2013 01073


Vol. 78, No. 17, Friday, January 25, 2013

Part II

Department of Health and Human Services
Office of the Secretary

45 CFR Parts 160 and 164

Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule

5566 Federal Register / Vol. 78, No. 17 / Friday, January 25, 2013 / Rules and Regulations

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Office of the Secretary

45 CFR Parts 160 and 164

RIN 0945–AA03

Modifications to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules

AGENCY: Office for Civil Rights, Department of Health and Human Services.

ACTION: Final rule.

SUMMARY: The Department of Health and Human Services (HHS or "the Department") is issuing this final rule to: Modify the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Enforcement Rules to implement statutory amendments under the Health Information Technology for Economic and Clinical Health Act ("the HITECH Act" or "the Act") to strengthen the privacy and security protection for individuals' health information; modify the rule for Breach Notification for Unsecured Protected Health Information (Breach Notification Rule) under the HITECH Act to address public comment received on the interim final rule; modify the HIPAA Privacy Rule to strengthen the privacy protections for genetic information by implementing section 105 of Title I of the Genetic Information Nondiscrimination Act of 2008 (GINA); and make certain other modifications to the HIPAA Privacy, Security, Breach Notification, and Enforcement Rules (the HIPAA Rules) to improve their workability and effectiveness and to increase flexibility for and decrease burden on the regulated entities.

DATES: Effective date: This final rule is effective on March 26, 2013.

Compliance date: Covered entities and business associates must comply with the applicable requirements of this final rule by September 23, 2013.

FOR FURTHER INFORMATION CONTACT: Andra Wicks 202–205–2292.

SUPPLEMENTARY INFORMATION:

I. Executive Summary and Background

A. Executive Summary

i. Purpose of the Regulatory Action

Need for the Regulatory Action

This final rule is needed to strengthen the privacy and security protections established under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) for individuals' health information maintained in electronic health records and other formats. This final rule also makes changes to the HIPAA rules that are designed to increase flexibility for and decrease burden on the regulated entities, as well as to harmonize certain requirements with those under the Department's Human Subjects Protections regulations. These changes are consistent with, and arise in part from, the Department's obligations under Executive Order 13563 to conduct a retrospective review of our existing regulations for the purpose of identifying ways to reduce costs and increase flexibilities under the HIPAA Rules. We discuss our specific burden reduction efforts more fully in the Regulatory Impact Analysis. This final rule is comprised of four final rules, which have been combined to reduce the impact and number of times certain compliance activities need to be undertaken by the regulated entities.

Legal Authority for the Regulatory Action

The final rule implements changes to the HIPAA Rules under a number of authorities. First, the final rule modifies the Privacy, Security, and Enforcement Rules to strengthen privacy and security protections for health information and to improve enforcement as provided for by the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009 (ARRA). The rule also includes final modifications to the Breach Notification Rule, which will replace an interim final rule originally published in 2009 as required by the HITECH Act. Second, the final rule revises the HIPAA Privacy Rule to increase privacy protections for genetic information as required by the Genetic Information Nondiscrimination Act of 2008 (GINA). Finally, the Department uses its general authority under HIPAA to make a number of changes to the Rules that are intended to increase workability and flexibility, decrease burden, and better harmonize the requirements with those under other Departmental regulations.

ii. Summary of Major Provisions

This omnibus final rule is comprised of the following four final rules:

1. Final modifications to the HIPAA Privacy, Security, and Enforcement Rules mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act, and certain other modifications to improve the Rules, which were issued as a proposed rule on July 14, 2010. These modifications:

• Make business associates of covered entities directly liable for compliance with certain of the HIPAA Privacy and Security Rules' requirements.
• Strengthen the limitations on the use and disclosure of protected health information for marketing and fundraising purposes, and prohibit the sale of protected health information without individual authorization.
• Expand individuals' rights to receive electronic copies of their health information and to restrict disclosures to a health plan concerning treatment for which the individual has paid out of pocket in full.
• Require modifications to, and redistribution of, a covered entity's notice of privacy practices.
• Modify the individual authorization and other requirements to facilitate research and disclosure of child immunization proof to schools, and to enable access to decedent information by family members or others.
• Adopt the additional HITECH Act enhancements to the Enforcement Rule not previously adopted in the October 30, 2009, interim final rule (referenced immediately below), such as the provisions addressing enforcement of noncompliance with the HIPAA Rules due to willful neglect.

2. Final rule adopting changes to the HIPAA Enforcement Rule to incorporate the increased and tiered civil money penalty structure provided by the HITECH Act, originally published as an interim final rule on October 30, 2009.

3. Final rule on Breach Notification for Unsecured Protected Health Information under the HITECH Act, which replaces the breach notification rule's "harm" threshold with a more objective standard and supplants an interim final rule published on August 24, 2009.

4. Final rule modifying the HIPAA Privacy Rule as required by the Genetic Information Nondiscrimination Act (GINA) to prohibit most health plans from using or disclosing genetic information for underwriting purposes, which was published as a proposed rule on October 7, 2009.

iii. Costs and Benefits

This final rule is anticipated to have an annual effect on the economy of $100 million or more, making it an economically significant rule under Executive Order 12866. Accordingly, we have prepared a Regulatory Impact Analysis that presents the estimated costs and benefits of the proposed rule. The total cost of compliance with the rule's provisions is estimated to be between $114 million and $225.4 million in the first year of implementation and approximately $14.5 million annually thereafter. Costs associated with the rule include: (i) Costs to HIPAA covered entities of revising and distributing new notices of privacy practices to inform individuals of their rights and how their information is protected; (ii) costs to covered entities related to compliance with breach notification requirements; (iii) costs to a portion of business associates to bring their subcontracts into compliance with business associate agreement requirements; and (iv) costs to a portion of business associates to achieve full compliance with the Security Rule. We summarize these costs in Table 1 below and explain the components and distribution of costs in detail in the Regulatory Impact Analysis.

We are not able to quantify the benefits of the rule due to lack of data and the impossibility of monetizing the value of individuals' privacy and dignity, which we believe will be enhanced by the strengthened privacy and security protections, expanded individual rights, and improved enforcement enabled by the rule. We also believe that some entities affected by the rule will realize cost savings as a result of provisions that simplify and streamline certain requirements, and increase flexibility, under the HIPAA Rules. However, we are unable to quantify such cost savings due to a lack of data. We describe such benefits in the Regulatory Impact Analysis.

Table 1—Estimated Costs of the Final Rule

Cost element | Approximate number of affected entities | Total cost
Notices of Privacy Practices | 700,000 covered entities | $55.9 million
Breach Notification Requirements | 19,000 covered entities | 14.5 million (1)
Business Associate Agreements | 250,000–500,000 business associates of covered entities | 21 million–42 million
Security Rule Compliance by Business Associates | 200,000–400,000 business associates of covered entities | 22.6 million–113 million
Total | | 114 million–225.4 million

(1) The costs associated with breach notification will be incurred on an annual basis. All other costs are expected in the first year of implementation.

B. Statutory and Regulatory Background

i. HIPAA and the Privacy, Security, and Enforcement Rules

The HIPAA Privacy, Security, and Enforcement Rules implement certain of the Administrative Simplification provisions of title II, subtitle F, of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Pub. L. 104–191), which added a new part C to title XI of the Social Security Act (sections 1171–1179 of the Social Security Act, 42 U.S.C. 1320d–1320d–8). The HIPAA Administrative Simplification provisions provided for the establishment of national standards for the electronic transmission of certain health information, such as standards for certain health care transactions conducted electronically and code sets and unique identifiers for health care providers and employers. The HIPAA Administrative Simplification provisions also required the establishment of national standards to protect the privacy and security of personal health information and established civil money penalties for violations of the Administrative Simplification provisions. The Administrative Simplification provisions of HIPAA apply to three types of entities, which are known as "covered entities": health care providers who conduct covered health care transactions electronically, health plans, and health care clearinghouses.

The HIPAA Privacy Rule, 45 CFR Part 160 and Subparts A and E of Part 164, requires covered entities to have safeguards in place to ensure the privacy of protected health information, sets forth the circumstances under which covered entities may use or disclose an individual's protected health information, and gives individuals rights with respect to their protected health information, including rights to examine and obtain a copy of their health records and to request corrections. Covered entities that engage business associates to work on their behalf must have contracts or other arrangements in place with their business associates to ensure that the business associates safeguard protected health information, and use and disclose the information only as permitted or required by the Privacy Rule.

The HIPAA Security Rule, 45 CFR Part 160 and Subparts A and C of Part 164, applies only to protected health information in electronic form and requires covered entities to implement certain administrative, physical, and technical safeguards to protect this electronic information. Like the Privacy Rule, covered entities must have contracts or other arrangements in place with their business associates that provide satisfactory assurances that the business associates will appropriately safeguard the electronic protected health information they create, receive, maintain, or transmit on behalf of the covered entities.

The HIPAA Enforcement Rule, 45 CFR Part 160, Subparts C–E, establishes rules governing the compliance responsibilities of covered entities with respect to the enforcement process, including the rules governing investigations by the Department, rules governing the process and grounds for establishing the amount of a civil money penalty where a violation of a HIPAA Rule has been found, and rules governing the procedures for hearings and appeals where the covered entity challenges a violation determination.

Since the promulgation of the HIPAA Rules, legislation has been enacted requiring modifications to the Rules. In particular, the Health Information Technology for Economic and Clinical Health (HITECH) Act, which was enacted on February 17, 2009, as title XIII of division A and title IV of division B of the American Recovery and Reinvestment Act of 2009 (ARRA), Public Law 111–5, modifies certain provisions of the Social Security Act pertaining to the HIPAA Rules, as well as requires certain modifications to the Rules themselves, to strengthen HIPAA privacy, security, and enforcement. The

Act also provides new requirements for notification of breaches of unsecured protected health information by covered entities and business associates. In addition, the Genetic Information Nondiscrimination Act of 2008 (GINA) calls for changes to the HIPAA Privacy Rule to strengthen privacy protections for genetic information. This final rule implements the modifications required by GINA, as well as most of the privacy, security, and enforcement provisions of the HITECH Act. This final rule also includes certain other modifications to the HIPAA Rules to improve their workability and effectiveness.

ii. The Health Information Technology for Economic and Clinical Health Act

The HITECH Act is designed to promote the widespread adoption and interoperability of health information technology. Subtitle D of title XIII, entitled "Privacy," supports this goal by adopting amendments designed to strengthen the privacy and security protections for health information established by HIPAA. These provisions include extending the applicability of certain of the Privacy and Security Rules' requirements to the business associates of covered entities; requiring that Health Information Exchange Organizations and similar organizations, as well as personal health record vendors that provide services to covered entities, shall be treated as business associates; requiring HIPAA covered entities and business associates to provide for notification of breaches of "unsecured protected health information"; establishing new limitations on the use and disclosure of protected health information for marketing and fundraising purposes; prohibiting the sale of protected health information; and expanding individuals' rights to access their protected health information, and to obtain restrictions on certain disclosures of protected health information to health plans. In addition, subtitle D adopts provisions designed to strengthen and expand HIPAA's enforcement provisions.

We discuss these statutory provisions in more detail below where we describe section-by-section how this final rule implements the provisions. We do not address in this rulemaking the accounting for disclosures requirement in section 13405 of the Act, which is the subject of a separate proposed rule published on May 31, 2011, at 76 FR 31426, or the penalty distribution methodology requirement in section 13410(c) of the Act, which will be the subject of a future rulemaking.

Since enactment of the HITECH Act a number of steps have been taken to implement the strengthened privacy, security, and enforcement provisions through rulemakings and related actions. On August 24, 2009, the Department published interim final regulations to implement the breach notification provisions at section 13402 of the HITECH Act (74 FR 42740), which were effective September 23, 2009. Similarly, the Federal Trade Commission (FTC) published final regulations implementing the breach notification provisions at section 13407 for personal health record vendors and their third party service providers on August 25, 2009 (74 FR 42962), effective September 24, 2009. For purposes of determining to what information the HHS and FTC breach notification regulations apply, the Department also issued, first on April 17, 2009 (published on April 27, 2009, 74 FR 19006), and then later with its interim final rule, the guidance required by the HITECH Act under 13402(h) specifying the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals. Additionally, to conform the provisions of the Enforcement Rule to the HITECH Act's tiered and increased civil money penalty structure, which became effective on February 18, 2009, the Department published an interim final rule on October 30, 2009 (74 FR 56123), effective November 30, 2009.

The Department published a notice of proposed rulemaking (NPRM) on July 14, 2010, (75 FR 40868) to implement many of the remaining privacy, security, and enforcement provisions of the HITECH Act. The public was invited to comment on the proposed rule for 60 days following publication. The comment period closed on September 13, 2010. The Department received about 300 comments on the NPRM.

The NPRM proposed to extend the applicability of certain of the Privacy and Security Rules' requirements to the business associates of covered entities, making business associates directly liable for violations of these requirements. Additionally, the NPRM proposed to define a subcontractor as a business associate to ensure any protected health information the subcontractor creates or receives on behalf of the business associate is appropriately safeguarded. The NPRM proposed to establish new limitations on the use and disclosure of protected health information for marketing and fundraising purposes and to prohibit the sale of protected health information without an authorization. The NPRM also proposed to expand an individual's right to obtain an electronic copy of an individual's protected health information, and the right to restrict certain disclosures of protected health information to a health plan for payment or health care operations purposes. In addition, the NPRM proposed to further modify the Enforcement Rule to implement more of the HITECH Act's changes to HIPAA enforcement.

In addition to the proposed modifications to implement the HITECH Act, the NPRM also proposed certain other modifications to the HIPAA Rules. The NPRM proposed to permit the use of compound authorizations for conditioned and unconditioned research activities and requested comment regarding permitting authorizations for future research. Additionally, the NPRM proposed to modify the Privacy Rule's application to the individually identifiable health information of decedents and to permit covered entities that obtain the agreement of a parent to provide proof of immunization without written authorization to schools that are required to have such information.

iii. The Genetic Information Nondiscrimination Act

The Genetic Information Nondiscrimination Act of 2008 ("GINA"), Pub. L. 110–233, 122 Stat. 881, prohibits discrimination based on an individual's genetic information in both the health coverage (Title I) and employment (Title II) contexts. In addition to the nondiscrimination provisions, section 105 of Title I of GINA contains new privacy protections for genetic information, which require the Secretary of HHS to revise the Privacy Rule to clarify that genetic information is health information and to prohibit group health plans, health insurance issuers (including HMOs), and issuers of Medicare supplemental policies from using or disclosing genetic information for underwriting purposes.

On October 7, 2009, the Department published a proposed rule to strengthen the privacy protections for genetic information under the HIPAA Privacy Rule by implementing the protections for genetic information required by GINA and making related changes to the Rule. The 60-day public comment period for the proposed rule closed on December 7, 2009. The Department received about 25 comments on the proposed rule.

II. Overview of the Final Rule

In this final rule the Department finalizes the modifications to the HIPAA Privacy, Security, and Enforcement Rules to implement many of the

privacy, security, and enforcement provisions of the HITECH Act and make other changes to the Rules; modifies the Breach Notification Rule; finalizes the modifications to the HIPAA Privacy Rule to strengthen privacy protections for genetic information; and responds to the public comments received on the proposed and interim final rules. Section III below describes the effective and compliance dates of the final rule. Section IV describes the changes to the HIPAA Privacy, Security, and Enforcement Rules under the HITECH Act and other modifications that were proposed in July 2010, as well as the modifications to the Enforcement Rule under the HITECH Act that were addressed in the interim final rule published in October 2009. Section V describes the changes to the Breach Notification Rule. Section VI discusses the changes to the HIPAA Privacy Rule to strengthen privacy protections for genetic information.

III. Effective and Compliance Dates

With respect to the HITECH Act requirements, section 13423 of the Act provides that the provisions in subtitle D took effect one year after enactment, i.e., on February 18, 2010, except as specified otherwise. However, there are a number of exceptions to this general rule. For example, the tiered and increased civil money penalty provisions of section 13410(d) were effective for violations occurring after the date of enactment, and sections 13402 and 13407 of the Act regarding breach notification required interim final rules within 180 days of enactment, with effective dates 30 days after the publication of such rules. Other provisions of the Act have later effective dates. For example, the provision at section 13410(a)(1) of the Act providing that the Secretary's authority to impose a civil money penalty will only be barred to the extent a criminal penalty has been imposed, rather than in cases in which the offense in question merely constitutes an offense that is criminally punishable, became effective for violations occurring on or after February 18, 2011. The discussion below generally pertains to the statutory provisions that became effective on February 18, 2010, or, in a few cases, on a later date.

Proposed Rule

We proposed that covered entities and business associates would have 180 days beyond the effective date of the final rule to come into compliance with most of the rule's provisions. We believed that a 180-day compliance period would suffice for future modifications to the HIPAA Rules, and we proposed to add a provision at § 160.105 to address the compliance date generally for implementation of new or modified standards in the HIPAA Rules. We proposed that § 160.105 would provide that with respect to new standards or implementation specifications or modifications to standards or implementation specifications in the HIPAA Rules, except as otherwise provided, covered entities and business associates would be required to comply with the applicable new or modified standards or implementation specifications no later than 180 days from the effective date of any such change. For future modifications to the HIPAA Rules necessitating a longer compliance period, we would specify a longer period in the regulatory text. Finally, we proposed to retain the compliance date provisions at §§ 164.534 and 164.318, which provide the compliance dates of April 14, 2003, and April 20, 2005, for initial implementation of the HIPAA Privacy and Security Rules, respectively, for historical purposes only.

Overview of Public Comments

Most of the comments addressing the proposed compliance periods as outlined above fell into three categories. First, several commenters supported the proposed compliance timelines and agreed that 180 days is sufficient time for covered entities, business associates, and subcontractors of all sizes to come into compliance with the final rule. Second, a few commenters supported the proposed 180-day compliance period, but expressed concern that the Department may wish to extend the 180-day compliance period in the future, if it issues modifications or new provisions that require a longer compliance period. Third, several commenters requested that the Department extend the 180-day compliance period both with regard to the modifications contained in this final rule and with regard to the more general proposed compliance deadline, as they believe 180 days is an insufficient amount of time for covered entities, business associates, and subcontractors to come into compliance with the modified rules, particularly with regard to changes in technology.

Final Rule

The final rule is effective on March 26, 2013. Covered entities and business associates of all sizes will have 180 days beyond the effective date of the final rule to come into compliance with most of the final rule's provisions, including the modifications to the Breach Notification Rule and the changes to the HIPAA Privacy Rule under GINA. We understand that some covered entities, business associates, and subcontractors remain concerned that a 180-day period does not provide sufficient time to come into compliance with the modifications. However, we believe not only that providing a 180-day compliance period best comports with section 1175(b)(2) of the Social Security Act, 42 U.S.C. 1320d–4, and our implementing provision at § 160.104(c)(1), which require the Secretary to provide at least a 180-day period for covered entities to comply with modifications to standards and implementation specifications in the HIPAA Rules, but also that providing a 180-day compliance period best protects the privacy and security of patient information, in accordance with the goals of the HITECH Act.

In addition, to make clear to the industry our expectation that going forward we will provide a 180-day compliance date for future modifications to the HIPAA Rules, we adopt the provision we proposed at § 160.105, which provides that with respect to new or modified standards or implementation specifications in the HIPAA Rules, except as otherwise provided, covered entities and business associates must comply with the applicable new or modified standards or implementation specifications no later than 180 days from the effective date of any such change. In cases where a future modification necessitates a longer compliance period, the Department will expressly provide for one, as it has done in this rulemaking with respect to the time permitted for business associate agreements to be modified.

For the reasons proposed, the final rule also retains the compliance date provisions at §§ 164.534 and 164.318, which provide the compliance dates of April 14, 2003, and April 20, 2005, for initial implementation of the HIPAA Privacy and Security Rules, respectively. We note that § 160.105 regarding the compliance date of new or modified standards or implementation specifications does not apply to modifications to the provisions of the HIPAA Enforcement Rule, because such provisions are not standards or implementation specifications (as the terms are defined at § 160.103). Such provisions are in effect and apply at the time the final rule becomes effective or as otherwise specifically provided. In addition, as explained above, our general rule for a 180-day compliance period for new or modified standards would not apply where we expressly provide a different compliance period in

the regulation for one or more provisions. For purposes of this rule, the 180-day compliance period would not govern the time period required to modify those business associate agreements that qualify for the longer transition period in § 164.532, as we discuss further below.

Finally, the provisions of section 13402(j) of the HITECH Act apply to breaches of unsecured protected health information discovered on or after September 23, 2009, the date of the publication of the interim final rule. Thus, during the 180 day period before compliance with this final rule is required, covered entities and business associates are still required to comply with the breach notification requirements under the HITECH Act and must continue to comply with the requirements of the interim final rule. We believe that this transition period provides covered entities and business associates with adequate time to come into compliance with the revisions in this final rule and at the same time to continue to fulfill their breach notification obligations under the HITECH Act.

IV. Modifications to the HIPAA Privacy, Security, and Enforcement Rules Under the HITECH Act; Other Modifications to the HIPAA Rules

The discussion below provides a section-by-section description of the final rule, as well as responds to public comments where substantive comments were received regarding particular provisions.

A. Subparts A and B of Part 160: Statutory Basis and Purpose, Applicability, Definitions, and Preemption of State Law

Subpart A of Part 160 of the HIPAA Rules contains general provisions that apply to all of the HIPAA Rules. Subpart B of Part 160 contains the regulatory provisions implementing HIPAA's preemption provisions. We proposed to amend a number of these provisions. Some of the proposed, and now final, changes are necessitated by the statutory changes made by the HITECH Act and GINA, while others are of a technical or conforming nature.

1. Subpart A—General Provisions, Section 160.101—Statutory Basis and Purpose

This section sets out the statutory basis and purpose of the HIPAA Rules. We proposed and include in this final rule a technical change to include references to the provisions of GINA and the HITECH Act upon which most of the regulatory changes below are based.

2. Subpart A—General Provisions, Section 160.102—Applicability

This section sets out to whom the HIPAA Rules apply. We proposed to add and include in this final rule a new paragraph (b) to make clear, consistent with the HITECH Act, that certain of the standards, requirements, and implementation specifications of the subchapter apply to business associates.

3. Subpart A—General Provisions, Section 160.103—Definitions

Section 160.103 contains definitions of terms that appear throughout the HIPAA Rules. The final rule modifies a number of these definitions to implement the HITECH Act and make other needed changes.

a. Definition of "Business Associate"

The HIPAA Privacy and Security Rules permit a covered entity to disclose protected health information to a business associate, and allow a business associate to create, receive, maintain, or transmit protected health information on its behalf, provided the covered entity obtains satisfactory assurances in the form of a contract or other arrangement that the business associate will appropriately safeguard the information. The HIPAA Rules define "business associate" generally to mean a person who performs functions or activities on behalf of, or certain services for, a covered entity that involve the use or disclosure of protected health information. We proposed a number of modifications to the definition of "business associate" to implement the HITECH Act, to conform the term to the statutory provisions of the Patient Safety and Quality Improvement Act of 2005 (PSQIA), 42 U.S.C. 299b–21, et seq., and to make other changes to the definition.

i. Inclusion of Patient Safety Organizations

Proposed Rule

We proposed to add patient safety activities to the list of functions and activities a person may undertake on behalf of a covered entity that give rise to a business associate relationship. PSQIA, at 42 U.S.C. 299b–22(i)(1), provides that Patient Safety Organizations (PSOs) must be treated as business associates when applying the Privacy Rule. PSQIA provides for the establishment of PSOs to receive reports of patient safety events or concerns from providers and provide analyses of events to reporting providers. A reporting provider may be a HIPAA covered entity and, thus, information reported to a PSO may include protected health information that the PSO may analyze on behalf of the covered provider. The analysis of such information is a patient safety activity for purposes of PSQIA and the Patient Safety Rule, 42 CFR 3.10, et seq. While the HIPAA Rules as written would treat a PSO as a business associate when the PSO was performing quality analyses and other activities on behalf of a covered health care provider, we proposed this change to the definition of "business associate" to more clearly align the HIPAA and Patient Safety Rules.

Overview of Public Comment

Commenters on this topic supported the express inclusion of patient safety activities within the definition of "business associate."

Final Rule

The final rule adopts the proposed modification.

ii. Inclusion of Health Information Organizations (HIO), E-Prescribing Gateways, and Other Persons That Facilitate Data Transmission; as Well as Vendors of Personal Health Records

Proposed Rule

Section 13408 of the HITECH Act provides that an organization, such as a Health Information Exchange Organization, E-prescribing Gateway, or Regional Health Information Organization, that provides data transmission of protected health information to a covered entity (or its business associate) and that requires access on a routine basis to such protected health information must be treated as a business associate for purposes of the Act and the HIPAA Privacy and Security Rules. Section 13408 also provides that a vendor that contracts with a covered entity to allow the covered entity to offer a personal health record to patients as part of the covered entity's electronic health record shall be treated as a business associate. Section 13408 requires that such organizations and vendors enter into a written business associate contract or other arrangement with the covered entity in accordance with the HIPAA Rules.

In accordance with the Act, we proposed to modify the definition of "business associate" to explicitly designate these persons as business associates. Specifically, we proposed to include in the definition: (1) A Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect

to protected health information to a covered entity and that requires routine access to such protected health information; and (2) a person who offers a personal health record to one or more individuals on behalf of a covered entity. We proposed to refer to ‘‘Health Information Organization’’ in the NPRM rather than ‘‘Health Information Exchange Organization’’ as used in the Act because it is our understanding that ‘‘Health Information Organization’’ is the more widely recognized and accepted term to describe an organization that oversees and governs the exchange of health-related information among organizations.² The Act also specifically refers to Regional Health Information Organizations; however, we did not believe the inclusion of the term in the definition of ‘‘business associate’’ was necessary as a Regional Health Information Organization is simply a Health Information Organization that governs health information exchange among organizations within a defined geographic area.³ Further, the specific terms of ‘‘Health Information Organization’’ and ‘‘E-prescribing Gateway’’ were included as merely illustrative of the types of organizations that would fall within this paragraph of the definition of ‘‘business associate.’’ We requested comment on the use of these terms within the definition and whether additional clarifications or additions were necessary.

² Department of Health and Human Services Office of the National Coordinator for Health Information Technology, The National Alliance for Health Information Technology Report to the Office of the National Coordinator for Health Information Technology: Defining Key Health Information Terms, Pg. 24 (2008).
³ Id. at 25.

Section 13408 also provides that the data transmission organizations that the Act requires to be treated as business associates are those that require access to protected health information on a routine basis. Conversely, data transmission organizations that do not require access to protected health information on a routine basis would not be treated as business associates. This is consistent with our prior interpretation of the definition of ‘‘business associate,’’ through which we have stated that entities that act as mere conduits for the transport of protected health information but do not access the information other than on a random or infrequent basis are not business associates. See http://www.hhs.gov/ocr/privacy/hipaa/faq/providers/business/245.html. In contrast, entities that manage the exchange of protected health information through a network, including providing record locator services and performing various oversight and governance functions for electronic health information exchange, have more than ‘‘random’’ access to protected health information and thus, would fall within the definition of ‘‘business associate.’’

Overview of Public Comments

Commenters generally supported the inclusion of Health Information Organizations, personal health record vendors, and similar entities in the definition of ‘‘business associate.’’ However, commenters sought various clarifications as discussed below.

Commenters generally supported use of the term Health Information Organization in lieu of more restrictive terms, such as Regional Health Information Organization. Some commenters suggested that the term Health Information Organization be defined, so as to avoid confusion as the industry develops, and suggested various alternatives for doing so. Several commenters recommended that the Office for Civil Rights (OCR) maintain a Web site link that lists current terms for entities that OCR considers to be Health Information Organizations.

Other commenters requested clarification on what it means to have ‘‘access on a routine basis’’ to protected health information for purposes of the definition and determining whether certain entities are excluded as mere conduits. For example, commenters asked whether the definition of business associate would include broadband suppliers or internet service providers, vendors that only have the potential to come into contact with protected health information, or entities contracted on a contingency basis that may at some point in the future have access to protected health information. Several document storage companies argued that entities like theirs should be characterized as conduits, as they do not view the protected health information they store.

Several commenters sought clarification regarding when personal health record vendors would be considered business associates. For example, commenters asked whether personal health record vendors would be business associates when the vendor provided the personal health record in collaboration with the covered entity, when the personal health record is linked to a covered entity’s electronic health record, or when the personal health record is offered independently to the individual, among other scenarios. One commenter suggested that a vendor offering a personal health record to a patient on behalf of a covered entity only acts as a conduit because there is no access by the vendor to protected health information; another commenter suggested that personal health record vendors be business associates only when they have routine access to protected health information.

Final Rule

The final rule adopts the language that expressly designates as business associates: (1) A Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires routine access to such protected health information; and (2) a person who offers a personal health record to one or more individuals on behalf of a covered entity.

We decline to provide a definition for Health Information Organization. We recognize that the industry continues to develop and thus the type of entities that may be considered Health Information Organizations continues to evolve. For this reason, we do not think it prudent to include in the regulation a specific definition at this time. We anticipate continuing to issue guidance in the future on our web site on the types of entities that do and do not fall within the definition of business associate, which can be updated as the industry evolves.

Regarding what it means to have ‘‘access on a routine basis’’ to protected health information with respect to determining which types of data transmission services are business associates versus mere conduits, such a determination will be fact specific based on the nature of the services provided and the extent to which the entity needs access to protected health information to perform the service for the covered entity. The conduit exception is a narrow one and is intended to exclude only those entities providing mere courier services, such as the U.S. Postal Service or United Parcel Service and their electronic equivalents, such as internet service providers (ISPs) providing mere data transmission services. As we have stated in prior guidance, a conduit transports information but does not access it other than on a random or infrequent basis as necessary to perform the transportation service or as required by other law. For example, a telecommunications company may have occasional, random access to protected health information when it reviews whether the data transmitted over its network is arriving
at its intended destination. Such occasional, random access to protected health information would not qualify the company as a business associate. In contrast, an entity that requires access to protected health information in order to perform a service for a covered entity, such as a Health Information Organization that manages the exchange of protected health information through a network on behalf of covered entities through the use of record locator services for its participants (and other services), is not considered a conduit and, thus, is not excluded from the definition of business associate. We intend to issue further guidance in this area as electronic health information exchange continues to evolve.

We note that the conduit exception is limited to transmission services (whether digital or hard copy), including any temporary storage of transmitted data incident to such transmission. In contrast, an entity that maintains protected health information on behalf of a covered entity is a business associate and not a conduit, even if the entity does not actually view the protected health information. We recognize that in both situations, the entity providing the service to the covered entity has the opportunity to access the protected health information. However, the difference between the two situations is the transient versus persistent nature of that opportunity. For example, a data storage company that has access to protected health information (whether digital or hard copy) qualifies as a business associate, even if the entity does not view the information or only does so on a random or infrequent basis. Thus, document storage companies maintaining protected health information on behalf of covered entities are considered business associates, regardless of whether they actually view the information they hold. To help clarify this point, we have modified the definition of ‘‘business associate’’ to generally provide that a business associate includes a person who ‘‘creates, receives, maintains, or transmits’’ (emphasis added) protected health information on behalf of a covered entity.

Several commenters sought clarification on when a personal health record vendor would be providing a personal health record ‘‘on behalf of’’ a covered entity and thus, would be a business associate for purposes of the HIPAA Rules. As with data transmission services, determining whether a personal health record vendor is a business associate is a fact specific determination. A personal health record vendor is not a business associate of a covered entity solely by virtue of entering into an interoperability relationship with a covered entity. For example, when a personal health record vendor and a covered entity establish the electronic means for a covered entity’s electronic health record to send protected health information to the personal health record vendor pursuant to the individual’s written authorization, it does not mean that the personal health record vendor is offering the personal health record on behalf of the covered entity, even if there is an agreement between the personal health record vendor and the covered entity governing the exchange of data (such as an agreement specifying the technical specifications for exchanging of data or specifying that such data shall be kept confidential). In contrast, when a covered entity hires a vendor to provide and manage a personal health record service the covered entity wishes to offer its patients or enrollees, and provides the vendor with access to protected health information in order to do so, the personal health record vendor is a business associate.

A personal health record vendor may offer personal health records directly to individuals and may also offer personal health records on behalf of covered entities. In such cases, the personal health record vendor is only subject to HIPAA as a business associate with respect to personal health records that are offered to individuals on behalf of covered entities.

We also clarify that, contrary to one commenter’s suggestion, a personal health record vendor that offers a personal health record to a patient on behalf of a covered entity does not act merely as a conduit. Rather, the personal health record vendor is maintaining protected health information on behalf of the covered entity (for the benefit of the individual). Further, a personal health record vendor that operates a personal health record on behalf of a covered entity is a business associate if it has access to protected health information, regardless of whether the personal health record vendor actually exercises this access. We believe the revisions to the definition of ‘‘business associate’’ discussed above clarify these points. As with other aspects of the definition of ‘‘business associate,’’ we intend to provide future guidance on when a personal health record vendor is a business associate for purposes of the HIPAA Rules.

Response to Other Public Comments

Comment: One commenter recommended that the term ‘‘person’’ used in describing who provides transmission services to a covered entity be clarified to apply also to entities and organizations.

Response: The term ‘‘person’’ as defined at § 160.103 includes entities as well as natural persons.

Comment: One commenter asked whether subcontractors that support business associates with personal health record related functions are subject to the breach notification requirements under the HIPAA Breach Notification Rule or that of the FTC.

Response: As discussed below, a subcontractor that creates, receives, maintains, or transmits protected health information on behalf of a business associate, including with respect to personal health record functions, is a HIPAA business associate and thus, is subject to the HIPAA Breach Notification Rule and not that of the FTC. The analysis of whether a subcontractor is acting on behalf of a business associate is the same analysis as discussed above with respect to whether a business associate is acting on behalf of a covered entity.

iii. Inclusion of Subcontractors

Proposed Rule

We proposed in the definition of ‘‘business associate’’ to provide that subcontractors of a covered entity, i.e., those persons that perform functions for or provide services to a business associate other than in the capacity as a member of the business associate’s workforce, are also business associates to the extent that they require access to protected health information. We also proposed to define ‘‘subcontractor’’ in § 160.103 as a person who acts on behalf of a business associate, other than in the capacity of a member of the workforce of such business associate. Even though we used the term ‘‘subcontractor,’’ which implies there is a contract in place between the parties, the definition would apply to an agent or other person who acts on behalf of the business associate, even if the business associate has failed to enter into a business associate contract with the person. We requested comment on the use of the term ‘‘subcontractor’’ and its proposed definition. The intent of the proposed extension of the Rules to subcontractors was to avoid having privacy and security protections for protected health information lapse merely because a function is performed by an entity that is a subcontractor rather than an entity
with a direct relationship with a covered entity. Allowing such a lapse in privacy and security protections could allow business associates to avoid liability imposed upon them by sections 13401 and 13404 of the Act. Further, applying HIPAA privacy and security requirements directly to subcontractors also ensures that the privacy and security protections of the HIPAA Rules extend beyond covered entities to those entities that create or receive protected health information in order for the covered entity to perform its health care functions. Therefore, we proposed that downstream entities that work at the direction of or on behalf of a business associate and handle protected health information would also be required to comply with the applicable Privacy and Security Rule provisions in the same manner as the primary business associate, and likewise would incur liability for acts of noncompliance. This proposed modification would not require the covered entity to have a contract with the subcontractor; rather, the obligation would remain on each business associate to obtain satisfactory assurances in the form of a written contract or other arrangement that a subcontractor will appropriately safeguard protected health information. For example, if a business associate, such as a third party administrator, hires a company to handle document and media shredding to securely dispose of paper and electronic protected health information, then the shredding company would be directly required to comply with the applicable requirements of the HIPAA Security Rule (e.g., with respect to proper disposal of electronic media) and the Privacy Rule (e.g., with respect to limiting its uses and disclosures of the protected health information in accordance with its contract with the business associate).

Overview of Public Comments

While some commenters generally supported extending the business associate provisions of the Rules to subcontractors, many opposed such an extension arguing, among other things, that doing so was not the intent of Congress and beyond the statutory authority of the Department, that confusion may ensue with covered entities seeking to establish direct business associate contracts with subcontractors or prohibiting business associates from establishing subcontractor relationships altogether, and/or that creating direct liability for subcontractors will discourage such entities from operating and participating in the health care industry. Some commenters asked how far down the ‘‘chain’’ of subcontractors do the HIPAA Rules apply—i.e., do the Rules apply only to the first tier subcontractor or to all subcontractors down the chain.

In response to our request for comment on this issue, several commenters were concerned that use of the term subcontractor was confusing and instead suggested a different term be used, such as business associate contractor or downstream business associate, to avoid confusion between primary business associates of a covered entity and subcontractors. Other commenters suggested changes to the definition of subcontractor itself to better clarify the scope of the definition.

Several commenters requested specific guidance on who is and is not a subcontractor under the definitions of ‘‘business associate’’ and ‘‘subcontractor.’’ For example, one commenter asked whether an entity that shreds documents for a business associate for the business associate’s activities and not for the covered entity, would qualify as a subcontractor. Another commenter asked whether disclosures by a business associate of protected health information for its own management and administration or legal needs creates a subcontractor relationship. Other commenters recommended that subcontractors without routine access to protected health information, or who do not access protected health information at all for their duties, not be considered business associates.

Final Rule

The final rule adopts the proposal to apply the business associate provisions of the HIPAA Rules to subcontractors and thus, provides in the definition of ‘‘business associate’’ that a business associate includes a ‘‘subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.’’ In response to comments, we clarify the definition of ‘‘subcontractor’’ in § 160.103 to provide that subcontractor means: ‘‘a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate.’’ Thus, a subcontractor is a person to whom a business associate has delegated a function, activity, or service the business associate has agreed to perform for a covered entity or business associate. A subcontractor is then a business associate where that function, activity, or service involves the creation, receipt, maintenance, or transmission of protected health information. We also decline to replace the term ‘‘subcontractor’’ with another, as we were not persuaded by any of the alternatives suggested by commenters (e.g., ‘‘business associate contractor,’’ ‘‘downstream business associate,’’ or ‘‘downstream entity’’).

We disagree with the commenters that suggested that applying the business associate provisions of the HIPAA Rules to subcontractors is beyond the Department’s statutory authority. In the HITECH Act, Congress created direct liability under the HIPAA Privacy and Security Rules for persons that are not covered entities but that create or receive protected health information in order for a covered entity to perform its health care functions, to ensure individuals’ personal health information remains sufficiently protected in the hands of these entities. As stated in the NPRM, applying the business associate provisions only to those entities that have a direct relationship with a covered entity does not achieve that intended purpose. Rather, it allows privacy and security protections for protected health information to lapse once a subcontractor is enlisted to assist in performing a function, activity, or service for the covered entity, while at the same time potentially allowing certain primary business associates to avoid liability altogether for the protection of the information the covered entity has entrusted to the business associate. Further, section 13422 of the HITECH Act provides that each reference in the Privacy subtitle of the Act to a provision of the HIPAA Rules refers to such provision as in effect on the date of enactment of the Act or to the most recent update of such provision (emphasis added). Thus, the Act does not bar the Department from modifying definitions of terms in the HIPAA Rules to which the Act refers. Rather, the statute expressly contemplates that modifications to the terms may be necessary to carry out the provisions of the Act or for other purposes.

Further, we do not agree that covered entities will be confused and seek to establish direct business associate contracts with subcontractors or will prohibit business associates from engaging subcontractors to perform functions or services that require access to protected health information. The final rule makes clear that a covered entity is not required to enter into a contract or other arrangement with a business associate that is a subcontractor. See §§ 164.308(b)(1) and 164.502(e)(1)(i). In addition, as commenters did not present direct evidence to the contrary, we do not believe that covered entities will begin
prohibiting business associates from engaging subcontractors as a result of the final rule, in cases where they were not doing so before. Rather, we believe that making subcontractors directly liable for violations of the applicable provisions of the HIPAA Rules will help to alleviate concern on the part of covered entities that protected health information is not adequately protected when provided to subcontractors.

The Department also believes that the privacy and security protections for an individual’s personal health information and associated liability for noncompliance with the Rules should not lapse beyond any particular business associate that is a subcontractor. Thus, under the final rule, covered entities must ensure that they obtain satisfactory assurances required by the Rules from their business associates, and business associates must do the same with regard to subcontractors, and so on, no matter how far ‘‘down the chain’’ the information flows. This ensures that individuals’ health information remains protected by all parties that create, receive, maintain, or transmit the information in order for a covered entity to perform its health care functions. For example, a covered entity may contract with a business associate (contractor), the contractor may delegate to a subcontractor (subcontractor 1) one or more functions, services, or activities the business associate has agreed to perform for the covered entity that require access to protected health information, and the subcontractor may in turn delegate to another subcontractor (subcontractor 2) one or more functions, services, or activities it has agreed to perform for the contractor that require access to protected health information, and so on. Both the contractor and all of the subcontractors are business associates under the final rule to the extent they create, receive, maintain, or transmit protected health information.

With respect to requests for specific guidance on who is and is not a subcontractor, we believe the above changes to the definition provide further clarity. We also provide the following in response to specific comments. Disclosures by a business associate pursuant to § 164.504(e)(4) and its own business associate contract for management and administration or legal responsibilities do not create a business associate relationship with the recipient of the protected health information because such disclosures are made outside of the entity’s role as a business associate. However, for such disclosures that are not required by law, the Rule requires that the business associate obtain reasonable assurances from the person to whom the information is disclosed that it will be held confidentially and used or further disclosed only as required by law or for the purposes for which it was disclosed to the person and the person notifies the business associate of any instances of which it is aware that the confidentiality of the information has been breached. See § 164.504(e)(4)(ii)(B).

In contrast, disclosures of protected health information by the business associate to a person who will assist the business associate in performing a function, activity, or service for a covered entity or another business associate may create a business associate relationship depending on the circumstances. For example, an entity hired by a business associate to appropriately dispose of documents that contain protected health information is also a business associate and subject to the applicable provisions of the HIPAA Rules. If the documents to be shredded do not contain protected health information, then the entity is not a business associate. We also clarify that the same interpretations that apply to determining whether a first tier contractor is a business associate also apply to determining whether a subcontractor is a business associate. Thus, our interpretation of who is and is not excluded from the definition of business associate as a conduit also applies in the context of subcontractors as well. We refer readers to the above discussion regarding transmission services and conduits.

iv. Exceptions to Business Associate

Proposed Rule

Sections 164.308(b)(2) and 164.502(e)(1)(ii) of the HIPAA Rules currently describe certain circumstances, such as when a covered entity discloses protected health information to a health care provider concerning the treatment of an individual, in which a covered entity is not required to enter into a business associate contract or other arrangement with the recipient of the protected health information. We proposed to move these provisions to the definition of ‘‘business associate’’ itself as exceptions to make clear that the Department does not consider the recipients of the protected health information in these circumstances to be business associates. The movement of these exceptions also was intended to help clarify that a person or an entity is a business associate if the person or entity meets the definition of ‘‘business associate,’’ even if a covered entity, or business associate with respect to a subcontractor, fails to enter into the required business associate contract with the person or entity.

Final Rule

The Department did not receive substantive public comment on this proposal. The final rule includes the exceptions within the definition of ‘‘business associate.’’

v. Technical Changes to the Definition

Proposed Rule

For clarity and consistency, we also proposed to change the term ‘‘individually identifiable health information’’ in the current definition of ‘‘business associate’’ to ‘‘protected health information,’’ since a business associate has no obligation under the HIPAA Rules with respect to individually identifiable health information that is not protected health information.

Final Rule

The Department did not receive substantive public comment on this proposal. The final rule adopts the proposed modification to the definition. Additionally, as indicated above, we have revised the definition of business associate to clarify that a business associate includes an entity that ‘‘creates, receives, maintains, or transmits’’ protected health information on behalf of a covered entity. This change is intended to make the definition more consistent with language at § 164.308(b) of the Security Rule and § 164.502(e) of the Privacy Rule, as well as to clarify that entities that maintain or store protected health information on behalf of a covered entity are business associates, even if they do not actually view the protected health information.

vi. Response to Other Public Comments

Comment: One commenter suggested that some covered entities do not treat third party persons that handle protected health information onsite as a business associate.

Response: A covered entity may treat a contractor who has his or her duty station onsite at a covered entity and who has more than incidental access to protected health information as either a member of the covered entity’s workforce or as a business associate for purposes of the HIPAA Rules.

Comment: A few commenters asked for confirmation that researchers are not considered business associates. In addition, the Secretary’s Advisory

11 5575 Federal Register / Vol. 78, No. 17 / Friday, January 25, 2013 / Rules and Regulations That definition was subsequently financial institutions with respect to the Committee on Human Research revised and moved to § 160.103. The Protections, in its November 23, 2010, payment processing activities identified purpose of that revision was to clarify letter to the Secretary providing in § 1179 of the HIPAA statute, for that the physical movement of comments on the NPRM, asked the example, the activity of cashing a check electronic media from place to place is Department to confirm that outsourced or conducting a funds transfer. Section not limited to magnetic tape, disk, or research review, approval, and 1179 of HIPAA exempts certain compact disk, so as to allow for future continuing oversight functions (such as activities of financial institutions from technological innovation. We further through using an external or the HIPAA Rules, to the extent that clarified that transmission of independent Institutional Review these activities constitute authorizing, information not in electronic form Board) similarly do not give rise to a processing, clearing, settling, billing, before the transmission (e.g., paper or business associate relationship. transferring, reconciling, or collecting Response: A person or entity is a voice) is not covered by this definition. payments for health care or health plan business associate only in cases where See 68 FR 8339, Feb. 20, 2003. premiums. However, a banking or In the NPRM, we proposed to revise the person or entity is conducting a financial institution may be a business the definition of ‘‘electronic media’’ in function or activity regulated by the associate where the institution performs the following ways. 
First, we proposed HIPAA Rules on behalf of a covered functions above and beyond the to revise paragraph (1) of the definition entity, such as payment or health care payment processing activities identified to replace the term ‘‘electronic storage operations, or providing one of the above on behalf of a covered entity, media’’ with ‘‘electronic storage services listed in the definition of such as performing accounts receivable material’’ to conform the definition of ‘‘business associate,’’ and in the functions on behalf of a health care ‘‘electronic media’’ to its current usage, performance of such duties the person provider. as set forth in the National Institute for or entity has access to protected health We clarify that our inclusion of Standards and Technology (NIST) information. Thus, an external subcontractors in the definition of ‘‘Guidelines for Media Sanitization’’ researcher is not a business associate of business associate does not impact the NIST SP 800–88, ( Definition of Medium, a covered entity by virtue of its research exclusion of financial institutions from Glossary B, p. 27 (2006)). The NIST activities, even if the covered entity has the definition of ‘‘business associates’’ definition, which was updated hired the researcher to perform the when they are only conducting payment subsequent to the issuance of the http://www.hhs.gov/ocr/ research. See processing activities that fall under Privacy and Security Rules, was _ associates/ privacy/hipaa/faq/business § 1179 of the HIPAA statute. developed in recognition of the 239.html . 
Similarly, an external or Accordingly, a business associate need likelihood that the evolution of the independent Institutional Review Board not enter into a business associate development of new technology would is not a business associate of a covered agreement with a financial institution make use of the term ‘‘electronic storage entity by virtue of its performing that is solely conducting payment media’’ obsolete in that there may be research review, approval, and activities that are excluded under ‘‘storage material’’ other than ‘‘media’’ continuing oversight functions. § 1179. However, a researcher may be a that house electronic data. Second, we Comment: One commenter sought business associate if the researcher proposed to add to paragraph (2) of the clarification of the status of a risk performs a function, activity, or service definition of ‘‘electronic media’’ a management group or malpractice for a covered entity that does fall within reference to intranets, to clarify that insurance company that receives the definition of business associate, intranets come within the definition. protected health information when such as the health care operations Third, we proposed to change the word contracted with a covered entity to function of creating a de-identified or ‘‘because’’ to ‘‘if’’ in the final sentence mitigate the covered entity’s risk and limited data set for the covered entity. of paragraph (2) of the definition of then contracts with legal groups to See paragraph (6)(v) of the definition of ‘‘electronic media.’’ The definition represent the covered entity during ‘‘health care operations.’’ Where the assumed that no transmissions made by malpractice claims. 
researcher is also the intended recipient voice via telephone existed in electronic A business associate Response: of the de-identified data or limited data form before transmission; the evolution agreement is not required where a set, the researcher must return or of technology has made this assumption covered entity purchases a health plan destroy the identifiers at the time the obsolete since some voice technology is product or other insurance, such as business associate relationship to create digitally produced from an information medical liability insurance, from an the data set terminates and the system and transmitted by phone. insurer. However, a business associate researcher now wishes to use the de- Overview of Public Comments relationship could arise if the insurer is identified data or limited data set performing a function on behalf of, or The Department received comments (subject to a data use agreement) for a providing services to, the covered entity in support of the revised definition and research purpose. that does not directly relate to the the flexibility created to account for Comment: A few commenters asked provision of insurance benefits, such as later technological developments. for clarification as to whether the performing risk management or Certain other commenters raised business associate provisions applied to assessment activities or legal services concerns that changes to the definition banking and financial institutions. for the covered entity, that involve could have unintended impacts when Commenters sought clarification as to access to protected health information. applied to the administrative whether the exemption at § 1179 of the transaction and code set requirements. HIPAA statute for financial institutions b. Definition of ‘‘Electronic Media’’ One commenter specifically supported was applicable to subcontractors. 
Proposed Rule the change in language from ‘‘because’’ This final rule is not Response: to ‘‘if,’’ noting the distinction was The term ‘‘electronic media’’ was intended to affect the status of financial important to provide protection for originally defined in the Transactions institutions with respect to whether digital audio recordings containing and Code Sets Rule issued on August they are business associates. The HIPAA protected health information. One 17, 2000 (65 FR 50312) and was Rules, including the business associate commenter suggested including the included in the definitions at § 162.103. provisions, do not apply to banking and VerDate Mar<15>2010 18:57 Jan 24, 2013 Jkt 229001 PO 00000 Frm 00011 Fmt 4701 Sfmt 4700 E:\FR\FM\25JAR2.SGM 25JAR2 sroberts on DSK5SPTVN1PROD with

12 5576 Federal Register / Vol. 78, No. 17 / Friday, January 25, 2013 / Rules and Regulations Final Rule stored information, covered entities and word ‘‘immediately’’ in the final sentence of paragraph (2) to indicate business associates should be aware of The Department did not receive that fax transmissions are excluded from the capabilities of these devices to store substantive public comment on this the definition of electronic media if the protected health information and must proposal and the final rule adopts the information being exchanged did not ensure any protected health information proposed modifications to the definition immediately exist in electronic form stored on such devices is appropriately of ‘‘State.’’ before the transmission. Several protected and secured from e. Other Changes to the Definitions in commenters sought clarification as to inappropriate access, such as by Section 160.103 whether data that is retained in office monitoring or restricting physical access machines, such as facsimiles and to a photocopier or a fax machine that In addition to the changes discussed photocopiers, is subject to the Privacy is used for copying or sending protected above, the final rule makes the and Security Rules. health information. Further, before following changes as proposed in the removal of the device from the covered NPRM to various definitions in Final Rule entity or business associate, such as at § 160.103: The final rule adopts the definition as the end of the lease term for a (1) Relocates the definitions of proposed with two additional photocopier machine, proper safeguards ‘‘administrative simplification modifications. First, in paragraph (2) we should be followed to remove the provision,’’ ‘‘ALJ,’’ ‘‘civil money remove the parenthetical language electronic protected health information penalty,’’ ‘‘respondent,’’ and ‘‘violation referring to ‘‘wide open’’ with respect to from the media. 
or violate’’ from § 160.302 to § 160.103 the Internet and ‘‘using Internet for ease of reference; c. Definition of ‘‘Protected Health technology to link a business with (2) Adds a reference to sections Information’’ information accessible only to 13400–13424 of the HITECH Act to the collaborating parties’’ with respect to Proposed Rule definition of ‘‘administrative extranets and intranets. The simplification provision’’; For consistency with the proposed parenthetical language initially helped (3) Removes a comma from the modifications to the period of protection clarify what was intended by key words definition of ‘‘disclosure’’ inadvertently for decedent information at § 164.502(f) within the definition. As these key inserted into the definition in a prior (discussed below), the Department words have become more generally rulemaking; proposed to modify the definition of understood and guidance has become (4) Replaces the term ‘‘individually ‘‘protected health information’’ at available through the NIST regarding identifiable health information’’ with § 160.103 to provide that the Privacy specific key terms, such as intranet, ‘‘protected health information’’ in the and Security Rules do not protect the extranet, and internet, (see, for example, definition of ‘‘standard’’ to better reflect individually identifiable health NIST IR 7298 Revision 1, Glossary of the scope of the Privacy and Security information of persons who have been Key Information Security Terms, Rules; deceased for more than 50 years. http:// February 2011, available at (5) Adds a reference to ‘‘business csrc.nist.gov/publications/nistir/ir7298- associate’’ following the reference to Overview of Public Comment ), we rev1/nistir-7298-revision1.pdf ‘‘covered entity’’ in the definitions of The public comments received on this believe the parenthetical language is no ‘‘respondent’’ and ‘‘compliance date,’’ proposal are discussed and responded longer helpful. 
Second, we do accept in recognition of the potential liability to below in the section describing the the recommendation that we alter the imposed on business associates for modifications to § 164.502(f). language in paragraph (2) to include the violations of certain provisions of the word ‘‘immediately,’’ to exclude Final Rule Privacy and Security Rules by sections transmissions when the information 13401 and 13404 of the Act; and For the reasons stated in the section exchanged did not exist in electronic (6) Revises the definition of regarding § 164.502(f), the final rule form immediately before transmission. ‘‘workforce member’’ in § 160.103 to adopts the proposed modification to the This modification clarifies that a make clear that the term includes the definition of ‘‘protected health facsimile machine accepting a hardcopy employees, volunteers, trainees, and information.’’ document for transmission is not a other persons whose conduct, in the covered transmission even though the d. Definition of ‘‘State’’ performance of work for a business document may have originated from associate, is under the direct control of Proposed Rule printing from an electronic file. the business associate, because some The HITECH Act at section 13400 We do not believe these changes will provisions of the Act and the Privacy includes a definition of ‘‘State’’ to mean have unforeseen impacts on the and Security Rules place obligations on ‘‘each of the several States, the District application of the term in the the business associate with respect to of Columbia, Puerto Rico, the Virgin transactions and code sets requirements workforce members. Islands, Guam, American Samoa, and at Part 162. 4. Subpart B—Preemption of State Law the Northern Mariana Islands.’’ This In response to commenters’ concerns definition varies from paragraph (2) of that photocopiers, facsimiles, and other a. 
Section 160.201—Statutory Basis the HIPAA definition of ‘‘State’’ at office machines may retain electronic Proposed Rule § 160.103, which does not include data, potentially storing protected We proposed to modify § 160.201 reference to American Samoa and the health information when used by regarding the statutory basis for the Northern Mariana Islands. Thus, for covered entities or business associates, preemption of State law provisions to consistency with the definition applied we clarify that protected health add a reference to section 264(c) of to the HIPAA Rules by the HITECH Act, information stored, whether HIPAA, which contains the statutory we proposed to add reference to intentionally or not, in photocopier, basis for the exception to preemption at American Samoa and the facsimile, and other devices is subject to § 160.203(b) for State laws that are more Commonwealth of the Northern Mariana the Privacy and Security Rules. stringent than the HIPAA Privacy Rule. Islands in paragraph (2) of the definition Although such devices are not generally We also proposed to add a reference to of ‘‘State’’ at § 160.103. relied upon for storage and access to VerDate Mar<15>2010 18:57 Jan 24, 2013 Jkt 229001 PO 00000 Frm 00012 Fmt 4701 Sfmt 4700 E:\FR\FM\25JAR2.SGM 25JAR2 sroberts on DSK5SPTVN1PROD with

13 5577 Federal Register / Vol. 78, No. 17 / Friday, January 25, 2013 / Rules and Regulations that is timely corrected, as long as the changes would give effect to section section 13421(a) of the HITECH Act, 13421(a). which applies HIPAA’s preemption violation was not due to willful neglect. rules to the HITECH Act’s privacy and The IFR updated the HIPAA Final Rule security provisions. Finally, we Enforcement Rule to reflect these The Department did not receive proposed to re-title the provision to read statutory amendments. The IFR did not substantive public comment on this ‘‘Statutory basis’’ instead of make amendments with respect to those proposal. The final rule adopts the ‘‘Applicability.’’ enforcement provisions of section 13410 proposed modifications. of the HITECH Act that were not Overview of Public Comments ii. Definition of ‘‘More Stringent’’ effective immediately upon enactment. Several commenters expressed Proposed Rule In its July 2010 NPRM, the concerns about the lack of uniform Department proposed a number of The term ‘‘more stringent’’ is part of Federal and State privacy laws and the additional modifications to the the statutory preemption language resultant confusion and expense Enforcement Rule to reflect other under HIPAA. HIPAA preempts State associated with determining which laws provisions of section 13410 of the law that is contrary to a HIPAA privacy apply to a given circumstance, HITECH Act, some of which became standard unless, among other particularly as more and more health effective on February 18, 2010, or were exceptions, the State law is more care entities operate across multiple stringent than the contrary HIPAA to become effective at a later date: (1) state lines. Commenters recommended privacy standard. We proposed to Requiring that the Secretary formally that the Department make efforts to amend the definition to add a reference investigate complaints indicating engage States and other partners to to business associates. 
violations due to willful neglect, and examine divergent Federal and State impose civil money penalties upon requirements and to attempt to Final Rule finding violations due to willful neglect; coordinate various disclosure rules to The Department did not receive drive Federal-State consensus. (2) making business associates of substantive public comment on this covered entities directly liable for civil proposal. The final rule adopts the Final Rule money penalties for violations of certain proposed modification. provisions of the HIPAA Rules; (3) The final rule adopts the proposed B. Subparts C and D of Part 160: modifications. In response to the requiring the Secretary to determine Amendments to the Enforcement Rule comments concerned with the lack of civil money penalty amounts based uniform Federal and State privacy laws, upon the nature and extent of the harm Section 13410 of the HITECH Act we note that the preemption provisions made several amendments to the Social resulting from a violation; and (4) of the HIPAA Rules are based on section Security Act to strengthen the HIPAA providing that the Secretary’s authority 1178 of the Social Security Act and Enforcement Rule, which applies to the to impose a civil money penalty will be section 264(c)(2) of HIPAA. Through Secretary’s enforcement of all of the barred only to the extent a criminal these statutory provisions, Congress HIPAA Administrative Simplification penalty has been imposed with respect made clear that the HIPAA privacy Rules, as well as the Breach Notification to an act under Section 1177, rather requirements are to supersede only Rule. than in cases in which the act On October 30, 2009, the Department contrary provisions of State law, and not constitutes an offense that is criminally issued an interim final rule (IFR) even in all such cases, such as where punishable under Section 1177. 
revising the Enforcement Rule to the provision of State law provides more The following discussion describes incorporate the provisions of section stringent privacy protections than the the enforcement provisions of the IFR 13410(d) of the HITECH Act that took HIPAA Privacy Rule. Accordingly, the and the NPRM, responds to public effect immediately to apply to violations HIPAA Privacy Rule provides a Federal comment received by the Department on of the HIPAA Rules occurring after the floor of privacy protections, with States enactment date of February 18, 2009. both rules, and describes the final free to impose more stringent privacy See 74 FR 56123. In general, section modifications to the Enforcement Rule protections should they deem 13410(d) of the HITECH Act revised appropriate. adopted by this final rule. In addition to section 1176(a) of the Social Security the modifications discussed below, this b. Section 160.202—Definitions Act to establish four categories of final rule also adopts the NPRM i. Definition of ‘‘Contrary’’ violations that reflect increasing levels proposal to add the term ‘‘business of culpability and four corresponding associate’’ to the following provisions of Proposed Rule tiers of penalty amounts that the Enforcement Rule: §§ 160.300; significantly increased the minimum The term ‘‘contrary’’ is defined in 160.304; 160.306(a) and (c); 160.308; penalty amount for each violation, with § 160.202 to make clear when the 160.310; 160.312; 160.316; 160.401; a maximum penalty amount of $1.5 preemption provisions of HIPAA apply 160.402; 160.404(b); 160.406; 160.408(c) million annually for all violations of an to State law. For the reasons set forth on and (d); and 160.410(a) and (c). This is identical provision. 
Section 13410(d) page 40875 of the July 2010 NPRM, we done to implement sections 13401 and also amended section 1176(b) of the proposed to amend the definition of 13404 of the Act, which impose direct Social Security Act by removing the ‘‘contrary’’ by inserting references to civil money penalty liability on previous affirmative defense to the business associates in paragraph (1) of business associates for their violations imposition of penalties if the covered the definition. We also expanded the of certain provisions of the HIPAA entity did not know and with the reference to the HITECH statutory Rules. exercise of reasonable diligence would provisions in paragraph (2) of the not have known of the violation (these definition to encompass all of the violations are now punishable under the sections of subtitle D of the HITECH lowest tier of penalties), and by Act, rather than merely to section providing a prohibition on the 13402, which was added by the breach imposition of penalties for any violation notifications interim final rule. These VerDate Mar<15>2010 18:57 Jan 24, 2013 Jkt 229001 PO 00000 Frm 00013 Fmt 4701 Sfmt 4700 E:\FR\FM\25JAR2.SGM 25JAR2 sroberts on DSK5SPTVN1PROD with

1. Subpart C of Part 160—Compliance and Investigations

a. Sections 160.304, 160.306, 160.308, and 160.312—Noncompliance Due to Willful Neglect

Proposed Rule

Section 13410(a) of the HITECH Act adds a new subsection (c) to section 1176 of the Social Security Act, which requires the Department to formally investigate a complaint if a preliminary investigation of the facts of the complaint indicates a possible violation due to willful neglect (section 1176(c)(2)) and to impose a civil money penalty for a violation due to willful neglect (section 1176(c)(1)). The Department proposed a number of modifications to Subpart C of the Enforcement Rule to implement these provisions.

