the definitions of ``health care operations'' and ``research,'' a few commenters recommended that the rule make this distinction based upon whether the activity is a ``use'' or a ``disclosure.'' These commenters recommend that the ``use'' of protected health information for research without patient authorization should be exempt from the proposed research provisions provided that protected health information was not disclosed in the final analysis, report, or publication. Response: We agree with commenters that at times it may be difficult to distinguish projects that are health operations and projects that are research. We note that this ambiguity exists today, and disagree that we can address this issue with more precise definitions of research and health care operations. Today, the issue is largely one of intent. Under the Common Rule, the ethical and regulatory obligations of the researcher stem from the intent of the activity. We follow that approach here. If such a project is a systematic investigation that designed to develop or contribute to generalizable knowledge, it is considered to be ``research,'' not ``health care operations.'' In some instances, the primary purpose of the activity may change as preliminary results are analyzed. An activity that was initiated as an internal outcomes evaluation may produce information that could be generalized. If the purpose of a study changes and the covered entity does intend to generalize the results, the covered entity should document the fact as evidence that the activity was not subject to Sec. 164.512(i) of this rule. We understand that for research that is subject to the Common Rule, this is not the case. The Office for Human Research Protection interprets 45 CFR part 46 to require IRB review as soon as an activity meets the definition of research, regardless of whether the activity began as ``health care operations'' or ``public health,'' for example. The final rule does not affect the Office of Human Research Protection's interpretation of the Common Rule. We were not persuaded that an individual's privacy interest is of less concern when covered entities use protected health information for research purposes than when covered entities disclose protected health information for research purposes. We do not agree generally that internal activities of covered entities do not potentially compromise the privacy interests of individuals. Many persons within a covered entity may have access to protected health information. When the activity is a systematic investigation, the number of persons who may be involved in the records review and analysis may be substantial. We believe that IRB or privacy board approval of the waiver of authorization will provide important privacy protections to individuals about whom protected health information is used or disclosed for research. If a covered entity wishes to use protected health information about its enrollees for research purposes, documentation of an IRBs' or privacy board's assessment of the privacy impact of such a use is as important as if the same research study required the disclosure of protected health information. This conclusion is consistent with the Common Rule's requirement for IRB review of all human subjects research. Treatment Comment: Some commenters advocated for a narrow interpretation of [[Page 82626]] treatment that applies only to the individual who is the subject of the information. Other commenters asserted that treatment should be broadly defined when activities are conducted by health care providers to improve or maintain the health of the patient. A broad interpretation may raise concerns about potential misuse of information, but too limited an interpretation will limit beneficial activities and further contribute to problems in patient compliance and medical errors. Response: We find the commenters' arguments for a broad definition of treatment persuasive. Today, health care providers consult with one another, share information about their experience with particular therapies, seek advice about how to handle unique or challenging cases, and engage in a variety of other discussions that help them maintain and improve the quality of care they provide. Quality of care improves when providers exchange information about treatment successes and failures. These activities require sharing of protected health information. We do not intend this rule to interfere with these important activities. We therefore define treatment broadly and allow use and disclosure of protected health information about one individual for the treatment of another individual. Under this definition, only health care providers or a health care provider working with a third party can perform treatment activities. In this way, we temper the breadth of the definition by limiting the scope of information sharing. The various codes of professional ethics also help assure that information sharing among providers for treatment purposes will be appropriate. We note that poison control centers are health care providers for purposes of this rule. We consider the counseling and follow-up consultations provided by poison control centers with individual providers regarding patient outcomes to be treatment. Therefore, poison control centers and other health care providers can share protected health information about the treatment of an individual without a business associate contract. Comment: Many commenters suggested that ``treatment'' activities should include services provided to both a specific individual and larger patient populations and therefore urged that the definition of treatment specifically allow for such activities, sometimes referred to as ``disease management'' activities. Some argued that an analysis of an overall population is integral to determining which individuals would benefit from disease management services. Thus, an analysis of health care claims for enrolled populations enables proactive contact with those identified individuals to notify them of the availability of services. Certain commenters noted that ``disease management'' services provided to their patient populations, such as reminders about recommended tests based on nationally accepted clinical guidelines, are integral components of quality health care. Response: We do not agree that population based services should be considered treatment activities. The definition of ``treatment'' is closely linked to the Sec. 160.103 definition of ``health care,'' which describes care, services and procedures related to the health of an individual. The activities described by ``treatment,'' therefore, all involve health care providers supplying health care to a particular patient. While many activities beneficial to patients are offered to entire populations or involve examining health information about entire populations, treatment involves health services provided by a health care provider and tailored to the specific needs of an individual patient. Although a population-wide analysis or intervention may prompt a health care provider to offer specific treatment to an individual, we consider the population-based