First, § 160.306(c) of the Enforcement Rule currently provides the Secretary with discretion to investigate HIPAA complaints through the use of the word “may.” As a practical matter, however, the Department currently conducts a preliminary review of every complaint received and proceeds with the investigation in every eligible case where its preliminary review of the facts indicates a possible violation of the HIPAA Rules. Nonetheless, to implement section 1176(c)(2), the Department proposed to add a new paragraph (1) to § 160.306(c) (and to make conforming changes to the remainder of § 160.306(c)) to make clear that the Secretary will investigate any complaint filed under this section when a preliminary review of the facts indicates a possible violation due to willful neglect. Under proposed § 160.306(c)(2), the Secretary would have continued discretion with respect to investigating any other complaints.

Second, the Department proposed to modify § 160.308 by adding a new paragraph (a) to provide that the Secretary will conduct a compliance review to determine whether a covered entity or business associate is complying with the applicable administrative simplification provision when a preliminary review of the facts indicates a possible violation due to willful neglect. Like § 160.306(c) with respect to complaints, the current § 160.308(c) provides the Secretary with discretion to conduct compliance reviews. While section 13410(a) of the HITECH Act specifically mentions complaints and not compliance reviews with respect to willful neglect, the Department proposed to treat compliance reviews in the same manner because it believed doing so would strengthen enforcement with respect to potential violations of willful neglect and would ensure that investigations, whether or not initiated by a complaint, would be handled in a consistent manner. Under proposed § 160.308(b), the Secretary would continue to have discretion to conduct compliance reviews in circumstances not indicating willful neglect.

Third, given the HITECH Act’s requirement that the Secretary impose a penalty for any violation due to willful neglect, the Department proposed changes to § 160.312, which currently requires the Secretary to attempt to resolve investigations or compliance reviews indicating noncompliance by informal means. The NPRM proposed to provide instead in § 160.312(a) that the Secretary “may” rather than “will” attempt to resolve investigations or compliance reviews indicating noncompliance by informal means. This change would permit the Department to proceed with a willful neglect violation determination as appropriate, while also permitting the Department to seek resolution of complaints and compliance reviews that did not indicate willful neglect violations by informal means (e.g., where the covered entity or business associate did not know and by exercising reasonable diligence would not have known of a violation, or where the violation is due to reasonable cause).

Finally, the Department proposed a conforming change to § 160.304(a), which currently requires the Secretary to seek, to the extent practicable, the cooperation of covered entities in obtaining compliance with the HIPAA Rules. The NPRM proposed to clarify that the Secretary would continue to do so “consistent with the provisions of this subpart” in recognition of the new HITECH Act requirement to impose a civil money penalty for a violation due to willful neglect. While the Secretary often will still seek to correct indications of noncompliance through voluntary corrective action, there may be circumstances (such as circumstances indicating willful neglect) where the Secretary may proceed directly to formal enforcement.

Overview of Public Comments

One commenter supported maintaining the current language at §§ 160.306 and 160.308 of the Enforcement Rule, providing the Secretary with discretion to conduct complaint investigations and compliance reviews, regardless of indications of willful neglect. One commenter suggested that OCR look to whether facts indicate a “probable,” rather than “possible,” violation due to willful neglect to limit the likelihood of unnecessary formal investigations or compliance reviews. While one commenter supported the proposal to require a compliance review in circumstances indicating a possible violation due to willful neglect, others argued that requiring compliance reviews in such circumstances is not required by the statute, will detract from resources to investigate complaints, and will be duplicative if a formal complaint investigation is also underway.

Several commenters expressed concern over the proposal at § 160.312(a) to give the Secretary discretion, rather than to require the Secretary, to attempt to resolve investigations or compliance reviews indicating noncompliance by informal means, even in cases of noncompliance that did not involve willful neglect (e.g., cases involving reasonable cause or lack of knowledge of a violation). Commenters indicated support for the Department’s seeking compliance through voluntary corrective action as opposed to formal enforcement proceedings and argued that the Department should retain the requirement for the Secretary to attempt informal resolution in all circumstances except those involving willful neglect. One commenter recommended that the Secretary be able to assess penalties regardless of whether corrective action was obtained.

Final Rule

The final rule adopts the modifications to §§ 160.304, 160.306, 160.308, and 160.312, as proposed in the NPRM. The Department believes these changes to the enforcement provisions to be appropriate given the HITECH Act’s requirements at section 13410(a) with respect to circumstances indicating or involving noncompliance due to willful neglect. We do not provide in the Rule that the Secretary will investigate when a preliminary review of the facts indicates a “probable” rather than “possible” violation due to willful neglect, as the statute requires an investigation even in cases indicating a “possible” violation due to willful neglect. In response to commenters concerned about requiring the Secretary to conduct compliance reviews in circumstances in which facts indicate a possible violation due to willful neglect, we continue to believe that, while not expressly required by the statute, doing so appropriately strengthens enforcement with respect to violations due to willful neglect and ensures consistency in the handling of complaints and compliance reviews in which violations due to willful neglect are indicated. We emphasize that the Department retains discretion to decide whether to conduct a compliance review (or complaint investigation) where a preliminary review of the facts indicates a degree of culpability less than willful neglect. Further, with respect to commenter concerns about duplication between complaint investigations and compliance reviews, we clarify that the Department generally conducts compliance reviews to investigate allegations of violations of the HIPAA Rules brought to the Department’s attention through a mechanism other than a complaint. For example, the Department may use a compliance review to investigate allegations of violations of the Rules brought to our attention through a media report, or from a State or another Federal agency. If the Department initiates an investigation of a complaint because its preliminary review of the facts indicates a possible violation due to willful neglect, the Department is not also required to initiate a compliance review under § 160.308 because doing so would initiate a duplicative investigation.

With respect to § 160.312, where the Rule previously mandated that the Secretary attempt to resolve indicated violations of the HIPAA Rules by informal means, the final rule now provides the Secretary with the discretion to do so, to reflect Section 13410 of the HITECH Act with regard to violations due to willful neglect. Nothing in Section 13410 of the HITECH Act limits the Secretary’s ability to resolve such cases by informal means. However, through its introduction of higher penalties and its mandate for formal investigations with regard to possible violations due to willful neglect, Section 13410 strengthens enforcement and accordingly we have revised § 160.312 so that the Secretary may move directly to a civil money penalty without

review of the allegations asserted in a complaint.

Response: As noted above, currently the Department conducts a prelimin
review of every complaint received and proceeds with the investigation in every eligible case where its preliminary review of the facts indicates a possible violation of the HIPAA Rules. The Department anticipates that some complaints, on their face, or reports or referrals that form the basis of a potential compliance review, will contain sufficient information to indicate a possible violation due to willful neglect, and some may not. In any event, the Department may on a case-by-case basis expand the preliminary review and conduct additional inquiries for purposes of identifying a possible violation due to willful neglect. Notwithstanding the scope of a preliminary review, OCR will determine if an indicated violation was due to willful neglect based on the evidence from its investigation of the allegations, even if a violation due to willful neglect was not indicated at the preliminary review stage.

b. Section 160.310—Protected Health Information Obtained by the Secretary

Proposed Rule

Section 160.310 requires that covered entities make information available to and cooperate with the Secretary during complaint investigations and compliance reviews. Section 160.310(c)(3) provides that any protected health information obtained by the Secretary in connection with an investigation or compliance review will not be disclosed by the Secretary, except as necessary for determining and enforcing compliance with the HIPAA Rules or as otherwise required by law. In the proposed rule, we proposed to modify this paragraph to also allow the Secretary to disclose protected health information if permitted under the Privacy Act at 5 U.S.C. 552a(b)(7). Section 5 U.S.C.

residents pursuant to section 13410(e) of the Act, or the FTC pursuing remedies under other consumer protection authorities.

Overview of Public Comments

One commenter requested clarification and transparency on how or if Federal regulators such as OCR and the FTC will collaborate, when such information sharing will be initiated or occur as a routine process, or whether Federal and State agencies will work together to enforce suspected violations.

Final Rule

To facilitate cooperation between the Department and other law enforcement agencies, the final rule adopts the modifications to § 160.310(c)(3) as proposed in the NPRM. In response to the comment regarding transparency in how the Department is or will cooperate with other agencies in enforcement, we note that the Department’s web site at http://www.hhs.gov/ocr/enforcement/ contains information about how the Department coordinates with the Department of Justice to refer cases involving possible criminal HIPAA violations and how the Department has worked with the FTC to coordinate enforcement actions for violations that implicate both HIPAA and the FTC Act. Further, the Department will be working closely with State Attorneys General to coordinate enforcement in appropriate cases, as provided under section 13410(e) of the HITECH Act. The Department will continue to update its web site as necessary and appropriate to maintain transparency with the public and the regulated community about these coordinated activities and its other enforcement actions and activities.

2. Subpart D—Imposition of Civil Money Penalties

a. Section 160.401—Definitions

Section 160.401 defines “reasonable cause,” “reasonable diligence,” and “willful neglect.” Given that section
552a(b)(7) permits the 13410(d) of the HITECH Act uses these exhausting informal resolution efforts at disclosure of a record on an individual terms to describe the increasing levels of her discretion, particularly in cases contained within a government system culpability for which increasing involving willful neglect violations. of records protected under the Privacy minimum levels of penalties may be Act to another agency or instrumentality imposed, the Department moved these Response to Other Public Comments of any governmental jurisdiction within definitions in the IFR from their prior or under the control of the United States Comment: A number of commenters placement at § 160.410, which pertains for a civil or criminal law enforcement requested further clarification on the only to affirmative defenses, to activity if the activity is authorized by scope and depth of what constitutes a § 160.401, so that they would apply to law and if the agency has made a ‘‘preliminary review of the facts’’ for the entirety of Subpart D of Part 160 and written request to the agency that purposes of determining whether facts the provisions regarding the imposition maintains the record. The proposed indicate a possible violation due to of civil money penalties. The IFR did change would permit the Secretary to willful neglect and thus, warrant a not modify the definitions themselves as coordinate with other law enforcement formal complaint investigation or the HITECH Act did not amend the agencies, such as the State Attorneys compliance review. Certain commenters definitions. Even though the HITECH Act did not General pursuing civil actions to enforce suggested that a preliminary review of amend the definitions of these terms, the HIPAA Rules on behalf of State the facts should go beyond merely a VerDate Mar<15>2010 18:57 Jan 24, 2013 Jkt 229001 PO 00000 Frm 00015 Fmt 4701 Sfmt 4700 E:\FR\FM\25JAR2.SGM 25JAR2 sroberts on DSK5SPTVN1PROD with

16 5580 / Vol. 78, No. 17 / Friday, January 25, 2013 / Rules and Regulations Federal Register administrative simplification provision. circumstances where the violation was the Department in its NPRM proposed Section 164.402, in paragraphs (b) and due to willful neglect that is corrected certain modifications to the definition of (c), provides the basis for a civil money within a certain time period (second ‘‘reasonable cause’’ to clarify the mens penalty against a covered entity where highest penalty tier) and willful neglect rea (state of mind) required for this more than one covered entity is that is not corrected (highest penalty category of violations, and to avoid the responsible for a violation, where an tier). The mens rea, or state of mind, situation where certain violations would affiliated covered entity is responsible associated with the tiers is clear with not fall within one of the established for a violation, and where an agent of a respect to the first, third, and fourth penalty tiers. This modification is covered entity is responsible for a categories, in that there is no mens rea discussed below. The Department did violation. with respect to the lowest category of not propose modifications to the The proposed rule proposed to violation, while the existence of mens definitions of ‘‘reasonable diligence’’ remove the exception at § 160.402(c) for rea is presumed with respect to the third and ‘‘willful neglect.’’ covered entity liability for the acts of its and fourth categories of violation. In the NPRM, the Department also agent in cases where the agent is a However, the current definition of included examples and guidance as to business associate, the relevant contract ‘‘reasonable cause’’ does not address how the Department planned to apply requirements have been met, the mens rea with respect to the second the definitions of ‘‘reasonable cause,’’ covered entity did not know of a pattern category of violations. 
Therefore, the ‘‘reasonable diligence,’’ and ‘‘willful or practice of the business associate in Department proposed to amend the neglect’’ to distinguish among the tiers violation of the contract, and the definition of ‘‘reasonable cause’’ at of culpability. 75 FR 40877–40879. As covered entity did not fail to act as § 160.401 to clarify the mens rea commenters generally found this required by the Privacy or Security Rule associated with the reasonable cause guidance helpful, the Department with respect to such violations. The category of violations and to clarify the intends to publish the guidance on its proposed rule also proposed to add a full scope of violations that will come web site. parallel provision in a new paragraph within the category. Specifically, the Modifications to the Definition of (2) at § 160.402(c) that would provide Department proposed to modify the ‘‘Reasonable Cause’’ for civil money penalty liability against definition of ‘‘reasonable cause’’ to a business associate for the acts of its mean ‘‘an act or omission in which a Proposed Rule agent. The existing language of covered entity or business associate Reasonable cause is currently defined § 160.402(c) regarding the liability of knew, or by exercising reasonable at § 160.401 to mean: ‘‘circumstances covered entities for the acts of their diligence would have known, that the that would make it unreasonable for the agents would be re-designated as act or omission violated an covered entity, despite the exercise of paragraph (1). 
administrative simplification provision, ordinary business care and prudence, to These proposed changes would make but in which the covered entity or comply with the administrative covered entities and business associates business associate did not act with simplification provision violated.’’ This liable under § 160.402(c) for the acts of willful neglect.’’ Thus, the proposed definition is consistent with the their business associate agents, in definition would now include violations United States Supreme Court’s ruling in accordance with the Federal common due both to circumstances that would v. 469 U.S. 241, 245 (1985), Boyle, law of agency, regardless of whether the make it unreasonable for the covered which focused on whether covered entity has a compliant business entity or business associate, despite the circumstances were beyond the associate agreement in place. Section exercise of ordinary business care and regulated person’s control, thereby 160.402(c) closely tracks the language in prudence, to comply with the making compliance unreasonable. See section 1128A(l) of the Social Security administrative simplification provision 70 FR 20224, 20238. Prior to the Act, which is made applicable to HIPAA violated, as well as to other HITECH Act, section 1176 of the Social by section 1176(a)(2) of such Act, which circumstances in which a covered entity Security Act provided an affirmative states that ‘‘a principal is liable for or business associate has knowledge of defense to the imposition of a civil penalties * * * under this section for a violation but lacks the conscious money penalty if the covered entity the actions of the principal’s agents intent or reckless indifference established that its violation was due to acting within the scope of the agency.’’ associated with the willful neglect reasonable cause and not willful neglect One reason for removing the exception category of violations. 
and was corrected within a 30-day to the general provision at § 160.402(c), Overview of Public Comments period (or such additional period as we explained in the NPRM, is to determined by the Secretary to be Commenters addressing the definition ensure, where a covered entity or appropriate). of ‘‘reasonable cause’’ expressed general business associate has delegated out an As described above, section 13410(d) support for the proposed clarifications obligation under the HIPAA Rules, that of the HITECH Act revised section 1176 to the scope of this category of a covered entity or business associate of the Social Security Act to establish violations. would remain liable for penalties for the four tiers of increasing penalty amounts failure of its business associate agent to Final Rule to correspond to the levels of culpability perform the obligation on the covered The final rule adopts the proposed associated with the violation. The first entity or business associate’s behalf. modifications to the definition. category of violation (and lowest Overview of Public Comments penalty tier) covers situations where the b. Section 160.402—Basis for a Civil Several commenters requested that covered entity or business associate did Money Penalty the Department clarify and provide not know, and by exercising reasonable Proposed Rule additional guidance regarding how the diligence would not have known, of a Federal common law of agency applies Section 160.402(a) states generally violation. The second category of to business associate relationships. that the Secretary will impose a civil violation (and next highest penalty tier) These commenters expressed an overall money penalty upon a covered entity if applies to violations due to reasonable concern that applying the Federal the Secretary determines that the cause and not to willful neglect. 
The common law of agency to business covered entity violated an third and fourth categories apply to VerDate Mar<15>2010 18:57 Jan 24, 2013 Jkt 229001 PO 00000 Frm 00016 Fmt 4701 Sfmt 4700 E:\FR\FM\25JAR2.SGM 25JAR2 sroberts on DSK5SPTVN1PROD with

17 5581 Federal Register / Vol. 78, No. 17 / Friday, January 25, 2013 / Rules and Regulations provided by or under the direction of a important because of HIPAA’s express associate relationships would add covered entity,’’ then this would create objective of furthering the efficiency and unnecessary confusion to and place an an agency relationship between the effectiveness of the health care system undue burden on business associate covered entity and business associate as a whole. Further, adopting the relationships. Several commenters for this activity because the covered Federal common law here is consistent argued that the proposed change would entity has a right to give interim with the precept that Federal statutes require covered entities and business instructions and direction during the are meant to have uniform nationwide associates to determine whether their course of the relationship. An agency application. Therefore, we disagree with business associates or business associate relationship also could exist between a the comment that argued that Federal subcontractors are agents, resulting in covered entity and its business associate common law should not be applied with costly and burdensome challenges when if a covered entity contracts out or respect to relationships between drafting business associate contracts and delegates a particular obligation under covered entities and business associates. monitoring ongoing relationships. One An analysis of whether a business the HIPAA Rules to its business commenter argued that the Federal associate is an agent will be fact associate. 
As discussed above, whether common law of agency should not be specific, taking into account the terms of or not an agency relationship exists in applied to covered entity and business a business associate agreement as well this circumstance again would depend associate relationships because it does as the totality of the circumstances on the right or authority to control the not generally control when the parties involved in the ongoing relationship business associate’s conduct in the have entered into a contractual between the parties. The essential factor performance of the delegated service agreement that specifies their respective in determining whether an agency based on the right of a covered entity to rights and obligations. Instead, the relationship exists between a covered give interim instructions. commenter argued, the contractual While these principles are well entity and its business associate (or provisions control, and are interpreted established under the Federal common business associate and its subcontractor) and enforced in accordance with State law of agency, we again note that any is the right or authority of a covered law specified by the contract. analysis regarding scope of agency entity to control the business associate’s Final Rule depends on the facts of each conduct in the course of performing a This final rule adopts the proposed circumstance. Several factors are service on behalf of the covered entity. modifications to § 160.402(c). We do not important to consider in any analysis to The right or authority to control the believe that this change will place an determine the scope of agency: (1) The business associate’s conduct also is the undue burden on covered entities and time, place, and purpose of a business essential factor in determining whether business associates. 
As we explained in associate agent’s conduct; (2) whether a an agency relationship exists between a the NPRM, a covered entity’s liability business associate agent engaged in a business associate and its business for acts of its agents is customary under course of conduct subject to a covered associate subcontractor. Accordingly, common law. See 75 FR 40880. Further, entity’s control; (3) whether a business this guidance applies in the same section 1128A(l) of the Social Security associate agent’s conduct is commonly manner to both covered entities (with Act, applicable to HIPAA covered done by a business associate to regard to their business associates) and entities and now business associates by accomplish the service performed on business associates (with regard to their section 1176(a)(2) of the Act, states that behalf of a covered entity; and (4) subcontractors). a principal is liable for civil money The authority of a covered entity to whether or not the covered entity penalties for the actions of the give interim instructions or directions is reasonably expected that a business principal’s agent acting within the scope the type of control that distinguishes associate agent would engage in the of agency. Before the changes to covered entities in agency relationships conduct in question. § 160.402(c) were finalized in this rule, The terms, statements, or labels given from those in non-agency relationships. if a covered entity failed to comply with to parties (e.g., independent contractor) A business associate generally would the business associate provisions in the do not control whether an agency not be an agent if it enters into a HIPAA Rules, a covered entity relationship exists. 
Rather, the manner business associate agreement with a potentially would have been liable for and method in which a covered entity covered entity that sets terms and the actions of its business associate actually controls the service provided conditions that create contractual agent. Thus, we believe that the notion decides the analysis. As mentioned obligations between the two parties. that a principal is liable for the acts of above, an analysis of whether a business Specifically, if the only avenue of its agent should not be an unfamiliar associate is an agent will be fact specific control is for a covered entity to amend concept to covered entities and business and consider the totality of the the terms of the agreement or sue for associates. However, we appreciate and circumstances involved in the ongoing breach of contract, this generally understand the commenters’ concerns relationship between the parties. We indicates that a business associate is not and take this opportunity to provide note here several circumstances that are acting as an agent. In contrast, a additional guidance. important. The type of service and skill business associate generally would be While section 1128A(l) is silent as to level required to perform the service are an agent if it enters into a business how to define ‘‘principal,’’ ‘‘agent,’’ and relevant factors in determining whether associate agreement with a covered ‘‘scope of agency,’’ § 160.402(c) a business associate is an agent. For entity that granted the covered entity references the Federal common law of example, a business associate that is the authority to direct the performance agency. As we explained in the hired to perform de-identification of of the service provided by its business Enforcement Rule preamble, 71 FR protected health information for a small associate after the relationship was 8390, 8403–04, adopting the Federal provider would likely not be an agent established. 
For example, if the terms of common law to determine the because the small provider likely would a business associate agreement between definitions and application of these not have the expertise to provide a covered entity and its business terms achieves nationwide uniformity interim instructions regarding this associate stated that ‘‘a business activity to the business associate. Also, associate must make available protected in the implementation of the HIPAA an agency relationship would not likely health information in accordance with Rules. We believe that relying on the exist when a covered entity is legally or § 164.524 based on the instructions to be Federal common law is particularly VerDate Mar<15>2010 18:57 Jan 24, 2013 Jkt 229001 PO 00000 Frm 00017 Fmt 4701 Sfmt 4700 E:\FR\FM\25JAR2.SGM 25JAR2 sroberts on DSK5SPTVN1PROD with

18 5582 Federal Register / Vol. 78, No. 17 / Friday, January 25, 2013 / Rules and Regulations or the business associate disregarded a otherwise prevented from performing c. Section 160.404—Amount of a Civil the service or activity performed by its Monetary Penalty covered entity’s specific instruction. For business associate. For example, the example, a business associate agent Interim Final Rule accreditation functions performed by a would likely be acting within the scope The IFR amended § 160.404 to revise business associate cannot be performed of agency if it impermissibly disclosed the range of potential civil money by a covered entity seeking more than the minimum necessary penalty amounts a covered entity (or accreditation because a covered entity information to a health plan for business associate) will be subject to for cannot perform an accreditation survey purposes of payment, even if the violations occurring on or after February or award accreditation. We also note disclosure is contrary to clear 18, 2009, as a result of section 13410(d) that a business associate can be an agent instructions of the covered entity. In of the HITECH Act. of a covered entity: (1) Despite the fact contrast, a business associate agent’s Prior to the HITECH Act, section that a covered entity does not retain the conduct generally is outside the scope 1176(a) of the Social Security Act right or authority to control every aspect of agency when its conduct is solely for authorized the Secretary to impose a of its business associate’s activities; (2) its own benefit (or that of a third party), civil money penalty of not more than even if a covered entity does not $100 for each violation, with the total or pursues a course of conduct not exercise the right of control but amount imposed on a covered entity for intended to serve any purpose of the evidence exists that it holds the all violations of an identical covered entity. 
authority to exercise that right; and (3) requirement or prohibition during a even if a covered entity and its business One commenter stated that Comment: calendar year not to exceed $25,000. As associate are separated by physical the proposed change would impose described above, section 13410(d) of the distance (e.g., if a covered entity and strict liability on covered entities for the HITECH Act modified section 1176(a) to business associate are located in actions of third parties not under their establish tiers of increasing penalty different countries). control. Another commenter stated that amounts for violations based on an agent would always fall within the Response to Other Public Comments increasing levels of culpability scope of a workforce member, which by associated with each tier. One commenter asked Comment: definition is not a business associate. Accordingly, the IFR adopted at whether the Department intends to § 160.404(b) the new penalty scheme eliminate the exceptions afforded by the Response: We disagree with both provided for at section 13410(d) of the Federal common law of agency. This comments and believe that the HITECH Act for violations occurring on commenter also argued that if a business comments may reflect a or after February 18, 2009. The IFR associate were an agent of a covered misunderstanding of the proposed retained the pre-HITECH maximum entity, and a HIPAA compliant business change. First, as explained above, penalty amounts of not more than $100 associate agreement was in place, any § 160.402(c) closely tracks the language per violation and $25,000 for identical deviation from the terms in the in section 1128A(l) of the Social violations during a calendar year, for agreement would be by definition Security Act, which is made applicable violations occurring before February 18, outside the scope of agency. to HIPAA by section 1176(a)(2) of such 2009. Response: As we discussed above, Act. 
It does not make a covered entity In adopting the HITECH Act’s penalty § 160.402(c) provides that covered or business associate liable for the acts scheme, the Department recognized that entities and business associates are of third parties that are not under its section 13410(d) contained apparently liable for the acts of their business control because such third parties are inconsistent language (i.e., its reference associate agents, in accordance with the not its agents. With regard to the second to two penalty tiers ‘‘for each violation,’’ Federal common law of agency. Section comment, an agent could always fall each of which provided a penalty 160.402(c) is derived from section within the definition of a workforce amount ‘‘for all such violations’’ of an 1128A(l) of the Social Security Act member because of the direct control identical requirement or prohibition in which states that ‘‘a principal is liable requirement in that definition, but the a calendar year). To resolve this for penalties * * * under this section definition of business associate excludes inconsistency, with the exception of for the actions of the principal’s agents acting within the scope of the agency.’’ violations due to willful neglect that are a workforce member. This definitional Accordingly, § 160.402(c) incorporates not timely corrected, the IFR adopted a exclusion allows the covered entity to the Federal common law of agency, range of penalty amounts between the determine whether, for example, to which includes the understanding that minimum given in one tier and the provide training to the agent under the for a principal to be liable for the maximum given in the second tier for Privacy Rule. A covered entity would be actions of an agent, the agent must be each violation and adopted the amount required to provide training to a acting within the scope of agency. 
Thus, of $1.5 million as the limit for all workforce member but not to a business the exceptions to the Federal common violations of an identical provision of associate agent. However, the covered law of agency (as the commenter the HIPAA rules in a calendar year. For entity is required to enter into a identified them) are incorporated in the violations due to willful neglect that are business associate agreement with a final rule at § 160.402(c). not timely corrected, the IFR adopted business associate agent that it does not We do not agree with the commenter the penalty amount of $50,000 as the treat as a workforce member. The that any deviation from the terms in a minimum for each violation and $1.5 proposed change to § 160.402(c) simply business associate contract would be by million for all such violations of an makes the covered entity or business definition outside the scope of agency. identical requirement or prohibition in associate liable for the acts of its agents A business associate agent’s conduct a calendar year. acting within the scope of agency, generally is within the scope of agency Specifically, the IFR revised § 160.404 whether the agents are workforce when its conduct occurs during the to provide, for violations occurring on members or business associates. See the performance of the assigned work or or after February 18, 2009, the new definitions of ‘‘business associate’’ and incident to such work, regardless of HITECH penalty scheme, as follows: (1) ‘‘workforce member’’ at § 160.103. whether the work was done carelessly, For violations in which it is established a mistake was made in the performance, that the covered entity did not know VerDate Mar<15>2010 18:57 Jan 24, 2013 Jkt 229001 PO 00000 Frm 00018 Fmt 4701 Sfmt 4700 E:\FR\FM\25JAR2.SGM 25JAR2 sroberts on DSK5SPTVN1PROD with

and, by exercising reasonable diligence, would not have known that the covered entity violated a provision, an amount not less than $100 or more than $50,000 for each violation; (2) for a violation in which it is established that the violation was due to reasonable cause and not to willful neglect, an amount not less than $1000 or more than $50,000 for each violation; (3) for a violation in which it is established that the violation was due to willful neglect and was timely corrected, an amount not less than $10,000 or more than $50,000 for each violation; and (4) for a violation in which it is established that the violation was due to willful neglect and was not timely corrected, an amount not less than $50,000 for each violation; except that a penalty for violations of the same requirement or prohibition under any of these categories may not exceed $1,500,000 in a calendar year. See Table 2 below.

TABLE 2—CATEGORIES OF VIOLATIONS AND RESPECTIVE PENALTY AMOUNTS AVAILABLE

Violation category—Section 1176(a)(1)      Each violation     All such violations of an identical provision in a calendar year
(A) Did Not Know                            $100–$50,000       $1,500,000
(B) Reasonable Cause                        1,000–50,000       1,500,000
(C)(i) Willful Neglect-Corrected            10,000–50,000      1,500,000
(C)(ii) Willful Neglect-Not Corrected       50,000             1,500,000

For violations that began prior to February 18, 2009, and continue after that date, the Department will treat violations occurring before February 18, 2009, as subject to the penalties in effect prior to February 18, 2009, and violations occurring on or after February 18, 2009, as subject to the penalties in effect on or after February 18, 2009.

Overview of Public Comments

Most comments on the civil money penalty amounts expressed concern with the new penalty structure set forth in the IFR. A few of these commenters expressed a generalized concern about the potential impact the available penalty amounts might have on covered entities, particularly smaller entities.

Some commenters specifically expressed concern about the maximum penalty amounts set forth for each violation (i.e., $50,000) and for all violations of an identical provision in a calendar year ($1,500,000). Commenters argued that the IFR’s penalty scheme is inconsistent with the HITECH Act’s establishment of different tiers based on culpability because the outside limits were the same for all culpability categories and this ignored the outside limits set forth by the HITECH Act within the lower penalty tiers, rendering those limits meaningless. A few commenters expressed particular concern with what they believed to be the unfair ability of the Secretary to impose the maximum penalty amounts to violations falling within the two lowest categories of culpability (i.e., did not know violations and violations due to reasonable cause and not willful neglect). One commenter argued that the Secretary should not fine entities for violations of which a covered entity had no knowledge or those due to reasonable cause, and that civil money penalties should only be imposed as a last resort. A few commenters expressed concern with the Secretary’s wide range of discretion in determining a civil money penalty amount and suggested that the regulations or guidance should further define how the Secretary would determine such an amount.

Final Rule

This final rule retains the revised penalty structure in § 160.404(b) as implemented by the IFR. We continue to believe the penalty amounts are appropriate and reflect the most logical reading of the HITECH Act, which provides the Secretary with discretion to impose penalties for each category of culpability up to the maximum amount described in the highest penalty tier. In applying these amounts, the Department will not impose the maximum penalty amount in all cases but rather will determine the penalty amounts as required by the statute at section 1176(a)(1) and the regulations at § 160.408 (i.e., based on the nature and extent of the violation, the nature and extent of the resulting harm, and the other factors set forth at § 160.408). Further, for counting violations, the Department continues to utilize the methodology discussed in prior preambles of the Enforcement Rule. See 70 FR 20224, 20233–55 (April 18, 2005) and 71 FR 8390, 8404–07 (February 16, 2006).

With respect to those comments expressing concern about the discretion available to the Secretary under the adopted scheme, we emphasize again that the Department will not impose the maximum penalty amount in all cases but will rather determine the amount of a penalty on a case-by-case basis, depending on the nature and extent of the violation and the nature and extent of the resulting harm, as required by the HITECH Act, as well as the other factors set forth at § 160.408. In response to those commenters particularly concerned about the impact of penalties on smaller entities, we note that the other factors include both the financial condition and size of the covered entity or business associate. These factors are discussed more fully below.

In addition, with respect to comments expressing specific concern about fairness regarding those violations of which an entity did not know or by exercising reasonable diligence would not have known or for which there was a reasonable cause and not willful neglect, we note that in both cases an entity may establish that an affirmative defense applies under § 160.410, where the entity corrects the violation within 30 days from the date the entity had knowledge of the violation or with the exercise of reasonable diligence would have had knowledge of the violation, or during a period determined appropriate by the Secretary based upon the nature and extent of the entity’s failure to comply. These affirmative defenses are described more fully below.

In addition, Section 13410(d) of the HITECH Act and Section 1176(a) of the Social Security Act give the Secretary further ability to waive a civil money penalty, in whole or in part, under certain circumstances. Thus, to the extent an entity fails to correct such violations within the mandated timeframe, the Secretary may also utilize her waiver authority provided for at § 160.412, to waive the penalty amount in whole or in part, to the extent that payment of the penalty would be excessive relative to the violation. Further, pursuant to 42 U.S.C. 1320a–7a(f), the Secretary always has the discretion to settle any issue or case or to compromise the amount of a civil money penalty assessed for a violation of the HIPAA Rules.
Finally, in the event an entity believes that a civil money penalty has been imposed unfairly, the entity could exercise its right under § 160.504 to appeal the imposition of a civil money penalty in a hearing before an administrative law judge.

Response to Other Public Comments

Comment: We received a few comments in response to the IFR and NPRM requesting clarification as to how the Secretary will count violations for purposes of calculating civil money penalties. One commenter requested clarification as to how the numbers of “occurrences” are determined, suggesting that penalties could be very significant, and vary significantly, depending on the counting methodology utilized. The Department also received one comment asking whether a violation is defined as one event. This commenter queried, for example, whether the loss of unsecured electronic media would be considered as a single violation, even if the media contained several hundred records. The commenter also asked for confirmation that $1,500,000 is the aggregate limit of all fines for all violations in a given calendar year which would apply across an entire enterprise, regardless of violations occurring in different business units.

Response: How violations are counted for purposes of calculating a civil money penalty varies depending on the circumstances surrounding the noncompliance. Generally speaking, where multiple individuals are affected by an impermissible use or disclosure, such as in the case of a breach of unsecured protected health information, it is anticipated that the number of identical violations of the Privacy Rule standard regarding permissible uses and disclosures would be counted by the number of individuals affected. Further, with respect to continuing violations, such as lack of appropriate safeguards for a period of time, it is anticipated that the number of identical violations of the safeguard standard would be counted on a per day basis (i.e., the number of days the entity did not have appropriate safeguards in place to protect the protected health information). Note also that in many breach cases, there will be both an impermissible use or disclosure, as well as a safeguards violation, for each of which the Department may calculate a separate civil money penalty. We refer readers to prior Enforcement Rule preambles for additional discussion on the counting methodology. See 70 FR 20224, 20233–55 (April 18, 2005) and 71 FR 8390, 8404–07 (February 16, 2006). With respect to whether the aggregate CMP limit of $1.5 million would apply to all violations in a given calendar year, across an entire enterprise, regardless of violations occurring in different business units of the enterprise, we note that the Enforcement Rule’s penalty scheme, and thus the limit for identical violations in a calendar year, applies to the legal entity that is a covered entity or business associate. However, as we indicated above, a covered entity or business associate may be liable for multiple violations of multiple requirements, and a violation of each requirement may be counted separately. As such, one covered entity or business associate may be subject to multiple violations of up to a $1.5 million cap for each violation, which would result in a total penalty above $1.5 million.

d. Section 160.408—Factors Considered in Determining the Amount of a Civil Money Penalty

Proposed Rule

Section 160.408 implements section 1176(a)(2) of the Social Security Act, which requires the Secretary, when imposing a civil money penalty, to apply the provisions of section 1128A of the Social Security Act “in the same manner as such provisions apply to the imposition of a civil money penalty under section 1128A.” In determining a penalty amount, section 1128A requires the Secretary to take into account the nature of the claims and the circumstances under which they were presented; the degree of culpability, history of prior offenses and financial condition of the person presenting the claims; and such other matters as justice may require.

Section 160.408 adopted these factors and provided a more specific list of circumstances within each. Because the Enforcement Rule applies to a number of rules, which apply to an enormous number of entities and circumstances, the Secretary has the discretion to decide whether and how to consider the factors (i.e., as either aggravating or mitigating) in determining the amount of a civil money penalty.

As previously indicated, section 13410(d) of the HITECH Act modified section 1176(a)(1) of the Social Security Act to require that the Department base determinations of appropriate penalty amounts on the nature and extent of the violation and the nature and extent of the harm resulting from such violation. However, the HITECH Act did not modify section 1176(a)(2), which continues to require application of the factors in section 1128A.

The proposed rule proposed to revise the structure and list of factors at § 160.408 to make explicit the new HITECH Act requirement that the Secretary consider the nature and extent of the violation and the nature and extent of the harm resulting from the violation, in addition to those factors enumerated in section 1128A. We proposed to exclude, however, the factor at § 160.408(c) regarding the degree of culpability of the covered entity, which originated in section 1128A, because culpability is now reflected in the penalty tiers. Specifically, the Department proposed to revise § 160.408(a) to identify “the nature and extent of the violation,” “the nature and extent of the harm resulting from the violation,” and the “history of prior compliance with the administrative simplification provision, including violations by the covered entity or business associate,” the “financial condition of the covered entity or business associate,” and “such other matters as justice may require,” as the five general factors the Secretary will consider in determining a civil money penalty. Under each of these categories, we proposed to reorganize and list the specific factors that may be considered.

In addition, in the first, second, and third factors, we proposed to add certain circumstances which may be considered in determining a penalty amount. Under the first factor, we proposed to add “the number of individuals affected” as relevant to the extent of a violation. Under the second factor, we proposed to add “reputational harm” to the specific circumstances which may be considered, to make clear that reputational harm is as cognizable a form of harm as physical or financial harm. Finally, in the third factor, the Department proposed to modify the phrase “prior violations” to “indications of noncompliance,” because use of the term “violation” is generally reserved for instances where the Department has made a formal finding of a violation through a notice of proposed determination. However, a covered entity’s general history of HIPAA compliance is relevant in determining the amount of a civil money penalty within the penalty range. The Department did not propose to modify the Secretary’s discretion in how to apply the factors—i.e., as either mitigating or aggravating.

Overview of Public Comments

We received one comment requesting that the Department limit the number of mitigating factors it will consider when determining penalty amounts and apply
civil money penalties in every case of noncompliance, including where resolution and compliance have been achieved by informal means. The commenter also argued that a covered entity’s or business associate’s financial condition or financial difficulties should not be considered as mitigating factors in determining the amount of civil money penalties. The commenter recommended that penalties should apply to all violators except those who despite due diligence could not discover the violation, who reported the violation immediately, and who fully corrected the problem within 30 days of discovery.

We received two comments in support of considering reputational harm in the computation of civil money penalties. One commenter emphasized that reputational harm addresses harm to individuals’ dignity interest and recommended the inclusion of “other” harm as well. However, another covered entity expressed concern that damages for reputational harm are difficult to quantify and, therefore, claims might lead to protracted litigation and expensive settlements, ultimately increasing the costs of health care. Finally, we received one comment requesting examples of situations involving a cognizable claim of reputational harm.

We also received several comments requesting that the Department continue to consider the degree of culpability when determining the amount of a civil money penalty. One commenter specifically recommended that the Department consider whether unauthorized access has occurred when determining civil money penalty amounts. We also received one comment suggesting that the Department revise proposed § 160.408(c) to recognize as a mitigating factor whether the current violation is inconsistent with an entity’s prior history of compliance.

With respect to the evaluation of a covered entity’s or business associate’s history of prior compliance, we received a number of comments expressing concern that replacing “violations” with “indications of noncompliance” would create ambiguity, and would not adequately inform covered entities and business associates of the factors that the Department will consider when determining civil money penalty amounts. The commenters expressed concern that expanding the evaluation of prior compliance beyond documented, formal findings of noncompliance would permit the Department to rely on information of dubious credibility. Commenters requested that, to prevent uncertainty, the Department either retain the term “violations” or provide a clear definition, including examples, of “indications of noncompliance.”

Finally, we received several comments requesting additional examples and guidance on how the Department will apply the factors in assessing penalty amounts.

Final Rule

The final rule adopts the proposed modifications. We do not eliminate the factors concerning an entity’s financial condition, as such factors are based on the requirement in section 1128A(d) of the Social Security Act. We emphasize that the goal of enforcement is to ensure that violations do not recur without impeding access to care. Further, we note that an entity’s financial condition can affect a civil money penalty in either direction, that is, while an entity in poor financial condition may face a lesser penalty if its financial condition affected its ability to comply, an entity with greater financial resources could be subject to higher penalties for violations, in part because it had the resources to maintain compliance.

When considering the nature of the violation, the Department intends to consider factors such as the time period during which the violation(s) occurred and the number of individuals affected. Such considerations reflect the nature of the violation, specifically with respect to potential violations that affect a large number of individuals, for example, where disclosure of protected health information in multiple explanation of benefits statements (EOBs) that were mailed to the wrong individuals resulted from one inadequate safeguard but affected a large number of beneficiaries. However, we do recognize that these specific circumstances might also be considered under § 160.406, with respect to counting violations. See 71 FR 8390, 8409.

Whether reputational harm is implicated in a HIPAA violation will be a fact-specific inquiry. We emphasize, however, that we do not consider reputational harm to arise solely from the unlawful disclosure of protected health information relating to medical diagnoses that may be considered especially sensitive, such as sexually transmitted infections or mental health disorders. Rather, the facts of the situation will determine whether reputational harm has occurred, such as whether the unlawful disclosure resulted in adverse effects on employment, standing in the community, or personal relationships.

With respect to requests to consider “other” harm or whether unauthorized access has occurred, we reiterate that, in determining the nature and extent of the harm involved, we may consider all relevant factors, not just those expressly included in the text of the regulation.

Regarding the shift in terminology from “history of violations” to “prior indications of noncompliance,” we note that use of the terms “violation” or “violate” generally indicates that the Department has made a formal finding of a violation through a notice of proposed determination. Because the Department has a number of enforcement tools, such as informal resolution through a corrective action plan, the number of “violations” incurred by a covered entity or business associate does not constitute an accurate picture of a covered entity’s or business associate’s general history of compliance with all HIPAA Rules, which is relevant in determining the amount of a civil money penalty within the penalty range. See 71 FR 8390, 8408. As such, the Department modified the provision to reflect the Department’s policy of considering the covered entity’s or business associate’s general history of compliance with the HIPAA Rules when determining a civil money penalty.

With regard to the phrase “indications of noncompliance,” we first clarify that a mere complaint does not constitute an indication of noncompliance. Instead, prior indications of noncompliance may refer to the number of times the Department has investigated an entity in the past and discovered indications of noncompliance that the Department resolved by informal means, such as satisfactory corrective action voluntarily taken by the covered entity. Finally, we agree that an entity’s history of compliance—not only a history of noncompliance—is important, and will consider such a factor.

e. Section 160.410—Affirmative Defenses

Interim Final Rule and Proposed Rule

As noted above, the IFR made changes to the affirmative defenses found in the Enforcement Rule at § 160.410 to implement the modifications to section 1176(b) of the Social Security Act made by section 13410(d) of the HITECH Act. Specifically, the IFR removed the previous affirmative defense to the imposition of penalties if the covered entity did not know and with the exercise of reasonable diligence would not have known of the violation (since such violations are now punishable under the lowest tier of penalties), and by providing a prohibition on the
imposition of penalties for any violation that is corrected within a 30-day time period, as long as the violation was not due to willful neglect.

The proposed rule included additional modifications to § 160.410 to conform to the changes made to section 1176(b) by the HITECH Act. Specifically, we proposed to implement the revision of section 1176(b)(1) of the Social Security Act by providing in § 160.410(a)(1) and (2) that the affirmative defense of criminally “punishable” is applicable to penalties imposed prior to February 18, 2011, and on or after February 18, 2011, the Secretary’s authority to impose a civil money penalty will only be barred to the extent a covered entity or business associate can demonstrate that a criminal penalty has been imposed. Additionally, the Department also proposed modifications to the affirmative defenses in § 160.410 for violations occurring prior to February 18, 2009, to ensure the prior definition of “reasonable cause” continued to apply in such circumstances and avoiding any potential issues regarding a retroactive application of the revised term.

Final Rule

The final rule adopts the proposed modifications to § 160.410. The Department did not receive any comments in response to the NPRM’s proposed revisions to this section.

f. Section 160.412—Waiver

Prior to February 18, 2009, § 160.412 stated that “[f]or violations described in § 160.410(b)(3)(i) that are not corrected within the period described in § 160.410(b)(3)(ii), the Secretary may waive the civil money penalty, in whole or in part, to the extent that payment of the penalty would be excessive relative to the violation.” This language implicitly recognized a covered entity’s ability to claim an affirmative defense to the imposition of a civil money penalty, under what was then § 160.410(b)(2), by establishing that it did not have knowledge of the violation, determined in accordance with the Federal common law of agency, and by exercising reasonable diligence, would not have known that the violation occurred. While section 13410(d) of the HITECH Act revised section 1176(b) of the Social Security Act to eliminate the affirmative defense for such violations, absent corrective action during a 30-day period, it did not revise the Secretary’s waiver authority. As a result, the Enforcement IFR amended § 160.412 to reflect the revisions made to § 160.410 to provide that “[r]egardless of whether violations occur before, on, or after February 18, 2009, the Secretary had the authority to provide a waiver for violations due to reasonable cause and not willful neglect that are not timely corrected (pursuant to the correction period in revised § 160.410(a)(3)(ii) or (b)(2)(ii), as applicable).” See 74 FR 56129.

The proposed rule included conforming changes to § 160.412 to align the provision with the revisions to § 160.410. See 75 FR 40881. The proposed revision would effectively provide the Secretary with the authority to waive a civil money penalty, in whole or in part, for violations described in § 160.410(b)(2) (occurring prior to February 18, 2009, and due to circumstances that would make it unreasonable for the covered entity, despite the exercise of ordinary business care and prudence, to comply with the administrative simplification provision violated) or § 160.410(c) (occurring on or after February 18, 2009, and involving an establishment to the satisfaction of the Secretary that the violation is not due to willful neglect) and that are not corrected within the period specified under such paragraphs.

Overview of Public Comments

The Department received a few comments in response to the IFR regarding the Secretary’s authority to waive the imposition of a civil money penalty for violations occurring on or after February 18, 2009, each of which urged that the Secretary’s waiver authority be extended to apply also to penalties for violations of which a covered entity did not know, or through the exercise of reasonable diligence, would not have known, in addition to reasonable cause violations, because “did not know” violations are a less culpable category of violation than reasonable cause violations.

Final Rule

The final rule adopts the modifications to § 160.412 proposed in the NPRM, which addresses the concerns of the above commenters on the IFR.

g. Section 160.418—Penalty Not Exclusive

Proposed Rule

We proposed to revise this section to incorporate a reference to the provision of PSQIA at 42 U.S.C. 299b–22 that provides that penalties are not to be imposed under both PSQIA and the HIPAA Privacy Rule for the same violation.

Final Rule

The Department did not receive substantive public comment on this proposal. The final rule adopts the proposed modification to § 160.418.

h. Section 160.420—Notice of Proposed Determination

Interim Final Rule

The Enforcement IFR also amended § 160.420(a)(4) to add the requirement that, in addition to the proposed penalty amount, the Secretary identify in a notice of proposed determination the applicable violation category in § 160.404 upon which the proposed penalty amount is based. While not statutorily required, the Enforcement IFR included this amendment to provide covered entities and business associates with additional information that would increase their understanding of the violation findings in the notice of proposed determination.

Overview of Public Comment

The Department received three comments supporting this amendment.

Final Rule

The final rule retains the provision as modified in the IFR.

i. Calculation of the 30-Day Cure Period for Willful Neglect Violations

Interim Final Rule

In its discussion of the HITECH Act’s revision of affirmative defenses, the Department noted that section 1176(b)(2)(A) of the Social Security Act still operates to exclude violations due to willful neglect from those that, if timely corrected, would be exempt from the Secretary’s imposition of a civil money penalty. However, a covered entity’s timely action to correct still would be determinative with respect to which of the two tiers of willful neglect penalty amounts would apply. To determine the appropriate penalty tier for such violations, the Department stated it would calculate the 30-day cure period in the same manner as described for determining whether an affirmative defense applied. That is, the Department would look at when a covered entity first had actual or constructive knowledge of a violation due to willful neglect, based on evidence gathered during its investigation, on a case-by-case basis. See 74 FR 56128 (October 30, 2009), 70 FR 20224, 20237–8 (April 18, 2005) and 71 FR 8390, 8410 (February 16, 2006) for prior, more detailed discussions about the Department’s determination of when knowledge exists.
Because the Department recognized that the minimum penalty amount under the HITECH Act of a violation due to willful neglect that is corrected during the 30-day cure period is significantly less than that for a violation due to willful neglect that is not timely corrected (equating to a $40,000 minimum penalty amount difference), the IFR specifically requested comment on whether there are alternative approaches to calculating the beginning of the 30-day cure period for this purpose.

Overview of Public Comments

While a few commenters expressed support for utilizing the current scheme in determining which tier should apply to a violation due to willful neglect, other commenters expressed concerns with this approach due to the uncertainty with determining exactly when the cure period begins and that a business associate’s knowledge of a violation could be imputed to the covered entity prior to the business associate notifying the covered entity, as well as concerns if the Secretary does not notify an entity of a potential violation in a timely manner. A few commenters suggested that the 30-day cure period begin once the Department notifies the covered entity of a complaint.

Final Rule

The final rule retains the policy that the 30-day cure period for violations due to willful neglect, like those not due to willful neglect, begins on the date that an entity first acquires actual or constructive knowledge of the violation and will be determined based on evidence gathered by the Department during its investigation, on a case-by-case basis.

First, the requirement that an entity have knowledge that a “violation” has occurred, and not only of the facts underlying the violation, is a higher standard than that which is often required by other law. Also, as a practical matter, the date an entity has actual or constructive knowledge of a violation will vary depending on the circumstances involved, and may be the result of notice by a workforce member or business associate, a complaint received by a health care consumer, or notification by the Department that a complaint has been filed. However, other sources of information exist that could establish knowledge, including internal indications of a potential noncompliance such as unusual access or audit log activity.

While we understand commenters’ concerns relating to the uncertainty inherent to constructive knowledge, we believe that it provides an appropriate incentive that is consistent with the strengthened enforcement of the HIPAA Rules, as provided in the HITECH Act. Reliance on notification by a complainant or the Department would not encourage self-correction or an entity’s establishment of a compliance program that proactively prevents, detects and corrects indications of noncompliance. If the cure period were solely based on external notification, it is quite possible that entities would have little or no incentive to make corrections of noncompliance until long after an incident occurred, if ever. In response to concerns that constructive knowledge may be imputed to the principal when an agent fails to notify the responsible entity, we note that an agent must be acting within the scope of agency for a covered entity or a business associate to be liable for the agent’s acts or failures to act. An agent that fails to notify a covered entity or business associate may be acting outside its scope of authority as an agent. In such a circumstance, the agent’s knowledge is not imputed to the principal under the Federal Common Law of Agency.

Finally, an entity will have the opportunity to submit evidence establishing its knowledge or lack of knowledge, during the Department’s investigation. Entities will also have a right to request a hearing to appeal a finding about knowledge in a notice of proposed determination to the extent they believe the finding is not based on a preponderance of the evidence. An administrative law judge would then review the finding and affirm or modify it.

Response to Other Public Comments

Comment: A few commenters suggested that 30 days may not be sufficient for a covered entity to complete corrective action, particularly with respect to large organizations with complex systems, structures and relationships. One commenter suggested there should be a process available to allow an organization to apply for a reasonable extension to complete the cure.

Response: In response to commenters’ concern about the length of the 30-day cure period, we note that this time period is defined by statute at section 1176(b) of the Social Security Act, and was not modified by section 13410(d) of the HITECH Act. Thus, we believe there is no authority upon which to base a modification to the length of the cure period.

Comment: One commenter requested that the Department clarify whether the new enforcement provisions will apply to violations of all HIPAA Administrative Simplification provisions or just to the privacy and security requirements.

Response: The enforcement regulations at 45 CFR Part 160, Subparts C, D, and E, relate to compliance with, and the enforcement of, all of the Administrative Simplification regulations adopted under subtitle F of Title II of HIPAA, including the Standards for Electronic Transactions and Code Sets (Transactions and Code Sets Rule(s) (referred to in both a singular and plural sense); Standards for Privacy of Individually Identifiable Health Information (HIPAA Privacy Rule); Standard Unique Employer Identifier (EIN Rule); Security Standards (HIPAA Security Rule); and Standard Unique Health Identifier for Health Care Providers (NPI Rule). In addition, the Enforcement Rule applies to the Breach Notification Rule for HIPAA covered entities and business associates.

C. Subparts A and C of Part 164: General Provisions and Modifications to the Security Rule

We proposed implementing modifications to the Security Rule as a result of the HITECH Act and to make certain other changes. Below we respond to comments received on the proposed changes as well as describe the final rule provisions. We also discuss the final technical and conforming changes to the general provisions in Subpart A of Part 164, which applies to the Security, Privacy, and Breach Notification Rules, and respond to comments where substantive comments were received on these changes.

1. Technical Changes to Subpart A—General Provisions

a. Section 164.102—Statutory Basis

This section sets out the statutory basis of Part 164. We proposed and include in this final rule a technical change to include a reference to the provisions of sections 13400 through 13424 of the HITECH Act upon which the regulatory changes discussed below are based.

b. Section 164.104—Applicability

This section sets out to whom Part 164 applies. We proposed to replace the existing paragraph (b) with an applicability statement for business associates, consistent with the provisions of the HITECH Act. Paragraph (b) makes clear that, where provided, the standards, requirements, and implementation specifications of the HIPAA Privacy, Security, and
Breach Notification Rules apply to business associates. We also proposed to remove as unnecessary the existing language in § 164.104(b) regarding the obligation of a health care clearinghouse to comply with § 164.105 relating to organizational requirements of covered entities. This final rule adopts these changes as proposed.

c. Section 164.105—Organizational Requirements

Section 164.105 outlines the organizational requirements and implementation specifications for health care components of covered entities and for affiliated covered entities. As § 164.105 now also applies to Subpart D of Part 164 regarding breach notification for unsecured protected health information, we proposed to remove several specific references to Subparts C and E throughout this section to make clear that the provisions of this section also apply to Subpart D of Part 164. The final rule adopts these modifications. In addition, we proposed the following modifications to this section.

i. Section 164.105(a)(2)(ii)(C)–(E)

Proposed Rule

As a covered entity's obligation to ensure that a health care component complies with the Privacy and Security Rules is already set out at § 164.105(a)(2)(ii), we proposed to modify this section to remove as unnecessary paragraphs (C) and (D), which pertain to the obligation of a covered entity to ensure that any component that performs business associate-like activities and is included in the health care component complies with the requirements of the Privacy and Security Rules, and to re-designate paragraph (E) as (C). Additionally, we requested comment on whether we should require, rather than permit as was the case at § 164.105(a)(2)(iii)(C), a covered entity that is a hybrid entity to include a component that performs business associate-like activities within its health care component so that such components are directly subject to the Rules.

Overview of Public Comments

Several commenters recommended that hybrid entities should retain the flexibility to either include or exclude business associates from the healthcare component. Two of these commenters stated this option would allow the covered entity to distinguish the functions and responsibilities of the business associate as separate from the health care component, which would result in better compliance, as covered entities would evaluate each business associate separately for compliance purposes. Further, commenters argued that, as the covered entity is ultimately legally liable for compliance on the part of the organization, such a modification is not necessary.

Additionally, several commenters stated that requiring a hybrid entity to include business associate departments is excessive and burdensome. Some of these commenters further stated that business associate departments of a hybrid entity will likely commit limited time, personnel, and staff hours to Privacy and Security Rule compliance and suggested that the hybrid entity should implement applicable entity-wide policies and procedures and separately ensure that business associate departments implement specific practices scaled to the business associate's use or disclosure of protected health information.

In contrast, several commenters supported the proposed change. Several of these commenters suggested that the modification would better facilitate compliance, because requiring the covered entity to include the business associate department in the health care component would better protect the protected health information held by the business associate and would ensure consistent standards within the health care component of the covered entity.

Final Rule

Many covered entities perform both covered and non-covered functions as part of their business operations. For such covered entities, the entire entity is generally required to comply with the Privacy Rule. However, the hybrid entity provisions of the HIPAA Rules permit the entity to limit the application of the Rules to the entity's components that perform functions that would make the component a "covered entity" if the component were a separate legal entity. Specifically, this provision allows an entity to designate a health care component by documenting the components of its organization that perform covered entity functions. The effect of such a designation is that most of the requirements of the HIPAA Rules apply only to the designated health care component of the entity and not to the functions the entity performs that are not included in the health care component. While most of the HIPAA Rules' requirements apply only to the health care component, the hybrid entity retains certain oversight, compliance, and enforcement obligations.

We explained in the preamble to the 2002 modifications to the Privacy Rule that the Rule provides hybrid entities with discretion as to whether or not to include business associate divisions within the health care component. However, a disclosure of protected health information from the health care component to any other division that is not part of the health care component, including a business associate division, is treated the same as a disclosure outside the covered entity. As a result, because an entity generally cannot have a business associate agreement with itself, a disclosure from the health care component to the business associate division(s) of the entity likely would require individual authorization. See 67 FR 53182, 53205 (Aug. 14, 2002).

Importantly, after this final rule, business associates, by definition, are separately and directly liable for violations of the Security Rule and for violations of the Privacy Rule for impermissible uses and disclosures pursuant to their business associate contracts. With respect to a hybrid entity, however, not including business associate functions within the health care component of a hybrid entity could avoid direct liability and compliance obligations for the business associate component. Thus, we agree with the commenters that supported requiring inclusion of business associate functions inside the health care component of a hybrid entity. As such, the final rule requires that the health care component of a hybrid entity include all business associate functions within the entity.

Response to Other Public Comments

Comment: One commenter requested that the Department revise the definitions of "hybrid entity" to permit business associates to designate a health care component.

Response: A business associate performs one or more functions on behalf of a covered entity (or, in this final rule, another business associate). As a business associate is only subject to the HIPAA Rules with respect to the protected health information it maintains, uses, or discloses on behalf of a covered entity (or business associate) and not to other information it may maintain, including health information, there is no need for a business associate to designate one or more health care components.

Comment: One commenter asked whether an employer that operates an on-site clinic for the treatment of employees functions as a hybrid entity.

Response: An entity that maintains an on-site clinic to provide health care to one or more employees may be a HIPAA covered provider to the extent the clinic performs one or more covered
transactions electronically, such as billing a health plan for the services provided. If covered, the entity need not become a hybrid entity so as to avoid applying the Privacy Rule to health information the entity holds in its role as employer, such as sick leave requests of its employees. Such information is already excluded from the definition of "protected health information" as employment records and thus, the Privacy Rule does not apply to this information. However, the identifiable health information the entity holds as a covered health care provider (e.g., the information the clinic holds about employees who have received treatment) is protected health information and generally may not be shared with the employer for employment purposes without the individual's authorization.

ii. Section 164.105(a)(2)(iii)(C)

We proposed to modify this section to re-designate § 164.105(a)(2)(iii)(C) as (D), and to include a new paragraph (C), which makes clear that, with respect to a hybrid entity, the covered entity itself, and not merely the health care component, remains responsible for complying with §§ 164.314 and 164.504 regarding business associate arrangements and other organizational requirements. Hybrid entities may need to execute legal contracts and conduct other organizational matters at the level of the legal entity rather than at the level of the health care component. The final rule adopts this change.

iii. Section 164.105(b)(1)

The final rule fixes a minor typographical error in this paragraph by redesignating the second paragraph (1) as paragraph (2).

iv. Section 164.105(b)(2)(ii)

The final rule simplifies this paragraph by collapsing subparagraphs (A), (B), and (C) regarding the obligations of an affiliated entity to comply with the Privacy and Security Rules into one provision.

d. Section 164.106—Relationship to Other Parts

The final rule adds a reference in this provision to business associates, consistent with their inclusion elsewhere throughout the other HIPAA Rules.

2. Modifications to the HIPAA Security Rule in Subpart C

a. Business Associates

Proposed Rule

Before the HITECH Act, the Security Rule did not directly apply to business associates of covered entities. However, section 13401 of the HITECH Act provides that the Security Rule's administrative, physical, and technical safeguards requirements in §§ 164.308, 164.310, and 164.312, as well as the Rule's policies and procedures and documentation requirements in § 164.316, apply to business associates in the same manner as these requirements apply to covered entities, and that business associates are civilly and criminally liable for violations of these provisions.

To implement section 13401 of the HITECH Act, we proposed to insert references in Subpart C to "business associate" following references to "covered entity," as appropriate, to make clear that these provisions of the Security Rule also apply to business associates. In addition, we proposed additional changes to §§ 164.306, 164.308, 164.312, 164.314, and 164.316 of the Security Rule, as discussed below.

Overview of Public Comments

Some commenters argued that the time, implementation expense, transaction cost, and liability cost burdens on business associates and subcontractors to comply with the Security Rule, especially small and mid-size entities, would be significant. Other commenters supported the direct application of the Security Rule to business associates and subcontractors.

Final Rule

We adopt the modifications to the Security Rule as proposed to implement the HITECH Act's provisions extending direct liability for compliance with the Security Rule to business associates. In response to the concerns raised regarding the costs of compliance, we note that the Security Rule currently requires a covered entity to establish a business associate agreement that requires business associates to implement administrative, physical, and technical safeguards that reasonably and appropriately protect the confidentiality, integrity, and availability of the electronic protected health information that they create, receive, maintain, or transmit on behalf of the covered entity as required by the Security Rule; and to ensure that any agent, including a subcontractor, to whom they provide such information agrees to implement reasonable and appropriate safeguards to protect it. See § 164.314(a). Consequently, business associates and subcontractors should already have in place security practices that either comply with the Security Rule, or that require only modest improvements to come into compliance with the Security Rule requirements. Moreover, the requirements of the Security Rule were designed to be technology neutral and scalable to all different sizes of covered entities and business associates. Covered entities and business associates have the flexibility to choose security measures appropriate for their size, resources, and the nature of the security risks they face, enabling them to reasonably implement any given Security Rule standard. In deciding which security measures to use, a covered entity or business associate should take into account its size, capabilities, the costs of the specific security measures, and the operational impact. Thus, the costs of implementing the Security Rule for large, mid-sized, or small business associates will be proportional to their size and resources.

Notwithstanding the above, based on the comments, we acknowledge that some business associates, particularly the smaller or less sophisticated business associates that may have access to electronic protected health information for limited purposes, may not have engaged in the formal administrative safeguards such as having performed a risk analysis, established a risk management program, or designated a security official, and may not have written policies and procedures, conducted employee training, or documented compliance as the statute and these regulations would now require. For these business associates, we include an estimate for compliance costs below in the regulatory impact analysis. We also refer these business associates to our educational papers and other guidance on compliance with the HIPAA Security Rule found at: http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule. These materials provide guidance on conducting risk analyses and implementing the other administrative safeguards required by the Security Rule, which may prove helpful to these business associates and facilitate their compliance efforts.

b. Section 164.306—Security Standards: General Rules

Proposed Rule

Section 164.306 sets out the general rules that apply to all of the security
standards and implementation specifications that follow in the Security Rule. We proposed technical revisions to § 164.306(e) to more clearly indicate that covered entities and business associates must review and modify security measures as needed to ensure the continued provision of reasonable and appropriate protection of electronic protected health information, and update documentation of such security measures accordingly.

Final Rule

The Department did not receive substantive public comment on this proposal. The final rule adopts the modifications to § 164.306 as proposed.

c. Section 164.308—Administrative Safeguards

Proposed Rule

We proposed a technical change to § 164.308(a)(3)(ii)(C) regarding termination procedures for workforce members, to add the words "or other arrangement with" after "employment of" in recognition of the fact that not all workforce members are employees (e.g., some may be volunteers) of a covered entity or business associate. We also proposed a number of modifications to § 164.308(b) to conform to modifications proposed in the definition of "business associate." Section 164.308(b) provides that a covered entity may permit a business associate to create, receive, maintain, or transmit electronic protected health information only if the covered entity has a contract or other arrangement in place to ensure the business associate will appropriately safeguard the protected health information. Section 164.308(b)(2) contains several exceptions to this general rule for certain situations that do not give rise to a business associate relationship, such as where a covered entity discloses electronic protected health information to a health care provider concerning the treatment of an individual. We proposed to remove these exceptions from this provision, since as discussed above, they would now be established as exceptions to the definition of "business associate." In addition, we proposed to modify § 164.308(b)(1) and (2) to clarify that covered entities are not required to obtain satisfactory assurances in the form of a contract or other arrangement with a business associate that is a subcontractor; rather, it is the business associate that must obtain the required satisfactory assurances from the subcontractor to protect the security of electronic protected health information. Finally, we proposed to remove the provision at § 164.308(b)(3), which provides that a covered entity that violates the satisfactory assurances it provided as a business associate of another covered entity will be in noncompliance with the Security Rule's business associate provisions, as a covered entity's actions as a business associate of another covered entity would now be directly regulated by the Security Rule's provisions that apply to business associates.

Overview of Public Comments

One commenter asked for confirmation that the changes to § 164.308 would require a covered entity to enter into a business associate agreement with its own business associate and not any subcontractors of those business associates.

Final Rule

The final rule adopts the proposed modifications to § 164.308. Section 164.308(b) expressly provides that a covered entity is not required to enter into a business associate agreement with a business associate that is a subcontractor; rather, this is the obligation of the business associate that has engaged the subcontractor to perform a function or service that involves the use or disclosure of protected health information.

d. Section 164.314—Organizational Requirements

Proposed Rule

While Section 13401 of the HITECH Act does not expressly include § 164.314 among the provisions for which business associates are directly liable, it states that § 164.308 of the Security Rule applies to business associates "in the same manner" that the provision applies to covered entities. Section 164.308(b) requires a covered entity's business associate agreements to conform to the requirements of § 164.314. Accordingly, in order for § 164.308(b) to apply to business associates in the same manner as it applies to covered entities, we proposed to revise § 164.314 to reflect that it is also applicable to agreements between business associates and subcontractors that create, receive, maintain, or transmit electronic protected health information.

We also proposed a number of modifications to streamline the requirements of § 164.314. First, since a business associate for purposes of the Security Rule is also always a business associate for purposes of the Privacy Rule, we proposed to remove contract provisions that were merely duplicative of parallel provisions in the Privacy Rule's business associate contract provisions at § 164.504. We also proposed to remove the specific requirements under § 164.314(a)(2)(ii) for other arrangements, such as a memorandum of understanding when both a covered entity and business associate are governmental entities, and instead simply refer to the parallel Privacy Rule requirements at § 164.504(e)(3). Second, we proposed conforming modifications to the remaining contract requirements in § 164.314(a)(2)(i) to provide that such contracts must require a business associate to comply with the Security Rule, to ensure any subcontractors enter into a contract or other arrangement to protect the security of electronic protected health information; and with respect to the reporting of security incidents by business associates to covered entities, to report to the covered entity breaches of unsecured protected health information as required by § 164.410 of the breach notification rules. Third, we proposed to add a provision at § 164.314(a)(2)(iii) that provides that the requirements of this section for contracts or other arrangements between a covered entity and business associate would apply in the same manner to contracts or other arrangements between business associates and subcontractors required by the proposed requirements of § 164.308(b)(4). For example, under these provisions, a business associate contract between a business associate and a business associate subcontractor would need to provide that the subcontractor report any security incident of which it becomes aware, including breaches of unsecured protected health information as required by § 164.410, to the business associate. This would mean that if a breach of unsecured protected health information occurs at or by a second tier subcontractor, the subcontractor must notify the business associate subcontractor with which it contracts of the breach, which then must notify the business associate which contracts with the covered entity of the breach, which then must notify the covered entity of the breach. The covered entity then notifies the affected individuals, the Secretary, and, if applicable, the media, of the breach, unless it has delegated such responsibilities to a business associate. Finally, we proposed to remove the reference to subcontractors in § 164.314(b)(2)(iii) regarding amendment of group health plan documents as a condition of disclosure of protected health information to a plan sponsor, as unnecessary and to avoid
confusion with the use of the term subcontractor when referring to subcontractors that are business associates.

Final Rule

The Department did not receive substantive public comment on these proposed changes. The final rule adopts the modifications as proposed.

Response to Other Public Comments

Comment: One commenter suggested that business associate agreements should be an "addressable" requirement under the Security Rule.

Response: The HITECH Act does not remove the requirements for business associate agreements under the HIPAA Rules. Therefore, we decline to make the execution of business associate agreements an "addressable" requirement under the Security Rule.

Comment: One commenter recommended that the Department remove the "addressable" designation from the Security Rule, because such designations lead to ambiguity in the application of the Security Rule in the health care industry.

Response: We decline to adopt this recommendation. The Security Rule is structured to be both scalable and flexible, so that entities of different types and sizes can implement the standards and implementation specifications in a manner that is reasonable and appropriate for their circumstances. We do not mandate the use of specific technologies, or require uniform policies and procedures for compliance, because we recognize the diversity of regulated entities and appreciate the unique characteristics of their environments.

Comment: Two commenters suggested providing subcontractors with additional time to comply with the provisions of the Security Rule.

Response: We decline to delay application of the requirements under the Security Rule to subcontractors beyond the compliance dates provided by this final rule. As we emphasized above, the Security Rule already requires covered entities to establish business associate agreements that require business associates to ensure that their subcontractors implement reasonable and appropriate safeguards to protect the security of electronic protected health information they handle.

Comment: A few commenters proposed alternative ways to apply security requirements to subcontractors, such as exempting subcontractors from compliance with the Security Rule if they have already completed security assessments and met the security requirements under other State and Federal laws or only requiring subcontractors to comply with the minimum necessary standard and to utilize "reasonable" security measures with regard to protected health information.

Response: We decline to adopt an exemption or otherwise limit subcontractors' responsibility to safeguard individuals' electronic protected health information. To ensure appropriate and strong security protections for electronic protected health information, subcontractors are required to comply with the Security Rule to the same extent as business associates with a direct relationship with a covered entity.

D. Subpart E of Part 164: Modifications to the Privacy Rule

The NPRM proposed a number of changes to the Privacy Rule to implement certain provisions of the HITECH Act, as well as certain modifications to improve the workability and effectiveness of the Rule and to conform the Privacy Rule to PSQIA. The section-by-section description below of the final rule discusses the proposed and final changes and responds to public comments.

1. Section 164.500—Applicability

Section 13404 of the HITECH Act makes specific requirements of the Privacy Rule applicable to business associates and creates direct liability for noncompliance by business associates with regard to those requirements.

Proposed Rule

In accordance with section 13404 of the HITECH Act, we proposed language in § 164.500 to clarify that, where provided, the standards, requirements, and implementation specifications of the Privacy Rule apply to business associates.

Overview of Public Comments

One commenter suggested that the Department expand the applicability of the Privacy Rule to all entities that handle individually identifiable health information. Some commenters requested clarification as to which provisions of the Privacy Rule apply directly to business associates, and one commenter recommended applying all of the provisions of the Privacy Rule to business associates, including requiring business associates to implement reasonable safeguards, train employees, and designate a privacy official.

Final Rule

The final rule implements the proposed revisions to § 164.500. While we understand commenters' concerns regarding the uses and disclosures of health information by entities not covered by the Privacy Rule, the Department is limited to applying the HIPAA Rules to those entities covered by HIPAA (i.e., health plans, health care clearinghouses, and health care providers that conduct covered transactions) and to business associates, as provided under the HITECH Act.

As we discuss further below, section 13404 of the HITECH Act creates direct liability for impermissible uses and disclosures of protected health information by a business associate of a covered entity "that obtains or creates" protected health information "pursuant to a written contract or other arrangement described in § 164.502(e)(2)" and for compliance with the other privacy provisions in the HITECH Act. Section 13404 does not create direct liability for business associates with regard to compliance with all requirements under the Privacy Rule (i.e., does not treat them as covered entities). Therefore, under the final rule, a business associate is directly liable under the Privacy Rule for uses and disclosures of protected health information that are not in accord with its business associate agreement or the Privacy Rule. In addition, a business associate is directly liable for failing to disclose protected health information when required by the Secretary to do so for the Secretary to investigate and determine the business associate's compliance with the HIPAA Rules, and for failing to disclose protected health information to the covered entity, individual, or individual's designee, as necessary to satisfy a covered entity's obligations with respect to an individual's request for an electronic copy of protected health information. See § 164.502(a)(3) and (a)(4). Further, a business associate is directly liable for failing to make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. See § 164.502(b). Finally, business associates are directly liable for failing to enter into business associate agreements with subcontractors that create or receive protected health information on their behalf. See § 164.502(e)(1)(ii). As was the case under the Privacy Rule before the HITECH Act, business associates remain contractually liable for all other Privacy Rule obligations that are included in
their contracts or other arrangements with covered entities.

2. Section 164.501—Definitions

a. Definition of "Health Care Operations"

Proposed Rule

PSQIA provides, among other things, that Patient Safety Organizations (PSOs) are to be treated as business associates of covered health care providers. Further, PSQIA provides that the patient safety activities of PSOs are deemed to be health care operations of covered health care providers under the Privacy Rule. See 42 U.S.C. 299b–22(i). To conform to these statutory provisions, we proposed to amend paragraph (1) of the definition of "health care operations" to include an express reference to patient safety activities, as defined in the PSQIA implementing regulation at 42 CFR 3.20. Many health care providers participating in the voluntary patient safety program authorized by PSQIA are HIPAA covered entities. PSQIA acknowledges that such providers must also comply with the Privacy Rule and deems patient safety activities to be health care operations under the Privacy Rule. While such types of activities are already encompassed within paragraph (1) of the definition, which addresses various quality activities, we proposed to expressly include patient safety activities within paragraph (1) of the definition of health care operations to conform the definition to PSQIA and to eliminate the potential for confusion. This modification also addresses public comments the Department received during the rulemaking period for the PSQIA implementing regulations, which urged the Department to modify the definition of "health care operations" in the Privacy Rule to expressly reference patient safety activities so that the intersection of the Privacy and PSQIA Rules would be clear. See 73 FR 70732, 70780 (Nov. 21, 2008).

Overview of Public Comments

The Department received comments supporting the inclusion of patient safety activities in the definition of "health care operations."

Final Rule

The final rule adopts the proposed modification.

b.

to market a product or service to them. See § 164.508(a)(3). Section 164.501 defines "marketing" as making a communication about a product or service that encourages recipients of the communication to purchase or use the product or service. Paragraph (1) of the definition includes a number of exceptions to marketing for certain health-related communications: (1) Communications made to describe a health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of, the covered entity making the communications, including communications about: The entities participating in a healthcare provider network or health plan network; replacement of, or enhancements to, a health plan; and health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits; (2) communications made for the treatment of the individual; and (3) communications for case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual. A covered entity is permitted to make these excepted communications without an individual's authorization as either treatment or health care operations communications, as appropriate, under the Privacy Rule. In addition, the Privacy Rule does not require a covered entity to obtain individual authorization for face-to-face communications or to provide only promotional gifts of nominal value to the individual. See § 164.508(a)(3)(i). However, a covered entity must obtain prior written authorization from an individual to send communications to the individual about non-health related products or services or to give or sell the individual's protected health information to a third party for marketing. Still, concerns have remained about the ability under these provisions for a third party to pay a covered entity to send health-related communications to an individual about the third party's products or services.

Section 13406(a) of the HITECH Act limits the health-related communications that may be considered health care operations and thus, that are excepted from the definition of

payment, the HITECH Act at section 13406(a)(2)(B) and (C) requires that the covered entity obtain the individual's valid authorization prior to making the communication, or, if applicable, prior to its business associate making the communication on its behalf in accordance with its written contract. Section 13406(a)(2)(A) of the HITECH Act includes an exception to the payment limitation for communications that describe only a drug or biologic that is currently being prescribed to the individual as long as any payment received by the covered entity in exchange for making the communication is reasonable in amount. Section 13406(a)(3) of the Act provides that the term "reasonable in amount" shall have the meaning given to such term by the Secretary in regulation. Finally, section 13406(a)(4) of the Act clarifies that the term "direct or indirect payment" does not include any payment for treatment of the individual. We believe Congress intended that these provisions curtail a covered entity's ability to use the exceptions to the definition of "marketing" in the Privacy Rule to send communications to the individual that are motivated more by commercial gain or other commercial purpose rather than for the purpose of the individual's health care, despite the communication being about a health-related product or service.

To implement the marketing limitations of the HITECH Act, we proposed a number of modifications to the definition of "marketing" at § 164.501. In paragraph (1) of the definition of "marketing," we proposed to maintain the general concept that "marketing" means "to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service." In paragraph (2) of the definition, we proposed to include three exceptions to this definition to encompass certain treatment and health care operations communications about health-related products or services. First, we proposed to exclude from the definition of "marketing" certain health care operations communications, except where, as provided by the HITECH Act, the covered entity receives financial remuneration in exchange for making the communication. This would encompass communications to describe
Definition of ‘‘Marketing’’ a health-related product or service (or ‘‘marketing’’ under the Privacy Rule, to Proposed Rule payment for such product or service) the extent a covered entity receives or that is provided by, or included in a has received direct or indirect payment The Privacy Rule requires covered plan of benefits of, the covered entity in exchange for making the entities to obtain a valid authorization making the communication, as well as communication. In cases where the from individuals before using or communications for case management covered entity would receive such disclosing protected health information VerDate Mar<15>2010 18:57 Jan 24, 2013 Jkt 229001 PO 00000 Frm 00028 Fmt 4701 Sfmt 4700 E:\FR\FM\25JAR2.SGM 25JAR2 sroberts on DSK5SPTVN1PROD with

or care coordination, contacting of individuals with information about treatment alternatives, and related functions (to the extent these activities did not constitute "treatment"). Although the HITECH Act uses the term "direct or indirect payment" to describe the limitation on permissible health care operations disclosures, the proposed rule substituted the term "financial remuneration" to avoid confusion with the term "payment," which is defined in the Privacy Rule to mean payment for health care, and for consistency with the Privacy Rule's current authorization requirement for marketing at § 164.508(a)(3), which uses the term "remuneration." We proposed to define "financial remuneration" in paragraph (3) of the definition of "marketing" to mean direct or indirect payment from or on behalf of a third party whose product or service is being described. We also proposed to make clear, in accordance with section 13406(a)(4) of the HITECH Act, that financial remuneration does not include any direct or indirect payment for the treatment of an individual. Additionally, because the HITECH Act refers expressly to "payment," rather than remuneration more generally, the proposed rule specified that only the receipt of financial remuneration in exchange for making a communication, as opposed to in-kind or any other type of remuneration, is relevant for purposes of the definition of marketing. We also proposed a conforming change to the required authorization provisions for marketing communications at § 164.508(a)(3) to add the term "financial" before "remuneration" and to refer to the new definition of "financial remuneration." The proposed rule emphasized that financial remuneration for purposes of the definition of "marketing" must be in exchange for making the communication itself and be from or on behalf of the entity whose product or service is being described. Thus, under these proposed provisions, an authorization would be required prior to a covered entity making a communication to its patients regarding the acquisition of, for example, new state of the art medical equipment if the equipment manufacturer paid the covered entity to send the communication to its patients; but not if a local charitable organization, such as a breast cancer foundation, funded the covered entity's mailing to patients about new state of the art mammography screening equipment. Furthermore, it would not constitute marketing and no authorization would be required if a hospital sent flyers to its patients announcing the opening of a new wing where the funds for the new wing were donated by a third party, since the financial remuneration to the hospital from the third party was not in exchange for the mailing of the flyers.

Second, we proposed to include the statutory exception to marketing at section 13406(a)(2)(A) for communications regarding refill reminders or otherwise about a drug or biologic that is currently being prescribed for the individual, provided any financial remuneration received by the covered entity for making the communication is reasonably related to the covered entity's cost of making the communication. The Act expressly identifies these types of communications as being exempt from the remuneration limitation only to the extent that any payment received for making the communication is reasonable in amount. We requested comment on the scope of this exception, that is, whether communications about drugs that are related to the drug currently being prescribed, such as communications regarding generic alternatives or new formulations of the drug, should fall within the exception. We also requested comment on the types and amount of costs that should be allowed under this provision. We noted that we had considered proposing a requirement that a covered entity could only receive financial remuneration for making such a communication to the extent it did not exceed the actual cost to make the communication. However, because we were concerned that such a requirement would impose the additional burden of calculating the costs of making each communication, we proposed to allow costs that are reasonably related to a covered entity's cost of making the communication.

Third, we proposed to exclude from marketing treatment communications about health-related products or services by a health care provider to an individual, including communications for case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual, provided, however, that if the communications are in writing and financial remuneration is received in exchange for making the communications, certain notice and opt out conditions are met. While section 13406(a) of the HITECH Act expressly provides that a communication to an individual about a health-related product or service where the covered entity receives payment from a third party in exchange for making the communication shall not be considered a health care operation (emphasis added) under the Privacy Rule, and thus is marketing, it is unclear how Congress intended these provisions to apply to treatment communications between a health care provider and a patient. Specifically, it is unclear whether Congress intended to restrict only those subsidized communications about products and services that are less essential to an individual's health care (i.e., those classified as health care operations communications) or all subsidized communications about products and services, including treatment communications. Given this ambiguity and to avoid undue interference with treatment communications between the individual and a health care provider, we proposed to continue to allow subsidized treatment communications, but conditioned on providing the individual with notice and an opportunity to opt out of receiving such communications. Specifically, to ensure the individual is aware that he or she may receive subsidized treatment communications from his or her provider and has the opportunity to elect not to receive them, the proposed rule would have required at § 164.514(f)(2) that: (1) The covered health care provider's notice of privacy practices include a statement informing individuals that the provider may send treatment communications to the individual concerning treatment alternatives or other health-related products or services where the provider receives financial remuneration from a third party in exchange for making the communication, and the individual has a right to opt out of receiving such communications; and (2) the treatment communication itself disclose the fact of remuneration and provide the individual with a clear and conspicuous opportunity to elect not to receive any further such communications. We requested comment on how the opt out should apply to future subsidized treatment communications (i.e., should the opt out prevent all future subsidized treatment communications by the provider or just those dealing with the particular product or service described in the current communication?). We also requested comment on the workability of requiring health care providers that intend to send subsidized treatment communications to individuals to provide an individual with the opportunity to opt out of receiving such communications prior to the individual receiving the first communication and what mechanisms

could be put into place to implement such a requirement. Given that the new marketing limitations on the receipt of remuneration by a covered entity would apply differently depending on whether a communication is for treatment or health care operations purposes, and that distinguishing such communications may in many cases call for close judgments, we requested comment on the alternatives of excluding treatment communications altogether even if they involve financial remuneration from a third party or requiring individual authorization for both treatment and health care operations communications made in exchange for financial remuneration.

Finally, we proposed to remove the language defining as marketing an arrangement between a covered entity and any other entity in which the covered entity discloses protected health information to the other entity, in exchange for remuneration, for the other entity or its affiliate to make a communication about its own product or service that encourages recipients of the communication to purchase or use that product or service, since such activity would now constitute a prohibited "sale" of protected health information under section 13405(d) of the HITECH Act and the proposed rule.

Overview of Public Comments

Several commenters asked as a general matter that the final rule retain the current definition of "marketing" and that no changes to this provision be implemented. With respect to subsidized treatment communications, many commenters expressed support for the decision in the NPRM to not require authorizations for such communications, and several argued for removing even the opt out requirement. Other commenters believed that all communications in which the covered entity receives financial remuneration for making the communication, regardless of whether the communication is for treatment purposes, should be considered marketing and require authorization. While many commenters were generally in support of not requiring authorization for treatment communications, at the same time, several commenters expressed concern with the difficulty of distinguishing between treatment communications and communications for health care operations purposes. These commenters stated that additional clarification regarding this distinction would be needed to be able to implement the NPRM's marketing provisions. Several commenters stated that while the distinction may be clear in some limited circumstances, there are other circumstances where it may be difficult for covered entities to determine what type of communication they are sending and whether authorization or just disclosure in the notice of privacy practices and the opportunity to opt out would be required. For example, while the NPRM stated that whether a communication is being made for treatment purposes or for health care operations purposes would depend on the extent to which the covered entity is making the communication in a population-based fashion (health care operations) or to further the treatment of a particular individual's health care status or condition (treatment), many commenters stated that there may be circumstances in which a covered entity provides a population-based communication to further the treatment of the health care status or condition of an entire group of individuals. Other commenters suggested that the distinction between communications for treatment and those for health care operations purposes should be made based on the entity providing the communication: If a health care provider is providing the communication, it should be deemed for treatment purposes; however, if the communication is made by a covered entity other than a health care provider, the determination should be based on whether the communication is individual (treatment) or population based (health care operations).

With respect to the subsidized treatment communications, commenters opposed to the opt out notification generally took one of three positions: All such communications should require authorizations to best protect patient privacy; an opt in method would better permit individuals to make more informed choices about whether to receive such communications; or a covered entity should be permitted to make these communications without an opportunity to opt out, because of unintended effects that may adversely affect the quality of care provided. Some commenters asked, if the opt out requirement is retained, that OCR ensure that covered entities are given significant flexibility in determining how best to implement the opt out requirement.

Additionally, the vast majority of commenters did not believe there should be an opportunity to opt out of receiving subsidized treatment communications prior to receipt of the first such communication. The commenters believed that requiring an opportunity to opt out prior to the first communication would be too costly and burdensome for most covered entities. Many also noted that the statement in the notice of privacy practices, which would inform individuals of their option to opt out of receiving subsidized treatment communications, could serve as an opportunity to opt out before the first communication. Some commenters expressed concern even with including a statement in the notice of privacy practices because of the cost associated with modifying notices to do so.

With respect to the scope of the proposed opt out, most commenters believed that the opt out should apply only to subsidized treatment communications related to a specific product or service and should not apply universally to all similar future communications from the covered entity. These commenters stated that it would be difficult for an individual to elect, in a meaningful way, not to receive all future subsidized treatment communications because he or she would not know exactly what he or she is opting out of without receiving at least one communication. Other commenters believed that while a product or service-specific application of the opt out would be ideal, it is simply unrealistic and infeasible for covered entities to be able to implement such a policy. These commenters stated that a universal opt out, which would apply to all future subsidized treatment communications, would be much simpler and easier for covered entities to implement. Additionally, while some commenters believed that individuals should be able to decide whether they want to opt out of specific subsidized treatment communications or all future such communications, most commenters supported giving covered entities the flexibility to determine the scope of this opt out provision based on their own specific capabilities. Many of these commenters also suggested that the final rule permit individuals who have opted out of receiving such communications to opt back in to receive future notices using the same methods through which the individuals had opted out.

The Department also received several comments on the definition of "financial remuneration." Several commenters supported the NPRM's definition of "financial remuneration"; however, many commenters asked for clarification regarding the scope of the definition and the meaning of the phrase "direct or indirect payment." For example, some commenters asked for confirmation that non-financial benefits did not constitute financial

remuneration, while other commenters wanted the exception for refill reminders (that is, the communication is not marketing as long as the financial remuneration does not exceed the related costs of the communication) to apply more broadly to all marketing communications. Additionally, some commenters suggested that the final rule clarify that only financial remuneration in exchange for sending a communication triggers either the authorization or the statement of notice and opt out requirement and not the exchange of financial remuneration for the development or funding for programs, which may include the sending of a communication. These commenters generally suggested that the final rule give covered entities the flexibility to determine whether the financial remuneration received is truly in exchange for making the communication.

We received a great deal of public comment on the exception to the definition of "marketing" for providing refill reminders or to otherwise communicate about a drug or biologic currently being prescribed for the individual where the only financial remuneration received by the covered entity in exchange for making the communication is reasonably related to the covered entity's cost of making the communication. In general, most commenters supported this exception; however, a few commenters disagreed with the exception and felt that refill reminders should be treated as treatment communications requiring a statement in the notice and an opportunity to opt out if the communication is subsidized. Many commenters expressed the need for guidance on the scope of this exception and stated that certain communications should fall into the exception, such as communications about generic alternatives and drug adherence, and communications related to every component of a drug or biologic delivery system (especially where patients must self-administer medication). Some commenters specifically asked that the final rule exclude certain types of communications from this exception. With respect to the proposed cost limitation on the refill reminder exception, while some commenters suggested that the cost be limited to either the actual cost or the fair market value of providing the communication, generally, most commenters supported the position that reasonably related costs should not be limited to actual costs. Many of the commenters in support of a broad interpretation of costs "reasonably related" to providing the communication suggested specific costs that should be permitted under this exception, such as costs of personnel, data storage, data processing, data analysis, data security, software, hardware, employee training, message content development, clinical review, postage, materials, drug adherence program development, formulary development, and the creation and implementation of analytics to measure the effectiveness of the communication. Several commenters noted that it would be unrealistic to expect a covered entity to perform such non-essential functions as sending refill reminders and other related communications if they could not recoup both their direct and indirect costs as well as a modest profit.

Final Rule

The final rule significantly modifies the proposed rule's approach to marketing by requiring authorization for all treatment and health care operations communications where the covered entity receives financial remuneration for making the communications from a third party whose product or service is being marketed. Many of the comments we received in response to the proposed marketing provisions concerned the distinction between communications for treatment and those for health care operations purposes and sought clarification on the line between such communications. We acknowledge that the distinction between what constitutes a treatment versus a health care operations communication may be difficult to make with precision in all cases, placing covered entities at risk for violating the authorization requirement for marketing communications. We, therefore, believe that requiring authorizations for all subsidized communications that market a health related product or service is the best policy. Such a policy will ensure that all such communications are treated as marketing communications, instead of requiring covered entities to have two processes in place based on whether the communication provided to individuals is for a treatment or a health care operations purpose. We decline to retain the Privacy Rule's definition of what constitutes "marketing" unchanged, as suggested by some commenters, as doing so would be inconsistent with the provisions of the Section 13406(a) of the HITECH Act.

Because the final rule treats subsidized treatment communications as marketing communications that require authorization, we have not adopted the notice requirement at proposed § 164.520(b)(1)(iii)(A) that a covered entity's notice of privacy practices include a statement informing individuals that the provider may send treatment communications to the individual concerning treatment alternatives or other health-related products or services where the provider receives financial remuneration from a third party in exchange for making the communication, and the individual has a right to opt out of receiving such communications. We also do not retain the notice requirement that existed at § 164.520(b)(1)(iii) prior to this final rule that a covered entity include in its notice of privacy practices a statement that the covered entity may contact the individual to provide appointment reminders or information about treatment alternatives or other health-related benefits and services that may be of interest to the individual. Where the sending of such communications involves financial remuneration, the individual will be notified of such communications through the authorization process. Other communications for such purposes that do not involve financial remuneration are adequately captured in a covered entity's description in its notice of privacy practices of treatment and health care operations. However, covered entities that wish to continue to include such a specific statement in their notices of privacy practices may do so. For further discussion about the Notice of Privacy Practices, please see the discussion addressing the provisions at § 164.520 below.

We adopt the term "financial remuneration" and its definition as proposed without modification in the final rule. Most commenters were generally satisfied with the proposed use of the term and its definition. There was, however, some confusion among commenters as to what constitutes direct or indirect payment from or on behalf of a third party. We clarify that under this provision direct payment means financial remuneration that flows from the third party whose product or service is being described directly to the covered entity. In contrast, indirect payment means financial remuneration that flows from an entity on behalf of the third party whose product or service is being described to a covered entity. We also clarify that where a business associate (including a subcontractor), as opposed to the covered entity itself, receives financial remuneration from a third party in exchange for making a communication about a product or service, such communication also requires prior authorization from the individual. The HITECH Act at Section 13406(a)(2)(C) provides that a business

associate may make such communications on behalf of a covered entity if consistent with the written contract required by the Privacy Rule between the business associate and covered entity. The Privacy Rule at § 164.504(e)(2)(i) provides that the contract may not authorize the business associate to further use or disclose the protected health information in a manner that would violate the Rule if done by the covered entity (except in two limited circumstances not relevant here). Thus, individual authorization also must be obtained if a business associate is to send these communications instead of the covered entity.

We also confirm, in response to comments, that the term "financial remuneration" does not include non-financial benefits, such as in-kind benefits, provided to a covered entity in exchange for making a communication about a product or service. Rather, financial remuneration includes only payments made in exchange for making such communications. In addition, we continue to emphasize that the financial remuneration a covered entity receives from a third party must be for the purpose of making a communication and such communication must encourage individuals to purchase or use the third party's product or service. If the financial remuneration received by the covered entity is for any purpose other than for making the communication, then this marketing provision does not apply. For example, if a third party provides financial remuneration to a covered entity to implement a program, such as a disease management program, the covered entity could provide individuals with communications about the program without obtaining individual authorization as long as the communications are about the covered entity's program itself. There, the communications would only be encouraging individuals to participate in the covered entity's disease management program and would not be encouraging individuals to use or purchase the third party's product or service.

Under the final rule, for marketing communications that involve financial remuneration, the covered entity must obtain a valid authorization from the individual before using or disclosing protected health information for such purposes, and such authorization must disclose the fact that the covered entity is receiving financial remuneration from a third party. See § 164.508(a)(3). The scope of the authorization need not be limited only to subsidized communications related to a single product or service or the products or services of one third party, but rather may apply more broadly to subsidized communications generally so long as the authorization adequately describes the intended purposes of the requested uses and disclosures (i.e., the scope of the authorization) and otherwise contains the elements and statements of a valid authorization under § 164.508. This includes making clear in the authorization that the individual may revoke the authorization at any time he or she wishes to stop receiving the marketing material.

Because the final rule will treat all subsidized treatment communications as marketing communications for which an authorization is required, the final rule also removes the language at proposed § 164.514(f)(2), which proposed to require that such communications be accompanied by a statement in the notice and an opportunity for the individual to opt out of receiving such communications. We believe that the removal of the notice and opt out requirements for such communications and the addition of the requirement to obtain an authorization will provide covered entities with a more uniform system for treating all remunerated communications. Because the individual must now sign an authorization before the covered entity can make subsidized treatment communications, there is no longer any need to require each such communication to contain a clear and conspicuous opportunity for the individual to elect not to receive any more of these communications. Where the individual signs an authorization to receive such communications, the covered entity may use and disclose the individual's protected health information for the purposes of making such communications unless or until the individual revokes the authorization pursuant to § 164.508(a)(5). If the individual does not authorize the covered entity to use and disclose the individual's protected health information for the purposes of making subsidized treatment communications, then the covered entity is prohibited from doing so.

We clarify that the final rule does nothing to modify the exceptions to the authorization requirement for marketing communications at § 164.508(a)(3)(i)(A) and (B). Therefore, no authorization is required where a covered entity receives financial remuneration from a third party to make a treatment or health care operations communication (or other marketing communication), if the communication is made face-to-face by a covered entity to an individual or consists of a promotional gift of nominal value provided by the covered entity. For example, a health care provider could, in a face to face conversation with the individual, recommend, verbally or by handing the individual written materials such as a pamphlet, that the individual take a specific alternative medication, even if the provider is otherwise paid by a third party to make such communications. However, communications made over the phone (as well as all communications sent through the mail or via email) do not constitute face to face communications, and as such, these communications require individual authorization where the covered entity receives remuneration in exchange for making the communications.

With respect to the exception for refill reminders or to otherwise communicate about a drug or biologic currently being prescribed to the individual, we adopt the exception as proposed. We continue to provide a stand-alone exception for refill reminders, given that the HITECH Act expressly does so. We therefore decline to adopt the suggestions of commenters to consider these communications to specifically be treatment communications (which would have required, under the provisions of the proposed rule, notice and an opportunity to opt out where the covered entity receives financial remuneration), or health care operations communications (which require authorization if financial remuneration is received). Many commenters asked for guidance and clarification regarding the scope of this exception, and we received a wide array of examples of communications that commenters suggested should fall within this exception. At this time, we clarify that we consider communications about the generic equivalent of a drug being prescribed to an individual as well as adherence communications encouraging individuals to take their prescribed medication as directed fall within the scope of this exception. Additionally, we clarify that where an individual is prescribed a self-administered drug or biologic, communications regarding all aspects of a drug delivery system, including, for example, an insulin pump, fall under this exception. With respect to the array of other examples and suggestions provided by commenters as to what should fall within or outside of the exception, we intend to provide future guidance to address these questions.

The proposed rule contained the Act's limitation that the financial

33 5597 Federal Register / Vol. 78, No. 17 / Friday, January 25, 2013 / Rules and Regulations diagnostic tests, such as annual remuneration received in exchange for 3. Business Associates providing a refill reminder or to mammograms, do not constitute a. Section 164.502(a) and (b)—Permitted otherwise communicate about a drug or marketing and thus, do not require and Required Uses and Disclosures and biologic currently being prescribed to individual authorization. Minimum Necessary the individual must be ‘‘reasonable in Second, communications about Before the HITECH Act, the Privacy amount,’’ by providing that such government and government-sponsored Rule did not govern business associates remuneration must be reasonably programs do not fall within the directly. However, section 13404 of the related to the covered entity’s cost of definition of ‘‘marketing’’ as there is no HITECH Act makes specific making the communication for the commercial component to requirements of the Privacy Rule exception from marketing to apply. We communications about benefits through applicable to business associates, and adopt this provision in the final rule. In creates direct liability for public programs. Therefore, a covered response to comments regarding what noncompliance by business associates entity may use and disclose protected types of costs fall within permissible with regard to those Privacy Rule health information to communicate with remuneration, we clarify that we requirements. Specifically, section individuals about eligibility for consider permissible costs for which a 13404(a) of the HITECH Act creates programs, such as Medicare, Medicaid, covered entity may receive direct liability for uses and disclosures or the State Children’s Health Insurance remuneration under this exception are of protected health information by Program (CHIP) without obtaining those which cover only the costs of business associates that do not comply individual authorization. 
labor, supplies, and postage to make the with its business associate contract or communication. Where the financial Response to Other Public Comments other arrangement under the Privacy remuneration a covered entity receives Rule. Additionally, section 13404(a) in exchange for making the Comment: One commenter asked applies the other privacy requirements communication generates a profit or whether it is marketing where an entity of the HITECH Act directly to business includes payment for other costs, such promotes its discounts on covered associates just as they apply to covered financial remuneration would run afoul benefits or member-exclusive value- entities. Section 13404(b) applies the of the Act’s ‘‘reasonable in amount’’ added health products and services by provision of § 164.504(e)(1)(ii) regarding language. Thus, under this final rule, if paying a mailing house that is the health knowledge of a pattern of activity or a pharmacy receives financial practice that constitutes a material plan’s business associate to send its remuneration from a drug manufacturer breach or violation of a contract to written promotional material to health to provide refill reminders to business associates. Finally, section plan members. The commenter stated individuals taking a particular drug that 13404(c) applies the HIPAA civil and that only the mailing house, and not the covers only the pharmacy’s cost of criminal penalties to business covered entity, is paid to send the drafting, printing, and mailing the refill associates. We discuss the modifications communications. reminders, the exception would apply to the Privacy Rule pursuant to and no authorization would be required. Response: Even where a business paragraphs (a) and (b) of section 13404 However, where the drug manufacturer associate of a covered entity, such as a of the HITECH Act below. 
We address also provides the pharmacy with a mailing house, rather than the covered the modifications made to the financial incentive beyond the cost of entity itself, receives the financial Enforcement Rule by section 13404(c) making the communication to remuneration from the entity whose regarding the application of penalties to encourage the pharmacy’s continued product or service is being promoted to violations by business associates above willingness to send such health plan members, the in the discussion of the changes to the communications on behalf of the drug communication is a marketing Enforcement Rule. manufacturer, the exception would not We note that we have not added communication for which prior apply and the pharmacy must obtain references to ‘‘business associate’’ to all authorization is required. As stated individual authorization. We note, provisions of the Privacy Rule that above, under the Privacy Rule, a however, that if a pharmacy provides address uses and disclosures by covered business associate generally may not use refill reminders to individuals only entities. Such additions to the Privacy or disclose protected health information when they visit the pharmacy (in face to Rule are unnecessary, as a business in a manner that would be face encounters), such communications associate generally may only use or impermissible if done by the covered would be permitted under disclose protected health information in entity. We note, however, that non- § 164.508(a)(3)(i)(A) and thus, the same manner as a covered entity. 
financial or in-kind remuneration may authorization would not be required Therefore, any Privacy Rule limitation be received by the covered entity or its even if the pharmacy receives financial on how a covered entity may use or business associate and it would not remuneration above and beyond what is disclose protected health information implicate the new marketing reasonably related to the pharmacy’s automatically extends to a business restrictions. Thus, if the materials cost of making the communication. associate. describing a member-exclusive value- Finally, in addition to the i. Permitted and Required Uses and added health product or service were communications that fall within the Disclosures provided by the entity to the health plan refill reminder exception, two other Proposed Rule or its business associate and no payment types of communications continue to be was made by the entity relating to the exempt from the marketing provisions. We proposed to modify § 164.502(a) mailing or distribution of the materials, First, as explained in the NPRM, of the Privacy Rule containing the the covered entity or its business communications promoting health in general rules for uses and disclosures of associate would be able to provide the general and that do not promote a protected health information to address material to its members without product or service from a particular the permitted and required uses and provider, such as communications disclosures of protected health requiring an authorization. promoting a healthy diet or encouraging information by business associates. individuals to get certain routine First, we proposed to modify VerDate Mar<15>2010 18:57 Jan 24, 2013 Jkt 229001 PO 00000 Frm 00033 Fmt 4701 Sfmt 4700 E:\FR\FM\25JAR2.SGM 25JAR2 sroberts on DSK5SPTVN1PROD with

34 5598 / Vol. 78, No. 17 / Friday, January 25, 2013 / Rules and Regulations Federal Register receives, maintains, or transmits on protected health information apply only § 164.502(a) to provide that a business behalf of a covered entity or another to covered entities, as well as a associate, like a covered entity, may not business associate, or on the type of technical change to § 164.502(a)(2)(ii) to use or disclose protected health entity performing the function or replace the term ‘‘subpart’’ with information except as permitted or service, except to the extent the entity ‘‘subchapter’’ to make clear that a required by the Privacy Rule or the falls within one of the exceptions at covered entity is required to disclose Enforcement Rule. Second, we proposed paragraph 4 of the definition of business protected health information to the to add new provisions at § 164.502(a)(4) associate. First, protected health Secretary as needed to determine and (5) to specify the permitted and information created, received, compliance with any of the HIPAA required uses and disclosures of maintained, or transmitted by a business Rules and not just the Privacy Rule. protected health information by associate may not necessarily include business associates. Overview of Public Comments In accordance with section 13404(a) diagnosis-specific information, such as Several commenters expressed of the HITECH Act, we proposed in information about the treatment of an concern about the increased liability for § 164.502(a)(4) to allow business individual, and may be limited to business associates under the rule and associates to use or disclose protected demographic or other information not requested clarification on when health information only as permitted or indicative of the type of health care business associate liability for required by their business associate services provided to an individual. 
If impermissible uses and disclosures contracts or other arrangements the information is tied to a covered would attach. Several commenters pursuant to § 164.504(e) or as required entity, then it is protected health asked for clarification as to what a by law. Any other use or disclosure information by definition since it is business associate is directly liable for would violate the Privacy Rule. indicative that the individual received under the Privacy Rule, and some Proposed § 164.502(a)(4) also provided health care services or benefits from the expressed specific confusion regarding that a business associate would not be covered entity, and therefore it must be the liability of business associates for permitted to use or disclose protected protected by the business associate in the provision of e-access under the rule. health information in a manner that accordance with the HIPAA Rules and would violate the Privacy Rule if done its business associate agreement. Final Rule by the covered entity, except that the Second, the definition of business The final rule adopts the proposed business associate would be permitted associate is contingent on the fact that modifications to § 164.502(a). The to use or disclose protected health the business associate performs certain provisions specifying a business information for the proper management activities or functions on behalf of, or associate’s permitted and required uses and administration of the business provides certain services to, a covered and disclosures of protected health associate and to provide data entity or another business associate that information are renumbered from aggregation services for the covered involve the use or disclosure of § 164.502(a)(4) and (a)(5), as proposed, entity, as specified at protected health information. 
Therefore, to § 164.502(a)(3) and (a)(4), as § 164.504(e)(2)(i)(A) and (B), if such any person, defined in the HIPAA Rules § 164.502(a)(5) of the final rule now uses and disclosures are permitted by its as a natural person, trust or estate, includes provisions to address business associate contract or other partnership, corporation, professional prohibited uses and disclosures. Section arrangement. association or corporation, or other 164.502(a)(5) is discussed below in the In § 164.502(a)(5), we proposed to entity, public or private, who performs sections describing the prohibitions on require that a business associate these functions or activities or services the sale of protected health information disclose protected health information is a business associate for purposes of and the use or disclosure of genetic either: (1) When required by the the HIPAA Rules, regardless of whether information for underwriting purposes. Secretary under Subpart C of Part 160 to such person has other professional or In response to specific comments investigate or determine the business privilege-based duties or asking for clarification regarding when associate’s compliance with this responsibilities. business associate liability would subchapter; or (2) to the covered entity, Finally, while we understand attach, we provide the following. As we individual, or individual’s designee, as commenters’ concerns about the discussed above, the final rule provides necessary to satisfy a covered entity’s increased liability for business that a business associate is a person who obligations under § 164.524(c)(2)(ii) and associates under the HIPAA Rules, such performs functions or activities on (3)(ii), as modified, with respect to an direct liability for violations of certain behalf of, or certain services for, a individual’s request for an electronic HIPAA provisions is expressly provided covered entity or another business copy of protected health information. for by the HITECH Act. 
associate that involve the use or Section 13405(e) of the HITECH Act In response to comments requesting disclosure of protected health requires covered entities that maintain clarification on with which HIPAA information. The final rule establishes protected health information in an provisions a business associate is that a person becomes a business electronic health record to provide an directly liable for compliance, we associate by definition, not by the act of individual, or the individual’s designee, provide the following. Business contracting with a covered entity or with a copy of such information in an associates are directly liable under the otherwise. Therefore, liability for electronic format, if the individual so HIPAA Rules for impermissible uses 4 impermissible uses and disclosures chooses. We proposed to include a and disclosures, for a failure to provide attaches immediately when a person similar direct requirement on business breach notification to the covered 5 creates, receives, maintains, or transmits associates in § 164.502(a)(5), as section entity, for a failure to provide access to protected health information on behalf 13404(a) of the HITECH Act also applies a copy of electronic protected health of a covered entity or business associate section 13405(e) to business associates. information to either the covered entity, We also proposed a conforming and otherwise meets the definition of a the individual, or the individual’s change to revise the titles of business associate. designee (whichever is specified in the Liability also does not depend on the § 164.502(a)(1) and (a)(2) to make clear 4 type of protected health information that these provisions setting out See § 164.502(a)(3). 5 See § 164.410. that a business associate creates, permitted uses and disclosures of VerDate Mar<15>2010 18:57 Jan 24, 2013 Jkt 229001 PO 00000 Frm 00034 Fmt 4701 Sfmt 4700 E:\FR\FM\25JAR2.SGM 25JAR2 sroberts on DSK5SPTVN1PROD with

35 5599 / Vol. 78, No. 17 / Friday, January 25, 2013 / Rules and Regulations Federal Register 6 § 164.504(e), that the business associate Overview of Public Comments for a business associate agreement), will appropriately safeguard the failure to disclose protected health While the Department received information. We proposed a parallel information where required by the general support for application of the provision in § 164.502(e) that would Secretary to investigate or determine the minimum necessary standard to allow a business associate to disclose business associate’s compliance with requests and uses and disclosures by 7 protected health information to a the HIPAA Rules, for a failure to business associates, several commenters 8 business associate that is a provide an accounting of disclosures, requested clarification on such subcontractor, and to allow the and for a failure to comply with the application. subcontractor to create or receive 9 requirements of the Security Rule. Final Rule protected health information on its Business associates remain behalf, if the business associate obtains The final rule adopts the proposal to contractually liable for other similar satisfactory assurances that the apply the minimum necessary standard requirements of the business associate subcontractor will appropriately directly to business associates when agreement (see below for a discussion of safeguard the information. Consistent using or disclosing protected health the business associate agreement with the proposal with respect to information or when requesting provisions). Security Rule requirements and protected health information from With respect to a business associate’s business associates, we proposed to another covered entity. 
The final rule direct liability for a failure to provide make clear in § 164.502(e) that a covered also makes clear that requests directed access to a copy of electronic protected entity would not be required to obtain to another business associate, in health information, business associates satisfactory assurances from business addition to those directed to another are liable for providing electronic access associates that are subcontractors. covered entity, must also be limited to in accordance with their business Rather, a business associate would be the minimum necessary. Covered associate agreements. Therefore, required to obtain such assurances from entities and business associates business associates may provide a subcontractor. Thus, the proposed disclosing protected health information electronic access directly to individuals provisions would not change the parties in response may reasonably rely on such or their designees, or may provide the to the contracts. For example, a covered requests as requesting the minimum entity may choose to contract with a electronic protected health information necessary for the disclosure. business associate (contractor) to use or How a business associate will apply to the covered entity (which then disclose protected health information on the minimum necessary standard will provides the electronic access to its behalf, the business associate may vary based on the circumstances. As is individuals or their designees). 
As with choose to obtain the services of (and the case today, a business associate many other provisions in the HIPAA exchange protected health information agreement must limit the business Rules, the Department leaves the details with) a subcontractor (subcontractor 1), associate’s uses and disclosures of to the contracting parties, and is and that subcontractor may, in turn, protected health information to be concerned only that access is provided contract with another subcontractor consistent with the covered entity’s to the individual, not with which party (subcontractor 2) for services involving minimum necessary policies and provides the access. protected health information. The procedures. We leave it to the discretion ii. Minimum Necessary contractor and subcontractors 1 and 2 of the parties to determine to what would now be business associates with extent the business associate agreement Proposed Rule direct liability under the HIPAA Rules, will include specific minimum We proposed to modify the minimum and would be required to obtain necessary provisions to ensure a necessary standard at § 164.502(b) to business associate agreements with the business associate’s uses and parties with whom they contract for require that when business associates disclosures and requests for protected services that involve access to protected health information are consistent with use, disclose, or request protected health information. (Note, however, as the covered entity’s minimum necessary health information from another discussed above with respect to the policies and procedures. 
The covered entity, they limit protected definition of ‘‘business associate,’’ direct Department intends to issue future health information to the minimum liability under the HIPAA Rules would guidance on the minimum necessary necessary to accomplish the intended attach regardless of whether the standard in accordance with section purpose of the use, disclosure, or contractor and subcontractors have 13405(b) of the HITECH Act that will request. Applying the minimum entered into the required business consider the specific questions posed by necessary standard is a condition of the associate agreements.) commenters with respect to business permissibility of many uses and associates’ application of the minimum We also proposed to remove disclosures of protected health necessary standard. § 164.502(e)(1)(iii), which provides that information. Thus, a business associate a covered entity that violates the is not making a permitted use or b. Sections 164.502(e) and 164.504(e)— satisfactory assurances it provided as a disclosure under the Privacy Rule if it Business Associate Agreements business associate of another covered does not apply the minimum necessary Proposed Rule entity will be in noncompliance with standard, where appropriate. the Privacy Rule’s business associate Section 164.502(e) permits a covered Additionally, the HITECH Act at section agreement provisions, given that entity to disclose protected health 13405(b) addresses the application of proposed changes to § 164.502 would information to a business associate and minimum necessary and, in accordance now restrict directly the uses and may allow a business associate to create with 13404(a), also applies such disclosures of protected health or receive protected health information requirements to business associates. information by a business associate, on its behalf, if the covered entity including a covered entity acting as a obtains satisfactory assurances, in the 6 See § 164.502(a)(4)(ii). 
business associate, to those uses and form of a written contract or other 7 See § 164.502(a)(4)(i). 8 disclosures permitted by its business written arrangement with the business 76 FR 31426 (May 31, 2011). See 9 associate agreement. associate that meets the requirements of See Subpart C of Part 164. VerDate Mar<15>2010 18:57 Jan 24, 2013 Jkt 229001 PO 00000 Frm 00035 Fmt 4701 Sfmt 4700 E:\FR\FM\25JAR2.SGM 25JAR2 sroberts on DSK5SPTVN1PROD with

36 / Vol. 78, No. 17 / Friday, January 25, 2013 / Rules and Regulations 5600 Federal Register We also proposed to add a new associates with regard to business Finally, as discussed above with respect to the definition of business § 164.504(e)(5) that would apply the associate subcontractors with the associate, we proposed to move the requirements at § 164.504(e)(2) through requirements for covered entities with current exceptions to business associate (e)(4) to the contract or other regard to their business associates. to the definition itself in § 160.103. arrangement between a business We also proposed changes to the Section 164.504(e) contains the associate and its business associate specific business associate agreement specific requirements for business subcontractor as required by provisions at § 164.504(e). First, we associate contracts and other § 164.502(e)(1)(ii) in the same manner as proposed to revise § 164.504(e)(2)(ii)(B) arrangements. We proposed a number of such requirements apply to contracts or through (D) to provide that the contract modifications to § 164.504(e) to other arrangements between a covered will require that: in (B), business implement section 13404 of the HITECH entity and its business associate. 
Thus, associates comply, where applicable, Act and to reflect the Department’s new a business associate would be required with the Security Rule with regard to regulatory authority with respect to by § 164.502(e)(1)(ii) and by this section electronic protected health information; business associates, as well as to reflect to enter into business associate in (C), business associates report a covered entity’s and business agreements or other arrangements that breaches of unsecured protected health associate’s new obligations under comply with the Privacy and Security information to covered entities, as Subpart D of Part 164 of the Privacy Rules with their business associate required by § 164.410; and in (D), in Rule to provide for notification in the subcontractors, in the same manner that accordance with § 164.502(e)(1)(ii), case of breaches of unsecured protected covered entities are required to enter business associates ensure that any health information. into contracts or other arrangements subcontractors that create or receive Section 164.504(e)(1)(ii) provides that with their business associates. protected health information on behalf a covered entity is not in compliance Finally, we proposed a few other of the business associate agree to the with the business associate minor changes. We proposed in same restrictions and conditions that requirements if the covered entity knew § 164.504(e)(3) regarding other apply to the business associate with of a pattern of activity or practice of the arrangements for governmental entities respect to such information. 
These business associate that constituted a to include references to the Security revisions were proposed to align the material breach or violation of the Rule requirements for business requirements for the business associate business associate’s obligation under the associates to avoid having to repeat such agreement with the requirements in the contract or other arrangement, unless provisions in the Security Rule. We also HITECH Act and elsewhere within the the covered entity took reasonable steps proposed to remove the reference to HIPAA Rules. to cure the breach or end the violation, subcontractors in § 164.504(f)(2)(ii)(B) Additionally, we proposed to add a as applicable, and if such steps were (regarding disclosures to plan sponsors) new agreement provision at unsuccessful, terminated the contract or and in § 164.514(e)(4)(ii)(C)(4) § 164.504(e)(2)(ii)(H) (and to renumber arrangement or, if termination is not (regarding data use agreements for the current paragraphs (H) and (I) feasible, reported the problem to the limited data sets) to avoid confusion accordingly) to requires that, to the Secretary. We proposed to remove the since the term ‘‘subcontractor’’ is now a extent the business associate is to carry requirement that covered entities report defined term under the HIPAA Rules out a covered entity’s obligation under to the Secretary when termination of a with a particular meaning that is related this subpart, the business associate must business associate agreement is not to business associates. The proposed comply with the requirements of the feasible. In light of a business associate’s removal of the term was not intended as Privacy Rule that apply to the covered direct liability for civil money penalties a substantive change to the provisions. entity in the performance of such for certain violations of the business obligation. 
This provision would clarify that when a covered entity delegates a responsibility under the Privacy Rule to the business associate, the business associate would be contractually required to comply with the requirements of the Privacy Rule in the same manner as they apply to the covered entity. For example, if a third party administrator, as a business associate of a group health plan, fails to distribute the plan’s notice of privacy practices to participants on a timely basis, the third party administrator would not be directly liable under the HIPAA Rules, but would be contractually liable, for the failure. However, even though the business associate is not directly liable under the HIPAA Rules for failure to provide the notice, the covered entity remains directly liable for failure to provide the individuals with its notice of privacy practices because it is the covered entity’s ultimate responsibility to do so, despite its having hired a business associate to perform the function.

associate agreement and both a covered entity’s and business associate’s obligations under Subpart D to report breaches of unsecured protected health information to the Secretary, we have other mechanisms through which we expect to learn of such breaches and misuses of protected health information by a business associate.

We also proposed to add a new provision at § 164.504(e)(1)(iii) applicable to business associates with respect to subcontractors to mirror the requirements on covered entities at § 164.504(e)(1)(ii) (minus the requirement to report to the Secretary if termination of a contract is not feasible). Thus, a business associate that is aware of noncompliance by its business associate subcontractor would be required to respond to the situation in the same manner as a covered entity that is aware of noncompliance by its business associate. We believe this provision would implement section 13404(b) of the HITECH Act, and would align the requirements for business

Overview of Public Comments

Several commenters expressed confusion regarding the need for business associate agreements, considering the provisions for direct liability from the HITECH Act and in the proposed rule. Many of these commenters suggested that all of the requirements of the Privacy Rule apply to business associates, as is the case with the Security Rule.

A few commenters requested clarification about what constitutes “satisfactory assurances” pursuant to the rule, asking whether, for example, there were expectations on covered entities to ensure that business associates (including subcontractors) have appropriate controls in place besides business associate agreements or whether a covered entity must obtain from a business associate satisfactory assurance that any business associate subcontractors are complying with the Rules. Several commenters requested clarification on the appropriateness of indemnification clauses in business associate agreements.

Finally, several commenters requested that the Department provide a model business associate agreement.

Final Rule

The final rule adopts the proposed modifications to §§ 164.502(e) and 164.504(e). As we discussed above, while section 13404 of the HITECH Act provides that business associates are now directly liable for civil money penalties under the HIPAA Privacy Rule for impermissible uses and disclosures and for the additional HITECH requirements in Subtitle D that are made applicable to covered entities, it does not apply all of the requirements of the Privacy Rule to business associates and thus, the final rule does not. Therefore, business associates are not required to comply with other provisions of the Privacy Rule, such as providing a notice of privacy practices or designating a privacy official, unless the covered entity has chosen to delegate such a responsibility to the business associate, which would then make it a contractual requirement for which contractual liability would attach.

Concerning commenters’ questions about the continued need for business associate agreements given the new direct liability on business associates for compliance, we note that section 13404 of the HITECH Act expressly refers and ties business associate liability to making uses and disclosures in accordance with the uses and disclosures laid out in such agreements, rather than liability for compliance with the Privacy Rule generally. Further, section 13408 of the HITECH Act requires certain data transmission and personal health record vendors to have in place business associate agreements with the covered entities they serve. We also continue to believe that, despite the business associate’s direct liability for certain provisions of the HIPAA Rules, the business associate agreement is necessary to clarify and limit, as appropriate, the permissible uses and disclosures by the business associate, given the relationship between the parties and the activities or services being performed by the business associate. The business associate agreement is also necessary to ensure that the business associate is contractually required to perform certain activities for which direct liability does not attach (such as amending protected health information in accordance with § 164.526). In addition, the agreement represents an opportunity for the parties to clarify their respective responsibilities under the HIPAA Rules, such as by establishing how the business associate should handle a request for access to protected health information that it directly receives from an individual. Finally, the business associate agreement serves to notify the business associate of its status under the HIPAA Rules, so that it is fully aware of its obligations and potential liabilities.

With respect to questions about “satisfactory assurances,” § 164.502(e) provides that covered entities and business associates must obtain and document the “satisfactory assurances” of a business associate through a written contract or other agreement, such as a memorandum of understanding, with the business associate that meets the applicable requirements of § 164.504(e). As discussed above, § 164.504(e) specifies the provisions required in the written agreement between covered entities and business associates, including a requirement that a business associate ensure that any subcontractors agree to the same restrictions and conditions that apply to the business associate by providing similar satisfactory assurances. Beyond the required elements at § 164.504(e), as with any contracting relationship, business associates and covered entities may include other provisions or requirements that dictate and describe their business relationship, and that are outside the governance of the Privacy and Security Rules. These may or may not include additional assurances of compliance or indemnification clauses or other risk-shifting provisions.