analyses to improve health care or reduce health care costs to be health care operations (see definition of ``health care operations,'' above). Comment: A number of commenters requested clarification about whether prescription drug compliance management programs would be considered ``treatment.'' One commenter urged HHS to clarify that provision by a pharmacy to a patient of customized prescription drug information about the risks, benefits, and conditions of use of a prescription drug being dispensed is considered a treatment activity. Others asked that the final rule expressly recognize that prescription drug advice provided by a dispensing pharmacist, such as a customized pharmacy letter, is within the scope of treatment. Response: The activities that are part of prescription drug compliance management programs were not fully described by these commenters, so we cannot state a general rule regarding whether such activities constitute treatment. We agree that pharmacists' provision of customized prescription drug information and advice about the prescription drug being dispensed is a treatment activity. Pharmacists' provisions of information and counseling about pharmaceuticals to their customers constitute treatment, and we exclude certain communications made in the treatment context from the definition of marketing. (See discussion above.) Comment: Some commenters noted the issues and recommendations raised in the Institutes of Medicine report ``To Err Is Human'' and the critical need to share information about adverse drug and other medical events, evaluation of the information, and its use to prevent future medical errors. They noted that privacy rules should not be so stringent as to prohibit the sharing of patient data needed to reduce errors and optimize health care outcomes. To bolster the notion that other programs associated with the practice of pharmacy must be considered as integral to the definition of health care and treatment, they reference OBRA '90 (42 U.S.C. 1396r-8) and the minimum required activities for dispensing drugs; they also note that virtually every state Board of Pharmacy adopted regulations imposing OBRA'90 requirements on pharmacies for all patients and not just Medicaid recipients. Response: We agree that reducing medical errors is critical, and do not believe that this regulation impairs efforts to reduce medical errors. We define treatment broadly and include quality assessment and improvement activities in the definition of health care operations. Covered pharmacies may conduct such activities, as well as treatment activities appropriate to improve quality and reduce errors. We believe that respect for the privacy rights of individuals and appropriate protection of the confidentiality of their health information are compatible with the goal of reducing medical errors. Comment: Some commenters urged us to clarify that health plans do not perform ``treatment'' activities; some of these were concerned that a different approach in this regulation could cause conflict with state corporate practice of medicine restrictions. Some commenters believed that the proposed definition of treatment crossed into the area of cost containment, which would seem to pertain more directly to payment. They supported a narrower definition that would eliminate any references to third party payors. One commenter argued that the permissible disclosure of protected health information to carry out treatment is too broad for health plans and that health plans that have no responsibility for treatment or care coordination should have no authority to release health information without authorization for treatment purposes. Response: We do not consider the activities of third party payors, including health plans, to be [[Page 82627]] ``treatment.'' Only health care providers, not health plans, conduct ``treatment'' for purposes of this rule. A health plan may, however, disclose protected health information without consent or authorization for treatment purposes if that disclosure is made to a provider. Health plans may have information the provider needs, for example information from other providers or information about the patient's treatment history, to develop an appropriate plan of care. Comment: We received many comments relating to ``disease management'' programs and whether activities described as disease management should be included in the definition of treatment. One group of commenters supported the proposed definition of treatment that includes disease management. One commenter offered the position that disease management services are more closely aligned with treatment because they involve the coordination of treatment whereas health care operations are more akin to financial and ministerial functions of plans. Some recommended that the definition of treatment be limited to direct treatment of individual patients and not allow for sharing of information for administrative or other programmatic reasons. They believed that allowing disclosures for disease management opens a loophole for certain uses and disclosures, such as marketing, that should only be permitted with authorization. Others recommended that the definition of disease management be restricted to prevent unauthorized use of individual health records to target individuals in a health plan or occupational health program. Many asked that the definition of disease management be clarified to identify those functions that, although some might consider them to be subsumed by the term, are not permitted under this regulation without authorization, such as marketing and disclosures of protected health information to employers. They suggested that disease management may describe desirable activities, but is subject to abuse and therefore should be restricted and controlled. One commenter recommends that we adopt a portion of the definition adopted by the Disease Management Association of America in October 1999. On the other hand, many comments urged that disease management be part of the ``treatment'' definition or the ``health care operations'' definition and asked that specific activities be included in a description of the term. They viewed disease management as important element of comprehensive health care services and cost management efforts. They recommended that the definition of disease management include services directed at an entire population and not just individual care, in order to identify individuals who would benefit from services based on accepted clinical guidelines. They recommended that disease management be included under health care operations and include population level services. A commenter asserted that limiting disease management programs to the definition of treatment ignores that these programs extend beyond providers, especially since NCQA accreditation standards strongly encourage plans and insurers to provide these services. Response: Disease management appeared to represent different activities to different commenters. Our review of the literature, industry materials, state and federal statutes,\6\ and discussions with physician groups, health