We also clarify with respect to the satisfactory assurances to be provided by subcontractors, that the agreement between a business associate and a business associate that is a subcontractor may not permit the subcontractor to use or disclose protected health information in a manner that would not be permissible if done by the business associate. For example, if a business associate agreement between a covered entity and a contractor does not permit the contractor to de-identify protected health information, then the business associate agreement between the contractor and a subcontractor (and the agreement between the subcontractor and another subcontractor) cannot permit the de-identification of protected health information. Such a use may be permissible if done by the covered entity, but is not permitted by the contractor or any subcontractors if it is not permitted by the covered entity’s business associate agreement with the contractor. In short, each agreement in the business associate chain must be as stringent or more stringent as the agreement above with respect to the permissible uses and disclosures.

Finally, in response to the comments requesting a model business associate agreement, we note that the Department has published sample business associate provisions on its web site. The sample language is designed to help covered entities comply with the business associate agreement requirements of the Privacy and Security Rules. However, use of these sample provisions is not required for compliance with the Rules, and the language should be amended as appropriate to reflect actual business arrangements between the covered entity and the business associate (or a business associate and a subcontractor).

Response to Other Public Comments

Comment: Commenters requested guidance on whether a contract that complies with the requirements of the Gramm-Leach-Bliley Act (GLBA) and incorporates the required elements of the HIPAA Rules may satisfy both sets of regulatory requirements. The commenters urged the Department to permit a single agreement rather than requiring business associates and business associate subcontractors to enter into separate GLBA agreements and business associate agreements.

Response: While meeting the requirements of the GLBA does not satisfy the requirements of the HIPAA Rules, covered entities may use one agreement to satisfy the requirements of both the GLBA and the HIPAA Rules.

Comment: A few commenters recommended adding an exception to having a business associate agreement for a person that receives a limited dataset and executes a data use agreement for research, health care operations, or public health purposes.

Response: We have prior guidance that clarifies that if only a limited dataset is released to a business associate for a health care operations purpose, then a data use agreement suffices and a business associate agreement is not necessary. To make this clear in the regulation itself, we are adding to § 164.504(e)(3) a new paragraph (iv) that recognizes that a data use agreement may qualify as a business associate’s satisfactory assurance that it will appropriately safeguard the covered entity’s protected health information when the protected health information disclosed for a health care operations purpose is a limited data set. A similar provision is not necessary or appropriate for disclosures of limited data sets for research or public health purposes since such disclosures would not otherwise require business associate agreements.

Comment: A few commenters requested that the Department delete § 164.504(e)(2)(ii)(H), which provides that to the extent the business associate is to carry out a covered entity’s obligation under the HIPAA Rules, the business associate must comply with the requirements of the HIPAA Rules that apply to the covered entity in the performance of the obligation on behalf of the covered entity. Alternatively, commenters suggested that the Department clarify that the requirements of the section need not be included in business associate agreements and that this section does not limit the ability of covered entities and business associates to negotiate responsibilities with regard to other sections of the Privacy Rule.

Response: The Department declines to delete § 164.504(e)(2)(ii)(H). If a business associate contracts to provide services to the covered entity with regard to fulfilling individual rights or other obligations of the covered entity under the Privacy Rule, then the business associate agreement must require the business associate to fulfill such obligation in accordance with the Privacy Rule’s requirements. We do clarify, however, that if the covered entity does not delegate any of its responsibilities under the Privacy Rule to the business associate, then § 164.504(e)(2)(ii)(H) is not applicable and the parties are not required to include such language.

Comment: One commenter requested that the Department modify § 164.502(a)(4)(i) to permit business associates to use and disclose protected health information for their own health care operations purposes, and another commenter requested that the Department clarify whether § 164.504(e)(4) provides that a business associate may use or disclose protected health information as a covered entity would use or disclose the information.

Response: The Department declines to make the suggested modification. Business associates do not have their own health care operations (see the definition of health care operations at § 164.501, which is limited to activities of the covered entity). While a business associate does not have health care operations, it is permitted by § 164.504(e)(2)(i)(A) to use and disclose protected health information as necessary for its own management and administration if the business associate agreement permits such activities, or to carry out its legal responsibilities. Other than the exceptions for the business associate’s management and administration and for data aggregation services relating to the health care operations of the covered entity, the business associate may not use or disclose protected health information in a manner that would not be permissible if done by the covered entity (even if such a use or disclosure is permitted by the business associate agreement).

Comment: One commenter suggested requiring subcontractors to return or destroy all protected health information received from or created for a business associate when the contract with the business associate is terminated.

Response: The final rule at § 164.504(e)(5) does apply the requirements at § 164.504(e)(2) through (4) (which set forth the requirements for agreements between covered entities and their business associates) to agreements between business associates and their subcontractors. This includes § 164.504(e)(2)(ii)(J), which requires the business associate to return or destroy all protected health information received from, or created or received on behalf of, the covered entity at the termination of the contract, if feasible. When this requirement is applied to the agreement between the business associate and its business associate subcontractor, the effect is a contractual obligation for the business associate subcontractor to similarly return or destroy protected health information at the termination of the contract, if feasible.

Comment: One commenter suggested requiring a business associate to disclose all subcontractors of the business associate to a covered entity within thirty days of the covered entity’s request.

Response: The Department declines to adopt this suggestion as a requirement of the HIPAA Rules, because such a requirement would impose an undue disclosure burden on business associates. However, covered entities and business associates may include additional terms and conditions in their contracts beyond those required by § 164.504.

Comment: One commenter suggested establishing a certification process of business associates and subcontractors with regard to HIPAA compliance.

Response: The Department declines to establish or endorse a certification process for HIPAA compliance for business associates and subcontractors. Business associates and subcontractors are free to enlist the services of outside entities to assess their compliance with the HIPAA Rules and certification may be a useful compliance tool for entities, depending on the rigor of the program. However, certification does not guarantee compliance and therefore “certified” entities may still be subject to enforcement by OCR.

Comment: One commenter requested clarification on when it is not feasible for a business associate to terminate a contract with a subcontractor.

Response: Whether it is feasible for a business associate to terminate an agreement with a business associate subcontractor is a very fact-specific inquiry that must be examined on a case-by-case basis. For example, termination is not feasible for a business associate with regard to a subcontractor relationship where there are no other viable business alternatives for the business associate (when the subcontractor, for example, provides a unique service that is necessary for the business associate’s operations). See our prior guidance on this issue as it applies to covered entities and business associates in Frequently Asked Question #236, available at http://www.hhs.gov/ocr/privacy/hipaa/faq/business_associates/236.html.

c. Section 164.532—Transition Provisions

Proposed Rule

We understand that covered entities and business associates are concerned with the anticipated administrative burden and cost to implement the revised business associate agreement provisions of the Privacy and Security Rules. Covered entities may have existing contracts that are not set to terminate or expire until after the compliance date of the modifications to the Rules, and we understand that a six month compliance period may not provide enough time to reopen and renegotiate all contracts. In response to these concerns, we proposed to relieve some of the burden on covered entities and business associates in complying with the revised business associate provisions by adding a transition provision to grandfather certain existing contracts for a specified period of time. The Department’s authority to add the transition provision is set forth in § 160.104(c), which allows the Secretary to establish the compliance date for any modified standard or implementation specification, taking into account the extent of the modification and the time needed to comply with the modification. The proposed transition period would prevent rushed and hasty changes to thousands of on-going existing business associate agreements. We addressed the issue of the business associate transition provisions as follows.

We proposed new transition provisions at § 164.532(d) and (e) to allow covered entities and business associates (and business associates and business associate subcontractors) to continue to operate under certain existing contracts for up to one year beyond the compliance date of the revisions to the Rules. The additional transition period would be available to a covered entity or business associate if, prior to the publication date of the modified Rules, the covered entity or business associate had an existing contract or other written arrangement with a business associate or subcontractor, respectively, that complied with the prior provisions of the HIPAA Rules and such contract or arrangement was not renewed or modified between the effective date and the compliance date of the modifications to the Rules. The proposed provisions were intended to allow those covered entities and business associates with valid contracts with business associates and subcontractors, respectively, to continue to disclose protected health information to the business associate or subcontractor, or to allow the business associate or subcontractor to continue to create or receive protected health information on behalf of the covered entity or business associate, for up to one year beyond the compliance date of the modifications, regardless of whether the contract meets the applicable contract requirements in the modifications to the Rules. With respect to business associates and subcontractors, the proposal would grandfather existing written agreements between business associates and subcontractors entered into pursuant to § 164.504(e)(2)(ii)(D) (which requires the business associate to ensure that its agents with access to protected health information agree to the same restrictions and conditions that apply to the business associate). The Department proposed to deem such contracts to be compliant with the modifications to the Rules until either the covered entity or business associate has renewed or modified the contract following the compliance date of the modifications, or until the date that is one year after the compliance date, whichever is sooner.

In cases where a contract renews automatically without any change in terms or other action by the parties (also known as “evergreen contracts”), the Department intended that such evergreen contracts would be eligible for the extension and that deemed compliance would not terminate when these contracts automatically rolled over. These transition provisions would have applied to covered entities and business associates only with respect to written contracts or other written arrangements as specified above, and not to oral contracts or other arrangements.

These transition provisions would have only applied to the requirement to amend contracts; they would not affect any other compliance obligations under the HIPAA Rules. For example, beginning on the compliance date of this rule, a business associate may not use or disclose protected health information in a manner that is contrary to the Privacy Rule, even if the business associate’s contract with the covered entity has not yet been amended.

Overview of Public Comments

Many commenters supported the 1-year extended timeframe for compliance with the business associate agreement provisions. Some commenters suggested longer timeframes, citing cost and resource limitations. Some commenters suggested that the Department should deem compliant all business associate agreements that have been renegotiated in good faith to meet the February 2010 effective date of the applicable provisions in the HITECH Act. Some commenters suggested that the Department recognize as compliant business associate agreements with provisions requiring compliance with all applicable laws.

Final Rule

The final rule adopts the proposal, adding new transition provisions at § 164.532(d) and (e) to allow covered entities and business associates (and business associates and business associate subcontractors) to continue to operate under certain existing contracts for up to one year beyond the compliance date of the revisions to the Rules.

We decline to provide a longer time for compliance with the business associate agreement provisions. We provided a similar transition period for revising agreements in the 2002 modifications to the HIPAA Rules, and it was our experience that such time was sufficient to ease burden on the entities and allow most agreements to be modified at the time they would otherwise come up for renewal or renegotiation.

With respect to those business associate agreements that already have been renegotiated in good faith to meet the applicable provisions in the HITECH Act, covered entities should review such agreements to determine whether they meet the final rule’s provisions. If they do not, these covered entities then have the transition period to make whatever additional changes are necessary to conform to the final rule. The transition period is also available to those agreements that require compliance with all applicable laws (to the extent the agreements were otherwise in compliance with the HIPAA Rules prior to this final rule), but that do not fully meet the new requirements in this final rule. However, we do not deem such contracts as compliant beyond the transition period because they would not sufficiently reflect the new requirements.

4. Section 164.508—Uses and Disclosures for Which an Authorization Is Required

a. Sale of Protected Health Information

Proposed Rule

Section 164.508 of the Privacy Rule permits a covered entity to use and disclose protected health information for purposes not otherwise permitted by the Rule if it has obtained a valid written authorization from the individual who is the subject of the information. This section also specifies two circumstances in which authorization from the individual must be obtained: (1) Most uses and disclosures of psychotherapy notes; and (2) uses and disclosures for marketing purposes.

Section 13405(d) of the HITECH Act added a third circumstance that requires authorization, specifically the sale of protected health information. Section 13405(d)(1) prohibits a covered entity or business associate from receiving direct or indirect remuneration in exchange for the disclosure of protected health information unless the covered entity has obtained an individual’s authorization pursuant to § 164.508 that states whether the protected health information can be further exchanged for remuneration by the entity receiving the information.

Section 13405(d)(2) contains several exceptions to the authorization requirement for circumstances where the purpose of the exchange is for: (1) Public health activities, as described at § 164.512(b) of the Privacy Rule; (2) research purposes as described at §§ 164.501 and 164.512(i) of the Rule, if the price charged for the information reflects the cost of preparation and transmittal of the data; (3) treatment of the individual; (4) the sale, transfer, merger or consolidation of all or part of a covered entity and for related due diligence; (5) services rendered by a business associate pursuant to a business associate agreement and at the specific request of the covered entity; (6) providing an individual with access to his or her protected health information pursuant to § 164.524; and (7) other purposes as the Secretary deems necessary and appropriate by regulation.

Section 13405(d)(4) of the Act provides that the prohibition on sale of protected health information applies to disclosures occurring six months after the date of the promulgation of the final regulations implementing this section.

To implement section 13405(d) of the HITECH Act, we proposed to add a general rule at § 164.508(a)(4) requiring a covered entity to obtain an authorization for any disclosure of protected health information in exchange for direct or indirect remuneration from or on behalf of the recipient of the information and to require that the authorization state that the disclosure will result in remuneration to the covered entity. Consistent with the HITECH Act, the NPRM proposed to exclude several disclosures of protected health information made in exchange for remuneration from this general rule. As provided in the Act, these requirements would also apply to business associates of covered entities.

In the NPRM we did not include language at § 164.508(a)(4) to require that the authorization under § 164.508 specify whether the protected health information disclosed by the covered entity for remuneration could be further exchanged for remuneration by the entity receiving the information. The statute refers to obtaining a valid authorization that includes a remuneration statement in accordance with § 164.508. The remuneration statement required by § 164.508 is whether remuneration will be received by the covered entity with respect to the disclosures subject to the authorization. This puts the individual on notice that the disclosure involves remuneration and thus, enables the individual to make an informed decision as to whether to sign the authorization. Thus, we interpreted the statute to mean that the authorization must include a statement that the covered entity is receiving direct or indirect remuneration in exchange for the protected health information. We note that these exact words do not need to be used in the statement. We provide discretion for covered entities to craft appropriate language that reflects, for example, the specific type of remuneration they receive. As we explained in the NPRM, with respect to the recipient of the information, if protected health information is disclosed for remuneration by a covered entity or business associate to another covered entity or business associate in compliance with the authorization requirements at proposed § 164.508(a)(4)(i), the recipient covered entity or business associate could not redisclose the protected health information in exchange for remuneration unless a valid authorization was obtained in accordance with proposed § 164.508(a)(4)(i). We requested comment on these provisions.

At proposed § 164.508(a)(4)(ii), we set forth the exceptions to the authorization requirement. We proposed the exceptions provided for by section 13405(d)(2) of the HITECH Act, and also proposed to exercise the authority granted to the Secretary in section 13405(d)(2)(G) to include additional exceptions that we deemed to be similarly necessary and appropriate. These exceptions are discussed below. We requested comment on whether there were additional exceptions that should be included in the final regulation.

First, we proposed to include an exception to cover exchanges for remuneration for public health activities pursuant to §§ 164.512(b) or 164.514(e). We added the reference to § 164.514(e) of the Privacy Rule to ensure that disclosures of protected health information for public health activities in limited data set form would also be excepted from the authorization requirement, in addition to disclosures that may occur under § 164.512(b) with more identifiable information. With respect to the exception for public health disclosures, section 13405(d)(3)(A) of the HITECH Act requires that the Secretary evaluate the impact on public health activities of restricting this exception to require that the price charged for the data reflects only the costs of preparation and transmittal of the data, including those conducted by or for the use of the Food and Drug Administration (FDA). Section 13405(d)(3)(B) further provides that if the Secretary finds that such further restriction will not impede public health activities, the restriction may then be included in the regulations. We did not propose to include such a restriction on remuneration in the Rule, but requested public comment to assist us in evaluating the impact of doing so.

The NPRM also included an exception for disclosures of protected health information for research purposes, pursuant to §§ 164.512(i) or 164.514(e), in exchange for which the covered entity receives only a reasonable, cost based fee to cover the cost to prepare and transmit the information for research purposes. Like the public health exception, we proposed to add a reference to § 164.514(e) to ensure that this exception would also apply to the disclosure of protected health information in limited data set form for research purposes. We requested public comment on the types of costs that should be permitted under this provision.

We proposed to create an exception from the authorization requirement for disclosures of protected health information for treatment and payment purposes. Though the Act only addressed treatment, we proposed to also except disclosures for payment for health care from the remuneration prohibition to make clear that the exchange of protected health information to obtain “payment,” as such term is defined in the Privacy Rule at § 164.501, would not be considered a sale of protected health information.

Consistent with section 13405(d)(2)(D) of the HITECH Act, we proposed to except from the authorization requirement disclosures described in paragraph (6)(iv) of the definition of health care operations at § 164.501, that is, disclosures for the sale, transfer, merger, or consolidation of all or part of a covered entity, or an entity that following such activity will become a covered entity, and due diligence related to such activity.

We proposed to provide an exception from the authorization requirement for disclosures of protected health information to or by a business associate for activities that the business associate undertakes on behalf of a covered entity pursuant to §§ 164.502(e) and 164.504(e) of the Privacy Rule, as long as the only remuneration provided is by the covered entity to the business associate for the performance of such activities. This exception would exempt from the authorization requirement at § 164.508(a)(4)(i) a disclosure of protected health information by a covered entity to a business associate or by a business associate to a third party on behalf of the covered entity as long as any remuneration received by the business associate was for the activities performed by the business associate pursuant to a business associate contract.

We proposed to except from the authorization requirement disclosures of protected health information by a covered entity to an individual when requested under §§ 164.524 (providing a right to access protected health information) or 164.528 (providing a right to receive an accounting of disclosures). While section 13405(d)(2)(F) of the HITECH Act explicitly refers only to disclosures under § 164.524, we exercised our authority under section 13405(d)(2)(G) of the HITECH Act to likewise include in the exception disclosures to the individual under § 164.528. Section 164.524 permits a covered entity to impose a reasonable, cost-based fee for the provision of access to an individual’s protected health information upon request. Section 164.528 requires a covered entity to provide a requesting individual with an accounting of disclosures without charge in any 12-month period but permits a covered entity to impose a reasonable, cost-based fee for each subsequent request for an accounting of disclosures during that 12-month period. Therefore, a disclosure of protected health information under § 164.528 is similar to a disclosure under § 164.524 in that a covered entity may be paid a fee for making the disclosure.

Pursuant to the authority granted to the Secretary in section 13405(d)(2)(G) of the HITECH Act, we proposed an additional exception for disclosures that are required by law as permitted under § 164.512(a) of the Privacy Rule.

Finally, we proposed an exception, pursuant to the authority granted to the Secretary in section 13405(d)(2)(G), for disclosures of protected health information for any other purpose permitted by and in accordance with the applicable requirements of the Privacy Rule, as long as the only remuneration received by the covered entity is a reasonable, cost based fee to cover the cost to prepare and transmit the protected health information for such purpose or is a fee otherwise expressly permitted by other law. We proposed this exception to ensure that the authorization requirement would not deter covered entities from disclosing

these laws, there is great variation regarding the types of document preparation activities for which a provider can charge as well as the permissible fee schedules for such preparation activities. Some States simply require any reasonable costs incurred by the provider in making copies of the medical records to be paid for by the requesting party, while other States set forth specific cost limitations with respect to retrieval, labor, supplies, and copying costs and allow charges equal to actual mailing or shipping costs. Many of these State laws set different cost limitations based on the amount and type of information to be provided, taking into account whether the information is in paper or electronic form as well as whether the requested material includes x-rays, films, disks, tapes, or other diagnostic imaging. The proposed exception would permit recoupment of fees expressly permitted by these other laws.

Overview of Public Comments

Many commenters asked for clarification on the scope of activities that constitute a “sale of protected health information.” Several of these commenters asked that the final rule include a definition of “sale of protected health information” and argued that the proposed language at § 164.508(a)(4) was too broad and had the potential to capture a number of activities that should not constitute a “sale” of protected health information. Commenters made a variety of suggestions in this regard, including suggesting that a definition of sale should focus on the transfer of ownership of protected health information and thus exclude disclosures pursuant to an access agreement, license, or lease that appropriately limits a recipient’s uses or disclosures of the information; or that a definition of sale should more clearly

study or project. Other commenters expressed concern about the authorization requirements for the sale of protected health information applying to programs for which a covered entity receives funding and, as a condition of that funding, is required to report data, such as under the Medicare and Medicaid incentive payment programs for meaningful users of certified electronic health record technology and certain State grant programs. A few commenters were concerned that the exchange of protected health information through a health information exchange (HIE) that is paid for through fees assessed on HIE participants could be considered sale of protected health information.

Commenters also asked for clarification on the meaning and scope of the term “direct and indirect remuneration,” and some were particularly concerned that “indirect remuneration” meant nonfinancial benefits provided in exchange for protected health information could turn a disclosure into a sale of protected health information. Some commenters stated that prohibiting the receipt of indirect remuneration or nonfinancial benefits may eliminate any incentive for covered entities to participate in certain collaborative research or quality activities, in which covered entities contribute data to a centralized database to create aggregate data sets and in return may receive a number of nonfinancial benefits, such as the ability to use the aggregated information for research or access to quality assurance/quality improvement tools. Certain commenters argued that the term indirect in the statute modifies the “receipt” of remuneration (i.e., that the statute also applies to the situation where the remuneration is provided by a third party on behalf of the recipient of the protected health information) and not the type of remuneration.
capture those disclosures where The public health exception to the protected health information for remuneration is provided in exchange remuneration prohibition received a permissible purposes under the Privacy for protected health information, rather significant amount of support from Rule just because they routinely receive than all disclosures that may involve commenters. Several commenters payment equal to the cost of preparing, remuneration. A number of commenters expressed specific support for the producing, and transmitting the were concerned that fees paid for proposal to expand the exception to also protected health information. We services or programs that involve the apply to disclosures of limited data sets emphasized that this proposed disclosure of protected health for public health purposes. With respect exception would not apply if a covered information but that are not fees to to the request for comment on the entity received remuneration above the purchase the data themselves impact of restricting this exception to actual cost incurred to prepare, produce, nonetheless would turn such disclosure require that the price charged for the and transmit the protected health into a sale of protected health data reflects on the costs of preparing information for the permitted purpose, information. For example, some and transmitting the data, commenters unless such fee is expressly permitted commenters were concerned that the were generally opposed to imposing by other law. disclosure of research results to a As explained in the NPRM, we such a restriction. 
Commenters stated research sponsor would be a sale of recognize that many States have laws in that it may be difficult and burdensome to determine if some of a covered protected health information because place to limit the fees a health care entity’s routine public health reporting the sponsor paid the covered entity for provider can charge to prepare, copy, involve any type of remuneration and its services in conducting the research and transmit medical records. Under VerDate Mar<15>2010 18:57 Jan 24, 2013 Jkt 229001 PO 00000 Frm 00041 Fmt 4701 Sfmt 4700 E:\FR\FM\25JAR2.SGM 25JAR2 sroberts on DSK5SPTVN1PROD with

that a cost-based restriction on remuneration would discourage and impede covered entities from making important public health disclosures. One commenter was opposed to the public health exception altogether, stating that it is a privacy loophole that eliminates consumer control over their protected health information.

Many respondents to the proposed sale prohibition commented on the proposed exception for research. While most commenters supported including an exception for research disclosures, including disclosures of limited data sets for research, many argued that the exception should not be limited to the receipt of a reasonable cost-based fee to prepare and transmit the data as such a fee limitation could impede important research efforts. A number of commenters specifically opposed imposing a fee limitation on the disclosure of limited data sets. If a fee limitation were retained, commenters argued that it should be broadly construed.

The majority of commenters on this issue supported the proposed exceptions to the remuneration prohibition for treatment and health care payment purposes, as necessary so as not to impede these core health care functions. Overall, support was also expressed by those who commented on the exception for the sale, transfer, merger, or consolidation of a covered entity. Further, commenters generally agreed that a covered entity should be permitted to disclose protected health information without individual authorization as required by law, even if remuneration is received in exchange for the disclosure.

Commenters also submitted a number of comments and questions regarding the ability of business associates to receive fees under both the proposed exception specifically for fees paid by a covered entity to a business associate and the general exception that would allow a covered entity to receive a reasonable, cost-based fee to cover the costs to prepare and transmit the data or a fee otherwise expressly permitted by other law for any disclosure permitted by the Privacy Rule. While commenters generally supported these exceptions, commenters were concerned that these exceptions appeared not to cover the common situation where a business associate, rather than the covered entity, receives remuneration from a third party for making a permitted disclosure under the Privacy Rule. For example, a number of commenters stated that covered entities often outsource to release of information (ROI) vendors the processing of requests for copies of medical records from third parties and that these vendors and not the covered entities bill for the reasonable costs of providing the records to the requestors. Commenters asked that the final rule clarify that business associates can continue to receive payment of costs from third parties for providing this service on behalf of covered entities. Another commenter requested that the final rule clarify that the exception for remuneration to a business associate for activities performed on behalf of a covered entity also applies to remuneration received by subcontractors performing services on behalf of business associates.

Finally, several commenters also responded to the proposed rule's request for comment on the general exception at § 164.508(a)(4)(ii)(H) by suggesting costs that they believed should be permitted, including but not limited to costs for: preparing, producing, and transmitting protected health information; retrieval, labor, supplies, and copying costs; personnel and overhead costs; investments and indirect costs; and any costs that are in compliance with State law.

Final Rule

The final rule adopts the HITECH Act's prohibition on the sale of protected health information but makes certain changes to the provisions in the proposed rule to clarify the scope of the provisions and otherwise address certain of commenters' concerns. First, we have moved the general prohibition on the sale of protected health information by a covered entity or business associate to § 164.502(a)(5)(ii) and created a definition of "sale of protected health information." Numerous commenters requested that the Privacy Rule include a definition of sale to better clarify what types of transactions fall within the scope of the provisions. Accordingly, § 164.502(a)(5)(ii)(B)(1) defines "sale of protected health information" to generally mean "a disclosure of protected health information by a covered entity or business associate, if applicable, where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the protected health information in exchange for the protected health information." Section 164.502(a)(5)(ii)(B)(2) then excludes from the definition the various exceptions that were in the proposed rule (discussed further below).

We do not limit a "sale" to those transactions where there is a transfer of ownership of protected health information as some commenters suggested. The HITECH Act does not include such a limitation and the Privacy Rule rights and protections apply to protected health information without regard to ownership interests over the data. Thus, the sale provisions apply to disclosures in exchange for remuneration including those that are the result of access, license, or lease agreements.

In addition, we do not consider sale of protected health information in this provision to encompass payments a covered entity may receive in the form of grants, or contracts or other arrangements to perform programs or activities, such as a research study, because any provision of protected health information to the payer is a byproduct of the service being provided. Thus, the payment by a research sponsor to a covered entity to conduct a research study is not considered a sale of protected health information even if research results that may include protected health information are disclosed to the sponsor in the course of the study. Further, the receipt of a grant or funding from a government agency to conduct a program is not a sale of protected health information, even if, as a condition of receiving the funding, the covered entity is required to report protected health information to the agency for program oversight or other purposes. (Certain of these disclosures would also be exempt from the requirements, depending on whether the requirement to report data was included in regulation or other law.) Similarly, we clarify that the exchange of protected health information through a health information exchange (HIE) that is paid for through fees assessed on HIE participants is not a sale of protected health information; rather the remuneration is for the services provided by the HIE and not for the data itself. (Such disclosures may also be exempt from these provisions under the exception for disclosures to or by a business associate that is being compensated by a covered entity for its services.) In contrast, a sale of protected health information occurs when the covered entity primarily is being compensated to supply data it maintains in its role as a covered entity (or business associate). Thus, such disclosures require the individual's authorization unless they otherwise fall within an exception at § 164.502(a)(5)(ii)(B)(2). For example, a disclosure of protected health information by a covered entity to a third party researcher that is conducting the research in exchange for remuneration would fall within these provisions, unless the only

remuneration received is a reasonable, cost-based fee to cover the cost to prepare and transmit the data for such purposes (see below).

In response to questions by commenters, we also clarify the scope of the term "remuneration." The statute uses the term "remuneration," and not "payment," as it does in the marketing provisions at section 13406(a). Because the statute uses different terms, we do not believe that remuneration as applied to the sale provisions is limited to financial payment in the same way it is so limited in the marketing provisions. Thus, the prohibition on sale of protected health information applies to the receipt of nonfinancial as well as financial benefits. In response to commenters who indicated that the statute's terms "direct and indirect" apply to how the remuneration is received rather than the remuneration itself, we agree and have moved the terms in the definition to further make clear that the provisions prohibit the receipt of remuneration not only from the third party that receives the protected health information but also from another party on behalf of the recipient of the protected health information. However, this does not change the scope of the term "remuneration." As discussed above, we interpret the statute to mean that nonfinancial benefits are included in the prohibition. Thus, a covered entity or business associate may not disclose protected health information in exchange for in kind benefits, unless the disclosure falls within one of the exceptions discussed below. Consider, for example, a covered entity that is offered computers in exchange for disclosing protected health information. The provision of protected health information in exchange for the computers would not be considered a sale of protected health information if the computers were solely used for the purpose of preparing and transmitting protected health information to the person collecting it and were returned when such disclosure was completed. However, if the covered entity is permitted to use the computers for other purposes or to keep the computers even after the disclosures have been made, then the covered entity has received in kind remuneration in exchange for the protected health information above what is needed to make the actual disclosures.

We retain in the final rule the broad exception for disclosures for public health purposes made pursuant to §§ 164.512(b) and 164.514(e). Based on the concerns from the public comment that narrowing the exception could discourage voluntary public health reporting, we do not limit the exception to only those disclosures where all the covered entity receives as remuneration is a cost-based fee to cover the cost to prepare and transmit the data.

With respect to the exception for research disclosures, the final rule adopts the language as proposed, including the cost-based fee limitation provided for in the HITECH Act. Thus, disclosures for research purposes are excepted from the remuneration prohibition to the extent that the only remuneration received by the covered entity or business associate is a reasonable cost-based fee to cover the cost to prepare and transmit the protected health information for such purposes. We do not remove the fee limitation as requested by some commenters; the statutory language included in Section 13405(d)(2)(B) of the HITECH Act clearly states that any remuneration received in exchange for research disclosures must reflect only the cost of preparation and transmittal of the data for such purpose.

In response to comments about the types of costs that are permitted in the reasonable cost-based fee to prepare and transmit the data, we clarify that this may include both direct and indirect costs, including labor, materials, and supplies for generating, storing, retrieving, and transmitting the protected health information; labor and supplies to ensure the protected health information is disclosed in a permissible manner; as well as related capital and overhead costs. However, fees charged to incur a profit from the disclosure of protected health information are not allowed. We believe allowing a profit margin would not be consistent with the language contained in Section 13405 of the HITECH Act. We intend to work with the research community to provide guidance and help the research community reach a common understanding of appropriate cost-based limitations on remuneration.

We retain the exceptions proposed for treatment and payment disclosures without modification and agree with commenters that these exceptions are necessary to make clear that these core health care functions may continue. Similarly, we retain the exception to the remuneration prohibition for disclosures for the transfer, merger, or consolidation of all or part of a covered entity with another covered entity, or an entity that following such activity will become a covered entity, and related due diligence, to ensure that such disclosures may continue to occur in accordance with the Privacy Rule. We retain the proposed exception for disclosures that are otherwise required by law to ensure a covered entity can continue to meet its legal obligations without imposing an authorization requirement. We also retain the exception for disclosures to the individual to provide the individual with access to protected health information or an accounting of disclosures, where the fees charged for doing so are in accord with the Privacy Rule.

We adopt the exceptions for remuneration paid by a covered entity to a business associate for activities performed on behalf of a covered entity, as well as the general exception permitting a covered entity to receive remuneration in the form of a reasonable, cost-based fee to cover the cost to prepare and transmit the protected health information for any disclosure otherwise permitted by the Privacy Rule. However, we make a number of clarifications to address commenters' questions and concerns regarding the ability of a business associate rather than a covered entity to receive the permitted remuneration. First, we add the term "business associate" in the general exception permitting reasonable, cost-based fees to prepare and transmit data (or fees permitted by State laws) to make clear that business associates may continue to recoup fees from third party record requestors for preparing and transmitting records on behalf of a covered entity, to the extent such fees are reasonable, cost-based fees to cover the cost to prepare and transmit the protected health information or otherwise expressly permitted by other law. Second, we clarify in the business associate exception that the exception would also cover remuneration by a business associate to its subcontractor for activities performed by the subcontractor on behalf of the business associate. Finally, we add the term "business associate" to the general prohibition on sale of protected health information for consistency, even though, without the addition, a business associate still would not be permitted to sell protected health information as a business associate may generally only make uses and disclosures of protected health information in manners in which a covered entity would be permitted under the Privacy Rule.

With respect to the types of costs that would be permitted as part of a reasonable, cost-based fee under this provision, we clarify that the final rule permits the same types of costs under this exception as the research exception, as well as costs that are in compliance with a fee schedule provided by State

law or otherwise expressly permitted by other applicable law. Thus, costs may include the direct and indirect costs to prepare and transmit the data, including labor, materials, and supplies, but not a profit margin. We intend to continue to work with interested stakeholders to develop more guidance on direct and indirect costs and on remuneration.

Response to Other Public Comments

Comment: Several commenters suggested that we make clear in the final rule that redisclosures of information by a recipient covered entity or business associate even for remuneration that are set forth in the original authorization are not restricted by this provision. Another commenter argued that the original authorization form should indicate whether the recipient of the protected health information will further exchange the information for remuneration.

Response: It is expected to be the usual case that if a covered entity or business associate that receives protected health information in exchange for remuneration wishes to further disclose that information in exchange for remuneration, then an additional authorization in accordance with § 164.508 must be obtained because such disclosures will not be encompassed by the original authorization. However, it may be possible that redisclosures of information for remuneration by a recipient covered entity or business associate do not require an additional authorization, provided it is sufficiently clear to the individual in the original authorization that the recipient covered entity or business associate will further disclose the individual's protected health information in exchange for remuneration. In response to the commenter that argued that the original authorization form should indicate whether the recipient of the protected health information will further exchange the information for remuneration, as explained above we believe the language included in Section 13405 of the HITECH Act was to alert the individual as to whether the disclosures he or she was authorizing at the time involved remuneration. Where the recipient of protected health information pursuant to an authorization is a third party that is not a covered entity or business associate, we do not have authority to require that entity to disclose to the disclosing covered entity or business associate whether it plans to further exchange the protected health information for remuneration for purposes of including such information on the authorization form. However, covered entities that are informed of such information may include it on the authorization form if they wish to. In any event, the Privacy Rule retains the requirement that an authorization inform the individual of the potential for information disclosed pursuant to the authorization to be subject to redisclosure by the recipient and to no longer be subject to the Privacy Rule.

Comment: Several commenters asked for clarification on the effect the final rule will have on existing research efforts and some suggested that HHS should grandfather in all Privacy Rule authorizations for research obtained under existing law before the effective date of the final rule. These commenters believed addressing current research would be necessary to ensure the rule would not frustrate ongoing research efforts.

Response: We agree that ongoing research studies that are based on a prior permission under the Privacy Rule for the research use or disclosure of protected health information should be grandfathered so as not to disrupt these ongoing studies. We have added a reference to the authorization requirements that apply to the sale of protected health information at § 164.508(a)(4) to make clear that the transition provisions in § 164.532 apply to permissions existing prior to the applicable compliance date of the Rule. Thus, a covered entity may continue to rely on an authorization obtained from an individual prior to the compliance date even if remuneration is involved but the authorization does not indicate that the disclosure is in exchange for remuneration. This would apply to authorizations for any permissible purpose under the Rule and not just for research purposes. Further, in the research context, where a covered entity obtained documentation of a waiver of authorization from an Institutional Review Board or Privacy Board prior to the compliance date for this final rule, the covered entity may continue to rely on that documentation to release protected health information to a researcher, even if the covered entity receives remuneration in the form of more than a reasonable, cost based fee to prepare and transmit the data. Finally, we also provide at new § 164.532(f) that a covered entity may continue to use or disclose a limited data set in accordance with an existing data use agreement that meets the requirements of § 164.514(e), including for research purposes, until the data use agreement is renewed or modified or until one year from the compliance date of this final rule, whichever is earlier, even if such disclosure would otherwise constitute a sale of protected health information upon the effective date of this rule.

Comment: Some commenters were concerned that the sale prohibition would apply to a covered entity's sale of accounts receivable including protected health information to a collection agency, arguing that such disclosures should remain permissible without authorization as a payment disclosure.

Response: Disclosures of protected health information for payment collection activities are permitted without authorization as a payment disclosure under the Privacy Rule (see §§ 164.501 and 164.506(a)) and thus, are excepted from the remuneration prohibition at § 164.502(a)(5)(ii)(B)(2)(iii).

Comment: A few commenters asked that the final rule clarify that transfers of value among entities under common control do not implicate the authorization requirements. Similarly, some commenters sought clarification on whether business transfers on the books for internal reorganization would also be excluded under the transfer, merger, and consolidation exception to the final rule.

Response: First, we clarify that uses of protected health information within a covered entity that is a single legal entity are not implicated by the remuneration prohibition as the prohibition applies only to disclosures outside of a covered entity. Second, the use of protected health information among legally separate covered entities under common ownership or control that have designated themselves as an affiliated covered entity (i.e., a single covered entity for purposes of compliance with the HIPAA Rules) is not implicated. See the requirements for affiliated covered entities at § 164.105(b). Thus, to the extent that what the commenters contemplate is an otherwise permissible use of protected health information within a single legal entity that is a covered entity or an affiliated covered entity, such use of data is not impacted by these provisions. Third, disclosures of protected health information for the sale, transfer, merger, or consolidation of all or part of a covered entity with another covered entity, or with an entity that following such activity will become a covered entity and due diligence related to such activity are excepted from the definition of sale of protected health information at § 164.502(a)(5)(ii)(B)(2)(iv).

Comment: Some commenters expressed concern over the role the

Institutional Review Board will play in determining reasonable costs, and several commenters asked that the final rule clarify that the Institutional Review Board is not responsible for making a determination regarding the permissibility of the fees paid in exchange for a disclosure of protected health information for research purposes.

Response: We clarify that a covered entity, or business associate if applicable, is responsible for determining whether any fees paid to the entity in exchange for protected health information covers the covered entity's or business associate's costs to prepare and transmit protected health information for research.

Comment: A few commenters sought clarification on how to differentiate access to protected health information from access to statistical data, particularly when remuneration is provided for access to a database but the party is solely interested in a population study, not an individual's protected health information.

Response: Disclosures of health information that has been de-identified in accordance with the Privacy Rule at § 164.514(b)–(d) are not subject to the remuneration prohibition as such information is not protected health information under the Rule. However, a covered entity that allows a third party access to a database containing protected health information in exchange for remuneration is subject to these provisions unless an exception applies (e.g., the remuneration received is limited to a reasonable, cost-based fee to prepare and make available the data).

Comment: A number of commenters argued that limited data sets should be exempted entirely from the remuneration prohibition because they are not fully identifiable data sets and are subject to protections under data use agreements.

Response: We decline to completely exempt limited data sets from these provisions as, unlike de-identified data, they are still protected health information. However, disclosures of limited data sets for purposes permitted under the Rule would be exempt from the authorization requirements to the extent the only remuneration received in exchange for the data is a reasonable, cost-based fee to prepare and transmit the data or a fee otherwise expressly permitted by other law. We also provide

the data use agreement is renewed or modified or until one year from the compliance date of this final rule, whichever is earlier, even if such disclosure would otherwise constitute a sale of protected health information upon the effective date of this rule.

b. Research

i. Compound Authorizations

Proposed Rule

Section 164.508(b)(4) of the Privacy Rule prohibits covered entities from conditioning treatment, payment, enrollment in a health plan, or eligibility for benefits on the provision of an authorization. This limitation is intended to ensure that authorization from an individual for a use or disclosure of protected health information is voluntarily provided. However, there are exceptions to this general rule for certain circumstances, including in the research context, where a covered entity may condition the provision of research-related treatment, such as in a clinical trial, on obtaining the individual's authorization for the use or disclosure of protected health information for such research. Permitting the use of protected health information is part of the decision to receive care through a clinical trial, and health care providers conducting such trials are able to condition research-related treatment on the individual's willingness to authorize the use or disclosure of protected health information for research associated with the trial.

Section 164.508(b)(3) generally prohibits what are termed "compound authorizations," i.e., where an authorization for the use and disclosure of protected health information is combined with any other legal permission. However, § 164.508(b)(3)(i) carves out an exception to this general prohibition, permitting the combining of an authorization for a research study with any other written permission for the same study, including another authorization or informed consent to participate in the research. Nonetheless, § 164.508(b)(3)(iii) prohibits combining an authorization that conditions treatment, payment, enrollment in a health plan, or eligibility for benefits (conditioned authorization) with an authorization for another purpose for which treatment, payment, enrollment, or eligibility may not be conditioned (unconditioned authorization).

still receive treatment or other benefits or services by agreeing to the conditioned authorization.

The impact of these authorization requirements and limitations can be seen during clinical trials that are associated with a corollary research activity, such as when protected health information is used or disclosed to create or to contribute to a central research database or repository. For example, § 164.508(b)(3)(iii) prohibits covered entities from obtaining a single authorization for the use or disclosure of protected health information for a research study that includes both treatment as part of a clinical trial and tissue banking of specimens (and associated protected health information) collected, since the individual generally must sign the authorization for the use of his or her protected health information in the clinical trial in order to receive the research-related treatment (conditioned authorization) but whether the individual also signs the tissue banking authorization is completely voluntary and will not affect the individual receiving the research-related treatment (unconditioned authorization). Thus, covered entities must obtain separate authorizations from research participants for a clinical trial that also collects specimens with associated protected health information for a central repository.

As stated in the NPRM, various groups, including researchers and professional organizations, have expressed concern at this lack of integration. A number of persons in the research community have stated that requiring separate forms for these corollary research activities is inconsistent with current practice under the Common Rule (45 CFR Part 46) with respect to obtaining informed consent and creates unnecessary documentation burdens. Persons have also indicated that the multiple authorization forms are potentially confusing to research subjects and/or may dissuade them altogether from participating in a clinical trial, and that redundant information on the forms diverts an individual's attention from other content that describes how and why the personal health information may be used. In light of these concerns, the Secretary's Advisory Committee on Human Research Protections in 2004 (Recommendation V, in a letter to the Secretary of HHS, available at http://
This at new § 164.532(f) that a covered entity www.hhs.gov/ohrp/sachrp/ limitation on certain compound may continue to use or disclose a hipaalettertosecy090104.html ), as well authorizations was intended to help limited data set in accordance with an as the Institute of Medicine in its 2009 Report, ‘‘Beyond the HIPAA Privacy ensure that individuals understand that existing data use agreement that meets Rule: Enhancing Privacy, Improving they may decline the activity described the requirements of § 164.514(e), Health Through Research’’ in the unconditioned authorization yet including for research purposes, until VerDate Mar<15>2010 18:57 Jan 24, 2013 Jkt 229001 PO 00000 Frm 00045 Fmt 4701 Sfmt 4700 E:\FR\FM\25JAR2.SGM 25JAR2 sroberts on DSK5SPTVN1PROD with

46 5610 Federal Register / Vol. 78, No. 17 / Friday, January 25, 2013 / Rules and Regulations as well as for biospecimen banking that activity, including whether to use a (Recommendation II.B.2), made specific also permits future secondary use of the check box with a single signature line, recommendations to allow combined data (to the extent the future use or separate signature lines. Several authorizations for clinical trials and authorization is aligned with the commenters suggested that an opt out biospecimen storage. To address these concerns and discussion in the following section method should be permitted as an streamline the process in the Privacy regarding authorizations for future alternative to an opt in approach. A few commenters opposed the Rule for obtaining an individual’s research). Also, this provision continues proposal to allow compound authorization for research, we proposed to allow for a covered entity to combine authorizations for conditioned and to amend § 164.508(b)(3)(i) and (iii) to such authorizations with informed unconditioned research activities. These allow a covered entity to combine consent documents for the research commenters generally felt that separate conditioned and unconditioned studies. The final rule provides covered authorizations are appropriate and that authorizations for research, provided entities, institutions, and Institutional there is not sufficient evidence to that the authorization clearly Review Boards with flexibility to suggest that combining the forms will be differentiates between the conditioned determine the best approach for clearly beneficial to individuals. 
and unconditioned research The Secretary’s Advisory Committee differentiating the conditioned and components and clearly allows the on Human Research Protections, in its unconditioned research activities and individual the option to opt in to the letter of comment on the Department’s giving research participants the option unconditioned research activities. These NPRM, indicated its support for the to opt in to the unconditioned research provisions would allow covered entities proposal to permit compound activities. We decline to permit a to combine authorizations for the use authorizations for conditioned and combined authorization that only allows and disclosure of protected health unconditioned research activities, and the individual the option to opt out of information for clinical trials and expressed particular appreciation for the the unconditioned research activities related biospecimen banking activities, goal of harmonization with the Common (e.g., ‘‘check here if you do NOT want as well as other scenarios that often Rule. The Secretary’s Advisory your data provided to the biospecimen occur in research studies. Committee on Human Research While we did not propose to alter the bank’’) because an opt out option does Protections also supported flexibility in core elements or required statements not provide individuals with a clear the manner that the conditioned and integral to a valid authorization, we ability to authorize the optional research unconditioned research activities are stated that covered entities would have activity, and may be viewed as coercive differentiated. The Secretary’s Advisory some flexibility with respect to how by individuals. The final rule does not Committee on Human Research they met the authorization remove the requirement that an Protections requested clarification that requirements. 
For example, covered individual affirmatively authorize the the compound authorizations permitted entities could facilitate an individual’s unconditioned research activities; it under this proposal would be understanding of a compound merely provides flexibility to streamline permissible for any type of combined authorization by describing the the authorization process by combining research studies, and not exclusively for unconditioned research activity on a the forms. With respect to the commenters that clinical trials with a biospecimen separate page of a compound believed there is insufficient evidence banking component. authorization and could also cross- that combining conditioned and reference relevant sections of a Final Rule unconditioned research activities into a compound authorization to minimize The final rule adopts the proposal to compound authorization would be the potential for redundant language. In amend § 164.508(b)(3)(i) and (iii) to beneficial, and that such compound addition, a covered entity could use a allow a covered entity to combine authorizations may be confusing for separate check-box for the conditioned and unconditioned patients, as indicated above, there have unconditioned research activity to authorizations for research, provided been anecdotal reports to the signify whether an individual has that the authorization clearly Department that the use of multiple opted-in to the unconditioned research differentiates between the conditioned authorization forms has caused activity, while maintaining one and unconditioned research confusion among research subjects. signature line for the authorization, or components and clearly allows the Further, we note that these alternatively provide a distinct signature individual the option to opt in to the modifications do not remove the line for the unconditioned authorization unconditioned research activities. 
We required elements of an authorization to signal that the individual is intend this provision to allow for the that are necessary to inform the authorizing optional research that will use of compound authorizations for any individual about the study (e.g., not affect research-related treatment. We type of research activities, and not description of the information to be requested comment on additional solely to clinical trials and biospecimen used or disclosed, description of the methods that would clearly differentiate banking, except to the extent the purpose, etc.); they merely introduce to the individual the conditioned and research involves the use or disclosure flexibility to avoid redundant language unconditioned research activities on the of psychotherapy notes. For research that would otherwise be necessary to compound authorization. that involves the use or disclosure of include in the authorizations for the Overview of Public Comments psychotherapy notes, an authorization multiple research activities. In addition, for a use or disclosure of psychotherapy Almost all commenters on this topic these changes are intended to align the notes may only be combined with strongly supported the proposal to allow HIPAA Privacy Rule’s authorization another authorization for a use or combined authorizations for requirements with what has been disclosure of psychotherapy notes. See conditioned and unconditioned common and ongoing practice in terms § 164.508(b)(3)(ii). Thus, aside from the research activities. Many commenters of the informed consent form under the use of psychotherapy notes, combined supported allowing flexibility for Common Rule. 
We note that covered entities are authorizations could be obtained for the institutions to determine how best to permitted but not required by the use of protected health information in a differentiate the unconditioned modifications adopted at clinical trial and optional sub-studies, authorization for the voluntary research VerDate Mar<15>2010 18:57 Jan 24, 2013 Jkt 229001 PO 00000 Frm 00046 Fmt 4701 Sfmt 4700 E:\FR\FM\25JAR2.SGM 25JAR2 sroberts on DSK5SPTVN1PROD with

47 / Vol. 78, No. 17 / Friday, January 25, 2013 / Rules and Regulations 5611 Federal Register certain of the research activities potential research participants before § 164.508(b)(3)(i) and (iii) to create they are asked to sign the authorization/ compound authorizations for identified in the authorization, or the consent document (unless the conditioned and unconditioned entire authorization must be treated as authorization form itself includes the research activities. Previously approved, revoked. Further, such revocations must required elements). Finally, in such ongoing studies may continue to rely on be maintained and documented in a cases, a covered entity must keep not the separate authorization forms that manner that will ensure uses and only the signed authorization/consent were obtained under the prior disclosures of protected health form, but also a copy of the brochure or provisions. For new studies, covered information for the activity to which the information sheet, in order to be in entities and researchers may continue to revocation applies discontinue, except compliance with the documentation use separate authorizations for to the extent the covered entity has requirements at § 164.530(j). conditioned and unconditioned already acted in reliance on the Comment: The Secretary’s Advisory research activities, or may transition to authorization, which would permit Committee on Human Research compound authorizations as they deem certain limited, continued use and Protections requested confirmation that appropriate, which can be used disclosure, such as necessary to the compound authorization proposal beginning on the effective date of this maintain the integrity of the research would not affect the waiver provisions rule. study. currently existing in the Privacy Rule, Response to Other Public Comments ii. 
Authorizing Future Research Use or such that such provisions could be Disclosure The Secretary’s Advisory Comment: used, if appropriate, for new studies Committee on Human Research distinct from both the original study and Prior Interpretation Protections asked whether the following the banking activity. Research often involves obtaining approaches for distinguishing between Response: The new compound health information and biological conditioned and unconditioned authorization provision does not affect specimens to create a research database research activities would be acceptable: the waiver of authorization provisions or repository for future research. For Using (1) a combined consent/ in the Privacy Rule. A covered entity example, this frequently occurs where authorization form for a clinical trial may continue to use or disclose clinical trials are paired with corollary and optional banking component, with protected health information for research activities, such as the creation a check-box for the individual to have research purposes based on of a research database or repository the choice to opt in to the optional documentation that meets the where information and specimens banking component, and one signature; requirements at § 164.512(i), indicating obtained from a research participant (2) a combined consent/authorization that an Institutional Review Board or during the trial are transferred and form for a clinical trial and optional Privacy Board has waived the obtaining maintained for future research. 
It is our banking component, with one signature of individual authorization for such understanding that Institutional Review for the clinical trial and another purposes, based on a determination that Boards in some cases may approve an signature to indicate the individual (1) the use or disclosure of protected informed consent document for a agrees to the optional banking health information involves no more clinical trial that also asks research component; and (3) a combined than a minimal risk to the privacy of participants to permit future research on consent/authorization form for a clinical individuals; (2) the research could not their identifiable information or trial and optional banking component, practicably be conducted without the specimens obtained during the course of with a check box for the individual to waiver; and (3) the research could not the trial. It is also our understanding have the choice to opt in to the banking practicably be conducted without access that an Institutional Review Board may component, and one signature, but with to and use of the protected health in some cases review an informed detailed information about the banking information. consent for a prior clinical trial to Comment: The Secretary’s Advisory component presented in a separate determine whether a subsequent Committee on Human Research brochure or information sheet that is research use is encompassed within the Protections requested clarification on referenced directly in the consent/ original consent. the effect of revoking only one part of authorization form. The Department has previously Response: Covered entities and a compound authorization. 
For interpreted the Privacy Rule, however, researchers have flexibility in the example, if an individual signs a to require that authorizations for methods used to distinguish the combined authorization for conditioned research be study specific for purposes conditioned and unconditioned and unconditioned research activities of complying with the Rule’s research activities and to provide the and later specifically revokes only the requirement at § 164.508(c)(1)(iv) that individual with a clear opportunity to unconditioned research activity (e.g., an authorization must include a opt in to the unconditioned portion, and the banking component), then the description of each purpose of the all of the above approaches would be covered entity may continue to act in requested use or disclosure. See 67 FR acceptable provided, with respect to the reliance on the authorization for the 53182, 53226, Aug. 14, 2002. In part, the third approach, that the brochure or conditioned component (e.g., the Department’s interpretation was based information sheet is incorporated by clinical trial). on a concern that patients could lack Where it is clear that an Response: reference into the authorization/consent necessary information in the individual is revoking only one part of form such that it is considered to be part authorization to make an informed a compound authorization, such of the form (even if not physically decision about the future research. In revocation does not equate to a attached to the form). In addition, if the addition, it was recognized that not all revocation of the entire authorization to brochure or information sheet includes uses and disclosures of protected health include the other studies. 
However, required elements of the authorization information for a future research where it is not clear exactly to which (or informed consent), and purpose would require a covered entity research activities the individual’s authorization/consent has not been to re-contact the individual to obtain revocation applies, written clarification altered by an Institutional Review another authorization (e.g., uses or must be obtained from the individual in Board, then the brochure or information disclosures with a waiver of order for the revocation to apply only to sheet must be made available to VerDate Mar<15>2010 18:57 Jan 24, 2013 Jkt 229001 PO 00000 Frm 00047 Fmt 4701 Sfmt 4700 E:\FR\FM\25JAR2.SGM 25JAR2 sroberts on DSK5SPTVN1PROD with

48 5612 Federal Register / Vol. 78, No. 17 / Friday, January 25, 2013 / Rules and Regulations Common Rule standards but also FDA with respect to future downstream authorization from an Institutional standards for informed consent. They research studies. Review Board or Privacy Board as indicated that the authorization should provided under § 164.512(i) or of a Overview of Public Comments be reasonably specific such that limited data set pursuant to a data use Almost all commenters on this topic individuals are aware of the types of agreement under § 164.514(e) for the supported the proposal to allow research that may be conducted. future research purpose). authorizations for future research. Many However, the Secretary’s Advisory Subsequent to issuing this commenters indicated this flexibility to Committee on Human Research interpretation, the Department heard be important, particularly considering Protections emphasized the need for concerns from covered entities and evolving technologies and discoveries. flexibility to rely on Institutional researchers that the Department’s About half of these commenters Review Board judgment and interpretation encumbers secondary specifically advocated for providing recommended against requiring research, and limits an individual’s investigators and Institutional Review prescribed statements about certain ability to agree to the use or disclosure Boards with the maximum flexibility to types of ‘‘sensitive’’ research, since of their protected health information for determine the appropriateness of the these concepts change over time and future research. In addition, many descriptions for future research and felt requiring prescribed authorization commenters noted that the Department’s that this would best align with the statements may conflict with interpretation limiting the scope of a Common Rule. 
These commenters were Institutional Review Boards’ judgments HIPAA authorization for research thus against requiring specific about how to appropriately describe the appeared to diverge from the current statements in the Privacy Rule about the research in the informed consent. practice under the Common Rule with future research, including for sensitive respect to the ability of a researcher to Modified Interpretation research. Other commenters were in seek subjects’ informed consent to favor of requiring the additional We modify the prior Departmental future research so long as the future statements about sensitive categories of interpretation that research research uses are described in sufficient research, stating that this would better authorizations must be study specific. detail to allow an informed consent. inform individuals and give them This modification does not make any These commenters, as well as the greater choice in determining their changes to the authorization Secretary’s Advisory Committee on willingness to participate in certain requirements at § 164.508. A HIPAA Human Research Protections in 2004 types of future research. A couple of authorization for future research must (Recommendation IV, in a letter to the these commenters recommended still address each of the core elements http:// Secretary of HHS, available at working with National Committee on and statements required at § 164.508(c). 
www.hhs.gov/ohrp/sachrp/ Vital and Health Statistics on the However, the Department no longer ) and the hipaalettertosecy090104.html categories of sensitive research, however interprets the ‘‘purpose’’ provision at Institute of Medicine in its 2009 Report no further examples of specific types of § 164.508(c)(1)(iv) as requiring that an entitled ‘‘Beyond the HIPAA Privacy research were given beyond the authorization for the use or disclosure of Rule: Enhancing Privacy, Improving examples provided in the proposed rule protected health information for Health Through Research’’ (genetic analyses or mental health research purposes be study specific. In (Recommendation II.B.1), had urged the research). Several commenters order to satisfy the requirement that an Department to allow the HIPAA specifically advised against requiring authorization include a description of authorization to permit future research specific statements for sensitive each purpose of the requested use or use and disclosure of protected health research, citing concerns of variability disclosure, an authorization for uses and information. in what is considered sensitive disclosures of protected health Given these concerns, the Department information and practicality challenges information for future research purposes explained in the NPRM that it was due to the changing nature of the must adequately describe such purposes considering a number of options concept over time. such that it would be reasonable for the regarding authorizations for future A few commenters opposed the individual to expect that his or her research, including whether the Privacy proposal to allow authorizations for protected health information could be Rule should: permit an authorization for future research altogether. Some of these used or disclosed for such future uses and disclosures of protected health commenters felt strongly that study- research. 
This could include specific information for future research purposes specific authorizations are critical to statements with respect to sensitive to the extent such purposes are protect patients, and are the only way research to the extent such research is adequately described in the that individuals can make a truly contemplated. However, we do not authorization such that it would be informed decision. These commenters prescribe specific statements in the reasonable for the individual to expect suggested that outreach to patients and Rule. We agree that it is difficult to that his or her protected health potential research participants to solicit define what is sensitive and that this information could be used or disclosed concept changes over time. We also feedback, as well as a study on the for such future research; or permit an agree with commenters that this potential burdens that enhanced authorization for future research but approach best harmonizes with practice authorizations may have on require certain specific elements or under the Common Rule regarding stakeholders, were necessary before any statements with respect to the future informed consent for future research, changes were made. In its comment letter on the NPRM, research, particularly where the future and allows covered entities, researchers the Secretary’s Advisory Committee on research may encompass certain types and Institutional Review Boards to have Human Research Protections supported of sensitive research activities, such as flexibility in determining what adequately describes a future research the proposal to harmonize HIPAA research involving genetic analyses or purpose depending on the authorizations with the Common Rule mental health research, that may alter circumstances. We have consulted with informed consent requirements, and an individual’s willingness to Office for Human Research Protections also requested consultation with the participate in the research. 
We (OHRP) and the FDA on this approach FDA to ensure that authorizations for requested comment on these options to ensure consistency and future research align not only with the and on how a revocation would operate VerDate Mar<15>2010 18:57 Jan 24, 2013 Jkt 229001 PO 00000 Frm 00048 Fmt 4701 Sfmt 4700 E:\FR\FM\25JAR2.SGM 25JAR2 sroberts on DSK5SPTVN1PROD with

49 5613 Federal Register / Vol. 78, No. 17 / Friday, January 25, 2013 / Rules and Regulations understanding/special/research/ research, so long as it is reasonable from harmonization with the HHS and FDA (see, e.g., the fact sheet index.html such description to believe that the human subjects protections regulations, entitled, ‘‘Health Services Research and individual would expect his or her where appropriate. With respect to commenters that the HIPAA Privacy Rule’’). The protected health information to be stated it is impossible for individuals to Department may issue additional shared with such persons for the future be truly informed about future research, guidance in the future with respect to research. The Secretary’s Advisory Comment: we note that we are aligning with revocation policies in the context of Committee on Human Research existing practice under the Common authorizations that specify, and under Protections requested that the Rule in regard to informed consent and which protected health information has Department allow for grandfathering of still require that all required elements of been disclosed for, future research uses. In response to the Secretary’s existing, ongoing studies that involve authorization be included in an Advisory Committee on Human the possibility of future/secondary authorization for future research, even if Research Protections recommendation, research, if an Institutional Review they are to be described in a more we also clarify that while the Privacy Board-approved consent reasonably general manner than is done for specific Rule requires that a revocation of informed the individuals of the future studies. Pursuant to this modified authorization from an individual be in research. 
In these situations, researchers interpretation, covered entities that writing, uses and disclosures pursuant would have needed to obtain a study- wish to obtain individual authorization to an authorization are permissive and specific authorization or waiver of for the use or disclosure of protected not required, and thus, a covered entity authorization before commencing the health information for future research may cease using or disclosing protected future/secondary research that was may do so at any time after the effective health information pursuant to an encompassed in the original informed date of this final rule. Alternatively, authorization based on an individual’s consent. Response: Covered entities and covered entities may continue to use oral request if it chooses to do so. researchers may rely on an Institutional only study-specific authorizations for 5. Protected Health Information About Review Board-approved consent research if they choose. Decedents obtained prior to the effective date of Response to Other Public Comments a. Section 164.502(f)—Period of this final rule that reasonably informed Comment: The Secretary’s Advisory Protection for Decedent Information individuals of the future research, Committee on Human Research provided the informed consent was Proposed Rule Protections requested flexibility combined with a HIPAA authorization Section 164.502(f) requires covered regarding the description in the (even though the authorization itself entities to protect the privacy of a authorization of the information to be was specific to the original study or decedent’s protected health information used or disclosed for future research as creation and maintenance of a generally in the same manner and to the well as to whom the covered entity may repository). 
make the requested use or disclosure as there may be some uncertainty of the identity of future researchers. The Secretary’s Advisory Committee on Human Research Protections also suggested that the description of information to be collected be allowed to reference information beyond the time of the original study, for example “your future medical records [at Hospital]” or “your future medical records [relating to diseases/conditions].”

Response: Covered entities and researchers have flexibility to describe the information to be used or disclosed for the future research, so long as it is reasonable from such description to believe that the individual would expect the information to be used or disclosed for the future research. We also clarify that a description of the protected health information to be used for the future research may include information collected beyond the time of the original study. Further, the Privacy Rule authorization requirements allow a “class of persons” to be described for purposes of identifying in the authorization the recipients of the protected health information. Thus, covered entities and researchers have flexibility in the manner in which they describe the recipients of the protected health information for the future

Comment: One commenter advocated for the use of time-limited authorizations for future research.

Response: This modification in Departmental interpretation does not change the requirement at § 164.508(c)(1)(v), which states that an authorization must contain an expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. This statement may be a specific time limit, or be “end of the research study,” “none,” or similar language for a research study.

Comment: Several commenters suggested that revocation of authorizations should continue to be permitted in the same manner that it is currently allowed under the Privacy Rule. The Secretary’s Advisory Committee on Human Research Protections recommended that revocations of authorization for future research be permitted orally, rather than in writing, as is currently required for all authorizations under §§ 164.508(b)(5) and (c)(2)(i) of the Rule.

Response: Covered entities may continue to rely on existing guidance regarding how revocations of authorizations operate in the research context. Such guidance is published in several materials available at http://www.hhs.gov/ocr/privacy/hipaa/

same extent that is required for the protected health information of living individuals. Thus, if an authorization is required for a particular use or disclosure of protected health information, a covered entity may use or disclose a decedent’s protected health information in that situation only if the covered entity obtains an authorization from the decedent’s personal representative. The personal representative for a decedent is the executor, administrator, or other person who has authority under applicable law to act on behalf of the decedent or the decedent’s estate.

The Department heard a number of concerns since the publication of the Privacy Rule that it can be difficult to locate a personal representative to authorize the use or disclosure of the decedent’s protected health information, particularly after an estate is closed. Furthermore, archivists, biographers, and historians had expressed frustration regarding the lack of access to ancient or old records of historical value held by covered entities, even when there are likely few surviving individuals concerned with the privacy of such information. Archives and libraries may hold medical records, as well as correspondence files, physician diaries and casebooks, and photograph collections containing fragments of

identifiable health information, that are centuries old. Currently, to the extent such information is maintained by a covered entity, it is subject to the Privacy Rule.

Accordingly, we proposed to amend § 164.502(f) to require a covered entity to comply with the requirements of the Privacy Rule with regard to the protected health information of a deceased individual for a period of 50 years following the date of death. We also proposed to modify the definition of “protected health information” at § 160.103 to make clear that the individually identifiable health information of a person who has been deceased for more than 50 years is not protected health information under the Privacy Rule. We proposed 50 years to balance the privacy interests of living relatives or other affected individuals with a relationship to the decedent, with the difficulty of obtaining authorizations from personal representatives as time passes. A 50-year period of protection had also been suggested at a National Committee for Vital and Health Statistics (the public advisory committee which advises the Secretary on the implementation of the Administrative Simplification provisions of HIPAA, among other issues) meeting, at which committee members heard testimony from archivists regarding the problems associated with applying the Privacy Rule to very old records. See http://ncvhs.hhs.gov/050111mn.htm. We requested public comment on the appropriateness of this time period.

Overview of Public Comments

The majority of public comment on this proposal was in favor of limiting the period of protection for decedent health information to 50 years past the date of death. Some of these commenters specifically cited the potential benefits to research. A few commenters stated that the 50-year period was too long and should be shortened to, for example, 25 years. Some supporters of limiting privacy protection for decedent information indicated that the date of death is often difficult to determine, and thus suggested an alternative time period (e.g., 75, 100, 120, 125 years) starting from the last date in the medical record, if the date of death is unknown.

Some commenters were opposed to limiting the period of protection for decedent health information due to the continued privacy interests of living relatives as well as the decedent, particularly when highly sensitive information is involved, including HIV/AIDS status, or psychiatric or substance abuse treatment. A couple of commenters recommended that there should be no time limit on the protection of psychotherapy notes. One commenter expressed concern that this modification may encourage covered entities to retain records that they would not have otherwise in order to profit from the data after the 50-year period. One commenter suggested that the period of protection should be extended to 100 years, if protections are to be limited at all. A few commenters were opposed to the 50-year period of protection because they interpreted this provision to be a proposed record retention requirement.

Final Rule

After considering the public comments, the final rule adopts the proposal. We believe 50 years is an appropriate period of protection for decedent health information, taking into account the remaining privacy interests of living individuals after the span of approximately two generations have passed, and the difficulty of obtaining authorizations from a personal representative of a decedent as the same amount of time passes. For the same reason, we decline to shorten the period of protection as suggested by some commenters or to adopt a 100-year period of protection for decedent information. We also believe the 50-year period of protection to be long enough so as not to provide an incentive for covered entities to change their record retention policies in order to profit from the data about a decedent once 50 years has elapsed.

With respect to commenters’ concerns regarding protected health information about decedents that is sensitive, such as HIV/AIDS, substance abuse, or mental health information, or that involves psychotherapy notes, we emphasize that the 50-year period of protection for decedent health information under the Privacy Rule does not override or interfere with State or other laws that provide greater protection for such information, or the professional responsibilities of mental health or other providers. Covered entities may continue to provide privacy protections to decedent information beyond the 50-year period, and may be required to do so under other applicable laws or as part of their professional responsibility. Alternatively, covered entities may choose to destroy decedent information although other applicable law may prescribe or limit such destruction.

We also decline to limit protections under the Privacy Rule to a certain period beyond the last date in the medical record. While we appreciate the challenges that may be present in determining the date of death of an individual in cases in which it is not sufficiently clear from the age of the record whether the individual is deceased, we believe that this determination is necessary in closer cases to protect the individual, as well as living relatives and others, who may be affected by disclosure of the information. Further, as we stated in the NPRM, this modification has no impact on a covered entity’s disclosures permitted under other provisions of the Privacy Rule. For example, a covered entity is permitted to disclose protected health information of decedents for research that is solely on the information of decedents in accordance with § 164.512(i)(1)(iii), without regard to how long the individual has been deceased.

Finally, we clarify that the 50-year period of protection is not a record retention requirement. The HIPAA Privacy Rule does not include medical record retention requirements and covered entities may destroy such records at the time permitted by State or other applicable law. (We note that covered entities are subject to the accounting requirements at § 164.528 and, thus, would need to retain or record certain information regarding their disclosures of protected health information.) However, if a covered entity does maintain decedent health information for longer than 50 years following the date of death of the individual, this information will no longer be subject to the Privacy Rule.

b. Section 164.510(b)—Disclosures About a Decedent to Family Members and Others Involved in Care

Proposed Rule

Section 164.510(b) describes how a covered entity may use or disclose protected health information to persons, such as family members or others, who are involved in an individual’s care or payment related to the individual’s health care. The Department had received a number of questions about the scope of the section, specifically with regard to disclosing protected health information when the individual who is the subject of the information was deceased. We had additionally heard concerns that family members, relatives, and others, many of whom may have had access to the health information of the deceased individual prior to death, have had difficulty obtaining access to such information after the death of the individual, because many do not qualify as a

“personal representative” of the decedent under the Privacy Rule at § 164.502(g)(4).

As such, we proposed to amend § 164.510(b) to add a new paragraph (5), which would permit covered entities to disclose a decedent’s information to family members and others who were involved in the care or payment for care of the decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the individual that is known to the covered entity. We emphasized that these modifications would not change the authority of a decedent’s personal representative with regard to the decedent’s protected health information. Thus, a personal representative would continue to have a right to access the decedent’s protected health information relevant to such personal representation, and have authority to authorize uses and disclosures of the decedent’s protected health information that are not otherwise permitted or required by the Privacy Rule. We requested comment on any unintended consequences that this proposed disclosure provision might cause.

Overview of Public Comments

Most commenters supported the proposal to permit disclosures to family members and others involved in the care or payment for care of the decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the individual that is known to the covered entity. These commenters felt that such permissive disclosures would help facilitate important and appropriate communications with family members and others who had been involved in the individual’s care or payment for health care prior to the individual’s death but who may not rise to the level of personal representative. Some commenters stated that the provision recognizes the legitimate interest that family members may have in a decedent’s health information as it affects their own health care.

A few commenters opposed the proposal to expressly permit communications with family members and other persons who had been involved with the individual’s care or payment for care prior to death. Two commenters felt it would be a large burden on covered entities to determine the legitimacy of a requestor as a family member or individual involved in the care or payment for care. One commenter questioned the need for family members to have access to decedent health information and the likelihood of anyone other than the personal representative to have been meaningfully involved in the care or payment for care of the decedent.

Final Rule

The final rule adopts the proposal to amend § 164.510(b) to permit covered entities to disclose a decedent’s protected health information to family members and others who were involved in the care or payment for care of the decedent prior to death, unless doing so is inconsistent with any prior expressed preference of the individual that is known to the covered entity. Subject to the specified conditions, disclosures may be made under this provision to family members, as well as to other persons provided the covered entity has reasonable assurance the individual prior to death was involved in the individual’s care or payment for care. Depending on the circumstances, this could include disclosures to spouses, parents, children, domestic partners, other relatives, or friends of a decedent. As with similar disclosures concerning living individuals under § 164.510(b)(1)(i), this provision does not generally apply to disclosures to health care providers, health plans, public health authorities, law enforcement officials, and others whose access to protected health information is governed by other provisions of the Privacy Rule.

In response to commenters who opposed this provision, we believe the provision strikes the appropriate balance in allowing communications with family members and other persons who were involved in the individual’s care or payment for care prior to death, unless doing so is inconsistent with the prior expressed wishes of the individual. This will ensure family members and others can find out about the circumstances surrounding the death of their loved ones, unless the individual prior to his or her death objected to the covered entity making such communications. Further, the Privacy Rule limits such disclosures, similar to the other disclosures permitted under § 164.510(b), to the protected health information relevant to the family member or other person’s involvement in the individual’s health care or payment for health care. For example, a covered health care provider could describe the circumstances that led to an individual’s passing with the decedent’s sister who is asking about her sibling’s death. In addition, a covered health care provider could disclose billing information to a family member of a decedent who is assisting with wrapping up the decedent’s estate. However, in both of these cases, the provider generally should not share information about past, unrelated medical problems. Finally, these disclosures are permitted and not required, and thus, a covered entity that questions the relationship of the person to the decedent or otherwise believes, based on the circumstances, that disclosure of the decedent’s protected health information would not be appropriate, is not required to make the disclosure.

Response to Other Public Comments

Comment: Commenters requested guidance on what it means for a person to have been “involved in the care” of the decedent prior to death. One commenter suggested including language in the final rule that would put the burden of proof of “involvement in the individual’s care” on the requestor and not the covered entity, and would hold the covered entity harmless when disclosing decedent information in good faith in accordance with this new permission.

Response: We interpret this phrase in the same manner as we have with respect to disclosures of protected health information of living individuals under § 164.510(b). See the Department’s existing guidance at http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/provider_ffg.pdf. We decline to include language in the final rule placing the burden of proof on the requestor to demonstrate they were involved in the individual’s care. In some cases, it will be readily apparent to the covered entity that a person is a family member or was involved in the individual’s care prior to death because the person would have made themselves known to the covered entity prior to the individual’s death by either visiting with or inquiring about the individual, or the individual would have identified such person as being involved in their care or payment for care to a member of the covered entity’s workforce. In other cases, the covered entity need just have reasonable assurance that the person is a family member of the decedent or other person who was involved in the individual’s care or payment for care prior to death. For example, the person may indicate to the covered entity how he or she is related to the decedent or offer sufficient details about the decedent’s circumstances prior to death to indicate involvement in the decedent’s care prior to death. As stated above, a covered entity that is uncomfortable disclosing protected health information under this provision because of questions about the person’s

relationship to the decedent is not required to do so.

Comment: Several commenters requested and offered suggested clarifications on the scope of the terms “personal representative” and “family member.”

Response: The Privacy Rule already identifies the persons who qualify as a personal representative of a decedent at § 164.502(g)(4). Further, this final rule includes a definition of “family member” at § 160.103.

Comment: A few commenters suggested extending this provision to allow disclosures to the decedent’s health care “proxy,” “medical power of attorney,” “power of attorney,” and “estate executor.”

Response: We decline to expand the provision as suggested. Under the Privacy Rule, a person with authority under applicable law to act on behalf of the decedent or the decedent’s estate is the personal representative of the decedent. Thus, certain of these persons, such as the executor of the estate, already have a right of access to the decedent’s protected health information. In cases where a person does not rise to the level of a personal representative, the final rule at § 164.510(b) permits, subject to any prior expressed preference of the individual, a covered entity to disclose relevant protected health information of the decedent to family members of the decedent or persons who otherwise were involved in the individual’s care or payment for care prior to the individual’s death, which may include persons who held a health care proxy for the individual or a medical power of attorney.

6. Section 164.512(b)—Disclosure of Student Immunizations to Schools

Proposed Rule

The Privacy Rule, at § 164.512(b), recognizes that covered entities must balance protecting the privacy of health information with sharing health information with those responsible for ensuring public health and safety, and permits covered entities to disclose the minimum necessary protected health information to public health authorities or other designated persons or entities without an authorization for public health purposes specified by the Rule. Schools play an important role in preventing the spread of communicable diseases among students by ensuring that students entering classes have been immunized. Most States have “school entry laws” which prohibit a child from attending school unless the school has proof that the child has been appropriately immunized. Some States allow a child to enter school provisionally for a certain period of time while the school waits for the necessary immunization information. Typically, schools ensure compliance with those requirements by requesting the immunization records from parents (rather than directly from a health care provider). However, where a covered health care provider is requested to send the immunization records directly to a school, the Privacy Rule generally requires written authorization by the child’s parent before a covered health care provider may do so.

Since the Privacy Rule went into effect, we had heard concerns that the requirement for covered entities to obtain authorization before disclosing student immunization information may make it more difficult for parents to provide, and for schools to obtain, the necessary immunization documentation for students, which may prevent students’ admittance to school. The National Committee on Vital and Health Statistics submitted these concerns to the HHS Secretary and recommended that HHS regard disclosure of immunization records to schools to be a public health disclosure, thus eliminating the requirement for authorization. See http://www.ncvhs.hhs.gov/04061712.html. As such, we proposed to amend § 164.512(b)(1) by adding a new paragraph that permits covered entities to disclose proof of immunization to schools in States that have school entry or similar laws.[10] While written authorization that complies with § 164.508 would no longer have been required for disclosure of such information under the proposal, the covered entity would still have been required to obtain agreement, which may have been oral, from a parent, guardian or other person acting in loco parentis for the individual, or from the individual him- or herself, if the individual is an adult or emancipated minor. Because the proposed provision would have permitted a provider to accept a parent’s oral agreement to disclose immunization results to a school—as opposed to a written agreement—the NPRM acknowledged a potential for a miscommunication and later objection by the parent. We, therefore, requested comment on whether the Privacy Rule should require that a provider document any oral agreement under this provision to help avoid such problems, or whether a requirement for written documentation would be overly cumbersome, on balance. We also requested comment on whether the rule should mandate that the disclosures go to a particular school official and if so, who that should be.

In addition, the Privacy Rule does not define the term “school” and the types of schools subject to the school entry laws may vary by State. For example, depending on the State, such laws may apply to public and private elementary or primary schools and secondary schools (kindergarten through 12th grade), as well as daycare and preschool facilities, and post-secondary institutions. Thus, we requested comment on the scope of the term “school” for the purposes of this section and whether we should include a specific definition of “school” within the regulation itself. In addition, we requested comment on the extent to which schools that may not be subject to these school entry laws but that may also require proof of immunization have experienced problems that would warrant their being included in this category of public health disclosures.

Overview of Public Comments

Most commenters were generally in favor of permitting covered entities to disclose student immunization records based on obtaining agreement, which may be oral, from a parent, guardian or other person acting in loco parentis for the individual, or from the individual himself or herself, if the individual is an adult or emancipated minor, rather than written authorization. Commenters supported the intent to facilitate the transmission of immunization records to ease the burden on parents, schools and covered entities, and to minimize the amount of school missed by students.

Some commenters opposed the proposal to require oral or written agreement, claiming that a new form of “agreement” would introduce unnecessary complexity and confusion, and would not help to reduce burden. These commenters asserted that covered entities would document the verbal agreements for their own liability purposes, even if not required by the Privacy Rule. In this manner, the documentation burden would still be

[10] We note that once a student’s immunization records are obtained and maintained by an educational institution or agency to which the Family Educational Rights and Privacy Act (FERPA) applies, the records are protected by FERPA, rather than the HIPAA Privacy Rule. See paragraphs (2)(i) and (2)(ii) of the definition of “protected health information” at § 160.103, which exclude from coverage under the Privacy Rule student records protected by FERPA. In addition, for more information on the intersection of FERPA and HIPAA, readers are encouraged to consult the Joint HHS/ED Guidance on the Application of FERPA and HIPAA to Student Health Records, available at http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hipaaferpajointguide.pdf.

present. Some commenters recommended that instead of an oral agreement or authorization requirement, disclosure of immunization records to schools should be considered an exempt public health disclosure. A small minority of commenters felt that the current authorization system should be maintained as it is the best way to ensure patient safety and privacy while avoiding miscommunications and misunderstandings.

Commenters were divided on the issue of requiring written documentation of the agreement. Some commenters were in favor of documenting oral agreements, citing that the documentation would be less cumbersome than obtaining written authorizations while also helping to avoid miscommunications. On the other hand, some commenters felt that requiring written documentation would be burdensome and would eliminate the benefits introduced by permitting oral agreements. Some commenters also requested flexibility for covered entities to determine whether or not written documentation is appropriate and necessary for their purposes.

The majority of commenters requested that a designated recipient of the student immunization records not be defined, and that schools be allowed flexibility to identify the appropriate individual(s) that can act as the school official permitted to receive the records. Commenters indicated that while the disclosures would ideally be made to a nurse or licensed health professional at the school, such a health professional may not always be present. In such instances, it should be permissible that the immunization records be disclosed to another official designated by the school as a suitable representative. One commenter recommended that the school nurse be designated as the recipient and custodian of the records.

Most commenters recommended that the definition of “school” be interpreted broadly in order to best support public health efforts. Commenters provided suggestions on the types of schools that should be included, for example, K–12 schools, public and private schools, and post-secondary schools. Many commenters also suggested that daycare, preschool and nursery school facilities be encompassed in the definition of school. One commenter expressly recommended that child care facilities or day care programs not be included in the definition of school, despite acknowledging the need to protect the health of these children, due to the fact that many States have different laws for these settings and are separate from school systems. Two commenters suggested defining schools as being open to children up to age 18, since students become adults at age 18 and can authorize the disclosure of their own information. A few commenters suggested that the definition include all schools that require immunization documentation as a prerequisite to enrollment, not just those that are subject to State entry laws, in order to protect public health in all school settings, since the threat of un-immunized children exists regardless of State school entry laws. Additionally, some commenters recommended that the term “school” not be defined in the Privacy Rule due to the variation across States in the types of schools that are subject to the entry laws.

Final Rule

The final rule adopts the proposal to amend § 164.512(b)(1) by adding a new paragraph that permits a covered entity to disclose proof of immunization to a school where State or other law requires the school to have such information prior to admitting the student. While written authorization will no longer be required to permit this disclosure, covered entities will still be required to obtain agreement, which may be oral, from a parent, guardian or other person acting in loco parentis for the individual, or from the individual himself or herself, if the individual is an adult or emancipated minor. We believe that the option to provide oral agreement for the disclosure of student immunization records will relieve burden on parents, schools, and covered entities, and greatly facilitate the role that schools play in public health, while still giving parents the opportunity to consider whether to agree to the disclosure of this information.

The final rule additionally requires that covered entities document the agreement obtained under this provision. The final rule does not prescribe the nature of the documentation and does not require signature by the parent, allowing covered entities the flexibility to determine what is appropriate for their purposes. The documentation must only make clear that agreement was obtained as permitted under this provision. For example, if a parent or guardian submits a written or email request to a covered entity to disclose his or her child’s immunization records to the child’s school, a copy of the request would suffice as documentation of the agreement. Likewise, if a parent or guardian calls the covered entity and requests over the phone that his or her child’s immunization records be disclosed to the child’s school, a notation in the child’s medical record or elsewhere of the phone call would suffice as documentation of the agreement. We emphasize that the agreement is not equivalent to a HIPAA-compliant authorization, and covered entities are not required to document a signature as part of this requirement. We disagree with comments that documentation would be as burdensome on covered entities as written authorization, since an authorization form contains many required statements and elements, including a signature by the appropriate individual, which are not required for the agreement and documentation contemplated here. Furthermore, we believe that documentation of oral agreements will help to prevent miscommunications and potential future objections by parents or individuals, and the concerns that covered entities may have regarding liability, penalty or other enforcement actions for disclosures made pursuant to an oral agreement.

Several commenters recommended that in lieu of an oral agreement, disclosure of immunization records to schools are presumed to be permitted, while giving individuals the option to opt out of this presumption or request a restriction to the disclosure. One commenter advocated for this public health exemption for disclosure of immunization records as being particularly critical for children who may be, for example, homeless, living with someone other than a parent or legal guardian, or living with a parent that does not speak English. We remove the written authorization requirement to help facilitate these disclosures with as much flexibility as possible. However, we do not intend this provision to change the current practice of parents, guardians, or other persons acting in loco parentis contacting a child’s health care provider to request proof of immunization be sent to the child’s school. Therefore, we still require active agreement from the appropriate individual, and a health care provider may not disclose immunization records to a school under this provision without such agreement. The agreement must be an affirmative assent or request by a parent, guardian, or other person acting in loco parentis (or by an adult individual or emancipated minor, if applicable) to the covered entity, which may be oral and over the phone, to allow the disclosure of the immunization records. A mere request by a school to a health care provider for the immunization records of a student would not be sufficient to permit disclosure under this provision (and

such a request by a school might also raise implications under other laws, such as FERPA).

We decline to include definitions of “school official” and “school” in the final rule. The motivation for this new permissive disclosure is to promote public health by reducing the burden associated with providing schools with student immunization records and we do not wish to create additional difficulties or confusion in doing so. We therefore agree with commenters that schools are best equipped to determine the appropriate individual to receive student immunization records at their location and will benefit from having this flexibility. We also agree with commenters that “school” should remain undefined in the Privacy Rule due to the variation across States in the types of schools that are subject to the entry laws. We believe that this will best align with State law and cause the least amount of confusion. We did not receive sufficient comment regarding the breadth of schools that are not subject to school entry laws or the burden that these institutions face to justify expanding this provision to allow disclosure of proof of immunization to such schools without an authorization.

Response to Other Public Comments

Comment: Several commenters raised concerns about the dynamic between the Privacy Rule requirements and State law requirements regarding immunization disclosures. Commenters indicated that some State laws require providers to directly share immunization records with schools and provide parents with the opportunity to opt out of this direct sharing. Commenters also indicated the use of State immunization registries in many States, to which schools are permitted direct access. One commenter suggested that the Privacy Rule permit State law to determine what is the minimum necessary for proof of immunization.

State laws that permit but do not require covered entities to disclose immunization records to schools, this does not meet the requirements of the provisions at § 164.512(a), and disclosures of immunization records are subject to the Privacy Rule agreement and documentation requirements described in this part. We also note that the Privacy Rule at § 164.512(b) permits a covered entity to disclose protected health information for public health activities. Disclosures of protected health information to State immunization registries are therefore permitted by the Privacy Rule and also do not require authorization. The Privacy Rule at § 164.514(d)(3)(iii)(A) provides that a covered entity, when making a permitted disclosure pursuant to § 164.512 to a public official, may determine, if such a determination is reasonable under the circumstances, that information requested by a public official is the minimum necessary information for the stated purpose, if the public official represents that the information requested is the minimum necessary for the stated purpose(s). Under this provision, a covered entity may rely on State law or a State official’s determination of the minimum necessary information required for proof of immunization, unless such determination is unreasonable.

Comment: Commenters requested guidance on when and how often to obtain agreement for immunization disclosures.

Response: We anticipate that covered entities will obtain agreement for the disclosure of immunization records on a case-by-case basis as needed. For example, a parent may call and request that a covered entity provide his or her child’s immunization records before the child begins elementary school, if required by State school entry laws. If that child moves to a different school and is unable to transfer their

Response: An agreement to permit the disclosure of immunization records is considered effective until revoked by the parent, guardian or other person acting in loco parentis for the individual, or by the individual himself or herself, if the individual is an adult or emancipated minor.

Comment: Commenters requested clarification regarding any requirement for schools to maintain the immunization records.

Response: The Privacy Rule does not require schools to keep student immunization records; however individual State or other laws may require this.

7. Section 164.514(f)—Fundraising

Proposed Rule

Section 164.514(f)(1) of the Privacy Rule permits a covered entity to use, or disclose to a business associate or an institutionally related foundation, the following protected health information about an individual for the covered entity’s fundraising from that individual without the individual’s authorization: (1) Demographic information relating to an individual; and (2) the dates of health care provided to an individual. Section 164.514(f)(2) of the Privacy Rule requires a covered entity that plans to use or disclose protected health information for fundraising under this paragraph to inform individuals in its notice of privacy practices that it may contact them to raise funds for the covered entity. In addition, § 164.514(f)(2) requires that a covered entity include in any fundraising materials it sends to an individual a description of how the individual may opt out of receiving future fundraising communications and that a covered entity must make reasonable efforts to ensure that individuals who do opt out are not sent future fundraising communications.

Section 13406(b) of the HITECH Act
immunization records to the new Response: We take this opportunity to requires the Secretary to provide by rule school, the parent may need to request clarify that the Privacy Rule at that a covered entity provide the that the covered entity provide his or § 164.512(a) permits a covered entity to recipient of any fundraising her child’s immunization records to the use or disclose protected health communication with a clear and new school, if required by State school information to the extent that such use conspicuous opportunity to opt out of entry laws. A parent might also or disclosure is required by law and the receiving any further fundraising generally indicate to a covered entity use or disclosure complies with and is communications. Additionally, section that he or she affirmatively agrees to the limited to the relevant requirements of 13406(b) states that if an individual immediate or future disclosure of his or such law. As such, the Privacy Rule does opt out of receiving further her child’s immunization records to the does not prohibit immunization fundraising communications, the child’s school as necessary, or the disclosures that are mandated by State individual’s choice to opt out must be continued disclosure of such law, nor does it require authorization for treated as a revocation of authorization information if, for example, updates are such disclosures. With regard to State under § 164.508 of the Privacy Rule. required by the school when a series of In the NPRM, we proposed a number laws that require covered entities to vaccinations have been completed. of changes to the Privacy Rule’s disclose immunization records to fundraising requirements to implement Commenters requested Comment: schools and allow parents to opt out, the statutory provisions. First, we clarification on the length of time an this is not in any way prohibited by the proposed to strengthen the opt out by agreement may be relied upon. Privacy Rule. 
However, with regard to VerDate Mar<15>2010 18:57 Jan 24, 2013 Jkt 229001 PO 00000 Frm 00054 Fmt 4701 Sfmt 4700 E:\FR\FM\25JAR2.SGM 25JAR2 sroberts on DSK5SPTVN1PROD with

55 5619 Federal Register / Vol. 78, No. 17 / Friday, January 25, 2013 / Rules and Regulations http://www.ncvhs.hhs.gov/ should allow a similar method, short of requiring that a covered entity provide, . 040902lt1.htm the individual signing an authorization, with each fundraising communication In light of these concerns and the by which an individual who has sent to an individual under these prior recommendation of the National previously opted out can put his or her provisions, a clear and conspicuous Committee on Vital and Health name back on an institution’s opportunity for the individual to elect Statistics, we asked for public comment fundraising list. not to receive further fundraising on whether and how the current We proposed to retain the communications. To satisfy this restriction on what information may be requirement that a covered entity that requirement, we also proposed to used and disclosed should be modified intends to contact the individual to raise require that the method for an to allow covered entities to more funds under these provisions include a individual to elect not to receive further effectively target fundraising and avoid statement to that effect in its notice of fundraising communications may not inappropriate solicitations to privacy practices. However, we cause the individual to incur an undue individuals, as well as to reduce the proposed that the required statement burden or more than nominal cost. We need to send solicitations to all patients. also inform individuals that they have a encouraged covered entities to consider In particular, we solicited comment on: right to opt out of receiving such the use of a toll-free phone number, an (1) Whether the Privacy Rule should communications. 
email address, or similar opt out In addition to the above allow additional categories of protected mechanism that would provide modifications, we requested public health information to be used or individuals with a simple, quick, and comment on the requirement at disclosed for fundraising, such as inexpensive way to opt out of receiving § 164.514(f)(1) which limits the department of service or similar future communications. We noted that information a covered entity may use or information, and if so, what those we considered requiring individuals to disclose for fundraising to demographic categories should be; (2) the adequacy of write a letter to opt out to constitute an information about and dates of health the minimum necessary standard to undue burden on the individual. care service provided to an individual. appropriately limit the amount of We also proposed to provide that a Since the promulgation of the Privacy protected health information that may covered entity may not condition Rule, we acknowledged that certain be used or disclosed for fundraising treatment or payment on an individual’s covered entities have raised concerns purposes; or (3) whether the current choice with respect to receiving regarding this limitation, maintaining limitation should remain unchanged. fundraising communications. 
We that the Privacy Rule’s prohibition on We also solicited comment on whether, believed this modification would the use or disclosure of certain if additional information is permitted to implement the language in section treatment information without an be used or disclosed for fundraising 13406(b) of the HITECH Act that authorization, such as the department of absent an authorization, covered entities provides that an election by an service where care was received and should be required to provide individual not to receive further outcomes information, impedes their individuals with an opportunity to opt fundraising communications shall be ability to raise funds from often willing out of receiving any fundraising treated as a revocation of authorization and grateful patients because they are communications before making the first under the Privacy Rule. unable to target their fundraising efforts Further, we proposed to provide that fundraising solicitation, in addition to and avoid inappropriate solicitations to a covered entity may not send the opportunity to opt out with every individuals who may have had a bad fundraising communications to an subsequent communication. We invited treatment outcome. Such entities have individual who has elected not to public comment on whether such a pre- argued that obtaining an individual’s receive such communications. This solicitation opt out would be workable authorization for fundraising as the would strengthen the current for covered entities and individuals and individual enters or leaves the hospital requirement at § 164.514(f)(2)(iii) that a what mechanisms could be put into for treatment is often impracticable or covered entity make ‘‘reasonable place to implement the requirement. inappropriate. 
The proposed rule also efforts’’ to ensure that those individuals Overview of Public Comments discussed the fact that the National who have opted out of receiving In general, the public comments Committee on Vital and Health fundraising communications are not received in response to the NPRM were Statistics held a hearing and heard sent such communications. The NPRM supportive of the proposed public testimony on this issue in July proposed stronger language to make modifications but many asked that the 2004 and recommended to the Secretary clear the expectation that covered final rule give covered entities that the Privacy Rule should allow entities abide by an individual’s flexibility with respect to covered entities to use or disclose decision not to receive fundraising operationalizing these requirements. information related to the patient’s communications, as well as to make the Several commenters provided examples department of service (broad fundraising opt out operate more like a of routine communications and designations, such as surgery or revocation of authorization, consistent expressed the need for guidance and oncology, but not narrower designations with the statutory language and clarification about what constitutes a or information relating to diagnosis or legislative history of section 13406(b) of fundraising communication. treating physician) for fundraising the HITECH Act discussed above. Generally, most commenters With respect to the operation of the activities without patient authorization. 
supported the NPRM’s proposed opt out, we requested comment The National Committee on Vital and requirement that the method through regarding to what fundraising Health Statistics also recommended that which the covered entity permits communications the opt out should a covered entity’s notice of privacy individuals to opt out of receiving apply (i.e., should the opt out apply to practices inform patients that their future fundraising communications not all future fundraising communications department of service information may cause individuals to incur an undue or should and can the opt out be be used in fundraising, and that patients burden or more than a nominal cost. structured in a way to apply only to the should be afforded the opportunity to Many commenters stated that the final opt out of the use of their department particular fundraising campaign rule should give covered entities the of service information for fundraising or described in the letter). We also flexibility to determine which opt out all fundraising contacts altogether. See requested comment on whether the Rule VerDate Mar<15>2010 18:57 Jan 24, 2013 Jkt 229001 PO 00000 Frm 00055 Fmt 4701 Sfmt 4700 E:\FR\FM\25JAR2.SGM 25JAR2 sroberts on DSK5SPTVN1PROD with

56 5620 Federal Register / Vol. 78, No. 17 / Friday, January 25, 2013 / Rules and Regulations individual was a pediatric or adult policy. Several commenters stated that methods will work best given their patient, medical record number, Social there are lag times between the period circumstances, instead of requiring all Security number, or other unique of time in which a fundraising mailing covered entities to employ specific opt identifier, and any other information list is compiled and the time in which out methods. These commenters noted that reflects the fact that the individual a fundraising communication is sent that depending on the size of the was served by the covered entity. out, so if an individual has opted out covered entity and type of population it With respect to the minimum during the interim time period, covered serves, certain opt out methods might necessary standard, a few commenters entities may not be able to prevent the not be feasible, such as one that requires supported its use to limit any additional prepared fundraising communication the establishment of a toll-free number, categories of protected health from being sent. Other commenters which may be cost prohibitive for some information that can be used to target a stated that it may be difficult to small entities. Similarly, some covered entity’s fundraising efforts. implement an opt out across all records commenters noted that because not all These commenters supported the use of belonging to that individual where individuals have access to a computer the standard because of how familiar complications, such as name changes and the Internet, providing individuals and comfortable most covered entities and variation, address changes, and with the opportunity to opt out via are at applying the minimum necessary multiple addresses are involved. email alone may not be sufficient. standard. 
However, another commenter For those individuals who have opted With respect to the scope of the opt was opposed to the use of the minimum out of receiving fundraising out, the commenters were generally necessary standard, stating that it is not communications, commenters generally split on whether the opt out should uniformly applied across covered supported allowing those individuals to apply to communications related to a entities. opt back in to receiving such specific fundraising campaign or to all Despite the general support for the communications. Some suggested that future fundraising communications. The use of additional protected health individuals be able to opt back in using commenters in support of applying the information, a small minority of the same methods they used to opt out, opt out to a specific fundraising commenters opposed allowing the use while others suggested that any campaign stated that it would be too of additional protected health communication indicating a willingness difficult for individuals to make a information to target fundraising efforts, to resume receiving fundraising meaningful decision about whether they citing privacy concerns with doing so. communications, such as making a wanted to opt out of all future One commenter opposed expanding the donation to the covered entity, should fundraising communications, and information that could be used for function as an opt in. Other commenters allowing individuals to opt out of all fundraising in cases where outside suggested that the final rule limit the futurefundraising communications fundraising entities are used, including amount of time that an individual can would greatly hinder a covered entity’s those with whom the covered entity has opt out, such that after this period of ability to raise funds. Those commenters executed business associate agreements. 
time the individual automatically begins in favor of implementing an all or All commenters were opposed to receiving fundraising communications nothing opt out stated that it would be requiring covered entities to provide a again. A few commenters were opposed too difficult for covered entities, pre-solicitation opt out to individuals to permitting individuals to opt back in especially large facilities, to track and stated that permitting individuals to to receive fundraising communications, campaign-specific opt outs for each opt out in the first fundraising stating that this would be too costly and individual, so applying the opt out communication is sufficient. Several burdensome for covered entities to universally would make it much easier commenters noted that the proposed track. for covered entities to implement. Other With respect to the requests for public revision to the notice of privacy commenters asked that the final rule comments regarding the potential use or practices to require a covered entity to take a flexible approach and permit disclosure of additional protected health inform individuals of their right to opt covered entities to decide the scope of information to provide more targeted out of receiving fundraising the opt out, while others stated that the fundraising communications, the vast communications effectively functions as final rule should require covered majority of commenters supported entities to include both opt out options a pre-solicitation opt out, so individuals allowing the use or disclosure of on each fundraising communication who wish to opt out of receiving such additional protected health information leaving the decision to individuals. communications immediately can do so for fundraising. These commenters Additionally, while most commenters upon receipt of the notice. 
stated that the use of additional supported the prohibition on Final Rule protected health information would conditioning treatment or payment on We generally adopt the proposals in streamline their fundraising efforts and an individual’s choice regarding the the final rule, as well as allow certain ensure that individuals were sent receipt of fundraising communications, additional types of protected health communications about campaigns that most commenters opposed the NPRM’s information to be used or disclosed for would be meaningful to their proposal that prohibited covered fundraising purposes. experiences. These commenters also entities from sending future fundraising With respect to the commenters who stated that it would eliminate the communications to those individuals expressed confusion over what concern of sending a communication to who had opted out and stated that it constitutes a fundraising an individual or family that suffered a was too strict. The majority of these communication, we emphasize that the negative outcome. Commenters commenters suggested that the final rule final rule does nothing to modify the suggested several categories of protected retain the Privacy Rule’s original types of communications that are health information that covered entities ‘‘reasonable efforts’’ language and stated currently considered to be for should be able to use to target their that while covered entities have every fundraising purposes. 
A communication fundraising efforts, including incentive not to send fundraising to an individual that is made by a department or site of service, generic communications to those individuals covered entity, an institutionally related area of treatment, department where last who have opted out of receiving them, foundation, or a business associate on seen, outcome information, treating it is very difficult for covered entities to behalf of the covered entity for the physician, diagnosis, whether the ensure 100 percent accuracy with this VerDate Mar<15>2010 18:57 Jan 24, 2013 Jkt 229001 PO 00000 Frm 00056 Fmt 4701 Sfmt 4700 E:\FR\FM\25JAR2.SGM 25JAR2 sroberts on DSK5SPTVN1PROD with

57 5621 Federal Register / Vol. 78, No. 17 / Friday, January 25, 2013 / Rules and Regulations entity. Covered entities voluntarily requiring that individuals opt out of purpose of raising funds for the covered choosing to send fundraising further fundraising communications by entity is a fundraising communication communications to individuals must simply mailing a pre-printed, pre-paid for purposes of § 164.514(f). The have data management systems and postcard would not constitute an undue Department has stated that processes in place to timely track and burden under the final rule and is an ‘‘[p]ermissible fundraising activities flag those individuals who have opted appropriate alternative to the use of a include appeals for money, sponsorship out of receiving fundraising phone number or email address. of events, etc. They do not include Regarding the scope of the opt out, the communications to ensure that they are royalties or remittances for the sale of commenters were split on whether the not sent additional fundraising products of third parties (except opt out should apply to all future communications. auctions, rummage sales, etc.).’’ See 65 The majority of commenters fundraising communications or to a FR 82718. Additionally, the Privacy supported allowing a process for specific fundraising campaign. The final Rule has always required that such individuals who have opted out of rule leaves the scope of the opt out to communications contain a description receiving further fundraising the discretion of covered entities. For of how the individual may opt out of communications to opt back in and the those covered entities that expressed receiving further fundraising final rule at § 164.514(f)(2)(v) permits concern about the ability to track communications (§ 164.514(f)(2)(ii)). covered entities have one. 
Like the campaign-specific opt outs, they have With respect to the proposed discretion given to covered entities the discretion to apply the opt out to all requirement that the method for an regarding the methods through which future fundraising communications. individual to elect not to receive further an individual can opt out, the final rule Likewise, those covered entities that fundraising communications should not gives covered entities the discretion to prefer, and have the ability to track, cause the individual to incur an undue determine how individuals should be campaign-specific opt outs are free to burden or more than a nominal cost, we able to opt back in. For example, a apply the opt out to specific fundraising generally agree with the commenters covered entity could include as a part of campaigns only. Covered entities are who suggested that the final rule be a routine newsletter sent to all patients also free to provide individuals with the flexible and not prescriptive. Under the a phone number individuals can call to choice of opting out of all future final rule, covered entities are free to be put on a fundraising list. fundraising communications or just decide what methods individuals can While some commenters suggested campaign-specific communications. use to opt out of receiving further that opt outs should be time limited Whatever method is employed, the fundraising communications, as long as such that an individual automatically communication should clearly inform the chosen methods do not impose an opts back in after a certain period of individuals of their options and any undue burden or more than a nominal time, we do not believe that an consequences of electing to opt out of cost on individuals. Covered entities individual’s election not to receive further fundraising communications. 
should consider the use of a toll-free further fundraising communications is Despite the commenters who did not phone number, an email address, or something that should automatically support the strengthened language in similar opt out mechanisms that provide lapse. Because the individual has the NPRM prohibiting covered entities individuals with simple, quick, and actively chosen to opt out, only a from sending further fundraising inexpensive ways to opt out of receiving similar active decision by the individual communications to those individuals further fundraising communications. to opt back in will suffice. Additionally, who have already opted out, the final Covered entities may employ multiple where an individual who has opted out rule adopts this provision without opt out methods, allowing individuals of fundraising communications makes a modification. While many commenters to determine which opt out method is donation to a covered entity, it does not supported the current ‘‘reasonable the simplest and most convenient for serve, absent a separate election to opt efforts’’ standard and cited several them, or a single method that is back in, to automatically add the reasons that may make it difficult to reasonably accessible to all individuals individual back onto the mailing list for attain the proposed standard, we adopt wishing to opt out. fundraising communications. the proposed standard because it is In response to commenters who The Privacy Rule currently permits consistent with the statute and more expressed concern about the cost of covered entities to use or disclose only protective of an individual’s right to setting up a toll-free phone number, we demographic information relating to the elect not to receive further fundraising clarify that covered entities may require individual and dates of health care communications. 
For example, some individuals who wish to opt out of provided to the individual for commenters cited lag times between the further fundraising communications to fundraising communications. In creation of mailing lists and the receipt do so through other methods, (e.g., response to several commenters who or update of opt out lists and difficulty through the use of a local phone asked for clarification regarding the in accurately identifying individuals on number), where appropriate, as long as scope of demographic information, the the fundraising lists due to name the method or methods adopted do not final rule, at § 164.514(f)(1)(i), clarifies changes or variations and multiple impose an undue burden or cost on the that demographic information relating addresses. These issues are common to individual. We encourage covered to an individual includes names, the management of the medical or entities to consider the size of the addresses, other contact information, billing records and effectuating population to which they are sending age, gender, and dates of birth. Although revocations of authorization, requests the communications, the geographic much of this information was listed in for access, and other general distribution, and any other factors that the preamble to the 2000 final rule (65 communications between the entity and may help determine which opt out FR 82718) as being demographic the individual. We expect the same care method(s) is most appropriate and least information with respect to the and attention to the handling of burdensome to individuals. fundraising provisions, we have added We continue to consider requiring protected health information in this information to the regulatory text individuals to write and send a letter to fundraising communications as is for clarity. 
Additionally, we have necessary for the proper handling of this the covered entity asking not to receive included date of birth as demographic information in all other health care further fundraising communications to information, instead of merely age. We operations performed by the covered constitute an undue burden. However, VerDate Mar<15>2010 18:57 Jan 24, 2013 Jkt 229001 PO 00000 Frm 00057 Fmt 4701 Sfmt 4700 E:\FR\FM\25JAR2.SGM 25JAR2 sroberts on DSK5SPTVN1PROD with

58 5622 Federal Register / Vol. 78, No. 17 / Friday, January 25, 2013 / Rules and Regulations Response: We decline to require an an individual has a right to opt out of believe that date of birth may be useful to covered entities because they are opt in process. The HITECH Act did not receiving such communications. The more likely to maintain a record of an replace the right to opt out of final rule does not require covered individual’s date of birth, rather than fundraising communications with an entities to send pre-solicitation opt outs his or her static age. We also note that opt in process. Further, we continue to to individuals prior to the first the 2000 preamble identifies insurance believe that the opt out process, fundraising communication. We believe status as falling within the category of particularly as it has been strengthened that because the individual will be on demographic information. The final rule by the HITECH Act and this final rule, notice of the opportunity to opt out of continues to allow covered entities to provides individuals with appropriate receiving fundraising communications use or disclose information about an control over the use of their information through the notice of privacy practices individual’s health insurance status for for these purposes. and the first fundraising communication fundraising purposes; however, we list Comment: One commenter asked that itself will contain a clear and this category of information separately if an individual opts out of receiving conspicuous opportunity to opt out, in the regulatory text, as we do not further fundraising communications there is no need to require covered believe this information truly through a mailed communication, must entities to incur the additional burden constitutes demographic information. the covered entity also remove the and cost of sending pre-solicitation opt In addition to demographic individual’s name from the list through outs. 
information, health insurance status, which the covered entity sends email Under the Privacy Rule fundraising and dates of health care provided to the fundraising communications, or must communications can take many forms, individual (which is currently permitted the individual opt out of receiving such including communications made over under the Rule), this final rule also email communications separately. the phone. Despite the fact that the allows covered entities to use and A covered entity may Response: HITECH Act refers only to written disclose department of service choose to provide individuals with the fundraising communications, because information, treating physician opportunity to select their preferred the Privacy Rule applies to information, and outcome information method for receiving fundraising communications made over the phone, for fundraising purposes. These three communications. If an individual elects we believe it would be counterintuitive categories of information were most to opt out of future fundraising to apply the strengthened opt out frequently identified by commenters as communications, then the opt out is requirement to only written fundraising the most needed for covered entities to effective for all forms of fundraising communications. Therefore, like further target fundraising communications. Thus, the individual fundraising communications made in communications to appropriate must be removed from all such lists. writing, covered entities that make individuals. Although we do not define fundraising communications over the 8. Section 164.520—Notice of Privacy these terms, we clarify that department phone must clearly inform individuals Practices for Protected Health of service information includes that they have a right to opt out of Information information about the general further solicitations. 
Accordingly, to department of treatment, such as Proposed Rule make clear that the opt out requirement cardiology, oncology, or pediatrics. applies to fundraising solicitations Section 164.520 of the Privacy Rule Additionally, we clarify that outcome made over the phone, the final rule sets out the requirements for most information includes information provides that the opt out requirement covered entities to have and distribute regarding the death of the patient or any applies to each fundraising a notice of privacy practices (NPP). The sub-optimal result of treatment or communication ‘‘made’’ rather than NPP must describe the uses and services. In permitting its use for ‘‘sent’’ to an individual. disclosures of protected health fundraising purposes, we intend for it to We also emphasize that the notice and information a covered entity is be used by the covered entity itself to opt out requirements for fundraising permitted to make, the covered entity’s screen and eliminate from fundraising communications apply only where the legal duties and privacy practices with solicitations those individuals covered entity is using or disclosing respect to protected health information, experiencing a sub-optimum outcome, protected health information to target and the individual’s rights concerning and for its disclosure to a business the fundraising communication. If the protected health information. associate or institutionally related covered entity does not use protected Section 164.520(b)(1)(ii) requires a foundation only where such screening health information to send fundraising covered entity to include separate function is done by those parties. We materials, then the notice and opt out statements about permitted uses and also emphasize that as with any use or requirements do not apply. 
For disclosures that the covered entity disclosure under the Privacy Rule, a example, if a covered entity uses a intends to make, including uses and covered entity must apply the minimum public directory to mail fundraising disclosures for certain treatment, necessary standard at § 164.502(b) to communications to all residents in a payment, or health care operations ensure that only the minimum amount particular geographic service area, the purposes. Further, § 164.520(b)(1)(ii)(E) of protected health information notice and opt out requirements are not currently requires that the NPP contain necessary to accomplish the intended applicable. a statement that any uses and purpose is used or disclosed. disclosures other than those permitted We adopt in the final rule the Response to Other Public Comments by the Privacy Rule will be made only provision prohibiting the conditioning A few commenters Comment: with the written authorization of the of treatment or payment on an suggested that, to better protect an individual, and that the individual has individual’s choice with respect to the individual’s privacy, particularly where the right to revoke an authorization receipt of fundraising communications. sensitive health information may be pursuant to § 164.508(b)(5). We also adopt at § 164.520(b)(1)(iii)(A) We proposed to amend used to target solicitations, the final rule the requirement that the notice of § 164.520(b)(1)(ii)(E) to require that the should require an opt in process rather privacy practices inform individuals NPP describe the uses and disclosures than an opt out process for consenting that a covered entity may contact them of protected health information that to fundraising communications. to raise funds for the covered entity and

underwriting provide notice to The NPRM proposed to modify require an authorization under individuals within 60 days of the § 164.520(b)(1)(iv)(A) to require a § 164.508(a)(2) through (a)(4) (i.e., material change to the NPP that would statement explaining that the covered including a statement that most uses be required by this proposed rule. The entity is required to agree to a request and disclosures of psychotherapy notes Department requested comment on to restrict disclosure of protected health and of protected health information for these options, as well as any other information to a health plan if the marketing purposes and the sale of options for informing individuals in a disclosure is for payment or health care protected health information require an timely manner of material changes to operations and pertains to a health care authorization), and provide that other the NPP. item or service for which the individual uses and disclosures not described in Section 164.520(c)(2)(iv) requires that has paid out of pocket in full, as the notice will be made only with the when a health care provider with a provided at § 164.522(a)(1)(vi). individual’s authorization. direct treatment relationship with an Under Subpart D of Part 164, covered Section 164.520(b)(1)(iii) requires a individual revises the NPP, the health entities now have new breach covered entity to include in its NPP care provider must make the NPP notification obligations. We requested separate statements about certain available upon request on or after the comment on whether the Privacy Rule activities if the covered entity intends to effective date of the revision and must should require a specific statement engage in any of the activities.
In comply with the requirements of regarding this new legal duty and what particular, § 164.520(b)(1)(iii) requires a § 164.520(c)(2)(iii) to have the NPP particular aspects of this new duty separate statement in the notice if the available at the delivery site and to post would be important for individuals to covered entity intends to contact the the notice in a clear and prominent be notified of in the NPP. individual to provide appointment The NPRM stated that modifications location. We did not propose changes to reminders or information about to § 164.520 would represent material these provisions because we did not treatment alternatives or other health- changes to covered entities’ NPPs. believe these requirements to be overly related benefits or services; to contact Section 164.520(b)(3) requires that when burdensome but we requested comment the individual to fundraise for the there is a material change to the NPP, on the issue. covered entity; or, with respect to a covered entities must promptly revise group health plan, to disclose protected Overview of Public Comments and distribute the NPP as outlined at health information to the plan sponsor. We received several comments § 164.520(c). Section 164.520(c)(1)(i)(C) First, with respect to this provision, expressing support for the proposed requires that health plans provide notice the NPRM proposed to modify requirement that the NPP include a to individuals covered by the plan § 164.520(b)(1)(iii)(A) to align the statement about the uses and within 60 days of any material revision required statement with the proposed disclosures that require authorization. to the NPP. Because we acknowledged modifications related to marketing and However, other commenters opposed that revising and redistributing a NPP subsidized treatment communications. 
this requirement, arguing that because may be costly for health plans, we The provision would have required a not all uses and disclosures will apply requested comment on ways to inform covered health care provider that to every individual, the statement will individuals of this change to privacy intends to send treatment cause confusion and unnecessary practices without unduly burdening communications to individuals and has concern. Additionally, these health plans. We requested comment on received financial remuneration in commenters argued that the cost of options for informing individuals in a exchange for making the listing all of the situations requiring timely manner of this proposed or other communication to, in its NPP, notify authorization would be significant. material changes to the NPP. We also individuals of this intention and to We received several comments in requested comment on this issue in the inform them that they can opt out of support of the proposed requirement proposed changes to the Privacy Rule receiving such communications. that the NPP include a specific pursuant to the Genetic Information Second, at § 164.520(b)(1)(iii)(B) we statement about authorization for uses Nondiscrimination Act (GINA), as proposed to require that if a covered and disclosures of psychotherapy notes. discussed below in Section VI. 
In entity intends to contact the individual Some of these commenters requested particular, the Department requested to raise funds for the entity as permitted that the final rule require covered comment on the following options: (1) under § 164.514(f)(1), the covered entity providers to describe in their NPPs their Replace the 60-day requirement with a must not only inform the individual in recordkeeping practices with regard to requirement for health plans to revise the NPP of this intention but also must psychotherapy notes and how those their NPPs and redistribute them (or at inform the individual that he or she has practices affect what information can be least notify members of the material the right to opt out of receiving such used and disclosed. Several commenters change to the NPP and how to obtain communications. argued that only covered entities that the revised NPP) in their next annual Section 164.520(b)(1)(iv) requires that record psychotherapy notes should be mailing to members after a material the NPP contain statements regarding required to include a statement about revision to the NPP, such as at the the rights of individuals with respect to the authorization requirement for beginning of the plan year or during the their protected health information and a psychotherapy notes in their NPPs. open enrollment period; (2) provide a We also received several comments brief description of how individuals specified delay or extension of the 60- expressing concern regarding the may exercise such rights. Section day timeframe for health plans (3) retain proposed requirement to include 164.520(b)(1)(iv)(A) currently requires a the provision generally to require health information in the NPP about the statement and a brief description plans to provide notice within 60 days individual’s right to opt out of receiving addressing an individual’s right to of a material revision but provide that certain communications. 
These request restrictions on the uses and the Secretary will waive the 60-day commenters argued that information disclosures of protected health timeframe in cases where the timing or notifying individuals that they could information pursuant to § 164.522(a), substance of modifications to the opt out of receiving further subsidized Privacy Rule call for such a waiver; or including the fact that the covered treatment or fundraising (4) make no change and thus, require entity is not required to agree to this communications would provide little that health plans that perform request.

decision to treat all subsidized period; and (3) a request for HHS to value to individuals at a significant cost treatment communications as marketing extend the compliance deadline and to covered entities. These commenters communications requiring an permit the distribution of the revised felt that including this information authorization, please see the above NPP through a quarterly newsletter, would be unnecessary because all discussion regarding § 164.501. annual mailing, after 18 months of subsidized treatment and fundraising The final rule, however, adopts the transition, or in a triennial mailing. In communications themselves will proposed requirement for a statement in addition, many commenters supported include an opt-out mechanism, and as the NPP regarding fundraising electronic distribution of an NPP or a such, including the information in the communications and an individual’s notice of material changes to the NPP. NPP may cause unnecessary concern for right to opt out of receiving such While not proposed, some consumers. communications, if a covered entity commenters suggested eliminating or We received one comment in support intends to contact an individual to raise alternatives to the current requirements of the requirement to include in the NPP funds for the covered entity. Because for health care providers with direct a statement about an individual’s right individuals will be provided the treatment relationships to hand the NPP to restrict certain uses and disclosures opportunity to opt out of fundraising to every individual patient and make a of protected health information if the communications with each solicitation, good faith attempt to obtain individual pays for treatment or services the final rule does not require the NPP acknowledgement of receipt. out-of-pocket in full.
We also received A few commenters also expressed to include the mechanism for one comment suggesting that only concern regarding the cost burden individuals to opt out of receiving health care providers should be required associated with revising and fundraising communications, although to include such a statement in their distributing a new NPP. One commenter covered entities are free to include such NPP. argued that considerations of cost do not We received a number of comments information if they choose to do so. The final rule also adopts the justify a delay in distributing a revised supporting a requirement to include a proposal that the NPP inform NPP. statement in the NPP about the right to individuals of their new right to restrict be notified following a breach of Final Rule certain disclosures of protected health unsecured protected health information. First, the final rule adopts the information to a health plan where the One commenter suggested that modification to § 164.520(b)(1)(ii)(E), individual pays out of pocket in full for explaining breach notification which requires certain statements in the the health care item or service. Only requirements in the NPP would help NPP regarding uses and disclosures that health care providers are required to entities handle customer service issues require authorization. We note that, include such a statement in the NPP; that arise when customers become upset contrary to some commenter concerns, other covered entities may retain the upon receipt of such a breach the final rule does not require the NPP existing language indicating that a notification. However, a number of to include a list of all situations covered entity is not required to agree other commenters expressed opposition requiring authorization. Instead, the to a requested restriction. 
to this proposal due to concern that NPP must contain a statement The final rule also requires covered such a statement would cause indicating that most uses and entities to include in their NPP a unnecessary concern and fear among disclosures of psychotherapy notes statement of the right of affected individuals who may believe that (where appropriate), uses and individuals to be notified following a covered entities cannot appropriately disclosures of protected health breach of unsecured protected health secure their protected health information for marketing purposes, and information. We believe that individuals information. Finally, we received one disclosures that constitute a sale of should be informed of their right to comment requesting that HHS specify protected health information require receive and the obligations of covered the required elements of a breach entities to provide notification following authorization, as well as a statement notification statement for a NPP. a breach. We disagree with the We also received several comments that other uses and disclosures not commenters who argued that such a arguing that the proposed changes described in the NPP will be made only statement would cause individuals should not constitute material changes with authorization from the individual. The final rule does not require the unnecessary concern and would create to privacy practices requiring a new NPP to include a description of a unfounded fear that covered entities NPP, particularly where covered entities covered entity’s recordkeeping practices cannot appropriately secure protected have already revised their NPPs to with respect to psychotherapy notes; health information. Such advance notice comply with the HITECH Act or State of their rights should provide helpful however, covered entities are free to law requirements. 
Two additional context for individuals should they later include such additional information in commenters argued that each covered receive a breach notification. In their NPP if they choose. Additionally, entity should determine whether a response to comments, we also clarify in response to requests by some change is material or not, depending on that a simple statement in the NPP that commenters, we clarify that covered its existing privacy practices. We received a number of comments an individual has a right to or will entities that do not record or maintain regarding the appropriate timing and receive notifications of breaches of his psychotherapy notes are not required to manner for distributing new NPPs. The or her unsecured protected health include a statement in their NPPs about information will suffice for purposes of majority of the comments received the authorization requirement for uses this requirement. We do not intend for generally fell into three categories: (1) and disclosures of psychotherapy notes. this requirement to add undue Second, because the final rule treats Support for a requirement to revise and complexity or length to a covered all subsidized treatment distribute notices within 60 days of a entity’s NPP. Thus, the statement need communications as marketing material change; (2) a recommendation not be entity-specific, such as by communications, we have not adopted for HHS to require that covered entities describing how the covered entity will the proposal to require a statement in promptly post a revised NPP on their conduct a risk assessment, include the the NPP about such communications Web site in conjunction with a regulatory descriptions of ‘‘breach’’ or and the ability of an individual to opt requirement to send a notice of the ‘‘unsecured PHI,’’ or describe the types out. 
For further discussion on the change by mail within a specified

the final rule require NPPs to be relationship with an individual revises of information to be provided in the shortened, simplified, and written in a the NPP, the health care provider must actual breach notification to the clear, easily understandable manner. In make the NPP available upon request on individual. However, covered entities addition, while a few commenters or after the effective date of the revision that wish to include additional or more suggested that HHS provide a sample or and must comply with the requirements detailed information may do so. These changes represent material standard NPP, many more commenters of § 164.520(c)(2)(iii) to have the NPP changes to the NPP of covered entities. requested flexibility in developing the available at the delivery site and to post We disagree with the few commenters content of their respective NPPs. the notice in a clear and prominent We believe that the Response: who argued that such modifications to location. In response to several additions to the NPP required by the § 164.520 do not constitute material comments expressing concern about final rule are necessary to fully inform changes of privacy practices requiring printing costs for new NPPs, we clarify individuals of the covered entity’s the distribution of new NPPs. The that providers are not required to print privacy practices and their rights.
The modifications to § 164.520 are and hand out a revised NPP to all NPP should be provided in a clear, significant and are important to ensure individuals seeking treatment; providers concise, and easy to understand that individuals are aware of the must post the revised NPP in a clear and manner, and we clarify that covered HITECH Act changes that affect privacy prominent location and have copies of entities may use a ‘‘layered notice’’ to protections and individual rights the NPP at the delivery site for implement the Rule’s provisions, so regarding protected health information. individuals to request to take with them. Section 164.520(c)(1) of the final rule long as the elements required at Providers are only required to give a requires a health plan that currently § 164.520(b) are included in the copy of the NPP to, and obtain a good posts its NPP on its Web site in document that is provided for the faith acknowledgment of receipt from, accordance with § 164.520(c)(3)(i) to: (1) individual. For example, a covered new patients. As a result, we do not Prominently post the material change or entity may satisfy the NPP provisions by believe that the current requirement is its revised notice on its web site by the providing the individual with both a overly burdensome to providers, nor is effective date of the material change to short notice that briefly summarizes the it overly costly. We also clarify that the notice (e.g., the compliance date of individual’s rights, as well as other while health care providers are required this final rule) and (2) provide the information, and a longer notice, to post the NPP in a clear and revised notice, or information about the layered beneath the short notice that prominent location at the delivery site, material change and how to obtain the contains all the elements required by providers may post a summary of the revised notice, in its next annual the Rule. 
Additionally, the Privacy Rule notice in such a location as long as the mailing to individuals then covered by requires that the NPP be written in plain full notice is immediately available the plan, such as at the beginning of the language, and we note that some (such as on a table directly under the plan year or during the open enrollment covered entities may have obligations posted summary) for individuals to pick period. Health plans that do not have under other laws with respect to their up without any additional burden on customer service web sites are required communication with affected their part. It would not be appropriate, to provide the revised NPP, or individuals. For example, to the extent however, to require the individual to information about the material change a covered entity is obligated to comply have to ask the receptionist for a copy and how to obtain the revised notice, to with Title VI of the Civil Rights Act of of the full NPP. individuals covered by the plan within 1964, the covered entity must take To the extent that some covered 60 days of the material revision to the reasonable steps to ensure meaningful entities have already revised their NPPs notice. These requirements apply to all access for Limited English Proficient in response to the enactment of the material changes including, where persons to the services of the covered HITECH Act or State law requirements, applicable, the rule change adopted entity, which could include translating we clarify that as long as a covered pursuant to GINA to prohibit most the NPP into frequently encountered entity’s current NPP is consistent with health plans from using or disclosing languages. In addition, we agree with this final rule and individuals have been genetic information for underwriting the commenters who suggested that informed of all material revisions made purposes. 
covered entities have flexibility and to the NPP, the covered entity is not We believe these distribution discretion to determine how to draft and required to revise and distribute another requirements best balance the right of prepare their NPPs. Because each NPP NPP upon publication of this final rule. individuals to be informed of their will vary based on the functions of the Finally, we note that to the extent a privacy rights with the burden on health individual covered entity, there is no covered entity is required to comply plans to provide the revised NPP. We ‘‘one size fits all’’ approach. However, with Section 504 of the Rehabilitation also note that health plans should we continue to explore options for Act of 1973 or the Americans with provide both paper- and web-based making model or best practice language Disabilities Act of 1990, the covered notices in a way accessible to all available. entity has an obligation to take steps beneficiaries, including those One commenter requested Comment: that may be necessary to ensure individuals with disabilities. These elimination of the requirement that effective communication with modifications provide an avenue for an covered entities obtain agreement from individuals with disabilities, which individuals (an opt in) before electronic individual to be informed of material could include making the revised NPP distribution while another commenter changes upon their effective date while or notice of material changes to the NPP requested that HHS clarify that a better aligning the NPP distribution available in alternate formats, such as covered entity may obtain an electronic with health plans’ normal mailings to Braille, large print, or audio. agreement from an individual to receive individuals. Response to Other Public Comments For health care providers, the final an NPP electronically. 
The Privacy Rule permits Response: Comment: One commenter expressed rule does not modify the current covered entities to distribute their NPPs concern about the addition of more requirements to distribute revisions to or notices of material changes by email, information to the NPP when it is the NPP. As such, § 164.520(c)(2)(iv) provided the individual has agreed to already very long and complex, while requires that when a health care receive an electronic copy. Although several commenters recommended that provider with a direct treatment

health information regarding all health request restrictions of certain uses and internet access is a convenience of daily disclosures. First, we proposed at life for many individuals, maintaining care to the health plan. We requested § 164.522(a)(1)(vi) to require a covered the opt-in requirement ensures that comment on the types of treatment entity to agree to a request by an individuals who are not able to or interactions between individuals and individual to restrict the disclosure of choose not to receive information covered entities that would make protected health information about the electronically are fully informed of how implementing a restriction more individual to a health plan if: (A) the their protected health information is difficult and ways to address such disclosure is for the purposes of being used and disclosed and of their difficult situations, such as where an carrying out payment or health care individual rights with respect to this individual wishes to restrict a operations and is not otherwise required information. We clarify that agreement disclosure regarding a prescription to a by law; and (B) the protected health to receive electronic notice can be health plan but because the provider information pertains solely to a health obtained electronically pursuant to the electronically sends prescriptions to the care item or service for which the requirements at § 164.520(c)(3). pharmacy to be filled, the pharmacy individual, or person on behalf of the may have already billed the health plan 9. Section 164.522(a)—Right To Request individual other than the health plan, by the time the patient arrives at the a Restriction of Uses and Disclosures has paid the covered entity in full. In pharmacy.
Section 164.522(a) of the Privacy Rule requires covered entities to permit individuals to request that a covered entity restrict uses or disclosures of their protected health information for treatment, payment, and health care operations purposes, as well as for disclosures to family members and certain others permitted under § 164.510(b). While covered entities are not required to agree to such requests for restrictions, if a covered entity does agree to restrict the use or disclosure of an individual’s protected health information, the covered entity must abide by that restriction, except in emergency circumstances when the information is required for the treatment of the individual. Section 164.522 also includes provisions for the termination of such a restriction and requires that covered entities that have agreed to a restriction document the restriction in writing.