plan groups and disease management associations confirm that a consensus definition from the field has not yet evolved, although efforts are underway. Therefore, rather than rely on this label, we delete ``disease management'' from the treatment definition and instead include the functions often discussed as disease management activities in this definition or in the definition of health care operations and modify both definitions to address the commenters' concerns. --------------------------------------------------------------------------- \6\ Definition of Disease Management, October 1999 (from web site of Disease Management Association of America (www.dmaa.org/ definition.html) accessed May 21, 2000. Other references used for our analysis include: Mary C. Gurnee, et al, Constructing Disease Management Programs, Managed Care, June 1997, accessed at http:// managedcaremag.com, 5/19/2000; Peter Wehrwein, Disease Management Gains a Degree of Respectability, Managed Care, August 1997, accessed at www.managedcaremag.com, 5/18/00; John M. Harris, Jr., disease management: New Wine in Old Bottles, 124 Annals of Internal Medicine 838 (1996); Robert S. Epstein and Louis M. Sherwood, From Outcomes research to disease management: A Guide for the Perplexed, 124 Annals of Internal Medicine 832 (1996); Anne Mason et al, disease management, the Pharmaceutical Industry and the NHS, Office of Health Economics (United Kingdom), accessed at www.ohe.org, 5/19/ 2000; Thomas Bodenheimer, Disease Management--Promises and Pitfalls, 340 New Eng. J. Med, April 15, 1999, accessed at www.nejm.org, 4/20/ 99; Bernard Lo and Ann Alpers, Uses and Abuses of Prescription Drug information in pharmacy benefits Management Programs, 283 JAMA 801 (2000); Robert F. DeBusk, Correspondence, Disease Management, and Regina E. Herzlinger, Correspondence, Disease Management, 341 New Eng. J. Med, Sept 2, 1999, accessed 9/2/99; Letter, John A. Gans, American Pharmaceutical Association, to Health Care Financing Administration, Reference HCFA-3002-P, April 12, 1999, accessed at www.aphanet.org, 1/18/2000; Ronald M. Davis, et al, Editorial, Advances in Managing Chronic Disease, 320 BMJ 525 (2000), accessed at www.bmj.com, 2/25/00; Thomas Bodenheimer, Education and Debate, disease management in the American Market, 320 BMJ 563 (2000), accessed at www.bmj.com, 2/25/2000; David J. Hunter, disease management: has it a future?, 320 BMJ 530 (2000), accessed www.bmj.com 2/25/2000; Trisha Greenhalgh, Commercial partnerships in chronic disease management: proceeding with caution, 320 BMJ 566 (2000); Edmund X. DeJesus, disease management in a Warehouse, Healthcare Informatics, September 1999, accessed at www.healthcare- informatics.com, 5/19/00; Regulation, 42 CFR 422.112, Medicare+Choice Program, subpart C, Benefits and Beneficiary Protections, sec. 422.112, Access to Services; and Arnold Chen, Best Practices in Coordinated Care, Submitted by Mathematica Policy Research, Inc., to Health Care Financing Administration, March 22, 2000. --------------------------------------------------------------------------- We add population-based activities to improve health care or reduce health care costs to the definition of health care operations. Outreach programs as described by the commenter may be considered either health care operations or treatment, depending on whether population-wide or patient-specific activities occur, and if patient-specific, whether the individualized communication with a patient occurs on behalf of health care provider or a health plan. For example, a call placed by a nurse in a doctor's office to a patient to discuss follow-up care is a treatment activity. The same activity performed by a nurse working for a health plan would be a health care operation. In both cases, the database analysis that created a list of patients that would benefit from the intervention would be a health care operation. Use or disclosure of protected health information to provide education materials to patients may similarly be either treatment or operations, depending on the circumstances and on who is sending the materials. We cannot say in the abstract whether any such activities constitute marketing under this rule. See Secs. 164.501 and 164.514 for details on what communications are marketing and when the authorization of the individual may be required. Comment: Many commenters were concerned that the definition of treatment would not permit Third Party Administrators (TPAs) to be involved with disease management programs without obtaining authorization. They asserted that while the proposed definition of treatment included disease management conducted by health care providers it did not recognize the role of employers and TPAs in the current disease management process. Response: Covered entities disclose protected health information to other persons, including TPAs, that they hire to perform services for them or on their behalf. If a covered entity hires a TPA to perform the disease management activities included in the rule's definitions of treatment and health care operations that disclosure will not [[Page 82628]] require authorization. The relationship between the covered entity and the TPA may be subject to the business associate requirements of Secs. 164.502 and 164.504. Disclosures by covered entities to plan sponsors, including employers, for the purpose of plan administration are addressed in Sec. 164.504. Comment: Commenters suggested that as disease management is defined only as an element of treatment, it could only be carried out by health care providers, and not health plans. They opposed this approach because health plans also conduct such programs, and are indeed required to do it by accreditation standards and HCFA Managed Care Organization standards. Response: We agree that the placement of disease management in the proposed definition of treatment suggested that health plans could not conduct such programs. We revise the final rule to clarify that health plans may conduct population based care management programs as a health care operation activity. Comment: Some commenters stated that the rule should require that disease management only be done with the approval of the treating physician or at least with the knowledge of the physician. Response: We disagree with this comment because we do not believe that this privacy rule is an appropriate venue for setting policies regarding the management of health care costs or treatment. Comment: Some industry groups stated that if an activity involves selling products, it is not disease management. They asked for a definition that differentiates use of information for the best interests of patient from uses undertaken for ``ulterior purposes'' such as advertising, marketing, or promoting separate products. Response: We eliminate the definition of ``disease management'' from the rule. Often however, treatment decisions involve discussing the relevant advantages and disadvantages of products and services. Health plans, as part of payment and operations, sometimes communicate with individuals about particular products and services. We address these disti