Proposed Rule

Section 13405(a) of the HITECH Act sets forth certain circumstances in which a covered entity now must comply with an individual’s request for restriction of disclosure of his or her protected health information. Specifically, section 13405(a) of the HITECH Act requires that when an individual requests a restriction on disclosure pursuant to § 164.522, the covered entity must agree to the requested restriction unless the disclosure is otherwise required by law, if the request for restriction is on disclosures of protected health information to a health plan for the purpose of carrying out payment or health care operations and if the restriction applies to protected health information that pertains solely to a health care item or service for which the health care provider has been paid out of pocket in full.

To implement section 13405(a) of the HITECH Act, we proposed a number of changes to the Privacy Rule’s provisions regarding an individual’s right to

recognition that there are many situations in which family members or other persons may pay for the individual’s treatment, we proposed to include language to the provision to ensure that this requirement not be limited to solely the individual paying for the health care item or service but would also include payment made by another person, other than the health plan, on behalf of the individual.

We proposed to modify § 164.522(a)(1)(ii), which states that a covered entity is not required to agree to a restriction, to refer to this exception to that general rule. We noted in the NPRM that in cases where an individual has exercised his or her right to restrict disclosure to a health plan under the above circumstances, the covered entity is also prohibited from making such disclosures to a business associate of the health plan, because a covered entity may only disclose protected health information to a business associate of another covered entity if the disclosure would be permitted directly to the other covered entity. We also proposed conforming modifications to § 164.522(a)(2) and (3) regarding terminating restrictions and documentation of restrictions to reflect these new requirements, and to make clear that, unlike other agreed to restrictions, a covered entity may not unilaterally terminate a required restriction to a health plan under § 164.522(a)(1)(ii).

We provided a number of clarifications, and solicited public comment on a number of issues, regarding these proposed provisions, as follows. We stated that we interpret section 13405(a) as giving the individual a right to determine for which health care items or services the individual wishes to pay out of pocket and restrict. Thus, section 13405(a) would not permit a covered entity to require individuals who wish to restrict disclosures about only certain health care items or services to a health plan to restrict disclosures of protected

We requested comment generally on whether covered health care providers that know of a restriction should inform other health care providers downstream of such restriction, including pharmacies, and whether technology could facilitate such notification. We requested comment on examples of the types of disclosures that may fall under this “required by law” exception. With respect to an individual, or someone on behalf of the individual, paying out of pocket for the health care item or service, we noted that the individual should not expect that this payment would count towards the individual’s out of pocket threshold with respect to his or her health plan benefits. We requested comment on how this provision will function with respect to HMOs, given our understanding that under most current HMO contracts with providers an individual could not pay the provider in full for the treatment or service received. We clarified in the NPRM that if an individual’s out of pocket payment for a health care item or service is not honored (e.g., the individual’s check bounces), the covered entity is not obligated to continue to abide by the requested restriction because the individual has not fulfilled the requirements necessary to obtain the restriction. Additionally, we stated our expectation in such cases that covered entities make some attempt to resolve any payment issues with the individual prior to sending the protected health information to the health plan, such as by notifying the individual that his or her payment did not go through and giving the individual an opportunity to submit payment and requesting comment on the extent to which covered entities must make reasonable efforts to secure payment from the individual prior to billing the health plan. We requested comment on the scope of a restriction and in what circumstances it should apply to a subsequent, but related, treatment encounter, such as follow-up care for treatment of a particular condition.

Overview of Public Comments

We received many comments on these proposed provisions and our questions as to how they should apply. A number of commenters generally supported the provisions as being an important right for health care consumers. However, many commenters expressed concerns with these new requirements. Many commenters raised concerns with, and requested guidance on, how to operationalize a restriction. Several commenters were concerned with having to create separate records to ensure that restricted data is not inadvertently sent to or accessible by the health plan or to manually redact information from the medical record prior to disclosure to a health plan. Commenters argued that having to segregate restricted and unrestricted information or redact restricted information prior to disclosure would be burdensome as such a process would generally have to occur manually, and may result in difficulties with ensuring that treating providers continue to have access to the entire medical record. Some commenters were concerned specifically with having to manually redact or create separate records prior to a health plan audit, or otherwise with withholding information from a plan during an audit, to ensure a health plan would not see restricted information.

With respect to the exception to a restriction for disclosures that are required by law, several commenters supported this exception but requested clarification on how such an exception would affect providers’ existing legal obligations. Many commenters suggested that providers would be prohibited from receiving cash payment from individuals for items or services otherwise covered by State or Federally funded programs, such as Medicare and Medicaid, and thus, requested that disclosures to such State or Federally funded programs not be eligible for restriction. Similarly, some commenters sought clarification on the effect of this provision where certain State laws prohibit “balance billing,” making it illegal for the provider to bill the patient for any covered services over and above any permissible copayment, coinsurance or deductible amounts. Some commenters asked that we clarify that the “required by law” exception allows providers to disclose protected health information subject to a restriction for Medicare and Medicaid audits, because those insurers require complete, accurate records for audits.

Other commenters were concerned with applying a restriction to only certain health care items or services provided during a single patient encounter or visit. Commenters argued that split billing is not possible for most providers or that it may be obvious to a health plan if one item or service out of a bundle is restricted and that unbundling services may be costly. One commenter suggested that individuals should only be able to restrict certain types of services/treatment (e.g., cosmetic surgery and family planning services) as such services are more easily segregable from other health care services.

In response to our question regarding available electronic methods through which a prescribing provider could alert a pharmacy that an individual intends to pay out of pocket for a prescription and restrict disclosure to a health plan, commenters indicated they were generally unaware of any system that would alert a pharmacy of restrictions electronically, and many agreed that the cost and burden of flagging records manually would not be feasible for all covered entities. In general, commenters agreed that paper prescriptions would provide individuals with an opportunity to request a restriction when they arrive at the pharmacy. However, commenters also noted that returning to the use of paper prescriptions over electronic prescribing would be a step in the wrong direction, as there are many benefits to electronic prescribing, and it is important not to limit these benefits.

Almost all of the comments we received regarding the obligation generally of health care providers that know of a restriction to inform downstream health care providers of the restriction argued that it should be the individual’s and not the provider’s responsibility to inform downstream providers of any requested restriction. While a few commenters stated that the provider should bear this responsibility, the majority believed that this obligation would be difficult and burdensome for a provider. Some commenters acknowledged that in time, more advanced electronic and automated systems may allow providers to notify other providers downstream of a restriction, but these commenters stressed that such systems are not widely available at this time.

With respect to the requirement’s application to health care providers providing care within an HMO context, many commenters expressed support for the suggestion that HMO patients would have to use an out-of-network provider for treatment to ensure that the restricted information would not be disclosed to the HMO. Some commenters indicated that State laws and/or provider contracts with an HMO may prohibit the provider from receiving a cash payment from an HMO patient above the patient’s cost-sharing amount for the health care item or service. Conversely, some commenters stated that individuals should not have to go out-of-network when requesting a restriction and instead, providers could and should treat the services as non-covered services and accept payment directly from the patient. Several commenters also suggested that managed care contracts would have to be revised or renegotiated in order to comply with this provision and as such, ample time for renegotiation should be provided.

Commenters generally supported the language in the proposed rule making clear that a restriction would apply where an individual requests a restriction, but someone other than the individual (other than the health plan), such as a family member, pays for the individual’s care on behalf of the individual. One commenter asked for clarification that payment by any health plan would not constitute payment out of pocket by the individual. The commenter stated that such clarification was necessary to avoid the situation where an individual has coverage under multiple plans, pays for care with a secondary plan, requests a restriction on disclosure to the primary plan, and then the secondary plan proceeds to obtain reimbursement from the primary plan disclosing the protected health information at issue. Another commenter asked that we clarify that a clinical research participant whose health care services are paid for by a research grant can still qualify for a restriction to the individual’s health plan.

Most commenters supported not having to abide by a requested restriction in cases where the individual’s method of payment is returned or otherwise does not go through. A few commenters suggested that a covered entity should include information to this effect in its notice of privacy practices. A number of commenters expressed concern with the ability of a provider to bill a health plan for services following an individual’s inability to pay. For example, a provider may find it difficult to be reimbursed for services if the provider did not obtain the plan’s required pre-certification for services because the individual initially agreed to pay out of pocket for the services. Several commenters asked for guidance on what constitutes a “reasonable effort” to obtain payment from an individual prior to billing a health plan for health care services where an individual’s original form of payment fails, and argued that the effort required should not be too burdensome on providers. A number of commenters suggested various alternatives. A few commenters suggested that providers should be able to set a deadline for payment and then bill the plan if the patient fails to pay; others requested that the regulation set a specific timeframe in which providers must be paid or the requested restriction is terminated. Some commenters suggested that a “reasonable effort” should be based upon a covered entity making one or two attempts to contact the patient and obtain payment. Another commenter recommended that reasonable efforts should require the provider to make a good faith effort to obtain payment based on their usual debt collection practices. Other commenters requested clarification that reasonable efforts would not require a provider sending a bill to a collection agency. Some commenters were generally concerned with requiring a provider to wait too long for payment, as the provider could risk the plan not paying for the treatment if it is billed too late. Certain commenters argued that providers should not have to engage in any attempts to resolve payment issues if an individual’s payment fails prior to billing the health plan for the services. Finally, a number of commenters asked whether a provider could require payment in full at the time of the request for a restriction to avoid payment issues altogether.

Finally, many commenters responded to the NPRM’s approach to follow-up care. The majority of commenters supported the idea that if an individual does not request a restriction and pay out of pocket for follow up care, then the covered entity may disclose the protected health information necessary to obtain payment from the health plan for such follow up care, recognizing that some of the protected health information may relate to and/or indicate that the individual received the underlying health care item or service to which a restriction applied. A few commenters asked whether individual authorization would be required to disclose previously restricted protected health information to a health plan if the individual does not want to restrict the follow up care. A number of commenters expressed support for providers counseling patients on the consequences of not restricting follow-up care. A few commenters were concerned as to how a provider would know when such counseling was needed and what it should include, and asked whether giving the individual a written statement explaining the consequences would suffice.

Final Rule

We adopt the modifications to § 164.522 as proposed in the NPRM to implement section 13405(a) of the HITECH Act. In response to questions and comments regarding how to operationalize these requirements, we provide the following clarifications. We clarify that these provisions do not require that covered health care providers create separate medical records or otherwise segregate protected health information subject to a restricted health care item or service. Covered health care providers will, however, need to employ some method to flag or make a notation in the record with respect to the protected health information that has been restricted to ensure that such information is not inadvertently sent to or made accessible to the health plan for payment or health care operations purposes, such as audits by the health plan. Covered entities should already have in place, and thus be familiar with applying, minimum necessary policies and procedures, which require limiting the protected health information disclosed to a health plan to the amount reasonably necessary to achieve the purpose of the disclosure. Thus, covered entities should already have mechanisms in place to appropriately limit the protected health information that is disclosed to a health plan.

With respect to commenters who were concerned about providers being able to continue to meet their legal obligations, such as disclosing protected health information to Medicare or Medicaid for required audits, we note that the statute and final rule continue to allow disclosures that are otherwise required by law, notwithstanding that an individual has requested a restriction on such disclosures. Thus, a covered entity may disclose the protected health information necessary to meet the requirements of the law. Under the Privacy Rule, “required by law” is defined at § 164.103 as a mandate contained in law that compels a covered entity to make a use or disclosure of protected health information and that is enforceable in a court of law. For purposes of this definition, “required by law” includes Medicare conditions of participation with respect to health care providers participating in the program, and statutes and regulations that require the production of information if payment is sought under a government program providing public benefits. Therefore, if a covered entity is required by law to submit protected health information to a Federal health plan, it may continue to do so as necessary to comply with that legal mandate. With respect to commenters’ concerns with prohibitions in State law and under Medicare and Medicaid that prevent providers from billing, and receiving cash payment from, an individual for covered services over and above any permissible cost sharing amounts, we provide the following guidance. If a provider is required by State or other law to submit a claim to a health plan for a covered service provided to the individual, and there is no exception or procedure for individuals wishing to pay out of pocket for the service, then the disclosure is required by law and is an exception to an individual’s right to request a restriction to the health plan pursuant to § 154.522(a)(1)(vi)(A) of the Rule. With respect to Medicare, it is our understanding that when a physician or supplier furnishes a service that is covered by Medicare, then it is subject to the mandatory claim submission provisions of section 1848(g)(4) of the Social Security Act (the Act), which requires that if a physician or supplier charges or attempts to charge a beneficiary any remuneration for a service that is covered by Medicare, then the physician or supplier must submit a claim to Medicare. However, there is an exception to this rule where a beneficiary (or the beneficiary’s legal representative) refuses, of his/her own free will, to authorize the submission of a bill to Medicare. In such cases, a Medicare provider is not required to submit a claim to Medicare for the covered service and may accept an out of pocket payment for the service from the beneficiary. The limits on what the provider may collect from the beneficiary continue to apply to charges for the covered service, notwithstanding the absence of a claim to Medicare. See the Medicare Benefit Policy Manual, Internet only Manual pub. 100–2, ch. 15, sect. 40, available at http://www.cms.gov/manuals/Downloads/bp102c15.pdf. Thus, if a Medicare beneficiary requests a restriction on the disclosure of protected health information to Medicare for a covered service and pays out of pocket for the service (i.e., refuses to authorize the submission of a bill to Medicare for the service), the provider must restrict the disclosure of protected health information regarding the service to Medicare in accordance with § 164.522(a)(1)(vi).

Certain commenters raised concerns with an individual requesting a restriction with respect to only one of several health care items or services provided in a single patient encounter, and a provider being prohibited from unbundling, or it being more costly to unbundle, the services for purposes of billing a health plan. In such cases, we expect providers to counsel patients on the ability of the provider to unbundle the items or services and the impact of doing so (e.g., the health plan still may be able to determine that the restricted item or service was performed based on the context). If a provider is able to unbundle the items or services and accommodate the individual’s wishes after counseling the individual on the impact of unbundling, it should do so. If a provider is not able to unbundle a group of items or services, the provider should inform the individual and give the individual the opportunity to restrict and pay out of pocket for the entire bundle of items or services. Where a provider is not able to unbundle a group of bundled items or services, we view such group of bundled items or services as one item or service for the purpose of applying § 164.522(a)(1)(v). However, we would expect a provider to accommodate an individual’s request for a restriction for separable and unbundled health care items or services, even if part of the same treatment encounter, such as in the prior example with respect to the patient receiving both treatment for asthma and diabetes. Thus, we decline to provide as a general rule that an individual may only restrict either all or none of the health care items or services that are part of one treatment encounter.

In response to the question we posed in the NPRM regarding methods through which a provider could electronically (such as through an e-prescribing tool) notify a pharmacist of an individual’s restriction request, the majority of commenters indicated that there currently is not a widely available method for electronically notifying a pharmacy that a patient has requested a restriction. Further, commenters generally argued that it would be costly, burdensome, and unworkable for a provider to attempt to notify all subsequent providers of an individual’s restriction request, particularly given the lack of automated tools to make such notifications, and thus, it should remain the obligation of the individual to notify downstream providers if the individual wants to restrict protected health information to a health plan. We agree that it would be unworkable at this point, given the lack of automated technologies to support such a requirement, to require health care providers to notify downstream providers of the fact that an individual has requested a restriction to a health plan. However, we do encourage providers to counsel patients that they would need to request a restriction and pay out of pocket with other providers for the restriction to apply to the disclosures by such providers. In the case of an individual who wants to restrict disclosures to a health plan concerning a prescribed medication, the prescribing provider can provide the patient with a paper prescription to allow the individual an opportunity to request a restriction and pay for the prescription with the pharmacy before the pharmacy has submitted a bill to the health plan. However, while we do not require it, providers are permitted and encouraged to assist individuals as feasible in alerting downstream providers of the individual’s desire to request a restriction and pay out of pocket for a particular health care item or service.

For example, consider an individual who is meeting with her primary physician and requests a restriction on tests that are being administered to determine if she has a heart condition. If, after conducting the tests, the patient’s primary physician refers the patient to a cardiologist, it is the patient’s obligation to request a restriction from the subsequent provider, the cardiologist, if she wishes to pay out of pocket rather than have her health plan billed for the visit. Although the primary physician in this example would not be required to alert the cardiologist of the patient’s potential desire to request a restriction, we encourage providers to do so if feasible or in the very least, to engage in a dialogue with the patient to ensure that he or she is aware that it is the patient’s obligation to request restrictions from subsequent providers. In response to commenters who were confused about whether the individual or the provider would have the obligation of notifying subsequent providers when a Health Information Exchange is involved, we clarify that the responsibility to notify downstream providers of a restriction request in this situation also remains with the individual, and not the provider.

With respect to HMOs, we clarify that a provider providing care in such a setting should abide by an individual’s requested restriction unless doing so would be inconsistent with State or other law. Thus, if a provider within an HMO is prohibited by law from accepting payment from an individual above the individual’s cost-sharing amount (i.e., the provider cannot accept an out of pocket payment from the individual for the service), then the provider may counsel the individual that he or she will have to use an out-of-network provider for the health care item or service in order to restrict the disclosure of protected health information to the HMO for the health care. Providers operating within an HMO context and who are able under law to treat the health care services to which the restriction would apply as out-of-network services should do so in order to abide by the requested restriction. We would not consider a contractual requirement to submit a claim or otherwise disclose protected health information to an HMO to exempt the provider from his or her obligations under this provision. Further, the final rule provides a 180-day compliance period beyond the effective date of these revisions to the Privacy Rule, during which provider contracts with HMOs can be updated as needed to be consistent with these new requirements.

As proposed in the NPRM, under the final rule, a covered entity must apply a restriction not only where an individual pays in full for the healthcare item or service, but also where a family member or other person pays for the item or service on behalf of the individual. We decline to modify the regulation, as suggested by one commenter, to provide that payment from “any” health plan, rather than the one to which the disclosure is restricted, should not constitute payment on behalf of the individual. In response to the commenter’s concern about difficulties in coordination of benefits for individuals with coverage under multiple plans, we note that this provision does not impede a health plan’s ability to disclose protected health information as necessary to another health plan for coordination of benefits. Thus, health plans may continue to make such disclosures.

Many commenters supported the discussion in the NPRM regarding not abiding by a restriction if an individual’s payment is dishonored. In such cases, we continue to expect that providers will make a reasonable effort to contact the individual and obtain payment prior to billing a health plan. We do not prescribe the efforts a health care provider must make but leave that up to the provider’s policies and individual circumstances. While we require the provider to make a reasonable effort to secure payment from the individual, this requirement is not intended to place an additional burden on the provider but is instead intended to align with its current policies for contacting individuals to obtain an alternative form of payment to one that was dishonored. We do not require that the individual’s debt be placed in collection before a provider is permitted to bill a health plan for the health care services. Further, a provider may choose to require payment in full at the time of the request for a restriction to avoid payment issues altogether. Similarly, where precertification is required for a health plan to pay for services, a provider may require the individual to settle payments for the care prior to providing the service and implementing a restriction to avoid the situation where the provider is unable to be reimbursed by either the individual or the health plan.

We also recognize that a provider may not be able to implement a restriction where an individual waits until care has been initiated to make such a request, such as in the case of a hospital stay, in which case the individual’s protected health information may have already been disclosed to the health plan.

With respect to restrictions and follow-up care, we continue to maintain the approach discussed in the NPRM. If an individual has a restriction in place with respect to a health care service but does not pay out of pocket and request a restriction with regard to follow-up treatment, and the provider needs to include information that was previously restricted in the bill to the health plan in order to have the service deemed medically necessary or appropriate, then the provider is permitted to disclose such information so long as doing so is consistent with the provider’s minimum necessary policies and procedures. We also clarify that such a disclosure would continue to be permitted for payment purposes and thus, would not require the individual’s written authorization. However, as we did in the NPRM, we highly encourage covered entities to engage in open dialogue with individuals to ensure that they are aware that previously restricted protected health information may be disclosed to the health plan unless they request an additional restriction and pay out of pocket for the follow-up care.

Response to Other Public Comments

Comment: Several commenters asked that the provision be limited to just providers and not to covered entities in general. Commenters also asked for clarification on whether the restriction prohibits providers from giving protected health information to health plans solely for payment or health care operations purposes in such cases or all entities that may receive protected health information for payment or health care operations.

Response: We clarify that this provision, in effect, will apply only to covered health care providers. However, the provisions of § 164.522(a) apply to covered entities generally and thus, we decline to alter the regulatory text. In response to commenters’ concerns regarding disclosure for payment or health care operations purposes to entities other than the health plan, we clarify that this provision does not affect disclosures to these other entities as permitted by the Privacy Rule.

Comment: Commenters asked what the liability is for a provider who discloses restricted protected health information to a plan.

Response: A provider who discloses restricted protected health information to the health plan is making a disclosure in violation of the Privacy Rule and the HITECH Act, which, as with other impermissible disclosures is subject to the imposition of possible criminal penalties, civil money penalties, or corrective action.

Comment: Several commenters asked that we clarify that the “required by law” exception allows providers to respond to subpoenas, court orders, and judicial proceedings.

Response: The “required by law” exception in § 164.522(a)(1)(vi) does allow health care providers to respond to court orders and subpoenas issued by a court requiring disclosure of protected health information to a health plan. See the definition of “required by law” at § 164.103. Further, § 164.522(a)(1)(vi) does not affect the disclosure of protected health information to entities that are not health plans and thus, disclosures to these other entities made as required by law, for judicial and administrative proceedings, or for law enforcement activities in accordance with §§ 164.512(a), 164.512(e), and 164.512(f), respectively, continue to be permitted.

Comment: Several commenters suggested that the final rule be written to ensure that there are no conflicts with the Fair Debt Collection Practices Act and similar State laws regarding the legal obligation to validate a debt that is disputed by a debtor. Commenters sought clarification on whether the provider can still disclose protected health information for the recovery of debts.

Response: The final rule does not impact a provider’s ability to disclose protected health information for payment purposes to a collection agency or otherwise for collection activities related to an individual’s debt to the provider. Section 164.522(a) restricts disclosures to a health plan for payment purposes where the individual has paid out of pocket for the health care item or service that is the subject of the disclosure and requests such a restriction.

Comment: Commenters asked that we clarify whether payment with a Flexible Spending Account (FSA) or Health Savings Account (HSA) is considered a payment by a person on behalf of the individual.

Response: An individual may use an FSA or HSA to pay for the health care items or services that the individual wishes to have restricted from another plan; however, in doing so the individual may not restrict a disclosure to the FSA or HSA necessary to effectuate that payment.

Comment: When a restriction is requested, the provider is also prohibited from making disclosures of the restricted protected health information to the business associate of the health plan. One commenter suggested that the final rule make it the priority of the business associate to inform the provider that they are acting as the business associate of the health plan to ensure provider compliance with the rule. Other comments misconstrued the preamble statements on this issue and commented that a provider should be allowed to provide restricted protected health information to its own business associates.

Response: A provider that is prohibited from disclosing protected health information to a health plan may not disclose such information to the health plan’s business associate. We do not include a requirement that the business associate inform the provider that they are acting as a business associate of the health plan as it is the provider’s responsibility to know to whom and for what purposes it is making a disclosure. We also clarify that a provider is not prohibited from disclosing protected health information restricted from a health plan to its own business associates for the provider’s own purposes.

Comment: One commenter expressed concern about the number of workforce members who must know about the restriction and indicated that this may create a risk for potential error with regard to the information.

Response: Covered entities must identify those workforce members or class of persons who need access to particular protected health information, and appropriately train their workforce members as necessary to comply with these new requirements.

10. Section 164.524—Access of Individuals to Protected Health Information

Proposed Rule

Section 164.524 of the Privacy Rule currently establishes, with limited exceptions, an enforceable means by which individuals have a right to review or obtain copies of their protected health information to the extent such information is maintained in the designated record set(s) of a covered entity. An individual’s right of access exists regardless of the format of the protected health information, and the standards and implementation

rights individuals should have with respect to their individually identifiable health information to strengthen the right of access as provided under section 13405(e) of the HITECH Act more uniformly to all protected health information maintained in one or more designated record sets electronically, regardless of whether the designated record set is an EHR. The public comments and final regulation on the scope are discussed here. The proposed amendments to each provision implicated by section 13405(e), together with the public comments and final regulation, are discussed more specifically in separate sections below.

entity must provide the individual with access to the electronic information in the electronic form and format requested by the individual, if it is readily producible, or, if not, in a readable electronic form and format as agreed to by the covered entity and the individual. In such cases, to the extent possible, we expect covered entities to provide the individual with a machine readable copy of the individual’s protected health information. The Department considers machine readable data to mean digital information stored in a standard format enabling the information to be processed and analyzed by computer. For example,
specifications that address individuals’ this would include providing the Overview of Public Comments requests for access and timely action by individual with an electronic copy of the covered entity (i.e., provision of Most commenters were opposed to the protected health information in the access, denial of access, and the proposal to expand the scope of the format of MS Word or Excel, text, documentation) apply to an electronic individual access provision to include HTML, or text-based PDF, among other environment in a similar manner as they all electronic designated record sets and formats. do to a paper-based environment. See favored limiting the requirement to We disagree with commenters that The HIPAA Privacy Rule’s Right of EHRs. These commenters felt that questioned the Department’s authority Access and Health Information limiting the access provision to EHRs to extend the strengthened electronic Technology (providing guidance with was consistent with congressional intent access right to all protected health respect to how § 164.524 applies in an and questioned the authority of the information maintained electronically electronic environment and how health Department to expand the scope. in designated record sets, and believe information technology can facilitate Commenters also argued that having that this extended electronic right of providing individuals with this disparate requirements for different access is important for individuals as important privacy right), available at: systems would not be confusing, and covered entities increasingly transition http://www.hhs.gov/ocr/privacy/hipaa/ requiring electronic access to electronic from paper to electronic records. With understanding/special/healthit/ designated record sets that are not EHRs regard to the additional burdens on . eaccess.pdf would be highly burdensome for covered entities, we note that providing Section 13405(e) of the HITECH Act covered entities. 
Specifically, access to protected health information strengthens the Privacy Rule’s right of commenters stated that the proposed held in electronic designated record sets access with respect to covered entities requirement for electronic access would was already required under the Privacy that use or maintain an electronic health include numerous types of legacy Rule at § 164.524, which applies to record (EHR) on an individual. Section systems, many of which are incapable of protected health information in both 13405(e) provides that when a covered producing reports in easily readable paper and electronic designated record entity uses or maintains an EHR with formats that can be transmitted sets, and which requires providing the respect to protected health information electronically. These commenters copy in the form and format requested of an individual, the individual shall indicated that a significant amount of by the individual, including have a right to obtain from the covered information technology development electronically, if it is readily producible entity a copy of such information in an and investment would be needed to in such form and format. We anticipate electronic format and the individual comply with this requirement if it the additional burden to be small due to may direct the covered entity to applies to all electronic designated the flexibility permitted in satisfying transmit such copy directly to the record sets. this new requirement, as discussed in individual’s designee, provided that any A number of consumer advocates the section on Form and Format. such choice is clear, conspicuous, and supported the expanded scope to Response to Other Public Comments specific. Section 13405(e) also provides include all electronic designated records that any fee imposed by the covered sets in addition to EHRs. 
These Comment: Some commenters worried entity for providing such an electronic commenters felt that this would provide that giving individuals access to copy shall not be greater than the complete transparency for consumers, administrative systems (in contrast to entity’s labor costs in responding to the help individuals gain access to their clinical systems) would present a request for the copy. medical records and make better- security concern to covered entities. Section 13405(e) applies by its terms Covered entities are not Response: informed decisions about their health only to protected health information in required by this provision to provide care, and promote consistent and EHRs. However, incorporating these individuals with direct access to their uniform practices. new provisions in such a limited systems. They must only provide Final Rule manner in the Privacy Rule could result individuals with an electronic copy of The final rule adopts the proposal to in a complex set of disparate their protected health information. amend the Privacy Rule at requirements for access to protected Comment: Commenters requested § 164.524(c)(2)(ii) to require that if an health information in EHR systems clarification on what constitutes an individual requests an electronic copy versus other types of electronic records EHR. Under this final rule, the Response: of protected health information that is systems. As such, the Department requirement to provide individuals with maintained electronically in one or proposed to use its authority under access to an electronic copy includes all more designated record sets, the covered section 264(c) of HIPAA to prescribe the VerDate Mar<15>2010 18:57 Jan 24, 2013 Jkt 229001 PO 00000 Frm 00067 Fmt 4701 Sfmt 4700 E:\FR\FM\25JAR2.SGM 25JAR2 sroberts on DSK5SPTVN1PROD with

68 5632 / Vol. 78, No. 17 / Friday, January 25, 2013 / Rules and Regulations Federal Register while a covered entity may provide form or format as agreed to by the protected health information individuals with limited access rights to covered entity and the individual. maintained in an electronic designated their EHR, such as through a secure Section 13405(e) of the HITECH Act record set held by a covered entity. web-based portal, nothing under the expands this requirement by explicitly Because we are not limiting the right of current Rule or proposed modifications requiring a covered entity that uses or electronic access to EHRs, we do not would require a covered entity to have maintains an EHR with respect to believe there is a need to define or this capability. protected health information to provide further clarify the term at this time. We noted that the option of arriving the individual with a copy of such Comment: One commenter requested at an alternative agreement that satisfies information in an electronic format. clarification that this electronic access both parties is already part of the We proposed to implement this requirement preempts State laws that requirement to provide access under statutory provision, in conjunction with diminish, block, or limit individual § 164.524(c)(2)(i), so extension of such a our broader authority under section access to their records. requirement to electronic access should 264(c) of HIPAA, by requiring, in Response: We clarify that this HIPAA present few implementation difficulties. proposed § 164.524(c)(2)(ii), that if the electronic right of access requirement Further, as with other disclosures of protected health information requested does preempt contrary State law unless protected health information, in is maintained electronically in one or such law is more stringent. 
In the case providing the individual with an more designated record sets, the covered of right of access, more stringent means electronic copy of protected health entity must provide the individual with that such State law permits greater information through a web-based portal, access to the electronic information in rights of access to the individual. email, on portable electronic media, or the electronic form and format Several commenters sought Comment: other means, covered entities should requested by the individual, if it is clarification of how the new e-access ensure that reasonable safeguards are in readily producible, or, if not, in a provisions would apply to business place to protect the information. We readable electronic form and format as associates. One commenter asked also noted that the proposed agreed to by the covered entity and the whether business associates could modification presumes that covered individual. This provision would continue to provide patients access to entities have the capability of providing require any covered entity that records when permitted and acting on an electronic copy of protected health electronically maintains the protected behalf of a covered entity. Another information maintained in their health information about an individual, commenter asked whether business designated record set(s) electronically in one or more designated record sets, associates are required to provide through a secure web-based portal, via to provide the individual with an information to covered entities and not email, on portable electronic media, or electronic copy of such information (or to individuals directly. One commenter other manner. We invited public summary or explanation if agreed to by was opposed to direct access from a comment on this presumption. 
the individual in accordance with business associate because of security proposed § 164.524(c)(2)(iii)) in the concerns and increased burden on Overview of Public Comments electronic form and format requested or business associates if corrections are We received many comments and in an otherwise agreed upon electronic needed. requests for clarification and guidance form and format. While an individual’s How and to what extent a Response: regarding the permitted methods for right of access to an electronic copy of business associate is to support or fulfill offering protected health information on protected health information is a covered entity’s obligation to provide electronic media, and the acceptable currently limited under the Privacy Rule individuals with electronic access to form and format of the electronic copy. by whether the form or format requested their records will be governed by the Several commenters suggested that is readily producible, covered entities business associate agreement between covered entities be permitted flexibility that maintain such information the covered entity and the business in determining available electronic electronically in a designated record set associate. For example, the business formats and requested clarification on would be required under these proposed associate agreement may provide for the what is considered ‘‘readily modifications to provide some type of business associate to give copies of the producible.’’ These commenters electronic copy, if requested by an requested information directly to the expressed concerns that a limited individual. individual, or to the covered entity for number of permissible electronic Because we did not want to bind the covered entity to provide the copies formats may result in a situation where covered entities to standards that may to the individual. 
There is no separate protected health information could not not yet be technologically mature, we requirement on business associates to be converted from a particular proposed to permit covered entities to provide individuals with direct access electronic system. Other commenters make some other agreement with to their health records, if that is not indicated that there should be minimum individuals as to an alternative means what has been agreed to between the standards and clearly defined media by which they may provide a readable covered entity and the business that are permissible to meet this electronic copy to the extent the associate in the business associate requirement. One commenter felt that requested means is not readily agreement. this requirement is important but producible. If, for example, a covered should be deferred until covered entities entity received a request to provide a. Form and Format electronic access via a secure web-based have improved their technological Proposed Rule portal, but the only readily producible capabilities. Many commenters requested guidance Section 164.524(c)(2) of the Privacy version of the protected health on how to proceed if a covered entity Rule currently requires a covered entity information was in portable document and an individual are unable to come to to provide the individual with access to format (PDF), proposed an agreement on the medium of choice the protected health information in the § 164.524(c)(2)(ii) would require the and what is expected in terms of form or format requested by the covered entity to provide the individual accommodating the individual’s with a PDF copy of the protected health individual, if it is readily producible in medium of choice. Some commenters information, if agreed to by the covered such form or format, or, if not, in a suggested various alternate solutions if entity and the individual. 
We noted that readable hard copy form or such other VerDate Mar<15>2010 18:57 Jan 24, 2013 Jkt 229001 PO 00000 Frm 00068 Fmt 4701 Sfmt 4700 E:\FR\FM\25JAR2.SGM 25JAR2 sroberts on DSK5SPTVN1PROD with

69 5633 Federal Register / Vol. 78, No. 17 / Friday, January 25, 2013 / Rules and Regulations how to handle links to images or other individual’s requested format or if the an agreement cannot be reached, data. individual agrees to accept a PDF including any readily producible We clarify that just as is Response: instead of the individual’s requested format, PDF, or hard copy protected currently required for hard copy format. Alternatively, there may be health information. Some covered protected health information access circumstances where an individual entities felt that individuals should not requests, covered entities must provide prefers a simple text or rich text file and have an unlimited choice in terms of the an electronic copy of all protected the covered entity is able to electronic media they are willing to health information about the individual accommodate this preference. A hard accept, and should only be permitted to in an electronically maintained copy of the individual’s protected confine their choices of electronic designated record set, except as health information would not satisfy the media to a couple of options that the otherwise provided at § 164.524(a). If electronic access requirement. However, covered entity has available. the designated record set includes a hard copy may be provided if the Final Rule electronic links to images or other data, individual decides not to accept any of The final rule adopts the proposal to the images or other data that is linked the electronic formats offered by the require covered entities to provide to the designated record set must also be covered entity. electronic information to an individual included in the electronic copy Response to Other Public Comments in the electronic form and format provided to the individual. 
The Several covered entities Comment: requested by the individual, if it is electronic copy must contain all commented on the form of a request for readily producible, or, if not, in a protected health information access to electronic protected health readable electronic form and format as electronically maintained in the information. Some expressed agreed to by the covered entity and the designated record set at the time the appreciation for permitting an electronic individual. We recognize that what is request is fulfilled. The individual may request process, including e-signatures available in a readable electronic form request, however, only a portion of the and authentication. Some expressed and format will vary by system and that protected health information opposition to the requirement for a covered entities will continue to electronically maintained in the signed request in writing, as it would be improve their technological capabilities designated record set, in which case the highly burdensome and cause delays. over time. We therefore allow covered covered entity is only required to Covered entities sought guidance on entities the flexibility to provide readily provide the requested information. elements that would be required or producible electronic copies of Comment: One commenter asserted permitted in a request form for protected health information that are that the request for protected health individuals. currently available on their various information should only apply to We clarify that the Response: systems. 
A covered entity is not protected health information the requirement at § 164.524(b)(1), which required to purchase new software or covered entity has at the time of the states that the covered entity may systems in order to accommodate an request, not any additional protected require individuals to make requests for electronic copy request for a specific health information that it obtains while access in writing, provided that it form that is not readily producible by processing the request. informs individuals of such a We clarify that the Response: the covered entity at the time of the requirement, remains unchanged. electronic copy must reflect all request, provided that the covered entity Therefore, covered entities may at their electronic protected health information is able to provide some form of option require individuals to make held by the covered entity in a electronic copy. We note that some requests for electronic copies of their legacy or other systems may not be designated record set, or the subset of protected health information in writing. capable of providing any form of electronic protected health information We note that the Privacy Rule allows for electronic copy at present and anticipate specifically requested by the individual, electronic documents to qualify as that some covered entities may need to at the time the request is fulfilled. written documents, as well as electronic Comment: One commenter asked for make some investment in order to meet signatures to satisfy any requirements confirmation that the new electronic the basic requirement to provide some for a signature, to the extent the requirement does not include a form of electronic copy. signature is valid under applicable law. 
We agree with covered entities that requirement to scan paper and provide If the covered entity chooses to require individuals should not have an electronic copies of records held in unlimited choice in the form of a written request, it has flexibility in paper form. electronic copy requested. However, We clarify that covered Response: determining what information to put covered entities must still provide entities are not required to scan paper into the request form. However, the individuals with some kind of readable documents to provide electronic copies request form may not be in any way electronic copy. If an individual of records maintained in hard copy. We designed to discourage an individual requests a form of electronic copy that note that for covered entities that have from exercising his or her right. A the covered entity is unable to produce, mixed media, it may in some cases be covered entity may also choose to the covered entity must offer other easier to scan and provide all records in accept an individual’s oral request for electronic formats that are available on electronic form rather than provide a an electronic copy of their protected their systems. If the individual declines combination of electronic and hard health information without written to accept any of the electronic formats copies, however this is in no way signature or documentation. Comment: We received several that are readily producible by the required. Many commenters Comment: comments on the content that covered covered entity, the covered entity must expressed security concerns related to entities are required to provide in provide a hard copy as an option to this new requirement. Covered entities response to an electronic access request. fulfill the access request. 
While we felt that they should not have to use Some commenters felt that there should remain neutral on the type of portable devices brought by individuals be a defined minimum set of data technology that covered entities may (particularly flash drives), due to the elements to satisfy this requirement, adopt, a PDF is a widely recognized security risks that this would introduce particularly for non-EHR data. Covered format that would satisfy the electronic to their systems. Some covered entities entities also requested clarification on access requirement if it is the VerDate Mar<15>2010 18:57 Jan 24, 2013 Jkt 229001 PO 00000 Frm 00069 Fmt 4701 Sfmt 4700 E:\FR\FM\25JAR2.SGM 25JAR2 sroberts on DSK5SPTVN1PROD with

70 5634 / Vol. 78, No. 17 / Friday, January 25, 2013 / Rules and Regulations Federal Register Privacy Rule allows for electronic security. Rather, we merely expect the additionally asserted that requiring the documents to qualify as written use of individually-supplied media is covered entity to notify the individual documents for purposes of meeting the prohibited by the Security Rule, based that there may be some level of risk that Rule’s requirements, as well as on the risk analysis determination of an the information in the email could be electronic signatures to satisfy any unacceptable risk to the confidentiality, read by a third party. If individuals are requirements for a signature, to the integrity and availability of the covered notified of the risks and still prefer extent the signature is valid under entity’s electronic protected health unencrypted email, the individual has applicable law. Thus, a covered entity information. the right to receive protected health Response: We acknowledge these could employ an electronic process for information in that way, and covered security concerns and agree with receiving an individual’s request to entities are not responsible for commenters that it may not be transmit a copy of protected health unauthorized access of protected health appropriate for covered entities to information to his or her designee under information while in transmission to the accept the use of external portable this proposed provision. Whether the individual based on the individual’s media on their systems. Covered entities process is electronic or paper-based, a request. Further, covered entities are not are required by the Security Rule to covered entity must implement responsible for safeguarding information perform a risk analysis related to the reasonable policies and procedures once delivered to the individual. potential use of external portable media, under § 164.514(h) to verify the identity b. 
Third Parties and are not required to accept the of any person who requests protected external media if they determine there health information, as well as Proposed Rule is an unacceptable level of risk. implement reasonable safeguards under Section 164.524(c)(3) of the Privacy However, covered entities are not then § 164.530(c) to protect the information Rule currently requires the covered permitted to require individuals to that is used or disclosed. entity to provide the access requested by purchase a portable media device from the individual in a timely manner, Overview of Public Comments the covered entity if the individual does which includes arranging with the Commenters requested clarification not wish to do so. The individual may individual for a convenient time and regarding the proposal to transmit an in such cases opt to receive an place to inspect or obtain a copy of the electronic copy of protected health alternative form of the electronic copy protected health information, or mailing information to another person of the protected health information, the copy of protected health information designated by the individual. In such as through email. at the individual’s request. The particular, covered entities sought Comment: Several commenters Department had previously interpreted clarification on whether or not an specifically commented on the option to this provision as requiring a covered authorization is required prior to provide electronic protected health entity to mail the copy of protected transmitting the requested electronic information via unencrypted email. health information to an alternative protected health information to a third Covered entities requested clarification address requested by the individual, party designated by the individual. that they are permitted to send provided the request was clearly made Some commenters supported the ability individuals unencrypted emails if they by the individual and not a third party. 
to provide electronic protected health have advised the individual of the risk, Section 13405(e)(1) of the HITECH Act information access to third parties and the individual still prefers the provides that if the individual chooses, without individual authorization, while unencrypted email. Some felt that the he or she has a right to direct the others felt that authorization should be ‘‘duty to warn’’ individuals of risks covered entity to transmit an electronic required. Covered entities requested associated with unencrypted email copy of protected health information in clarification that they are not liable would be unduly burdensome on an EHR directly to an entity or person when making reasonable efforts to verify covered entities. Covered entities also designated by the individual, provided the identity of a third party recipient requested clarification that they would that such choice is clear, conspicuous, identified by the individual. not be responsible for breach and specific. notification in the event that Final Rule Based on section 13405(e)(1) of the unauthorized access of protected health The final rule adopts the proposed HITECH Act and our authority under information occurred as a result of amendment § 164.524(c)(3) to expressly section 264(c) of HIPAA, we proposed sending an unencrypted email based on provide that, if requested by an to expand § 164.524(c)(3) to expressly an individual’s request. Finally, one individual, a covered entity must provide that, if requested by an commenter emphasized the importance transmit the copy of protected health individual, a covered entity must that individuals are allowed to decide if information directly to another person transmit the copy of protected health they want to receive unencrypted designated by the individual. In contrast information directly to another person emails. to other requests under § 164.524, when designated by the individual. 
This We clarify that covered Response: an individual directs the covered entity proposed amendment is consistent with entities are permitted to send to send the copy of protected health the Department’s prior interpretation on individuals unencrypted emails if they information to another designated this issue and would apply without have advised the individual of the risk, person, the request must be made in regard to whether the protected health and the individual still prefers the writing, signed by the individual, and information is in electronic or paper unencrypted email. We disagree that the clearly identify the designated person form. We proposed to implement the ‘‘duty to warn’’ individuals of risks and where to send the copy of the requirement of section 13405(e)(1) that associated with unencrypted email protected health information. If a the individual’s ‘‘choice [be] clear, would be unduly burdensome on covered entity has decided to require all conspicuous, and specific’’ by requiring covered entities and believe this is a access requests in writing, the third that the individual’s request be ‘‘in necessary step in protecting the party recipient information and writing, signed by the individual, and protected health information. We do not signature by the individual can be clearly identify the designated person expect covered entities to educate included in the same written request; no and where to send the copy of protected individuals about encryption additional or separate written request is health information.’’ We noted that the technology and the information VerDate Mar<15>2010 18:57 Jan 24, 2013 Jkt 229001 PO 00000 Frm 00070 Fmt 4701 Sfmt 4700 E:\FR\FM\25JAR2.SGM 25JAR2 sroberts on DSK5SPTVN1PROD with

required. This written request for protected health information to be sent to a designated person is distinct from an authorization form, which contains many additional required statements and elements (see § 164.508(c)). Covered entities may rely on the information provided in writing by the individual when providing protected health information to a third party recipient identified by the individual, but must also implement reasonable policies and procedures under § 164.514(h) to verify the identity of any person who requests protected health information, as well as implement reasonable safeguards under § 164.530(c) to protect the information that is used or disclosed. For example, reasonable safeguards would not require the covered entity to confirm that the individual provided the correct email address of the third party, but would require reasonable procedures to ensure that the covered entity correctly enters the email address into its system.

c. Fees

Proposed Rule

Section 164.524(c)(4) of the Privacy Rule currently permits a covered entity to impose a reasonable, cost-based fee for a copy of protected health information (or a summary or explanation of such information). However, such a fee may only include the cost of: (1) The supplies for, and labor of, copying the protected health information; (2) the postage associated with mailing the protected health information, if applicable; and (3) the preparation of an explanation or summary of the protected health information, if agreed to by the individual. With respect to providing a copy (or summary or explanation) of protected health information from an EHR in electronic form, however, section 13405(e)(2) of the HITECH Act provides that a covered entity may not charge more than its labor costs in responding to the request for the copy.

In response to section 13405(e)(2) of the HITECH Act, we proposed to amend § 164.524(c)(4)(i) to identify separately the labor for copying protected health information, whether in paper or electronic form, as one factor that may be included in a reasonable cost-based fee. While we did not propose more detailed considerations for this factor within the regulatory text, we retained all prior interpretations of labor with respect to paper copies—that is, that the labor cost of copying may not include the costs associated with searching for and retrieving the requested information. With respect to electronic copies, we asserted that a reasonable cost-based fee includes costs attributable to the labor involved to review the access request and to produce the electronic copy, which we expected would be negligible. However, we did not consider a reasonable cost-based fee to include a standard ‘‘retrieval fee’’ that does not reflect the actual labor costs associated with the retrieval of the electronic information or that reflects charges that are unrelated to the individual’s request (e.g., the additional labor resulting from technical problems or a workforce member’s lack of adequate training). We invited public comment on this aspect of our rulemaking, specifically with respect to what types of activities related to managing electronic access requests should be compensable aspects of labor.

We also proposed to amend § 164.524(c)(4)(ii) to provide separately for the cost of supplies for creating the paper copy or electronic media (i.e., physical media such as a compact disc (CD) or universal serial bus (USB) flash drive), if the individual requests that the electronic copy be provided on portable media. This reorganization and the addition of the phrase ‘‘electronic media’’ reflected our understanding that since section 13405(e)(2) of the HITECH Act permits only the inclusion of labor costs in the charge for electronic copies, it by implication excludes charging for the supplies that are used to create an electronic copy of the individual’s protected health information, such as the hardware (computers, scanners, etc.) or software that is used to generate an electronic copy of an individual’s protected health information in response to an access request. We noted that this limitation is in contrast to a covered entity’s ability to charge for supplies for hard copies of protected health information (e.g., the cost of paper, the prorated cost of toner and wear and tear on the printer). See 65 FR 82462, 82735, Dec. 28, 2000 (responding to a comment seeking clarification on ‘‘capital cost for copying’’ and other supply costs by indicating that a covered entity was free to recoup all of their reasonable costs for copying). We asserted that this interpretation was consistent with the fact that, unlike a hard copy, which generally exists on paper, an electronic copy exists independent of media, and can be transmitted securely via multiple methods (e.g., email, a secure web-based portal, or an individual’s own electronic media) without accruing any ancillary supply costs. We also noted, however, that our interpretation of the statute would permit a covered entity to charge a reasonable and cost-based fee for any electronic media it provided, as requested or agreed to by an individual. While we proposed to renumber the remaining factors at § 164.524(c)(4), we did not propose to amend their substance. With respect to § 164.524(c)(4)(iii), however, we noted that our interpretation of the statute would permit a covered entity to charge for postage if an individual requests that the covered entity transmit portable media containing an electronic copy through mail or courier (e.g., if the individual requests that the covered entity save protected health information to a CD and then mail the CD to a designee).

Overview of Public Comments

Commenters generally supported and appreciated the inclusion of a reasonable, cost-based fee that includes both labor and, in some cases, supply costs to support the new electronic access requirement. Several commenters disagreed that the cost related to reviewing and responding to requests would be negligible, particularly if the scope includes information in designated record sets and not only EHRs, since more technically trained staff would be necessary to perform this function.

Commenters provided many suggestions of costs that should be permitted in the fees, including those associated with labor, materials, systems, retrieval (particularly for old data maintained in archives, backup media or legacy systems), copying, transmission, and capital to recoup the significant investments made for data access, storage and infrastructure. Commenters offered additional suggestions on labor-related costs, including: skilled technical staff time; time spent recovering, compiling, extracting, scanning and burning protected health information to media, and distributing the media; and preparation of an explanation or summary if appropriate. Suggestions of materials-related costs included: CDs, flash drives, tapes or other portable media; new types of technology needed to comply with individual requests; office supplies; and mail copies. Systems-related costs included: software necessary to conduct protected health information searches; and implementation and maintenance of security systems and secure connectivity.

Final Rule

The final rule adopts the proposed amendment at § 164.524(c)(4)(i) to identify separately the labor for copying protected health information, whether

in paper or electronic form, as one factor that may be included in a reasonable cost-based fee. We acknowledge commenters’ assertions that the cost related to searching for and retrieving electronic protected health information in response to requests would not be negligible, as opposed to what we had anticipated, particularly in regards to designated record set access that will require more technically trained staff to perform this function. We clarify that labor costs included in a reasonable cost-based fee could include skilled technical staff time spent to create and copy the electronic file, such as compiling, extracting, scanning and burning protected health information to media, and distributing the media. This could also include the time spent preparing an explanation or summary of the protected health information, if appropriate.

The final rule also adopts the proposed amendment at § 164.524(c)(4)(ii) to provide separately for the cost of supplies for creating the paper copy or electronic media (i.e., physical media such as a compact disc (CD) or universal serial bus (USB) flash drive), if the individual requests that the electronic copy be provided on portable media. We do not require that covered entities obtain new types of technology needed to comply with specific individual requests, and therefore the cost of obtaining such new technologies is not a permissible fee to include in the proposed supply costs.

With respect to § 164.524(c)(4)(iii), we clarify that a covered entity is permitted to charge for postage if an individual requests that the covered entity transmit portable media containing an electronic copy through mail or courier (e.g., if the individual requests that the covered entity save protected health information to a CD and then mail the CD to a designee).

Fees associated with maintaining systems and recouping capital for data access, storage and infrastructure are not considered reasonable, cost-based fees, and are not permissible to include under this provision. Covered entities are not required to adopt or purchase new systems under this provision, and thus any costs associated with maintaining them are present regardless of the new electronic access right. Additionally, although the proposed rule indicated that a covered entity could charge for the actual labor costs associated with the retrieval of electronic information, in this final rule we clarify that a covered entity may not charge a retrieval fee (whether it be a standard retrieval fee or one based on actual retrieval costs). This interpretation will ensure that the fee requirements for electronic access are consistent with the requirements for hard copies, which do not allow retrieval fees for locating the data.

Response to Other Public Comments

Comment: Commenters requested clarification on how to proceed when State laws designate fees.

Response: When a State law provides a limit on the fee that a covered entity may charge for a copy of protected health information, this is relevant in determining whether a covered entity’s fee is ‘‘reasonable’’ under § 164.524(c)(4). A covered entity’s fee must be both reasonable and cost-based. For example, if a State permits a charge of 25 cents per page, but a covered entity is able to provide an electronic copy at a cost of five cents per page, then the covered entity may not charge more than five cents per page (since that is the reasonable and cost-based amount). Similarly, if a covered entity’s cost is 30 cents per page but the State law limits the covered entity’s charge to 25 cents per page, then the covered entity may not charge more than 25 cents per page (since charging 30 cents per page would be the cost-based amount, but would not be reasonable in light of the State law).

Comment: One commenter suggested that labor-related costs should include preparation of an affidavit certifying that the information is a true and correct copy of the records.

Response: We do not consider the cost to prepare an affidavit to be a copying cost. Thus, where an individual requests that an affidavit accompany the copy of protected health information requested by the individual for litigation purposes or otherwise, a covered entity may charge the individual for the preparation of such affidavit and is not subject to the reasonable, cost-based fee limitations of § 164.524(c)(4). However, a covered entity may not withhold an individual’s copy of his or her protected health information for failure by the individual to pay any fees for services above and beyond the copying, such as for preparing an affidavit.

Comment: Some commenters recommended defining the following terms: ‘‘preparing,’’ ‘‘producing,’’ and ‘‘transmitting.’’

Response: We decline to define the terms ‘‘preparing,’’ ‘‘producing,’’ and ‘‘transmitting,’’ as we believe the terms have been adequately understood and utilized in the context of hard copy access to protected health information.

d. Timeliness

Proposed Rule

We requested comment on one aspect of the right to access and obtain a copy of protected health information which the HITECH Act did not amend. In particular, the HITECH Act did not change the timeliness requirements for provision of access at § 164.524(b). Under the current requirements, a request for access must be approved or denied, and if approved, access or a copy of the information provided, within 30 days of the request. In cases where the records requested are only accessible from an off-site location, the covered entity has an additional 30 days to respond to the request. In extenuating circumstances where access cannot be provided within these timeframes, the covered entity may have a one-time 30-day extension if the individual is notified of the need for the extension within the original timeframes.

With regard to the timeliness of the provision of access, we recognized that with the advance of EHRs, there is an increasing expectation and capacity to provide individuals with almost instantaneous electronic access to the protected health information in those records through personal health records or similar electronic means. On the other hand, we did not propose to limit the right to electronic access of protected health information to certified EHRs, and the variety of electronic systems that are subject to this requirement would not all be able to comply with a timeliness standard based on personal health record capabilities. It was our assumption that a single timeliness standard that would address a variety of electronic systems, rather than having a multitude of standards based on system capacity, would be the preferred approach to avoid workability issues for covered entities. Even under a single standard, nothing would prevent users of EHR systems from exceeding the Privacy Rule’s timeliness requirements for providing access to individuals. Additionally, the Medicare and Medicaid EHR Incentive Programs (the ‘‘meaningful use’’ programs) require users of Certified EHR Technology to provide individuals with expedited access to information. Based on the assumption that a single standard would be the preferred approach under the Privacy Rule, we requested public comment on an appropriate, common timeliness standard for the provision of access by covered entities with electronic designated record sets generally. We specifically requested comment on aspects of existing systems

that would create efficiencies in processing of requests for electronic information, as well as those aspects of electronic systems that would provide little change from the time required for processing a paper record. Alternatively, we requested comment on whether the current standard could be altered for all systems, paper and electronic, such that all requests for access should be responded to without unreasonable delay and not later than 30 days.

We also requested public comment on whether, contrary to our assumption, a variety of timeliness standards based on the type of electronic designated record set is the preferred approach and if so, how such an approach should be implemented.

Finally, we requested comment on the time necessary for covered entities to review access requests and make necessary determinations, such as whether the granting of access would endanger the individual or other persons so as to better understand how the time needed for these reviews relates to the overall time needed to provide the individual with access.

Further, we requested comment generally on whether the provision which allows a covered entity an additional 30 days to provide access to the individual if the protected health information is maintained off-site should be eliminated altogether for both paper and electronic records, or at least for protected health information maintained or archived electronically because the physical location of electronic data storage is not relevant to its accessibility.

Overview of Public Comments

Commenters generally supported maintaining the same timeframe for response for both paper and electronic records and not modifying the existing timeframes for response. Commenters espoused many rationales for maintaining a single standard and the existing response standards, including that off-site electronic storage with back-up tapes will require time to obtain the electronic media, multiple electronic systems may need to be accessed, some systems may not have data stored in useable formats requiring time to convert data, and time may be required to obtain data from business associates and subcontractors.

Some commenters acknowledged that electronic records may be easier to access, but review of records and verification processes would still require time that cannot be shortcut because a record is electronic. One commenter acknowledged that shorter times may be achievable when specific data set standards are established and covered entities have electronic records in place. One commenter believed that electronic records could be furnished in a much shorter timeframe, such as two business days.

Several commenters suggested responses be done in much shorter timeframes, such as instantly, within one day or three days. One commenter noted that meaningful use standards required access within three days for 50 percent of patients. These commenters suggested alternative timeframes for adoption, such as allowing 60 days for response due to off-site storage issues and potential for multiple requests. One commenter suggested 30 and 60 day times were unworkable and another commenter suggested eliminating the 30 day extension for off-site record storage. One commenter suggested 30 days may be longer than is necessary, but cautioned against mandates that would unreasonably divert provider resources (e.g., five days would be unreasonable when a provider must take time to include explanatory notes).

Final Rule

The final rule modifies the timeliness requirements for right to access and to obtain a copy of protected health information at § 164.524(b). We remove the provision at § 164.524(b)(2)(ii) that permits 60 days for timely action when protected health information for access is not maintained or accessible to the covered entity on-site. We retain and renumber as necessary the provision at § 164.524(b)(2)(iii) that permits a covered entity a one-time extension of 30 days to respond to the individual’s request (with written notice to the individual of the reasons for delay and the expected date by which the entity will complete action on the request). We believe the 30 day timeframe for access is appropriate and achievable by covered entities given the increasing expectation and capacity to provide individuals with almost instantaneous electronic access to the protected health information in those records through personal health records or similar electronic means. While a covered entity is permitted 30 days to provide access (with a 30-day extension when necessary), we encourage covered entities to provide individuals with access to their information sooner, and to take advantage of technologies that provide individuals with immediate access to their health information. Nevertheless, for covered entities that continue to make use of off-site storage or have additional time constraints to providing access, the 30 day extension remains available for a covered entity to exercise. This means, for example, that a covered entity must provide an individual with access to off-site records within 30 days of the individual’s request when possible, with a 30-day extension available (for a total of 60 days, in contrast to the current law that permits up to 90 days to provide the individual with access to such records). We decline to establish separate timeframes for timely access based upon whether the protected health information to be accessed is paper or electronic. Commenters generally supported adoption of a single standard rather than differing standards based upon whether a record is paper or electronic and no comments provided compelling reasons to establish differing standards.

Response to Other Public Comments

Comment: One commenter asked for clarification as to when the time period for responding to a request begins if the parties spend significant time attempting to reach agreement on the format of the electronic copy.

Response: We confirm that the time period for responding to a request for access begins on the date of the request. Covered entities that spend significant time before reaching agreement on the electronic format for a response are using part of the 30 days permitted for response.

Comment: One commenter suggested there should be a transition period for those covered entities that do not currently have the capability to meet the electronic access requirement.

Response: We decline to implement a transition period for access to electronic copies of protected health information. Covered entities are already subject to the hard copy access requirement for all information held in designated record sets, including electronic designated record sets, and the new requirement for electronic copies gives covered entities the flexibility to provide an electronic copy in a form that is readily producible. We do not believe additional time is needed to provide electronic copies of protected health information that are readily producible.

11. Other Technical Changes and Conforming Changes

Proposed Rule

We proposed to make a number of technical and conforming changes to the Privacy Rule to fix minor problems, such as incorrect cross-references, mistakes of grammar, and typographical errors. These changes are shown in Table 3 below.

Table 3—Technical and Conforming Changes

Regulation section | Current language | Proposed change | Reason for change
164.510(b)(2)(iii) | ‘‘based the exercise of professional judgment’’ | Insert ‘‘on’’ after ‘‘based’’ | Correct typographical error.
164.512(b)(1) | ‘‘Permitted disclosures’’ and ‘‘may disclose’’ | Insert ‘‘uses and’’ and ‘‘use or’’ before ‘‘disclosures’’ and ‘‘disclose,’’ respectively | Correct inadvertent omission.
164.512(e)(1)(iii) | ‘‘seeking protecting health information’’ | Change ‘‘protecting’’ to ‘‘protected’’ | Correct typographical error.
164.512(e)(1)(vi) | ‘‘paragraph (e)(1)(iv) of this section’’ | Change ‘‘(e)(1)(iv)’’ to ‘‘(e)(1)(v)’’ | Correct cross-reference.
164.512(k)(3) | ‘‘authorized by 18 U.S.C. 3056, or to foreign heads of state, or to for the conduct of investigations’’ | Remove the comma after ‘‘U.S.C. 3056’’ and the ‘‘to’’ before ‘‘for’’ | Correct typographical errors.

In addition to the above technical changes, we proposed to make a few clarifications to existing text in various provisions of the regulation not otherwise addressed in the above preamble. These are as follows.

1. Section 164.506(c)(5) permits a covered entity to disclose protected health information ‘‘to another covered entity that participates in the organized health care arrangement.’’ We proposed to change the words ‘‘another covered entity that participates’’ to ‘‘other participants’’ because not all participants in an organized health care arrangement may be covered entities; for example, some physicians with staff privileges at a hospital may not be covered entities.

2. Section 164.510(a)(1)(ii) permits the disclosure of directory information to members of the clergy and other persons who ask for the individual by name. We proposed to add the words ‘‘use or’’ to this permission, to cover the provision of such information to clergy who are part of a facility’s workforce.

3. Section 164.510(b)(3) covers uses and disclosures of protected health information when the individual is not present to agree or object to the use or disclosure, and, as pertinent here, permits disclosure to persons only of ‘‘the protected health information that is directly relevant to the person’s involvement with the individual’s health care.’’ We proposed to delete the last two quoted words and substitute the following: ‘‘care or payment related to the individual’s health care or needed for notification purposes.’’ This change aligns the text of paragraph (b)(3) with the permissions provided for at paragraph (b)(1) of this section.

4. Where an employer needs protected health information to comply with workplace medical surveillance laws, such as the Occupational Safety and Health Administration or Mine Safety and Health Administration requirements, § 164.512(b)(1)(v)(A) permits a covered entity to disclose, subject to certain conditions, protected health information of an individual to the individual’s employer if the covered entity is a covered health care provider ‘‘who is a member of the workforce of such employer or who provides health care to the individual at the request of the employer.’’ We proposed to amend the quoted language by removing the words ‘‘who is a member of the workforce of such employer or,’’ as the language is unnecessary.

5. At § 164.512(k)(1)(ii), we proposed to replace the word ‘‘Transportation’’ with ‘‘Homeland Security.’’ The language regarding a component of the Department of Transportation was included to refer to the Coast Guard; however, the Coast Guard was transferred to the Department of Homeland Security in 2003.

6. At § 164.512(k)(5), which permits a covered entity to disclose to a correctional institution or law enforcement official having lawful custody of an inmate or other individual protected health information about the inmate or individual in certain necessary situations, we proposed to replace the word ‘‘and’’ after the semicolon in paragraph (i)(E) with the word ‘‘or.’’ The intent of § 164.512(k)(5)(i) is not that the existence of all of the conditions is necessary to permit the disclosure, but rather that the existence of any would permit the disclosure.

Overview of Public Comments

One commenter requested clarification about whether business associates may participate in an organized health care arrangement (OHCA) under § 164.506(c)(5). Another commenter recommended against changing the language of § 164.506(c)(5), arguing that such a change could bring entities like employers and pharmaceutical companies into OHCAs that should not otherwise have access to protected health information, and suggested that the Department change the language to make clear that an OHCA may include only professional staff members.

Final Rule

The final rule implements the technical, conforming, and clarifying changes as proposed. In response to the comments regarding which entities may participate in an OHCA, we clarify that a covered entity participating in an OHCA or the OHCA itself may contract with a business associate to provide certain functions, activities, or services on its behalf that involve access to protected health information, provided the applicable requirements of §§ 164.502(e), 164.504(e), 164.308(b) and 164.314(a) are met. Further, the definition of an organized health care arrangement (OHCA) at § 160.103 includes a clinically integrated care setting in which individuals typically receive health care from more than one health care provider. We modified § 164.506(c)(5) as discussed above in recognition of the fact that not all participants in a clinically integrated care setting may be covered entities (e.g., hospital with physicians with staff privileges that are not workforce members). Such change does not permit employers and pharmaceutical representatives to receive access to protected health information from or through an OHCA in a manner they would otherwise be prohibited from now.

V. Modifications to the Breach Notification Rule Under the HITECH Act

A. Background

Section 13402 of the HITECH Act requires HIPAA covered entities to provide notification to affected individuals and to the Secretary of HHS following the discovery of a breach of unsecured protected health information. In some cases, the Act requires covered entities also to provide notification to the media of breaches. In the case of a breach of unsecured protected health

information at or by a business associate of a covered entity, the Act requires the business associate to notify the covered entity of the breach. Finally, the Act requires the Secretary to post on an HHS Web site a list of covered entities that experience breaches of unsecured protected health information involving more than 500 individuals.

Section 13400(1) of the Act defines ‘‘breach’’ to mean, generally, the unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information. The Act includes three exceptions to this definition to encompass situations Congress clearly intended not to constitute breaches: (1) Unintentional acquisition, access, or use of protected health information by an employee or other person acting under the authority of a covered entity or business associate if such acquisition, access, or use was made in good faith and within the course and scope of the employment or other professional relationship of such person with the covered entity or business associate and such information is not further acquired, accessed, used, or disclosed by any person (section 13400(1)(B)(i)); (2) inadvertent disclosure of protected health information from one person authorized to access protected health information at a facility operated by a covered entity or business associate to another person similarly situated at the same facility and the information received is not further acquired, accessed, used or disclosed without authorization by any person (section 13400(1)(B)(ii) and (iii)); and (3) unauthorized disclosures in which an unauthorized person to whom protected health information is disclosed would not reasonably have been able to retain the information (section 13400(1)(A)).

Further, section 13402(h) of the Act defines ‘‘unsecured protected health information’’ as ‘‘protected health information that is not secured through the use of a technology or methodology specified by the Secretary in guidance’’ and provides that the guidance specify the technologies and methodologies that render protected health information unusable, unreadable, or indecipherable to unauthorized individuals. Covered entities and business associates that implement the specified technologies and methodologies with respect to protected health information are not required to provide notifications in the event of a breach of such information—that is, the information is not considered ‘‘unsecured’’ in such cases. As required by the Act, the Secretary initially issued this guidance on April 17, 2009 (it was subsequently published at 74 FR 19006 on April 27, 2009). The guidance listed and described encryption and destruction as the two technologies and methodologies for rendering protected health information unusable, unreadable, or indecipherable to unauthorized individuals.

In cases in which notification is required, the Act at section 13402 prescribes the timeliness, content, and methods of providing the breach notifications.

Section 13402 required HHS to issue within 180 days of enactment interim final regulations to implement these breach notification requirements. The Department issued an interim final rule on August 24, 2009, with a 60-day public comment period (74 FR 42740). The interim final rule became effective on September 23, 2009. In the preamble to the interim final rule, the Department also re-issued without substantive change its Guidance Specifying the Technologies and Methodologies That Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals that was initially issued on April 17, 2009. The Guidance continues to specify encryption and destruction as the two methods for rendering protected health information unusable, unreadable, or indecipherable to unauthorized individuals—or ‘‘secured’’—and thus, exempt from the breach notification obligations. See 74 FR 42741–43.

B. Overview of the Interim Final Rule

The interim final rule added a new subpart D to part 164 of title 45 of the Code of Federal Regulations (CFR) to implement the breach notification provisions of section 13402 of the HITECH Act. In developing the interim final rule, the Department consulted closely with the Federal Trade Commission (FTC), which administers similar breach notification requirements on vendors of personal health records (PHRs) and their third party service providers under section 13407 of the HITECH Act. The interim final rule and FTC’s Health Breach Notification Rule (74 FR 42962, published August 25, 2009) made clear that entities operating as HIPAA covered entities and business associates are subject to HHS’, and not the FTC’s, breach notification rule. Second, to address those limited cases where an entity may be subject to both HHS’ and the FTC’s rules, such as a vendor that offers PHRs to customers of a HIPAA covered entity as a business associate and also offers PHRs directly to the public, both sets of regulations were harmonized by including the same or similar language, within the constraints of the statutory language.

The 60-day public comment period on the interim final rule closed on October 23, 2009. The Department received approximately 120 comments during the comment period from a variety of entities, including health care providers, hospital and medical associations, health plans, educational institutions, information technology companies, privacy and security advocates, consumer groups, state agencies, and several members of Congress. The provisions of the interim final rule are discussed in more detail below, along with the public comments received, and the provisions of this final rule.

C. Section-by-Section Description of Final Rule and Response to Comments

1. Section 164.402—Definitions

a. Definition of ‘‘Breach’’

Interim Final Rule

Section 13400(1)(A) of the Act defines ‘‘breach’’ as the ‘‘unauthorized acquisition, access, use, or disclosure of protected health information which compromises the security or privacy of such information, except where an unauthorized person to whom such information is disclosed would not reasonably have been able to retain such information.’’ Section 13400(1)(B) of the Act provides two additional exceptions to the definition of ‘‘breach.’’ The interim final rule at 45 CFR 164.402 defined a ‘‘breach’’ to mean generally ‘‘the acquisition, access, use, or disclosure of protected health information in a manner not permitted [by the Privacy Rule] which compromises the security or privacy of the protected health information.’’ The definition included the statutory exceptions to the definition (discussed below) and clarified that ‘‘unauthorized’’ for purposes of the statute meant in a manner not permitted by the Privacy Rule.

In addition, for purposes of this definition, the rule provided that ‘‘compromises the security or privacy of the protected health information’’ means poses a significant risk of financial, reputational, or other harm to the individual. The Department included this standard regarding a significant risk of harm to the individual (i.e., harm standard) after considering public comment received in response to the Department’s request for information on the HITECH Act’s breach notification provisions. See 74 FR 19006. The inclusion of the harm standard was intended to align the Department’s rule with many State

76 Federal Register 5640 / Vol. 78, No. 17 / Friday, January 25, 2013 / Rules and Regulations a covered entity, due to a lack of of the HIPAA Rules and means breach notification laws, as well as reasonable safeguards, sends a number employees, volunteers, trainees, and existing obligations on Federal agencies of explanations of benefits (EOBs) to the other persons whose conduct, in the pursuant to OMB Memorandum M–07– wrong individuals and a few of the performance of work for a covered 16, that have similar standards for EOBs are returned by the post office, entity or business associate, is under the triggering breach notification. In unopened, as undeliverable, the covered direct control of such covered entity or addition, the standard was intended to entity can conclude that the improper business associate. ensure that consumers were not flooded In addition to unintentional, good addressees could not reasonably have with breach notifications for faith access to protected health retained the information. The EOBs that inconsequential events, which could information by workforce members, this were not returned as undeliverable, cause unnecessary anxiety and eventual exception covers similar access by a however, and that the covered entity apathy among consumers. business associate of a covered entity or To determine whether an knows were sent to the wrong subcontractor with respect to a business impermissible use or disclosure of individuals, should be treated as associate or other person acting on protected health information constitutes potential breaches. As another example, behalf of a covered entity or business a breach under this standard, covered if a nurse mistakenly hands a patient the associate. 
The exception does not, entities and business associates were discharge papers belonging to another however, cover situations involving required to perform a risk assessment to patient, but she quickly realizes her snooping employees, because access as determine if there is a significant risk of mistake and recovers the protected a result of such snooping would be harm to the individual as a result of the health information from the patient, this neither unintentional nor done in good impermissible use or disclosure. In would not constitute a breach if the faith. conducting the risk assessment, covered nurse can reasonably conclude that the To implement section 13400(1)(B)(ii) entities and business associates were to patient could not have read or otherwise and (iii) of the Act, the second consider a number or combination of retained the information. regulatory exception provided that a With respect to any of the three factors, including who impermissibly breach excludes inadvertent disclosures exceptions discussed above, a covered used the information or to whom the of protected health information from a entity or business associate has the information was impermissibly person who is authorized to access burden of proof, pursuant to disclosed; whether the covered entity or protected health information at a § 164.414(b) (discussed below), for business associate had taken steps to covered entity or business associate to showing why breach notification was mitigate or eliminate the risk of harm; another person authorized to access not required. 
Accordingly, the covered whether the protected health protected health information at the same entity or business associate must information was actually accessed; and covered entity, business associate, or document why the impermissible use or what type or amount of protected health organized health care arrangement in disclosure falls under one of the above information was impermissibly used or which the covered entity participates. exceptions. disclosed. The regulatory exception includes The rule provided further that an Overview of Public Comments reference to an ‘‘organized health care impermissible use or disclosure of Of the approximately 85 public arrangement’’ to capture, among other protected health information that comments received on the interim final things, clinically integrated care settings qualifies as a limited data set but also rule addressing the definition of breach, in which individuals typically receive excludes dates of birth and zip codes approximately 70 of those comments health care from more than one health (both identifiers that may otherwise be addressed the harm standard and risk care provider, such as a hospital, and included in a limited data set) does not assessment approach in the interim final the health care providers who have staff compromise the security or privacy of rule. We received approximately 60 privileges at the hospital. the protected health information. The comments in support of the harm In this regulatory exception, we also Department included this narrow standard and the risk assessment interpreted the statutory limitations that exception in the belief that it would be approach. The commenters in support the disclosure be to ‘‘another person very difficult to re-identify a limited of this approach included providers, similarly situated at the same facility’’ data set that excludes dates of birth and health plans, professional associations, to mean that the disclosure be to zip codes. 
Thus, a breach of such and certain members of Congress. These another person authorized to access information would pose a low level of commenters argued that the inclusion of protected health information (even if the risk of harm to an individual. the harm standard and accompanying two persons may not be authorized to The interim final rule also included risk assessment was consistent with the access the same types of protected the three statutory exceptions to the definition of breach. To implement statutory language, aligned the interim health information) at the same covered section 13400(1)(B)(i) of the Act, the final rule with many State breach entity, business associate, or organized first regulatory exception provided that notification laws and Federal policies, health care arrangement in which the a breach excludes any unintentional and appropriately placed the obligation covered entity participates (even if the acquisition, access, or use of protected to determine if a breach had occurred on covered entity, business associate, or health information by a workforce covered entities and business associates organized health care arrangement has member or person acting under the since they had the requisite knowledge multiple facilities or locations across the authority of a covered entity or business of the incident to best assess the likely country). Finally, to implement section associate, if such acquisition, access, or impact of the impermissible use or 13400(1)(A) of the Act, the interim final use was made in good faith and within disclosure. 
The proponents of the harm standard rule exempted disclosures of protected the scope of authority and does not and risk assessment approach also health information where a covered result in further use or disclosure in a argued that its removal would increase entity or a business associate has a good manner not permitted by the Privacy the cost and burden of implementing faith belief that an unauthorized person Rule. We substituted the term the rule for covered entities, business to whom the disclosure was made ‘‘workforce members’’ for the statutory associates, as well as HHS, and may would not reasonably have been able to term ‘‘employees’’ because ‘‘workforce cause unnecessary anxiety and eventual retain such information. For example, if member’’ is a defined term for purposes VerDate Mar<15>2010 18:57 Jan 24, 2013 Jkt 229001 PO 00000 Frm 00076 Fmt 4701 Sfmt 4700 E:\FR\FM\25JAR2.SGM 25JAR2 sroberts on DSK5SPTVN1PROD with

77 5641 Federal Register / Vol. 78, No. 17 / Friday, January 25, 2013 / Rules and Regulations recognize that the language used in the determined that a significant risk of apathy among consumers if notifications interim final rule and its preamble harm does not exist, or alternatively, are sent when there is no risk of harm could be construed and implemented in required notification only in cases to the individual. We also received approximately 10 manners we had not intended. where significant risk of harm can be comments opposed to the harm Accordingly, this final rule modifies demonstrated. Other commenters standard. Generally, the commenters and clarifies the definition of breach suggested that we include in the opposed to this approach were members and the risk assessment approach definition an express presumption of a of Congress and consumer advocacy outlined in the interim final rule. breach unless an entity can show First, we have added language to the groups. Some opponents of the harm otherwise. definition of breach to clarify that an Additionally, many commenters standard argued that its addition to the impermissible use or disclosure of responded to the treatment of limited interim final rule set too high a bar for protected health information is data sets in the interim final rule. triggering breach notification, which presumed to be a breach unless the Although many commenters expressed was contrary to statutory intent. These covered entity or business associate, as support for the assertion that limited commenters argued that the final rule applicable, demonstrates that there is a data sets that do not contain dates of should adopt a bright line standard for low probability that the protected health birth and zip codes do not compromise breach notification to ensure that information has been compromised. 
We the security or privacy of protected individuals are aware of all recognize that some persons may have health information, most of these impermissible uses and disclosures of interpreted the risk of harm standard in commenters expressed concern that the their health information regardless of the interim final rule as setting a much interim final rule did not go far enough the potential risk and to make higher threshold for breach notification and should exempt even those limited implementation and enforcement of the than we intended to set. As a result, we data sets that contain dates of birth and/ rule more uniform by removing the have clarified our position that breach or zip codes from the breach notification discretion and judgment given to notification is necessary in all situations requirements. These commenters argued covered entities in the interim final rule. except those in which the covered entity that no impermissible use or disclosure These commenters argued that such or business associate, as applicable, of a limited data set should trigger transparency would better breed demonstrates that there is a low breach notification obligations because consumer trust and would allow probability that the protected health without the 16 direct identifiers that the individuals to assess the risk of harm information has been compromised (or Privacy Rule requires to be stripped themselves and take necessary measures one of the other exceptions to the from the information, there is minimal to mitigate an impermissible use or definition of breach applies). We believe risk of harm to the individual. disclosure of their health information. 
Other commenters, while opposed to that the express statement of this Additionally, commenters indicated it a harm standard to trigger breach presumption in the final rule will help would be costly and burdensome for notification, nonetheless agreed that ensure that all covered entities and entities to have to re-identify the breach notification should not be business associates interpret and apply information in a limited data set to required following every impermissible the regulation in a uniform manner and provide notification and that re- use or disclosure of unsecured protected also responds to commenters that identifying the information could also health information no matter how indicated the default function of the pose an additional risk of harm to the inconsequential the breach. These rule was unclear. This new language is affected individuals. Finally, other commenters argued that, rather than a also consistent with § 164.414, which commenters noted that because subjective standard measuring the risk provides that covered entities and researchers commonly rely on limited of harm to an individual, the final rule business associates have the burden of data sets that contain dates of birth and should include a more objective proof to demonstrate that all zip codes, researchers would not be able standard against which entities would notifications were provided or that an to take advantage of the exception for be required to assess risk. These impermissible use or disclosure did not certain limited data sets in the interim commenters suggested that the risk constitute a breach (such as by final rule, which may have the effect of assessment should focus on the risk that demonstrating through a risk assessment deterring research. 
the protected health information was In contrast, some commenters that there was a low probability that the compromised instead of on the risk of expressed concern regarding the protected health information had been harm to the individual. Additionally, inclusion of even the limited exception compromised) and must maintain these commenters proposed four factors to the definition of breach for limited documentation sufficient to meet that that should be considered to determine data sets that do not include dates of burden of proof. Second, to further ensure that this whether the information was birth and zip codes. These commenters provision is applied uniformly and compromised: (1) To whom the supported requiring entities to perform objectively by covered entities and information was impermissibly a risk assessment to determine whether business associates, we have removed disclosed; (2) whether the information an impermissible use or disclosure of the harm standard and modified the risk was actually accessed or viewed; (3) the such information compromised the assessment to focus more objectively on potential ability of the recipient to security or privacy of the information, the risk that the protected health identify the subjects of the data; and (4) as there may be a risk of re- information has been compromised. in cases where the recipient is the identification of this information Thus, breach notification is not required disclosing covered entity’s business depending on who received the under the final rule if a covered entity associate or is another covered entity, information. or business associate, as applicable, whether the recipient took appropriate Final Rule demonstrates through a risk assessment mitigating action. After considering the public Some commenters stated that the that there is a low probability that the comments on the definition, the default function of the rule was unclear. 
protected health information has been compromised, rather than demonstrate Department in this final rule amends the In particular, these commenters that there is no significant risk of harm definition of ‘‘breach’’ at 45 CFR questioned whether the rule required to the individual as was provided under 164.402. Based on the comments, we notification of a breach unless it is VerDate Mar<15>2010 18:57 Jan 24, 2013 Jkt 229001 PO 00000 Frm 00077 Fmt 4701 Sfmt 4700 E:\FR\FM\25JAR2.SGM 25JAR2 sroberts on DSK5SPTVN1PROD with

78 5642 Federal Register / Vol. 78, No. 17 / Friday, January 25, 2013 / Rules and Regulations breaches and to comply with certain line standard would be extremely the interim final rule. The final rule also identifies the more objective factors State breach notification laws. burdensome and costly for entities to covered entities and business associates The first factor requires covered implement. With no risk assessment must consider when performing a risk entities and business associates to following an impermissible use or assessment to determine if the protected evaluate the nature and the extent of the disclosure, entities may be required to health information has been protected health information involved, provide many notices each year for compromised and breach notification is including the types of identifiers and incidents that did not compromise the necessary. the likelihood of re-identification of the security or privacy of an individual’s Although some commenters urged us information. To assess this factor, protected health information. to implement a bright line standard, entities should consider the type of Although we do not believe a bright requiring notification for all protected health information involved line approach to breach notification is impermissible uses and disclosures in the impermissible use or disclosure, appropriate, we do agree with the without any assessment of risk, we such as whether the disclosure involved commenters who expressed concern believe that a risk assessment is information that is of a more sensitive that the risk assessment focus on ‘‘harm necessary. The statute acknowledges, by nature. 
For example, with respect to to an individual’’ in the interim final including a specific definition of breach financial information, this includes rule was too subjective and would lead and identifying exceptions to this credit card numbers, social security to inconsistent interpretations and definition, as well as by providing that numbers, or other information that results across covered entities and an unauthorized acquisition, access, increases the risk of identity theft or business associates. As a result, instead use, or disclosure of protected health financial fraud. With respect to clinical of assessing the risk of harm to the information must compromise the information, this may involve individual, covered entities and security or privacy of such information considering not only the nature of the business associates must assess the to be a breach, that there are several 11 services or other information but also probability that the protected health situations in which unauthorized the amount of detailed clinical information has been compromised acquisition, access, use, or disclosure of information involved (e.g., treatment based on a risk assessment that protected health information is so plan, diagnosis, medication, medical considers at least the following factors: inconsequential that it does not warrant history information, test results). (1) The nature and extent of the notification. In addition to the statutory Considering the type of protected health protected health information involved, exceptions that have been included in information involved in the including the types of identifiers and both the interim final rule and this final impermissible use or disclosure will the likelihood of re-identification; (2) rule, there may be other similar help entities determine the probability the unauthorized person who used the situations that do not warrant breach that the protected health information protected health information or to notification. 
We agree with commenters could be used by an unauthorized whom the disclosure was made; (3) that providing notification in such cases recipient in a manner adverse to the whether the protected health may cause the individual unnecessary individual or otherwise used to further information was actually acquired or anxiety or even eventual apathy if the unauthorized recipient’s own viewed; and (4) the extent to which the notifications of these types of incidents interests. Additionally, in situations risk to the protected health information are sent routinely. For example, if a where there are few, if any, direct has been mitigated. We believe that the covered entity misdirects a fax identifiers in the information use of these factors, which are derived containing protected health information impermissibly used or disclosed, from the factors listed in the interim to the wrong physician practice, and entities should determine whether there final rule as well as many of the factors upon receipt, the receiving physician is a likelihood that the protected health suggested by commenters, will result in calls the covered entity to say he has information released could be re- a more objective evaluation of the risk received the fax in error and has identified based on the context and the to the protected health information and destroyed it, the covered entity may be ability to link the information with a more uniform application of the rule. able to demonstrate after performing a 12 other available information. For As we have modified and risk assessment that there is a low risk example, if a covered entity incorporated the factors that must be that the protected health information impermissibly disclosed a list of patient considered when performing a risk has been compromised. 
Although this names, addresses, and hospital assessment into the regulatory text, scenario does not fit into any of the identification numbers, the protected covered entities and business associates statutory or regulatory exceptions, we health information is obviously should examine their policies to ensure believe that, like the exceptions to identifiable, and a risk assessment likely that when evaluating the risk of an breach, notification should not be would determine that there is more than impermissible use or disclosure they required if the covered entity a low probability that the information consider all of the required factors. In demonstrates a low probability that the has been compromised, dependent on addition, given the circumstances of the data has been compromised. an assessment of the other factors impermissible use or disclosure, Commenters argued that a rule discussed below. Alternatively, if the additional factors may need to be containing a bright line standard for covered entity disclosed a list of patient considered to appropriately assess the notification would be easier for both the discharge dates and diagnoses, the risk that the protected health regulated entities to implement and for information has been compromised. We HHS to enforce. We disagree. Although 11 We caution that many forms of health note that, although we have included a rule that required notification information, not just information about sexually this risk assessment in the final rule, following every impermissible use or transmitted diseases or mental health or substance this type of assessment of risk should disclosure may appear easier for abuse, are sensitive. 12 Information that has been de-identified in not be a new or different exercise for covered entities and business associates accordance with 45 CFR 164.514(a)–(c) is not covered entities and business associates. 
to implement—as no determination of protected health information, and thus, any Similar assessments of risk that data the risk that the protected health inadvertent or unauthorized use or disclosure of have been compromised must be information has been compromised such information is not considered a breach for purposes of this rule. performed routinely following security would be required—in effect, a bright VerDate Mar<15>2010 18:57 Jan 24, 2013 Jkt 229001 PO 00000 Frm 00078 Fmt 4701 Sfmt 4700 E:\FR\FM\25JAR2.SGM 25JAR2 sroberts on DSK5SPTVN1PROD with

79 / Vol. 78, No. 17 / Friday, January 25, 2013 / Rules and Regulations 5643 Federal Register factor, when considered in combination disclosures of protected health entity would need to consider whether information, since information any of the individuals could be with the factor regarding the impermissibly ‘‘used’’ remains within identified based on the specificity of the unauthorized recipient of the the covered entity or business associate. diagnosis, the size of the community information discussed above, may lead We disagree. The final rule requires a served by the covered entity, or whether to different results in terms of the risk risk assessment to be performed the unauthorized recipient of the to the protected health information. For following both impermissible uses and information may have the ability to example, a covered entity may be able disclosures (that do not otherwise fall combine the information with other to obtain and rely on the assurances of within the other enumerated exceptions available information to re-identify the an employee, affiliated entity, business to breach). However, the fact that affected individuals (considering this associate, or another covered entity that information only is impermissibly used factor in combination with the second the entity or person destroyed within a covered entity or business factor discussed below). We emphasize, information it received in error, while associate and the impermissible use however, that the entity must evaluate such assurances from certain third does not result in further impermissible all the factors, including those parties may not be sufficient. 
As disclosure outside the entity, is discussed below, before making a described above, certain commenters something that may be taken into determination about the probability of suggested that mitigation should only be account in conducting the risk risk that the protected health considered where the recipient of the assessment and may reduce the information has been compromised. information is a business associate of The second factor requires covered probability that the protected health the covered entity or another covered entities and business associates to information has been compromised. entity. We do not in this rule limit this The third factor requires covered consider the unauthorized person who factor to those circumstances but, as entities and business associates to impermissibly used the protected health discussed above, acknowledge that the investigate an impermissible use or information or to whom the recipient of the information will have an disclosure to determine if the protected impermissible disclosure was made. impact on whether the covered entity health information was actually Entities should consider whether the can conclude that an impermissible use acquired or viewed or, alternatively, if unauthorized person who received the or disclosure has been appropriately only the opportunity existed for the information has obligations to protect mitigated. information to be acquired or viewed. the privacy and security of the A covered entity’s or business For example, as we discussed in the information. 
For example, as discussed in the interim final rule, if protected health information is impermissibly disclosed to another entity obligated to abide by the HIPAA Privacy and Security Rules or to a Federal agency obligated to comply with the Privacy Act of 1974 and the Federal Information Security Management Act of 2002, there may be a lower probability that the protected health information has been compromised since the recipient of the information is obligated to protect the privacy and security of the information in a similar manner as the disclosing entity. We also emphasize that this factor should be considered in combination with the factor discussed above regarding the risk of re-identification. If the information impermissibly used or disclosed is not immediately identifiable, entities should determine whether the unauthorized person who received the protected health information has the ability to re-identify the information. For example, if information containing dates of health care service and diagnoses of certain employees was impermissibly disclosed to their employer, the employer may be able to determine that the information pertains to specific employees based on other information available to the employer, such as dates of absence from work. In this case, there may be more than a low probability that the protected health information has been compromised.

Several commenters suggested that a risk assessment need be completed following only impermissible

interim final rule, if a laptop computer was stolen and later recovered and a forensic analysis shows that the protected health information on the computer was never accessed, viewed, acquired, transferred, or otherwise compromised, the entity could determine that the information was not actually acquired by an unauthorized individual even though the opportunity existed. In contrast, however, if a covered entity mailed information to the wrong individual who opened the envelope and called the entity to say that she received the information in error, then, in this case, the unauthorized recipient viewed and acquired the information because she opened and read the information to the extent that she recognized it was mailed to her in error.

The final factor included in the final rule requires covered entities and business associates to consider the extent to which the risk to the protected health information has been mitigated. Covered entities and business associates should attempt to mitigate the risks to the protected health information following any impermissible use or disclosure, such as by obtaining the recipient’s satisfactory assurances that the information will not be further used or disclosed (through a confidentiality agreement or similar means) or will be destroyed, and should consider the extent and efficacy of the mitigation when determining the probability that the protected health information has been compromised. We note that this

associate’s analysis of the probability that protected health information has been compromised following an impermissible use or disclosure must address each factor discussed above. Other factors may also be considered where necessary. Covered entities and business associates must then evaluate the overall probability that the protected health information has been compromised by considering all the factors in combination, and we expect these risk assessments to be thorough, completed in good faith, and for the conclusions reached to be reasonable. If an evaluation of the factors discussed above fails to demonstrate that there is a low probability that the protected health information has been compromised, breach notification is required. We do note, however, that a covered entity or business associate has the discretion to provide the required notifications following an impermissible use or disclosure of protected health information without performing a risk assessment. Because the final rule clarifies the presumption that a breach has occurred following every impermissible use or disclosure of protected health information, entities may decide to notify without evaluation of the probability that the protected health information has been compromised. In the future, we will issue additional guidance to aid covered entities and business associates in performing risk assessments with respect to frequently occurring scenarios.

In addition to the removal of the harm standard and the creation of more objective factors to evaluate the probability that protected health information has been compromised, we have removed the exception for limited data sets that do not contain any dates of birth and zip codes. In the final rule, following the impermissible use or disclosure of any limited data set, a covered entity or business associate must perform a risk assessment that evaluates the factors discussed above to determine if breach notification is not required.

The vast majority of commenters were not supportive of the exception for certain limited data sets outlined in the interim final rule, either because they believed the exception did not go far enough and would chill research that needed access to birth dates and zip codes in limited data sets, or because of concerns regarding the re-identifiability of the limited information to which the exception applied. Based on the comments, we believe it is appropriate to require the impermissible use or disclosure of a limited data set, even those that do not contain dates of birth and zip codes, to be subject to a risk assessment to demonstrate that breach notification is not required. The final rule expressly includes a factor that would require consideration of the re-identifiability of the information, as well as a factor that requires an assessment of the unauthorized person who used the protected health information or to whom the disclosure was made (i.e., whether this person has the ability to re-identify the affected individuals). Thus, the factors are particularly suited to address the probability that a data set without direct identifiers has been compromised following an impermissible use or disclosure. Further, we believe in most cases that the result would be the same under this final rule as under the interim final rule with respect to whether an impermissible use or disclosure of a limited data set that also excludes dates of birth and zip codes constitutes a breach for which notification is required. Due to the lack of identifiers present in the protected health information, entities may reasonably determine that there is a low probability of risk that the information has been compromised; however, we stress that this is a fact specific determination to be made based on the circumstances of the impermissible use or disclosure.

We encourage covered entities and business associates to take advantage of the safe harbor provision of the breach notification rule by encrypting limited data sets and other protected health information pursuant to the Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals (74 FR 42740, 42742). If protected health information is encrypted pursuant to this guidance, then no breach notification is required following an impermissible use or disclosure of the information.

In addition to the comments discussed above, it was suggested that covered entities be required to include in their notice of privacy practices information about how a risk assessment will be conducted or their internal policies for determining whether a breach has occurred and notification is warranted. It was also suggested that the breach notice to the individual following discovery of a breach of unsecured protected health information contain information about the covered entity or business associate’s risk assessment to help the individual better assess the level of threat posed by the breach and to better determine the appropriate steps, if any, to take.

We decline to require that the covered entity’s notice of privacy practices include a description of how a risk assessment will be conducted, although covered entities may include such information in their notice of privacy practices if they choose. While each risk assessment will differ depending on the specific facts and circumstances surrounding the impermissible use or disclosure, we believe that the modifications in this final rule will help ensure that covered entities and business associates perform risk assessments more uniformly and objectively. We also note that the content requirements for the notice to the individual outlined in § 164.404(c) already require that the individual be notified of the circumstances of a breach, as well as what steps individuals should take to protect themselves from potential harm resulting from the breach.

One commenter suggested that we require a covered entity to hire an independent organization to assess the risk of an impermissible use or disclosure to determine if breach notification is required. We do not believe such a requirement is necessary, although covered entities are free to engage independent organizations to assist in making such determinations provided that, if access to protected health information is required, business associate agreements are entered into to protect the information. Further, we believe the modifications in this final rule are conducive to more uniform risk assessments across covered entities and business associates. Additionally, as with the interim final rule, we note that covered entities and business associates have the burden of proof, pursuant to § 164.414, to demonstrate that all notifications were provided or that an impermissible use or disclosure did not constitute a breach and to maintain documentation (e.g., of the risk assessment demonstrating that there was a low probability that the protected health information had been compromised or of the assessment that the impermissible use or disclosure falls within one of the other exceptions to breach), pursuant to 45 CFR 164.530(j)(1)(iv), as necessary to meet this burden of proof. Thus, covered entities and business associates have adequate incentive to conduct reasonable and diligent risk assessments.

Finally, after reviewing and considering the comments received regarding the exceptions to the definition of breach in the interim final rule, the Department adopts these exceptions without modification in this final rule. Although the substance of these exceptions has not changed, these exceptions are now located at paragraph (1) of the definition of breach instead of paragraph (2) to accommodate the modifications discussed above. We respond to the public comments addressing these exceptions, as well as to other comments received on the definition of “breach,” below.

Response to Other Public Comments

Comment: Many commenters expressed concern that violations of the minimum necessary standard may trigger breach notification obligations.

Response: We do not believe it would be appropriate to exempt minimum necessary violations from the breach notification obligations as we do not believe that all minimum necessary violations present a low probability that the protected health information has been compromised. Thus, uses or disclosures that impermissibly involve more than the minimum necessary information, in violation of §§ 164.502(b) and 164.514(d), may qualify as breaches. Such incidents must be evaluated as any other impermissible uses or disclosures to determine whether breach notification is not required. As explained above, there are several factors to be considered when determining the probability that the protected health information involved in an impermissible use or disclosure has been compromised, including the

unauthorized person who used the information or to whom the disclosure was made. Thus, where a minimum necessary violation occurs in a disclosure to a business associate or as an internal use within a covered entity or business associate, the fact that the information was not acquired by a third party would be considered as part of the risk assessment and may help lead to the conclusion that there is a low probability that the protected health information has been compromised. Alternatively, covered entities and business associates may determine that certain minimum necessary violations fall within the exceptions to the definition of breach at § 164.402(1)(i) or (1)(ii).

We note that the Privacy Rule’s minimum necessary standard requires a covered entity to make reasonable efforts to limit access to protected health information to those persons or classes of persons who need access to protected health information to carry out their duties and to disclose an amount of protected health information reasonably necessary to achieve the purpose of a disclosure. The Privacy Rule requires covered entities to determine and define in their policies and procedures how the minimum necessary standard applies to their own uses and disclosures. Thus, covered entities are in a good position to know when such policies and procedures have been violated and to assess the probability that the incident has compromised the security or privacy of the information. Finally, we will consider including further guidance regarding the interaction between the minimum necessary standard and the breach notification requirements in the guidance required by section 13405(b)(1)(B) of the HITECH Act.

Comment: Several commenters asked that we clarify the differences between “acquisition,” “access,” “use,” and “disclosure” in the exceptions in the final rule. These commenters expressed confusion regarding the use of these terms in the first two exceptions to the definition of breach, stating that the term “acquisition” connotes a disclosure of information, and thus, the exception regarding unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or business associate implicitly includes disclosures of protected health information.

Response: While the Privacy Rule uses the terms “use” and “disclosure,” we included both “acquisition” and “access” in the regulatory text for consistency with the statutory language. We interpret “acquisition” and “access” to information based on their plain meanings and believe that both terms are encompassed within the current definitions of “use” and “disclosure” in the HIPAA Rules. For example, an acquisition may be a “use” or “disclosure” depending on who acquired the information—i.e., a workforce member or someone outside the covered entity, such as a business associate.

Comment: Several commenters supported our interpretations of the statutory terms “employee,” “same facility,” and “similarly situated individual” with respect to the exceptions to the definition of breach.

Response: We retain these clarifications in this final rule.

Comment: Some commenters asked that we use the term “use” instead of “disclosure” to describe the type of information exchange contemplated by the exception for certain inadvertent disclosures among persons similarly authorized to access protected health information at a covered entity or business associate since the information must be shared within a covered entity or business associate for the exception to apply.

Response: We clarify that the exception at paragraph (1)(ii) of the definition of “breach” is intended to apply to certain “disclosures” that may occur “at” a covered entity, business associate, or organized health care arrangement in which the covered entity participates—e.g., to persons onsite at a covered entity’s facility that are not workforce members, such as physicians with staff privileges at a hospital. For impermissible “uses” of protected health information among workforce members of a covered entity or a business associate, a covered entity or business associate should determine whether the exception to breach at paragraph (1)(i) regarding certain unintentional acquisition, access, or use by a workforce member or person acting under the authority of a covered entity or business associate applies.

Comment: One commenter asked if breach notification is required in cases where an impermissible use or disclosure originally qualifies for either of the exceptions to breach at § 164.402(1)(i) or (1)(ii) at the time the incident occurs but later no longer fits within the exception because the protected health information is further used or disclosed in an impermissible manner.

Response: The applicability of an exception to breach must be judged at the time the incident is discovered and evaluated. If an exception to breach is determined to apply such that notification is not warranted, the inquiry into that breach ends; however, the covered entity or business associate should take appropriate steps to ensure that the information is not further used or disclosed impermissibly. If, sometime after making the determination that the exception applied, the information is impermissibly used or disclosed, the covered entity or business associate should treat that incident as a separate impermissible use or disclosure that warrants evaluation as a breach on its own. As explained more fully below, we treat a breach as having occurred at the time of the impermissible use or disclosure, which in the case of the first two exceptions to breach, is at the time of the “further” impermissible use or disclosure.

Comment: One commenter asked that we broaden the application of the inadvertent disclosure exception to apply to all routine disclosures between covered entities. Other commenters asked that the rule exempt from the breach notification obligations situations in which a covered entity discloses information to a business associate or another covered entity. Commenters noted that because covered entities and business associates are required to protect the privacy of protected health information, there is little risk that even an impermissible disclosure between such entities would compromise the security or privacy of the information.

Response: We do not agree that such situations warrant a blanket exception from the breach notification rules. In appropriate cases, some of these impermissible disclosures among covered entities and covered entities and business associates may fall within the existing exceptions to breach at paragraphs (1)(i) and (ii) of the definition. Otherwise, such disclosures must be evaluated as to the probability that the protected health information has been compromised based on a risk assessment of a number of factors. While the fact that the recipient of an impermissible disclosure is a covered entity or business associate with obligations to protect the privacy and security of protected health information is a consideration with respect to assessing the risk that the protected health information has been compromised, it is not the only factor. For example, a covered entity or business associate must also evaluate the extent to which the risk to the protected health information has been mitigated.

Comment: Several commenters suggested that the exceptions to breach should not apply to situations where

workforce members or employees further use or disclose information they unintentionally or inadvertently acquired, accessed, or used, even if such further use or disclosure is permitted under the Privacy Rule. Additionally, these commenters suggested that the breach exceptions should apply only in cases in which the workforce member or employee has taken appropriate steps to mitigate the unintentional acquisition, access, or use of protected health information, such as by alerting the sender of the misdirected information, if applicable, and returning or destroying it.

Response: We do not believe it is appropriate to prohibit the sharing of protected health information for permissible purposes following an unintentional or inadvertent error by a workforce member or an employee. Doing so would restrict access and disclosure of the protected health information for necessary treatment and other important purposes to the extent the workforce member or employee needed access to the information in the future for authorized purposes, which would adversely affect health care delivery. We believe that the rule strikes an appropriate balance by not allowing workforce member errors to be excepted from the definition of breach in cases where the workforce member takes the information he or she has mistakenly obtained and then misuses it.

With respect to requiring workforce members or employees to take appropriate steps to mitigate their unintentional access to protected health information, we note that the Privacy Rule already requires covered entities to ensure as part of their minimum necessary policies and procedures that workforce members have appropriate access to protected health information. Therefore, covered entities should ensure that workforce members who gain access in an unauthorized manner to protected health information do not continue to have such unauthorized access. This may require having policies which require workforce members to return or destroy the information to which they obtained unauthorized access. Further, covered entities must implement reasonable safeguards to protect against impermissible uses and disclosures, including further impermissible uses and disclosures by a workforce member who has gained unauthorized access to protected health information.

Comment: One commenter asked that we include an exception in the final rule for situations in which a laptop is lost and recovered and a forensic analysis shows that the protected health information on the computer was not accessed. The commenter stated that because the forensic analysis showed that the information was not compromised, a risk assessment should not be required.

Response: We do not include an explicit exception for this particular scenario. As we explained above, in cases where a lost laptop is recovered, the fact that a forensic analysis of the computer shows that its information was not accessed is a relevant consideration for the risk assessment, and entities in such situations may be able to demonstrate a low probability that the information has been compromised. However, covered entities and business associates still must document their risk assessments in these cases. We also note, as we did in the interim final rule, if a computer is lost or stolen, we do not consider it reasonable to delay breach notification based on the hope that the computer will be recovered.

Comment: Some commenters asked that we create an exception to breach to cover certain routine impermissible disclosures of protected health information. For example, commenters asked that we except from notification disclosures made as a result of the covered entity mailing information to a patient’s old address, faxing information to the wrong number, disclosures made as a result of leaving a voice message at the wrong number reminding a patient of an upcoming appointment, or, in situations where patients have identical or similar names, contacting the wrong patient to inform him or her that lab results were ready.

Response: We decline to create such an exception. The ability of a covered entity or business associate to demonstrate that a particular situation poses a low probability that the protected health information was compromised is very fact specific and will depend on an assessment of all of the factors discussed above, such as to whom the information was disclosed, what information was disclosed, and what mitigation has taken place. We also note that, in some cases, some of the situations contemplated by the commenters may fall within an existing exception. For example, if a covered entity mails protected health information about an individual to a wrong address, the impermissible disclosure may fall into the exception at paragraph (1)(iii) of the definition of breach if the information is returned, undelivered and unopened, to the covered entity, such that an unauthorized recipient could not reasonably have retained the information. If, however, the information was not returned or if the covered entity was informed by the unauthorized recipient that he had received and opened the mail in error, the covered entity would need to complete a risk assessment to determine the probability that the protected health information had been compromised as a result of the impermissible disclosure.

Comment: Several commenters asked that we harmonize the final rule with the FTC’s Health Breach Notification final rule.

Response: Although the FTC and HHS breach notification rules generally apply to different entities, HHS has worked closely with the FTC to ensure both sets of regulations were harmonized to the greatest extent possible by including the same or similar requirements within the constraints of the statutory language. In addition, in the few situations where an entity provides PHRs to customers of a HIPAA covered entity through a business associate arrangement but also provides PHRs directly to the public and a breach of its records occurs, in certain cases, the FTC will deem compliance with certain provisions of HHS’ rule as compliance with FTC’s rule. See 74 FR 42964. In particular, in such situations, it may be appropriate for the vendor to provide the same breach notice to all its PHR customers since it has a direct relationship with all the affected individuals. Thus, in those limited circumstances where a vendor of PHRs (1) provides notice to individuals on behalf of a HIPAA covered entity, (2) has dealt directly with these individuals in managing their PHR accounts, and (3) provides notice to its customers at the same time, the FTC will deem compliance with HHS requirements governing the timing, method, and content of notice to be compliance with the corresponding FTC rule provisions. Note, however, that the PHR vendor still must comply with all other FTC rule requirements, including the requirement to notify the FTC within ten business days after discovering the breach.

b. Definition of “Unsecured Protected Health Information”

Interim Final Rule

Section 13402(h)(1)(A) of the Act defines “unsecured protected health information” as “protected health information that is not secured through the use of a technology or methodology specified by the Secretary in guidance issued under [section 13402(h)(2)].” The Act at section 13402(h)(2) requires that the Secretary specify in the guidance the technologies and methodologies that

render protected health information unusable, unreadable, or indecipherable to unauthorized individuals. Accordingly, the interim final rule defined “unsecured protected health information” as protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized individuals through the use of a technology or methodology specified by the Secretary in guidance. This guidance, which was published in updated form within the preamble to the interim final rule and made available on the HHS Web site, specifies that only encryption and destruction, consistent with National Institute of Standards and Technology (NIST) guidelines, renders protected health information unusable, unreadable, or indecipherable to unauthorized individuals such that notification is not required in the event of a breach of such information.

Overview of Public Comments

While we received a number of technical and other comments on the guidance, we did not receive any comments on the language of the above definition itself. We intend to address the comments on the guidance in our next update to the guidance.

Final Rule

The final rule modifies the interim final rule’s definition of “unsecured protected health information” to replace the term “unauthorized individuals” in the definition with “unauthorized persons.” The term “individual” is defined in § 160.103 to mean the person who is the subject of the protected health information, which is not what is intended with the reference to “individual” in the definition of “unsecured protected health information.” Accordingly, the final rule uses more appropriately the term “unauthorized persons.” The final rule also modifies the definition to remove the term “on the HHS Web site” as unnecessary language. While we remove the reference to the HHS Web site from the regulatory text, we do plan to continue to post updates to the guidance on the Web site as they are issued.

2. Section 164.404—Notification to Individuals

Interim Final Rule

Section 13402(a) of the Act provides that a covered entity that accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds, uses, or discloses unsecured protected health information shall, in the case of a breach of such information that is discovered by the covered entity, notify each affected individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, or disclosed as a result of such breach. Accordingly, § 164.404(a)(1) of the interim final rule included the general rule that a covered entity shall, following the discovery of a breach of unsecured protected health information, notify each individual whose unsecured protected health information has been, or is reasonably believed to have been accessed, acquired, used, or disclosed as a result of such breach.

Breaches Treated as Discovered

Section 13402(c) of the HITECH Act states that a breach shall be treated as discovered by a covered entity or business associate as of the first day on which such breach is known or should reasonably have been known to the covered entity or business associate. The Act also specifies that this discovery is triggered as soon as any person, other than the individual committing the breach, who is an employee, officer, or other agent of the covered entity or business associate knows or should reasonably have known of the breach.

Section 164.404(a)(2) of the interim final rule implemented the Act’s discovery provision, with respect to covered entities by stating that a breach shall be treated as discovered by a covered entity on the first day the breach is known to the covered entity, or by exercising reasonable diligence would have been known to the covered entity. The interim final rule incorporated the term “by exercising reasonable diligence,” which is used in the HIPAA Enforcement Rule and defined to mean the “business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances.”

Section 164.404(a)(2) of the interim final rule further provided, in accordance with the Act, that a covered entity is deemed to have knowledge of a breach if such breach is known, or by exercising reasonable diligence would have been known, to any person other than the person committing the breach, who is a workforce member or agent of the covered entity. Thus, the breach is treated as discovered by the covered entity at the time the workforce member or other agent has knowledge of the breach. The rule also clarified that the federal common law of agency controls in determining who is an agent of the covered entity, which is consistent with how agency liability is determined under the HIPAA Rules.

Overview of Public Comments

Several commenters argued that a breach should be treated as discovered by a covered entity only after management has been notified of the incident. Commenters stated that the Department should not hold an entity responsible for knowing of a breach if an appropriately trained employee fails to inform the proper persons within the entity of a breach. Other commenters asked for guidance and more clarification regarding what it means for a covered entity or business associate to be exercising reasonable diligence, such as what frequency of monitoring for breaches is expected or what types of systems must covered entities and business associates have in place to detect breaches.

Final Rule

We retain § 164.404(a)(2) in this final rule without modification. We decline to adopt the suggestion that a covered entity be deemed to have discovered a breach only when management is notified of the breach. The HITECH Act itself provides that a breach is to be treated as discovered by a covered entity or business associate if “any person, other than the individual committing the breach, that is an employee, officer, or other agent of such entity or associate” knows or should reasonably have known of the breach. This concept is also consistent with the HIPAA Enforcement Rule and the Federal common law of agency. We encourage covered entities and business associates to ensure their workforce members and other agents are adequately trained on the importance of prompt reporting of privacy and security incidents.

With respect to those commenters asking for guidance on what it means for a covered entity to be exercising reasonable diligence, we note that the term reasonable diligence, as defined in § 160.401, means the business care and prudence expected from a person seeking to satisfy a legal requirement under similar circumstances. The determination of whether a person acted with reasonable diligence is generally a factual one, since what is reasonable depends on the circumstances. Factors to be considered include whether a covered entity or business associate took reasonable steps to learn of breaches and whether there were indications of breaches that a person seeking to satisfy the Rule would have investigated under similar circumstances. Covered entities and business associates may wish to look to how other covered entities and business associates operating under

84 5648 Federal Register / Vol. 78, No. 17 / Friday, January 25, 2013 / Rules and Regulations potential harm to individuals resulting adversely impact affected individuals similar circumstances conduct from the breach and that such harm is and the ability to mitigate adverse themselves for a standard of practice. not limited to economic loss. consequences. For the same reasons, we Timeliness To address the readability and continue to provide that the time period Section 13402(d) of the Act and the accessibility of the notice, the interim begins to run when the incident implementing regulations at final rule made a number of becomes known, not when it is § 164.404(b) require covered entities to clarifications. First, the Department determined that a breach as defined by notify individuals of a breach without included in the interim final rule a the rule has occurred. There is sufficient unreasonable delay but in no case later requirement that the breach notices be time within this standard both to than 60 calendar days from the written in plain language so that conduct a prompt investigation of the discovery of the breach, except in individuals will be able to understand incident and to notify affected certain circumstances where law them more easily, which means the individuals. enforcement has requested a delay. notice should be written at an With respect to what constitutes a Under this rule, the time period for appropriate reading level, using clear reasonable versus unreasonable delay breach notification begins when the language and syntax, and not include within the 60-day timeframe, such incident is first known, not when the any extraneous material that might determinations are fact specific and investigation of the incident is diminish the message it is trying to there are many factors that may be complete, even if it is initially unclear convey. 
relevant, including the nature of the whether the incident constitutes a Second, the interim final rule breach, number of individuals affected, breach as defined in the rule. A covered explained that some covered entities and resources of the covered entity. entity is expected to make the may have obligations under other laws Content of the Notification individual notifications as soon as with respect to their communication Section 13402(f) of the HITECH Act reasonably possible after the covered with affected individuals. For example, set forth the content requirements for entity takes a reasonable time to to the extent a covered entity is the breach notice to the individual. investigate the circumstances obligated to comply with Title VI of the Section 164.404(c) of the interim final surrounding the breach in order to Civil Rights Act of 1964, the covered rule incorporated the statutory entity must take reasonable steps to collect and develop the information elements, requiring the following ensure meaningful access for Limited required to be included in the notice to information be included in the notices, English Proficient persons to the the individual. The 60 days is an outer to the extent possible: (1) A brief services of the covered entity, which limit and therefore, in some cases, it description of what happened, could include translating the notice into may be an ‘‘unreasonable delay’’ to wait including the date of the breach and the frequently encountered languages. until the 60th day to provide date of the discovery of the breach, if Similarly, to the extent that a covered notification. 
known; (2) a description of the types of entity is required to comply with Overview of Public Comments unsecured protected health information Section 504 of the Rehabilitation Act of While some commenters generally that were involved in the breach (such 1973 or the Americans with Disabilities as whether full name, social security were supportive of this provision in the Act of 1990, the covered entity has an number, date of birth, home address, interim final rule, others argued that the obligation to take steps that may be account number, diagnosis, disability 60-day timeframe for notification to necessary to ensure effective code, or other types of information were individuals is unreasonable and communication with individuals with involved); (3) any steps individuals requested more time, such as 120 days, disabilities, which could include should take to protect themselves from to provide the notifications. Some making the notice available in alternate potential harm resulting from the commenters argued that the clock on the formats, such as Braille, large print, or breach; (4) a brief description of what 60-day timeframe should not begin to audio. the covered entity involved is doing to run until after a covered entity has Overview of Public Comments investigate the breach, mitigate the harm completed its investigation and Several commenters stated that the to individuals, and to protect against determined that a breach has occurred. content requirements for breach any further breaches; and (5) contact Another commenter expressed the need notification were too vague. Some procedures for individuals to ask for clarification about the types of commenters asked that we provide questions or learn additional delays in notifying individuals that templates or sample notices to be used information, which shall include a toll- would be considered reasonable and by covered entities. 
Other commenters free telephone number, an email whether a covered entity’s resources asked for more specific guidance about address, Web site, or postal address. would be taken into account in particular required content elements of The interim final rule added the term determining whether any delay was the notice, such as what information ‘‘diagnosis,’’ to the parenthetical listing reasonable. should be provided to individuals about of examples of types of protected health Final Rule a covered entity’s or business associate’s information, which was not in the mitigation efforts and regarding any statute, to make clear that, where We retain § 164.404(b) in this final employee sanctions, particularly if a appropriate, a covered entity may need rule without modification. This is the company has policies that require to indicate in the notification to the standard expressly provided for in the certain employment actions be kept individual whether and what types of statute and we otherwise do not believe confidential. It was also suggested that treatment information were involved in it necessary or prudent to extend the we publish a list of actions to be a breach. In addition, with respect to a timeframe. Covered entities and included in the notices based on the covered entity’s mitigation, the interim business associates have been operating type of breach with respect to the steps final rule replaced the statutory term under this timeliness standard since the individuals should take to protect ‘‘mitigate losses’’ with ‘‘mitigate harm to issuance of the interim final rule and we themselves from harm. 
Some individuals’’ to make clear that the believe a longer time period to notify commenters also asked that the notification should describe the steps individuals of breaches of unsecured Department clarify that the requirement the covered entity is taking to mitigate protected health information could VerDate Mar<15>2010 18:57 Jan 24, 2013 Jkt 229001 PO 00000 Frm 00084 Fmt 4701 Sfmt 4700 E:\FR\FM\25JAR2.SGM 25JAR2 sroberts on DSK5SPTVN1PROD with

85 5649 Federal Register / Vol. 78, No. 17 / Friday, January 25, 2013 / Rules and Regulations of a breach be sent to either the Methods of Notification to include ‘‘a brief description of what individual’s next of kin or personal happened’’ would not require the Section 13402(e)(1) of the HITECH representative, as such term is used for covered entity or business associate to Act provides for both actual written purposes of the Privacy Rule, describe how the breach occurred such notice to affected individuals, as well as recognizing that in some cases, a that it would create a roadmap for future substitute notice to affected individuals covered entity may have contact breaches. if contact information is insufficient or information for a personal out-of-date. Specifically, the statute Final Rule representative of a deceased individual requires breach notifications to be sent We retain § 164.404(c) in this final rather than the next of kin. To address by first-class mail at the last known rule without modification. The content administrative and privacy concerns address of the individual or next of kin requirements in the Rule generally with a covered entity being required to if the individual is deceased, or by mirror the content requirements in the obtain contact information for the next electronic mail if specified as the statute and each element is an important of kin of a deceased patient in cases preferred method by the individual. The component of the notice to ensure where the individual did not otherwise Act also provides that the notification individuals receive the information they provide the information while alive, the may be provided in one or more need to protect themselves to the extent interim final rule also clarified that a mailings as the information becomes possible from the consequences of a covered entity is only required to available. 
Where there is insufficient or breach and to learn what is being done provide notice to the next of kin or out-of-date contact information that to mitigate the breach and prevent personal representative if the covered precludes direct written notice to the future breaches. At the same time, the entity both knows the individual is individual, the statute requires that a content provisions are sufficiently deceased and has the address of the next substitute form of notice be provided to flexible to allow covered entities and of kin or personal representative of the the individual. If there is insufficient business associates to tailor the breach decedent. contact information for 10 or more notices based on the circumstances If a covered entity does not have individuals, the Act requires that the surrounding the breach and of the sufficient contact information for some substitute notice be a conspicuous entity. In our experience in or all of the affected individuals, or if posting on the home page of the covered administering the Rule since 2009, the some notices are returned as entity’s Web site or notice in major print Rule provides sufficient flexibility to undeliverable, the interim final rule or broadcast media in the geographic describe to the individual the required a covered entity to provide areas where the affected individuals circumstances surrounding the breach substitute notice for the unreachable likely reside, and in either case, that a in a more general manner that still individuals in accordance with toll-free number be included where provides the individual with pertinent § 164.404(d)(2). The interim final rule individuals can learn whether their information but that does not provide a required that substitute notice be information was possibly included in roadmap to third parties for future provided as soon as reasonably possible the breach. Finally, the Act provides breaches. 
For example, the notice need after the covered entity is aware that it that a covered entity may provide notice not explain the exact type of has insufficient or out-of-date contact by telephone or other means to vulnerability in the security of a covered information for one or more affected individuals, in addition to direct written entity’s electronic records system that individuals and that the notice contain notice by first-class mail or email, in led to unauthorized access and how that all the elements that § 164.404(c) urgent situations involving possible vulnerability was exploited. Similarly, a requires be included in the direct imminent misuse of the individual’s covered entity has flexibility in written notice to individuals. With information. describing what the covered entity is respect to decedents, however, the Section 164.404(d) of the interim final doing in response to a breach. Where interim final rule provided that a rule set forth these methods for employee sanctions are relevant based covered entity is not required to provide providing breach notification to affected on the circumstances of the breach, a substitute notice for the next of kin or individuals. Section 164.404(d)(1)(i) of covered entity may determine that it personal representative in cases where the interim final rule required a covered wants to describe the sanctions imposed the covered entity either does not have entity to provide breach notice to an more generally and nothing in the Rule contact information or has out-of-date affected individual in written form by would require that the notice include contact information for the next of kin first-class mail at the individual’s last the names of the employees involved. or personal representative. known address. 
The interim final rule For example, a covered entity may want Section 164.404(d)(2) of the interim also permitted covered entities to to indicate generally that the employees final rule required that, whatever provide this written notice in the form involved have been appropriately method used, the substitute form of of electronic mail if the individual has disciplined, particularly if multiple notice be reasonably calculated to reach agreed to receive electronic notice and employees received varying levels of the individuals for whom it is being that agreement has not been withdrawn. sanctions based on their degrees of provided. If there are fewer than 10 The Department clarified that, involvement in the breach. In other individuals for whom the covered entity consistent with § 164.502(g) of the cases, it may benefit the covered entity has insufficient or out-of-date contact Privacy Rule, where the individual information to provide the written to be more specific so as to better assure affected by a breach is a minor or notice, § 164.404(d)(2)(i) of the interim individuals that the entity is otherwise lacks legal capacity due to a final rule permitted the covered entity appropriately addressing the situation, physical or mental condition, notice to to provide substitute notice to such such as indicating that an employee the parent or other person who is the individuals through an alternative form who improperly accessed and sold personal representative of the of written notice, by telephone, or other patient information was promptly individual would satisfy the means. For example, if a covered entity terminated. requirements of § 164.404(d)(1). 
With respect to templates, examples, learned that the home address it has for one of its patients was out-of-date, but Additionally, with respect to deceased or other guidance, the Department it had the patient’s email address or individuals, the interim final rule at anticipates providing additional telephone number, it could provide § 164.404(d)(1)(ii) provided that notice guidance in the future. VerDate Mar<15>2010 18:57 Jan 24, 2013 Jkt 229001 PO 00000 Frm 00085 Fmt 4701 Sfmt 4700 E:\FR\FM\25JAR2.SGM 25JAR2 sroberts on DSK5SPTVN1PROD with

86 5650 Federal Register / Vol. 78, No. 17 / Friday, January 25, 2013 / Rules and Regulations Finally, several commenters contact information for some substitute notice by email (even if the expressed concern over the substitute individuals can attempt to update the patient had not agreed to electronic notice required in cases in which the contact information so that they can notice) or by phone. Alternatively, covered entity has insufficient or out-of- provide direct written notification, in posting a notice on the Web site of the date contact information for affected order to limit the number of individuals covered entity or at another location individuals. Many of these commenters for whom substitute notice is required may be appropriate if the covered entity stated that providing notification via and, thus, potentially avoid the lacks any current contact information Web posting or media publication is an obligation to provide substitute notice for the patients, so long as the posting inappropriate method of providing through a Web site or major print or is done in a manner that is reasonably substitute notice, except in cases in broadcast media under calculated to reach the individuals. If a covered entity has insufficient or which the covered entity can reasonably § 164.404(d)(2)(ii). In accordance with the statute, out-of-date contact information for 10 or define the universe of affected § 164.404(d)(3) makes clear that notice more individuals, then individuals. 
In other cases, such notice to the individual by telephone or other § 164.404(d)(2)(ii) of the interim final will not give individuals who view the means may be provided, in addition to rule required the covered entity to notice enough information to determine the direct written notice required by provide substitute notice through either if they are affected by a breach, and may § 164.404(d)(1), in cases deemed by the a conspicuous posting for a period of 90 cause unaffected individuals covered entity to require urgency days on the home page of its Web site unnecessary alarm. Some commenters because of possible imminent misuse of or conspicuous notice in major print or recommended that covered entities unsecured protected health information. broadcast media in geographic areas instead be required to use reasonable where the individuals affected by the efforts to identify alternative means of Overview of Public Comments breach likely reside. For either method providing direct notice to the affected Several commenters questioned involving 10 or more individuals, the individuals, such as by phone or email, which entity has the responsibility for covered entity was also required to have or to only require substitute media or providing notifications to individuals a toll-free phone number, active for 90 Web notice when a covered entity when a breach occurs at or by a business days, where an individual can learn cannot reach 10 or more individuals associate and whether a covered entity whether the individual’s unsecured directly by mail, phone, or email. Other could delegate its breach notification protected health information may be commenters argued that the substitute obligations to a business associate. included in the breach and to include notice requirements, particularly the Some commenters asked about the the number in the notice. 
requirement to establish a toll-free notification obligations in cases where a If a covered entity chooses to provide number, may be cost prohibitive to covered entity’s business associate that substitute notice on its Web site, the smaller covered entities. It was also experiences a breach is also a covered covered entity may provide all the suggested that smaller covered entities, entity itself. Others requested information described at § 164.404(c) particularly those in rural areas, should clarification regarding the obligations directly on its home page (‘‘home page’’ be allowed to provide substitute notice for providing breach notification where includes the home page for visitors to via handouts or postings at the covered multiple covered entities and business the covered entity’s Web site and the entity’s physical location even in cases associates are involved in health landing page or login page for existing where the entity has insufficient contact information exchange and it may be account holders) or may provide a information for more than 10 unclear where a breach occurred and/or prominent hyperlink on its home page individuals. which entity has responsibility for the to the notice containing such Final Rule breach. information. Additionally, many commenters If the covered entity does not have or We retain § 164.404(d) in this final suggested that covered entities be does not wish to use a Web site for the rule without modification. 
In response permitted to provide notification to substitute notice, the interim final rule to questions raised with respect to a individuals via telephone or orally required the covered entity to provide breach at or by a business associate, we instead of via written communication, substitute notice of the breach in major note that the covered entity ultimately or at a work address instead of a home print or broadcast media in geographic maintains the obligation to notify address, if the individual has specified areas where the individuals affected by affected individuals of the breach under one of these alternative methods or the breach likely reside. What is § 164.404, although a covered entity is locations as preferred for receiving considered major print or broadcast free to delegate the responsibility to the breach notification. Commenters raised media for a metropolitan area may be business associate that suffered the potential privacy concerns with very different from what is considered breach or to another of its business communicating with individuals via major print or broadcast media in a rural associates. This is the case even if the mail to their home, particularly where area, such that the use of local, city, or breach of the covered entity’s protected the individual has received highly health information occurred at or by a state-wide media may be appropriate confidential medical services, such as business associate that is also a covered depending on the circumstances. substance abuse or mental health entity. For example, if a covered Further, multiple media outlets may services, and others who may have provider (Provider A) hires another need to be utilized to reasonably reach access to the mail may not otherwise be covered provider’s practice (Provider B) individuals in different regions or aware of such condition or treatment. as a business associate to perform his States. 
In any event, substitute media Some commenters argued that because billing and other back office functions, notice, as with substitute Web notice, the Privacy Rule requires covered and a breach of Provider A’s protected must be conspicuous and thus, covered health information occurs at Provider B entities to accommodate reasonable entities should consider the location while performing these functions for requests by individuals to receive and duration of the notice to ensure the Provider A, it remains Provider A’s communications by alternative means or notice is reasonably calculated to reach responsibility to provide breach at alternative locations, the same the affected individuals. notification to the affected individuals, standard should apply to the provision Finally, we clarified that covered although Provider A may delegate this of breach notification. entities with out-of-date or insufficient VerDate Mar<15>2010 18:57 Jan 24, 2013 Jkt 229001 PO 00000 Frm 00086 Fmt 4701 Sfmt 4700 E:\FR\FM\25JAR2.SGM 25JAR2 sroberts on DSK5SPTVN1PROD with

87 5651 Federal Register / Vol. 78, No. 17 / Friday, January 25, 2013 / Rules and Regulations entities, such as those that have Web- confidential treatment services where responsibility to Provider B as its based relationships with individuals, to the individual has requested to receive business associate. Covered entities and business collect more information about communications in such a manner, we associates should consider which entity individuals (e.g., physical addresses) note that the HITECH Act specifically is in the best position to provide notice than they currently do. refers to ‘‘written’’ notice to be provided Response: The Rule allows a covered to the individual, which may depend on to individuals. However, we understand entity to provide written breach notice various circumstances, such as the the privacy concerns raised. We, thus, to an affected individual by email if the functions the business associate clarify that in the limited circumstances individual agrees to electronic notice performs on behalf of the covered entity in which an individual has agreed only and such agreement has not been and which entity has the relationship to receive communications from a withdrawn. We would expect that with the individual. covered health care provider orally or Similarly, when multiple covered covered entities that have primarily or by telephone, the provider is permitted entities participate in electronic health solely an online relationship with under the Rule to telephone the information exchange and there is a individuals would ask and encourage individual to request and have the breach of unsecured protected health individuals to receive breach notices by individual pick up their written breach information at a Health Information email and that generally individuals notice from the provider directly. In Organization (HIO), the obligation to would agree. 
However, an individual cases in which the individual does not notify individuals of the breach falls to that does not affirmatively agree to agree or wish to travel to the provider the covered entities. We recognize that receive breach notices by email, or that to pick up the written breach notice, the it may be difficult to determine what withdraws a prior agreement, has a right health care provider should provide all breached information is attributable to to notice by first-class mail. of the information in the breach notice Comment: One commenter suggested which covered entity’s individuals. For over the phone to the individual, that we excuse a covered entity from example, an HIO may store centralized document that it has done so, and the providing notification of a breach to an electronic health records (EHRs) for a Department will exercise enforcement individual where a licensed health care community, with each EHR including discretion in such cases with respect to professional has determined in the information generated by multiple the ‘‘written notice’’ requirement. We exercise of professional judgment that covered entities. In such circumstances, stress that our enforcement discretion the provision of such notice is likely to it may be necessary for the HIO to notify applies only to cases where the cause substantial harm to the all potentially affected covered entities individual affirmatively chooses not to individual. The commenter appeared to and for those covered entities to receive communications from a covered be concerned due to the nature of the delegate to the HIO the responsibility of health care provider at any written services it provides—mental health sending the required notifications to the addresses or email addresses, and not to services—and the distress breach affected individuals. 
This would avoid situations where providing telephonic notification could cause for certain of its the confusion of individuals receiving notice is simply less burdensome or patients. more than one notification about the easier on a provider and the entity has Response: The statute does not same breach. a valid address, or email address if include such an exception to the In response to the commenters who applicable, on file for the affected provision of breach notification, and we suggested that covered entities be individual. do not include one in this Rule. An permitted to accommodate reasonable Finally, with respect to commenters affected individual has a right to be requests by individuals to receive who expressed concerns with the informed of breaches of unsecured breach notifications by alternative substitute media and Web notice protected health information so the means or at alternative locations, we provisions of the interim final rule, we individual can take steps if appropriate provide the following guidance. The emphasize that these are statutory to protect themselves from the HITECH Act requires a covered entity to requirements that have been consequences. In situations where a provide breach notification to an incorporated into the Rule. Section health care provider believes that the affected individual in written form 13402(e)(1)(B) of the HITECH Act provision of written breach notification either at the last known address of the expressly requires that a covered entity to an individual may cause extreme individual or email address, if the that has insufficient or out-of-date anguish or distress, based on the individual agrees to receive notice contact information for 10 or more individual’s mental state or other electronically, where the covered entity individuals provide substitute circumstances, the provider may has sufficient contact information to do notification to such individuals via telephone the individual prior to the so. 
The Act and this rule do not prohibit posting on their Web site or notification time the breach notice is mailed or have a covered entity from sending a breach in major print or broadcast media in the them come into the provider’s office to notice to an alternative address rather areas in which the affected individuals discuss the situation. However, we note than a home address, such as a work likely reside. Additionally, the statute that the breach notification must still be address or post office box, or the requires such ‘‘notice in media or web mailed without unreasonable delay and individual’s email address of choice, if posting will include a toll-free phone in no case later than 60 calendar days the individual requests communications number where an individual can learn after discovery of the breach. Where a be sent to such an address. Further, a whether or not the individual’s provider is aware that an individual has covered health care provider (and health unsecured protected health information a personal representative due to plan, if potential endangerment is raised is possibly included in the breach.’’ incapacity or other health condition, the by the individual) is required by the Thus, we retain these requirements in breach notification may be sent to the Privacy Rule at § 164.522 to this final rule. personal representative. accommodate any such reasonable Response to Other Public Comments Many commenters Comment: requests. 
Federal Register / Vol. 78, No. 17 / Friday, January 25, 2013 / Rules and Regulations

In response to those commenters who urged that we allow breach notices to be provided orally or via telephone to individuals receiving highly

Comment: One commenter expressed concern about providing breach notification to individuals by first-class mail because it could require some

expressed support for allowing covered entities to provide breach notification to a deceased individual's personal representative instead of to the next of kin. One commenter suggested that we also allow covered entities to provide breach notification to the emergency contact provided by a deceased individual prior to death as this is the information they collect from individuals and yet this person may not be the next of kin or a personal representative of the deceased individual.

Response: We do not believe it appropriate to permit covered entities to send breach notifications to a deceased individual's emergency contact where such person is not a personal representative (such as an executor or administrator of the decedent's estate) or next of kin of the decedent, as such notices may convey information about the decedent's care the decedent never wished the emergency contact to have and/or may go to a person who has no authority to act on the notice.

Comment: To reduce the costs associated with sending breach notifications, one commenter asked that we adopt the Department of Labor's standard for providing COBRA Election Notices to allow a covered entity to: (1) Where a breach affects both a plan participant and the participant's spouse, send one breach notice addressed to both if both spouses reside at the same address; and (2) where a breach affects a dependent child (of any age) under a plan, send a breach notice to either the plan participant and/or the participant's spouse, provided the dependent child resides at the same address. The commenter stated the notice should clearly identify the individuals or classes of individuals to whom the notice applies.

Response: A covered entity is permitted to send one breach notice addressed to both a plan participant and the participant's spouse or other dependents under the plan who are affected by a breach, so long as they all reside at a single address and the covered entity clearly identifies on the notice the individuals to which the notice applies. Further, a covered entity may send a notice regarding the breach of a dependent child's protected health information addressed to the plan participant and/or participant's spouse living with the dependent child, so long as the participant and/or participant's spouse are the personal representatives of the dependent child and the notice clearly identifies to whom it applies. Such notices by first-class mail would meet the written notice requirements of § 164.404(d)(1)(i). However, one breach notice covering both the plan participant and the dependents under the plan mailed to the plan participant's address would not suffice if the address of one or more dependents affected by the breach was different than the participant's address. Further, where a plan participant (and/or spouse) is not the personal representative of a dependent under the plan, a covered entity must address a breach notice to the dependent himself or herself.

Comment: Several commenters expressed support for the acknowledgment in the preamble to the interim final rule that some covered entities may have obligations under Civil Rights laws to ensure that breach notifications are provided to individuals in alternative languages, and in alternative formats, such as Braille, large print, or audio, where appropriate. Some commenters requested additional guidance regarding how to ensure compliance with these laws with respect to breach notifications.

Response: Additional guidance on how to comply with Title VI of the Civil Rights Act of 1964, Section 504 of the Rehabilitation Act of 1973, and the Americans with Disabilities Act of 1990, is available on the OCR Web site at http://www.hhs.gov/ocr/civilrights/. Further, covered entities with questions on how to comply may contact one of OCR's ten regional offices. Contact information is available at http://www.hhs.gov/ocr/office/about/rgn-hqaddresses.html.

Comment: Some commenters suggested that the final rule adopt a substitute notification provision similar to that in many State laws that allows for substitute notification, rather than direct written notice, to the individual in the event of breaches affecting a very large number of individuals, such as over 250,000 or 500,000, where the costs of notification would be extremely high.

Response: The Act does not waive direct written notice to the individual when a breach has affected a threshold number of individuals and we do not do so in this rule.

Comment: One commenter requested confirmation that a covered entity could make multiple attempts to provide direct written notice to individuals within the 60-day timeframe before the individual counts towards the 10 or more threshold for providing substitute Web or media notice.

Response: We clarify that a covered entity can attempt to cure out-of-date contact information on individuals when notices are returned as undeliverable by the United States Postal Service to avoid substitute notice so long as a covered entity does so promptly upon receiving the returned notices and no later than 60 calendar days from discovery of the breach. However, at the time the covered entity is aware that it will be unable to reach 10 or more individuals with direct written notice, the covered entity should provide substitute Web or media notice as soon as reasonably possible thereafter, which may be prior to the end of the 60-day period depending on the circumstances.

Comment: One commenter stated that the required content of the breach notice itself, when made available to the public through the Web or media, could lead to the identification of individuals affected by the breach in some cases, undermining the intent of HIPAA's privacy and security protections.

Response: It is unclear the circumstances to which the commenter refers. For example, the notification must include the types of protected health information involved (e.g., social security numbers, dates of birth, full names). However, this is not a requirement to include in the notice the actual names or other identifiers of the affected individuals. We believe covered entities are able to post breach notices in a manner that does not identify particular individuals affected by a breach and thus, must do so.

Comment: One commenter asked that OCR engage in an educational campaign to ensure that covered entities and business associates understand their obligations under the breach notification rule.

Response: Published guidance is the primary method that the Department uses to educate and provide technical assistance to covered entities and business associates. We intend to issue guidance on these requirements in the future as questions are raised or clarifications sought.

3. Section 164.406—Notification to the Media

Section 13402(e)(2) of the HITECH Act, implemented at § 164.406 of the interim final rule, requires that a covered entity provide notice of a breach to prominent media outlets serving a State or jurisdiction, following the discovery of a breach if the unsecured protected health information of more than 500 residents of such State or jurisdiction is, or is reasonably believed to have been, accessed, acquired, or disclosed during such breach. This media notice is in addition to, not a substitute for, individual notice. In accordance with the Act, § 164.406(b) of the interim final rule required covered entities to notify prominent media outlets without unreasonable delay and in no case later than 60 calendar days after discovery of the breach. Section 164.406(c) of the interim final rule required that the notification to the media include the same information required to be included in the notification to the individual under § 164.404(c).

The interim final rule did not define "prominent media outlet" because what constitutes a prominent media outlet will differ depending upon the State or jurisdiction affected. For a breach affecting more than 500 individuals across a particular state, a prominent media outlet may be a major, general interest newspaper with a daily circulation throughout the entire state. In contrast, a newspaper serving only one town and distributed on a monthly basis, or a daily newspaper of specialized interest (such as sports or politics) would not be viewed as a prominent media outlet. Where a breach affects more than 500 individuals in a limited jurisdiction, such as a city, then a prominent media outlet may be a major, general-interest newspaper with daily circulation throughout the city, even though the newspaper does not serve the whole State.

With regard to the term "State," the existing definition of "State" at § 160.103 of the HIPAA Rules applies. Section § 160.103 defines "State" to mean "any one of the several States, the District of Columbia, the Commonwealth of Puerto Rico, the Virgin Islands, and Guam." We also expressly provided in the regulation that "State" for purposes of notice to the media includes American Samoa and the Northern Mariana Islands, because they were included in the HITECH Act's definition of "State" in addition to what appears in the definition at § 160.103. With respect to what was meant by "jurisdiction" as opposed to a "State," jurisdiction is a geographic area smaller than a state, such as a county, city, or town.

The interim final rule also clarified that some breaches involving more than 500 individuals who are residents in multiple States may not require notice to the media. For example, if a covered entity discovers a breach of 600 individuals, 200 of which reside in Virginia, 200 of which reside in Maryland, and 200 of which reside in the District of Columbia, the breach did not affect more than 500 residents of any one State or jurisdiction, and as such, notification is not required to be provided to the media pursuant to § 164.406. However, individual notification under § 164.404 would be required, as would notification to the Secretary under § 164.408 because the breach involved 500 or more individuals.

The Department also recognized that in some cases a breach may occur at a business associate and involve the protected health information of multiple covered entities. In such cases, a covered entity involved would only be required to provide notification to the media if the information breached included the protected health information of more than 500 individuals located in any one State or jurisdiction. For example, if a business associate discovers a breach affecting 800 individuals in a State, the business associate must notify the appropriate covered entity (or covered entities) subject to § 164.410 (discussed below). If 450 of the affected individuals are patients of one covered entity and the remaining 350 are patients of another covered entity, because the breach has not affected more than 500 individuals at either covered entity, there is no obligation to provide notification to the media under this section.

Section 164.406(c) requires that the notice to the media include the same content as that required for notification to the individual under § 164.404(c), and we emphasized that this provision does not replace either direct written or substitute notice to the individual under § 164.404.

Overview of Public Comments

In general, we received few comments on this provision of the interim final rule. One commenter expressed general support for this provision because it does not require the covered entity to incur the cost of printing or running the media notice and asked for clarification that this policy places no requirement on the media to publically report the information provided by a covered entity. Another commenter asked whether a covered entity could fulfill the requirements for providing media notification by posting a press release on the covered entity's Web site.

Final Rule

We retain § 164.406 in this final rule with one minor change. As described in Section IV above, to align the definition of "State" in the HIPAA Rules with the definition of the same term used in the HITECH Act, the Department has modified the definition of "State" at § 160.103 to include reference to American Samoa and the Northern Mariana Islands. Given this change, it is not necessary to include specific reference to American Samoa and the Northern Mariana Islands at § 164.406 and we remove it in this final rule.

In response to public comments, we clarify that § 164.406 does not require a covered entity to incur any cost to print or run media notice about a breach of unsecured protected health information (unlike the obligations for providing substitute notice to individuals in § 164.404(d)(2) if there is insufficient or out-of-date contact information for 10 or more affected individuals) nor does it obligate prominent media outlets who receive notification of a breach from a covered entity to print or run information about the breach. We also emphasize that posting a press release regarding a breach of unsecured protected health information on the home page of the covered entity's Web site will not fulfill the obligation to provide notice to the media (although covered entities are free to post a press release regarding a breach on their Web site). To fulfill the obligation, notification, which may be in the form of a press release, must be provided directly to prominent media outlets serving the State or jurisdiction where the affected individuals reside.

4. Section 164.408—Notification to the Secretary

Section 13402(e)(3) of the HITECH Act requires covered entities to notify the Secretary of breaches of unsecured protected health information. The Act requires covered entities to report breaches affecting 500 or more individuals to the Secretary immediately. For breaches affecting fewer than 500 individuals, covered entities may maintain a log of all such breaches occurring during the year and annually submit such log to the Secretary.

To implement the statutory provisions, § 164.408(a) contains the general rule that requires a covered entity to notify the Secretary following the discovery of a breach of unsecured protected health information. With respect to breaches involving 500 or more individuals, we interpreted the term "immediately" in the statute to require notification be sent to the Secretary concurrently with the notification sent to the individual under § 164.404 (i.e., without unreasonable delay but in no case later than 60 calendar days following discovery of a breach). The rule provided that these notifications be provided in a manner to be specified on the HHS Web site. Further, as required by section 13402(e)(4) of the Act, the interim final rule stated that the Secretary would begin to post and maintain on the HHS Web site a list of covered entities that submit reports of breaches of unsecured protected health information involving more than 500 individuals.

Under these provisions, covered entities must notify the Secretary of all discovered breaches involving more than 500 individuals, without regard to whether the breach involved more than 500 residents of a particular State or jurisdiction (the threshold for triggering notification to the media under § 164.406 of the interim final rule). Thus, where a covered entity has discovered a breach involving 600 individuals, 300 of which reside in Maryland and 300 of which reside in the District of Columbia, notification of the breach must be provided to the Secretary concurrently with notification to the affected individuals. However, in this example, the breach would not trigger the requirement to notify the media under § 164.406 because the breach did not involve more than 500 residents of any one State or jurisdiction.

For breaches involving less than 500 individuals, § 164.408(c) requires a covered entity to maintain a log or other documentation of such breaches and to submit information annually to the Secretary for breaches occurring during the preceding calendar year. The interim final rule required the submission of this information to the Secretary no later than 60 days after the end of each calendar year. As with notification of the larger breaches, the interim final rule required that information about breaches involving less than 500 individuals be provided to the Secretary in the manner specified on the HHS Web site.

Although covered entities need only provide notification to the Secretary of breaches involving less than 500 individuals annually, they must still provide notification of such breaches to affected individuals without unreasonable delay and not later than 60 days after discovery of the breach pursuant to § 164.404. In addition, pursuant to § 164.414(a), a covered entity must follow the documentation requirements that otherwise apply to the HIPAA Privacy Rule under § 164.530 with respect to the requirements of this rule. Thus, pursuant to § 164.530(j)(2), covered entities must maintain the internal log or other documentation for six years. Further, as with other required documentation, a covered entity must make such information available to the Secretary upon request for compliance and enforcement purposes in accordance with § 160.310.

Overview of Public Comments

Some commenters expressed concern regarding the timing of providing notification to the Secretary of breaches affecting fewer than 500 individuals. These commenters asked when notification should be provided if a covered entity discovers, after the reporting deadline, a breach that occurred in the previous year. Several others commented on the interim final rule's process for providing the Secretary with breach notification. Some commenters asked that this process be revised to allow covered entities to maintain a log of all breaches affecting fewer than 500 individuals and then submit that log, via attachment (such as an Excel spreadsheet), to the Secretary on an annual basis. These commenters stated that submitting reports of these smaller breaches in this manner would be much less burdensome than submitting the reports individually. Other commenters asked that we provide a template log for entities to use to document smaller breaches for annual submission to the Secretary. Additionally, several commenters suggested that there be access or authentication controls for submitting breach reports because of concerns of false breach reports being submitted to the Secretary without the covered entity's knowledge.

Final Rule

The final rule retains § 164.408(c) with one modification. The modification clarifies that covered entities are required to notify the Secretary of all breaches of unsecured protected health information affecting fewer than 500 individuals not later than 60 days after the end of the calendar year in which the breaches were "discovered," not in which the breaches "occurred." We recognize that there may be situations where, despite having reasonable and appropriate breach detection systems in place, a breach may go undetected for some time. In these cases, if a breach of unsecured protected health information affecting fewer than 500 individuals that occurred in the previous year is discovered, the covered entity has until 60 days after the end of the calendar year in which the breach was discovered to provide notice to the Secretary. We emphasize, however, that this modification does not alter a covered entity's obligation to promptly report the breach to affected individuals without unreasonable delay but in no cases later than 60 calendar days after discovery of the breach.

In response to the comments suggesting that covered entities be permitted to submit a log of all smaller breaches to the Secretary instead of submitting each breach individually through the online form, we agree that the current process may be burdensome for some entities and are considering alternative ways to receive such reports. With respect to the commenters who asked that access or authentication controls be added to the breach reporting form, we do not believe this is necessary at the present time. Since the Department began receiving and processing breach reports on September 23, 2009, we have not yet received a report that has been falsely submitted by an individual or entity not acting on behalf of the covered entity. Additionally, we emphasize that following receipt of a breach report that affects 500 or more individuals, we contact the covered entity identified in the breach report and verify the information in the report before we post any information about the breach on the HHS Web site. If circumstances change in the future, we will explore options for modifying the process.

Response to Other Public Comments

Comment: One commenter asked that the final rule should not interpret the term "immediately" in the statute to mean without unreasonable delay, but in no case later than 60 days, but rather to mean as soon as the breach is discovered. Another commenter asked that the final rule expand the timeframe for providing notification to the Secretary to no later than 120 days after discovery of a breach.

Response: We believe that our interpretation of "immediately" with respect to notification to the Secretary for breaches affecting 500 or more individuals is reasonable and appropriate and thus, retain the provision that requires such notice be provided contemporaneously with notice to the individual. Requiring contemporaneous notice allows the notice to the Secretary to include all of the information provided in the notice to the individual and better ensures that a covered entity does not report information to the Secretary that later turns out to be incorrect because the entity did not have sufficient time to conduct an investigation into the facts surrounding the breach. In addition, this interpretation satisfies the statutory requirement that notifications of larger breaches be provided to the Secretary immediately (as they occur) as compared to the reports of smaller breaches the statute allows be reported annually to the Secretary.

Comment: Some commenters asked for further guidance on submitting online breach notifications to the Secretary. Additionally, some commenters asked that HHS provide a confirmation to submitters that an initial breach report or an addendum to a breach report has been successfully submitted.

Response: Since the publication of the interim final rule, OCR has posted instructions for filling out and submitting the breach form on its Web site: http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/brinstruction.html. We will continue to examine the instructions for submitting breach notification to the Secretary and will update this information, as necessary, to ensure that covered entities are able to navigate and submit the form easily. The Department has also made changes to the process to ensure that covered entities receive a confirmation following their submission of breach notification to the Secretary. Additionally, we note that the breach reporting form does include an option for indicating that a submission is an addendum to a previous submission. OCR updates the original breach report, as appropriate, with any additional or modified information submitted in an addendum.

Comment: With respect to the posting of breaches affecting 500 or more individuals on the HHS Web site, some commenters stated that these breach submissions must be verified with the covered entity before they are posted publicly. Other commenters asked for clarification of what information will be posted, while another commenter asked that we post only the name of the covered entity involved in the breach. Finally, one commenter suggested that we only post these breaches on our Web site for a six month period.

Response: To provide helpful information to the public, OCR currently posts the following information regarding breaches affecting 500 or more individuals: name of the covered entity (and if applicable, the business associate) involved; State where the covered entity is located; number of individuals affected by the breach; the date of the breach; type of breach (e.g., theft, loss, unauthorized access/disclosure); and location of the breached information (e.g., laptop, paper records, desktop computer). Prior to posting this information, OCR verifies the information in the breach notification report with the covered entity. We do not believe it would serve the public to only disclose the name of the covered entity involved in each of the breaches, because the additional information enables members of the public to understand the nature of the breach and to determine if the breach affects them directly. In terms of how long information about each of the breaches is to remain posted, we intend to maintain the information on our Web site for as long as there is public interest and the data can remain posted in a manner that gives the public access effectively and efficiently.

5. Section 164.410—Notification by a Business Associate

Interim Final Rule

Section 13402(b) of the HITECH Act requires a business associate of a covered entity that accesses, maintains, retains, modifies, records, destroys, or otherwise holds, uses, or discloses unsecured protected health information to notify the covered entity when it discovers a breach of such information. The Act requires business associates to provide such notification to covered entities without unreasonable delay and in no case later than 60 days from discovery of the breach. Additionally, the Act requires business associates to provide covered entities with the identity of each individual whose unsecured protected health information has, or is reasonably believed to have been, affected by the breach. Section 164.410(a) implements section 13402(b) of the Act.

A business associate is required to notify the covered entity of the breach of unsecured protected health information so that the covered entity can notify affected individuals. In the interim final rule, we clarified that a business associate that maintains the protected health information of multiple covered entities need notify only the covered entity(s) to which the breached information relates. However, in cases in which a breach involves the unsecured protected health information of multiple covered entities and it is unclear to whom the breached information relates, it may be necessary to notify all potentially affected covered entities.

Section 164.410(a)(2) provides that a breach shall be treated as discovered by a business associate as of the first day on which such breach is known to the business associate or, by exercising reasonable diligence, would have been known to the business associate. As with a covered entity, a business associate shall be deemed to have knowledge of a breach if the breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is an employee, officer, or other agent of the business associate (determined in accordance with the Federal common law of agency). Similarly, as with knowledge imputed to covered entities, the Federal common law of agency controls in determining who is an agent of the business associate.

Section 164.410(b) requires that a business associate provide notice of a breach of unsecured protected health information to a covered entity without unreasonable delay and in no case later than 60 days following the discovery of a breach. With respect to timing, if a business associate is acting as an agent of a covered entity, then, pursuant to § 164.404(a)(2), the business associate's discovery of the breach will be imputed to the covered entity. In such circumstances, the covered entity must provide notifications under § 164.404(a) based on the time the business associate discovers the breach, not from the time the business associate notifies the covered entity. In contrast, if the business associate is not an agent of the covered entity, then the covered entity is required to provide notification based on the time the business associate notifies the covered entity of the breach. We encouraged covered entities and business associates to address the timing of this notification in their business associate contracts.

Section 164.410(c)(1) requires business associates, to the extent possible, to provide covered entities with the identity of each individual whose unsecured protected health information has been, or is reasonably believed to have been, breached. Depending on the circumstances, business associates could provide the covered entity with immediate notification of the breach and then follow up with the required information in § 164.410(c) when available but without unreasonable delay and within 60 days.

Section 164.410(c)(1) requires business associates to provide this information "to the extent possible," recognizing that there may be situations in which a business associate may be unaware of the identification of the individuals whose unsecured protected health information was breached. For example, a business associate that is a record storage company that holds hundreds of boxes of paper medical records on behalf of a covered entity may be unaware of the names of the individuals whose records are stored. Thus, if the business associate discovers that several boxes are missing, it may be unable to provide the covered entity with a list of the individuals whose information has been breached. In such circumstances, it is not our intent that the business associate delay notification of the breach to the covered entity, when the covered entity may be better able to identify the individuals affected.

Depending on the circumstances surrounding a breach of unsecured protected health information, a business associate may be in the best position to gather the information the covered entity is required by § 164.404(c) to include in the notification to the individual about the breach. Therefore, in addition to the identification of affected individuals, § 164.410(c)(2) requires a business associate to provide the covered entity with any other available information that the covered entity is required to include in the notification to the individual under § 164.404(c), either at the time it provides notice to the covered entity of the breach or promptly thereafter as information becomes available. Because we allow this information to be provided to a covered entity after the initial notification of the breach as it becomes available, a business associate should not delay the initial notification to the covered entity of the breach in order to collect information needed for the notification to the individual. To ensure the covered entity is aware of all the available facts surrounding a breach, the Rule also requires that a business associate provide this information even if it becomes available after notifications have been sent to affected individuals or after the 60-day period specified in § 164.410(b) has elapsed.

We clarified that business associates and covered entities would continue to have the flexibility to set forth specific obligations for each party, such as who will provide notice to individuals and when the notification from the business associate to the covered entity will be required, following a breach of unsecured protected health information, so long as all required notifications are provided and the other requirements of the interim final rule were met. We encouraged the parties to consider which entity is in the best position to provide notice to the individual, which may depend on circumstances, such as the functions the business associate performs on behalf of the covered entity and which entity has the relationship with the individual. We also encouraged the parties to ensure the individual does not receive notifications from both the covered entity and the business associate about the same breach, which may be confusing to the individual.

Overview of Public Comments

Many commenters expressed concern over the interim final rule's treatment of a covered entity's knowledge of a breach that occurs at or by a business associate. Some commenters stated that a covered

agent independent contractor. If knowledge is imputed when the business associate discovers the breach, one commenter argued that a covered entity would not have sufficient time to provide the required notifications to individuals in a timely manner. Other commenters argued that all business associates should be treated as agents of the covered entity, such that the business associate's knowledge of a breach is imputed to the covered entity. Finally, some commenters asked for more guidance on when a business associate is acting as an agent versus as an independent contractor and how to determine this status under the Federal common law of agency.

Final Rule

The final rule modifies § 164.410 only to make the following technical and non-substantive correction: in paragraph (a)(2) of § 164.410, the first sentence is revised to refer to paragraph (a)(1) rather than paragraph (1).

With respect to the commenters who expressed concern that a covered entity's knowledge of a breach depends not only on a business associate's discovery of the breach but also on the covered entity's relationship with the business associate, we acknowledge that there are many different types of relationships that can develop between covered entities and business associates based upon the function the business associate performs on behalf of the covered entity. In some situations, a business associate will be acting as an agent of the covered entity, and as such, it makes sense to treat the business associate's knowledge of a breach analogous to the knowledge of one of the covered entity's own employees. However, in other situations, because a business associate may not be an agent of the covered entity, it would not be reasonable to impute the business associate's knowledge directly to the covered entity, and therefore, the covered entity's knowledge depends on notification from the business associate. Furthermore, the use of the Federal common law of agency to determine the business associate's status with respect to the covered entity is consistent with the approach taken in the Enforcement Rule for determining agency liability under the HIPAA Rules. Thus, we believe the use of the standard is appropriate here and should be familiar to most entities. We provide additional guidance regarding who is an agent

covered entities to discuss and define in their business associate agreements the requirements regarding how, when, and to whom a business associate should notify the covered entity of a potential breach.

Response to Other Public Comments

Comment: Several commenters asked OCR to provide sample business associate agreement language to outline the covered entity's and business associate's obligations following a breach of unsecured protected health information.

Response: A covered entity's and business associate's obligations following a breach of unsecured protected health information will vary depending on the relationship. For example, whether a business associate will send the breach notices to affected individuals and/or to notify the Secretary (and media, if applicable) on behalf of a covered entity is a business decision of the parties and how quickly a business associate is to notify a covered entity of a breach within the required timeframe may be based on a number of factors, such as whether the business associate is an agent of the covered entity. However, to help covered entities and business associates implement the new business associate agreement requirements generally under the HITECH modifications to the HIPAA Rules, the Department has published sample business associate agreement provisions on its web site.

Comment: Some commenters asked what happens if a covered entity and a business associate disagree about whether an impermissible use or disclosure is a breach that requires notification. These commenters asked if both parties must be in agreement before breach notification obligations are triggered.

Response: The covered entity is ultimately responsible for providing individuals with notification of breaches and, as indicated above, the clock for notifying individuals of breaches begins upon knowledge of the incident, even if it is not yet clear whether the incident qualifies as a breach for purposes of this rule. Further, this final rule clarifies that the default presumption is that an impermissible use or disclosure is a breach unless it can be determined through a risk assessment that there is a low probability that the data may be compromised.
This standard should above in our response to comments on entity’s knowledge of a breach should allow for more uniform application of the HITECH modifications to the HIPAA begin when the business associate the risk assessment approach across Enforcement Rule. Because of the notifies them of the breach, regardless of covered entities and business associates. Comment: One commenter stated that agency implications on the timing of whether the business associate is an the requirement that a business breach notifications, we encourage agent of the covered entity or a non- VerDate Mar<15>2010 18:57 Jan 24, 2013 Jkt 229001 PO 00000 Frm 00092 Fmt 4701 Sfmt 4700 E:\FR\FM\25JAR2.SGM 25JAR2 sroberts on DSK5SPTVN1PROD with

93 5657 Federal Register / Vol. 78, No. 17 / Friday, January 25, 2013 / Rules and Regulations § 164.402, in cases where the covered Similarly, § 164.412(b), based on 45 associate notify a covered entity of a entity or business associate determined CFR 164.528(a)(2)(ii) of the Privacy breach of unsecured protected health that notifications were not required. To Rule, requires a covered entity or information is duplicative of a business conform to these provisions, § 160.534 business associate to temporarily delay associate’s other obligations to notify of the HIPAA Enforcement Rule makes a notification, notice, or posting if a law the covered entity of privacy violations clear that, during any administrative enforcement official states orally that a and security incidents. hearing, the covered entity has the notification would impede a criminal Business associates are Response: burden of going forward and the burden investigation or cause damage to required to report to covered entities of persuasion with respect to these national security. However, in this case, any security incidents or uses or issues. the covered entity or business associate disclosures of protected health Thus, when a covered entity or must document the statement and the information not provided for by their business associate knows of an identity of the official and delay business associate agreements, which impermissible use or disclosure of notification for no longer than 30 days, include but are broader than breaches of protected health information, it should unless a written statement meeting the unsecured protected health information maintain documentation that all above requirements is provided during under this Rule. For example, a security required notifications were made, or, that time. 
We interpreted these incident need not lead to unauthorized alternatively, to demonstrate that provisions as tolling the time within access to protected health information notification was not required: (1) Its risk which notification is required under (and thus, is not a breach) but is still an assessment (discussed above in §§ 164.404, 164.406, 164.408, and event that should be reported to the § 164.402) demonstrating a low 164.410, as applicable. covered entity. Further, when a security probability that the protected health incident occurs that does rise to the Final Rule information has been compromised by level of a breach, the breach notice to the impermissible use or disclosure or The Department did not receive the covered entity suffices to meet the (2) the application of any other public comments on this provision of requirement to report the security exceptions to the definition of ‘‘breach.’’ the interim final rule. We retain incident to the covered entity (however, § 164.412 in this final rule without Overview of Public Comments a covered entity may require through modification. the business associate agreement that One commenter stated that it is additional information be reported). 7. Section 164.414—Administrative critical that all employees are trained Therefore, these requirements are not Requirements and Burden of Proof and knowledgeable about what duplicative. constitutes a breach, so that the covered Interim Final Rule entity or business associate can provide 6. Law Enforcement Delay Section 164.414(a) requires covered the required notifications within the entities to comply with the Interim Final Rule required timeframe. The commenter administrative requirements of also maintained that OCR should Section 13402(g) of the HITECH Act § 164.530(b), (d), (e), (g), (h), (i), and (j) emphasize the necessity of this training. 
provides that if a law enforcement of the Privacy Rule with respect to the With respect to the burden of proof official determines that a notification, breach notification provisions of this placed upon covered entities and notice, or posting required under this subpart. These Privacy Rule provisions, business associates, one commenter section would impede a criminal for example, require covered entities agreed that covered entities and investigation or cause damage to and business associates to develop and business associates should have the national security, such notification, document policies and procedures, train burden to demonstrate that all notice, or posting shall be delayed in the workforce members on and have notifications were provided following a same manner as provided under 45 CFR sanctions for failure to comply with breach of unsecured protected health 164.528(a)(2) of the Privacy Rule in the these policies and procedures, permit information. However, the commenter case of a disclosure covered under such individuals to file complaints regarding asked that we include a presumption section. Section 164.412 implements these policies and procedures or a that an impermissible use or disclosure section 13402(g) of the Act, requiring a failure to comply with them, and of protected health information did not covered entity or business associate to require covered entities to refrain from constitute a breach if a covered entity or temporarily delay notification to the intimidating or retaliatory acts. Thus, a business associate has implemented a individual, the media (if applicable), to covered entity is required to consider breach notification policy, completed a a covered entity by a business associate, and incorporate the breach notification risk assessment, and documented that it and to the Secretary if instructed to do requirements with respect to its followed its policy in reaching a so by a law enforcement official. 
administrative compliance and other conclusion that breach notification was obligations. Section 164.412(a), based on the not required. Section 164.414(b) provides that, requirements of 45 CFR 164.528(a)(2)(i) Final Rule following an impermissible use or of the Privacy Rule, provides for a We retain § 164.414 in this final rule disclosure under the Privacy Rule, temporary delay of notification in without modification. We emphasize covered entities and business associates situations in which a law enforcement the importance of ensuring that all have the burden of demonstrating that official provides a statement in writing workforce members are appropriately all notifications were made as required that the delay is necessary because trained and knowledgeable about what by this subpart. Additionally, as part of notification would impede a criminal constitutes a breach and on the policies demonstrating that all required investigation or cause damage to and procedures for reporting, analyzing, notifications were made, a covered national security, and specifies the time and documenting a possible breach of entity or business associate, as for which a delay is required. In such unsecured protected health information. applicable, also must be able to instances, the covered entity is required We note that because this final rule demonstrate that an impermissible use to delay the notification, notice, or modifies the definition of breach as or disclosure did not constitute a posting for the time period specified by stated in the interim final rule, covered breach, as such term is defined at the official. VerDate Mar<15>2010 18:57 Jan 24, 2013 Jkt 229001 PO 00000 Frm 00093 Fmt 4701 Sfmt 4700 E:\FR\FM\25JAR2.SGM 25JAR2 sroberts on DSK5SPTVN1PROD with

94 5658 Federal Register / Vol. 78, No. 17 / Friday, January 25, 2013 / Rules and Regulations the exceptional case, we do not have relevant State laws with respect to the entities will need to update their breach requirements to understand the authority to preempt a State breach policies and procedures and retrain interaction and apply this preemption notification law that is not contrary to workforce members as necessary to standard appropriately. this Rule. reflect such modifications. In the interim final rule, we stated our With respect to this burden of proof, 10. Responses to Other Public belief that, in general, covered entities section 13402 of the statute places the Comments can comply with both the applicable burden of proof on a covered entity or Comment: One commenter asked State laws and this regulation and that business associate, if applicable, to in most cases, a single notification can whether penalties are automatically demonstrate that all notifications were satisfy the notification requirements assessed following a violation of the made as required. Therefore, section under State laws and this regulation. breach notification rule or if this is done 164.530(j)(1)(iv) requires covered For example, if a State breach at OCR’s discretion and whether civil entities to maintain documentation to notification law requires notification be money penalties can be assessed for the meet this burden of proof. This includes sent to the individual in a shorter time underlying cause of a breach of documentation that all required frame than is required by this unsecured protected health information notifications have been provided or that regulation, a covered entity that sends where a covered entity has provided all no breach occurred and notification was the notice within the time frame required breach notifications. not necessary. 
If a covered entity’s required by the State law will also be in OCR’s enforcement of the Response: determination with respect to whether a compliance with this regulation’s breach notification rule will be carried breach occurred is called into question, timeliness requirements. out pursuant to the Enforcement Rule. the covered entity should produce the Additionally, since the Act and rule Pursuant to the Enforcement Rule, OCR documentation that demonstrates the are flexible in terms of how the may impose a civil money penalty for a reasonableness of its conclusions based elements are to be described, and do not failure to comply with the breach on the findings of its risk assessment. prohibit additional elements from being notification rule. OCR also has the 8. Technical Corrections included in the notice, in general, discretion to work with the covered Federal requirements contain flexibility entity to achieve voluntary compliance The interim final rule made several for covered entities to develop a notice through informal resolution, except in technical changes to align the HIPAA that satisfies both laws. cases in which it has found a violation Rules in light of the new breach due to willful neglect. Because every notification requirements of subpart D. Overview of Public Comments breach of unsecured protected health See 74 FR 42755–56. We did not receive While some commenters were pleased information must have an underlying comments on these changes. We retain that the breach notification rule impermissible use or disclosure under the technical corrections made in the preempts conflicting State law, other the Privacy Rule, OCR also has the interim final rule and also make an commenters expressed confusion or authority to impose a civil money additional technical correction by concern with this preemption standard. 
penalty for the underlying Privacy Rule adding ‘‘and’’ to the end of Many commenters stated that despite violation, even in cases where all § 160.534(b)(1)(iii) to make clear the the fact that in most cases a covered required breach notifications were relationship between § 160.534(b)(1)(iii) entity may only need to provide one provided. and the new § 160.534(b)(1)(iv). notification to satisfy both State and VI. Modifications to the HIPAA Privacy Federal law, there will be some cases in 9. Preemption Rule Under GINA which a covered entity will have to Interim Final Rule provide multiple notices to the same A. Background The interim final rule clarified that individual to ensure compliance with The Genetic Information contrary State law will be preempted by all relevant laws. This will result in Nondiscrimination Act of 2008 these breach notification regulations. confusion for the individual and (‘‘GINA’’), Public Law 110–233, 122 Section 1178 of the Social Security Act, increased costs for the covered entity. Stat. 881, prohibits discrimination based 42 U.S.C. 1320d–7, which was added by Some of these commenters suggested on an individual’s genetic information HIPAA, provides that HIPAA that this Federal breach notification law in both the health coverage and administrative simplification provisions should preempt all State breach employment contexts. With respect to generally preempt conflicting State law. notification laws, or alternatively, that health coverage, Title I of GINA Section 160.203 states that a standard, HHS should work with Congress and generally prohibits discrimination in requirement, or implementation the States to harmonize the breach premiums or contributions for group specification that is adopted as notification laws such that only one coverage based on genetic information, regulation at 45 CFR parts 160, 162, or notice is required following a breach. 
proscribes the use of genetic 164 and that is ‘‘contrary to a provision Final Rule information as a basis for determining of State law preempts the provision of eligibility or setting premiums in the We maintain the preemption standard State law.’’ Thus, whether a State law is individual and Medicare supplemental discussed in the interim final rule, contrary to these breach notification (Medigap) insurance markets, and limits which is based on section 1128 of the regulations is to be determined based on the ability of group health plans, health Social Security Act and applies to the the definition of ‘‘contrary’’ at § 160.202, insurance issuers, and Medigap issuers HITECH Act’s breach notification which states that a State law is contrary to collect genetic information or to provisions by virtue of section 13421 of if ‘‘[a] covered entity would find it request or require that individuals the HITECH Act. We continue to believe impossible to comply with both the undergo genetic testing. Title II of GINA that, generally, covered entities are able State and Federal requirements’’ or if generally prohibits use of genetic to comply with both State and Federal the State law ‘‘stands as an obstacle to information in the employment context, requirements for providing breach the accomplishment and execution of restricts employers and other entities notification with one breach notice the full purposes and objectives’’ of the covered by Title II from requesting, based on the flexibility provided to breach notification provisions in the requiring, or purchasing genetic entities in this Rule. However, even in Act. Covered entities must analyze VerDate Mar<15>2010 18:57 Jan 24, 2013 Jkt 229001 PO 00000 Frm 00094 Fmt 4701 Sfmt 4700 E:\FR\FM\25JAR2.SGM 25JAR2 sroberts on DSK5SPTVN1PROD with

95 5659 / Vol. 78, No. 17 / Friday, January 25, 2013 / Rules and Regulations Federal Register Act. In addition, the term ‘‘health purposes of the Privacy Rule; (2) information, and strictly limits such insurance issuer,’’ as defined at 42 prohibit all health plans covered by the entities from disclosing genetic U.S.C. 300gg–91, includes a health HIPAA Privacy Rule from using or information. The Departments of Labor, maintenance organization (HMO). These disclosing protected health information Treasury, and Health and Human four types of entities (i.e., group health that is genetic information for Services (HHS) are responsible for plans, health insurance issuers, and underwriting purposes; (3) revise the administering and enforcing the GINA health maintenance organizations, as Title I nondiscrimination provisions, provisions relating to the Notice of defined in the PHSA, as well as issuers and the Equal Employment Opportunity Privacy Practices for health plans that of Medicare supplemental policies), Commission (EEOC) is responsible for perform underwriting; (4) make a correspond to the types of covered administering and enforcing the GINA number of conforming changes to 13 entities listed at subparagraphs (i) Title II nondiscrimination provisions. definitions and other provisions of the In addition to these through (iii) and (vi) of paragraph (1) of Rule; and (5) make technical corrections nondiscrimination provisions, section the definition of ‘‘health plan’’ at to update the definition of ‘‘health 105 of Title I of GINA contains new § 160.103 in the HIPAA Privacy Rule, plan.’’ privacy protections for genetic issued under HIPAA’s Administrative The 60-day public comment period information, which require the Simplification provisions. 
These also for the proposed rule closed on Secretary of HHS to revise the Privacy are the entities to which HIPAA’s December 7, 2009, and the Department Rule to clarify that genetic information nondiscrimination provisions apply and received approximately twenty-five 16 is health information and to prohibit to which the nondiscrimination comments in response to its proposal. group health plans, health insurance provisions of GINA Title I were After considering the public comments, issuers (including HMOs), and issuers of directed. the Department is issuing this final rule However, in addition to these four Medicare supplemental policies from to strengthen the privacy protections for types of entities, the HIPAA Privacy using or disclosing genetic information genetic information in accordance with 14 Rule also includes a number of other for underwriting purposes. GINA and the Department’s general entities within the definition of ‘‘health authority under sections 262 and 264 of B. Overview of the Proposed Rule plan’’: (1) Long-term care policies HIPAA. In developing this rule, the On October 7, 2009, the Department (excluding nursing home fixed- Department consulted with the published a notice of proposed indemnity policies); (2) employee Departments of Labor and Treasury, as rulemaking (NPRM or ‘‘proposed rule’’) welfare benefit plans or other required by section 105(b)(1) of GINA, to strengthen the privacy protections for arrangements that are established or to ensure, to the extent practicable, genetic information under the HIPAA maintained for the purpose of offering consistency across the regulations. In Privacy Rule by implementing the or providing health benefits to the addition, the Department coordinated protections for genetic information employees of two or more employers (to with the EEOC in the development of 15 required by GINA and making related the extent that they are not group health these regulations. changes to the Rule. 
In particular, in plans or health insurance issuers); (3) The provisions of the proposed rule accordance with section 105 of GINA high risk pools that are mechanisms and the public comments received that and the Department’s general authority established under State law to provide were within the scope of the proposed under sections 262 and 264 of HIPAA, health insurance coverage or rule are described in more detail below the Department proposed to: (1) comparable coverage to eligible in the section-by-section description of Explicitly provide that genetic individuals; (4) certain public benefit the final rule. information is health information for programs, such as Medicare Part A and C. Section-by-Section Description of B, Medicaid, the military and veterans’ 13 Final Rule and Response to Public The Departments of Labor (Employee Benefits health care programs, the Indian Health Security Administration), Treasury (Internal Comments Service program, and others; as well as Revenue Service), and HHS (Centers for Medicare (5) any other individual or group plan, 1. Scope: Extension of Required & Medicaid Services (CMS)) have issued regulations or combination of individual or group in a separate rulemaking (at 74 FR 51664) to Protections to All Health Plans Subject implement sections 101–103 of GINA, which plans that provides or pays for the cost to the HIPAA Privacy Rule amended: section 702 of the Employee Retirement of medical care (as the term ‘‘medical Income Security Act of 1974 (29 U.S.C. 1182); Proposed Rule care’’ is defined in section 2791(a)(2) of section 2702 of the Public Health Service Act (42 the PHSA, 42 U.S.C. 300gg–91(a)(2)). Section 105 of GINA requires HHS to U.S.C. 300gg–1) (renumbered as section 2705 by the Affordable Care Act); and section 9802 of the This last category includes, for example, modify the Privacy Rule to prohibit ‘‘a Internal Revenue Code of 1986. 
Section 104 of certain ‘‘excepted benefits’’ plans covered entity that is a group health GINA applies to Medigap issuers, which are subject described at 42 U.S.C. 300gg–91(c)(2), plan, health insurance issuer that issues to the provisions of section 1882 of the Social such as limited scope dental or vision health insurance coverage, or issuer of Security Act that are implemented by CMS, and benefits plans. See the definition of which incorporate by reference certain provisions a medicare [sic] supplemental policy’’ in a model regulation of the National Association ‘‘health plan’’ at § 160.103. from using or disclosing genetic of Insurance Commissioners (NAIC). The NAIC In the NPRM, the Department, using information for underwriting purposes. amended its model regulation on September 24, both its authority under GINA as well as Section 105 of GINA provides that the 2008, to conform to section 104 of GINA, and the its broad authority under HIPAA, amended regulation was published by CMS in the terms ‘‘group health plan’’ and ‘‘health on April 24, 2009, at 74 FR 18808. Federal Register proposed to apply the prohibition on insurance coverage’’ have the meanings With respect to Title II of GINA, the EEOC issued using and disclosing protected health given such terms under section 2791 of final regulations on November 9, 2010, at 75 FR information that is genetic information the Public Health Service Act (PHSA) 68912. for underwriting to all health plans that 14 (42 U.S.C. 300gg–91), and that the term Section 105 of GINA, entitled ‘‘Privacy and are subject to the Privacy Rule, rather Confidentiality,’’ amends Part C of Title XI of the ‘‘medicare [sic] supplemental policy’’ Social Security Act by adding section 1180 to than solely to the plans GINA explicitly has the meaning given such term in address the application of the HIPAA Privacy Rule requires be subject to the prohibition. section 1882(g) of the Social Security to genetic information. 
As explained in the proposed rule, the 15 Any reference in this preamble to GINA is a HIPAA Administrative Simplification 16 http:// The public comments are available at reference to Title I of GINA, except as otherwise . www.regulations.gov indicated. provisions provide the Secretary with VerDate Mar<15>2010 18:57 Jan 24, 2013 Jkt 229001 PO 00000 Frm 00095 Fmt 4701 Sfmt 4700 E:\FR\FM\25JAR2.SGM 25JAR2 sroberts on DSK5SPTVN1PROD with

96 5660 Federal Register / Vol. 78, No. 17 / Friday, January 25, 2013 / Rules and Regulations Final Rule States also regulate the use of genetic broad authority to craft privacy information in disability insurance, and standards that uniformly apply to all The final rule adopts the approach of ten States regulate its use in long-term health plans, regardless of whether such the proposed rule to apply the care insurance, and it is expected that health plans are governed by other prohibition on using or disclosing these numbers will continue to increase. portions of the HIPAA statute. In protected health information that is The commenter stated that as States addition, the Department indicated in genetic information for underwriting move forward in this area it was the proposed rule that nothing in GINA purposes to all health plans that are appropriate for the Federal government explicitly or implicitly curtails this covered entities under the HIPAA to do so as well. However, this and one broad authority of the Secretary to Privacy Rule, including those to which other commenter, while generally in promulgate privacy standards for any GINA does not expressly apply, except support of extending the prohibition on and all health plans that are governed with regard to issuers of long term care using or disclosing genetic information by the HIPAA Administrative policies. We continue to disagree with for underwriting to all health plans, also Simplification provisions. the commenters that stated such an Under the Privacy Rule, and recommended that the Department extension would conflict with GINA consistent with HIPAA, an individual’s monitor the impact of such a and is outside the scope of our privacy interests and rights with respect prohibition on long-term care insurers. authority. 
to the use and disclosure of protected health information are protected uniformly without regard to the type of health plan that holds the information. Thus, under the Privacy Rule, individuals can expect and benefit from privacy protections that do not diminish based on the type of health plan from which they obtain health coverage. In developing the proposed rule, the Department believed that individuals’ interests in uniform protection under the Privacy Rule against the use or disclosure of their genetic information for underwriting purposes would outweigh any adverse impact on health plans that are not covered by GINA, particularly since it was not expected that all of the health plans subject to the Privacy Rule use or disclose protected health information that is genetic information for underwriting (or even perform underwriting generally, in the case of some of the public benefit plans). For these reasons, the Department proposed to apply the prohibition on using or disclosing protected health information that is genetic information for underwriting purposes to all health plans that are HIPAA covered entities.

Overview of Public Comments

The Department received comments both in support of and against the proposed application of the prohibition on using or disclosing genetic information for underwriting purposes to all health plans covered by the Privacy Rule. Several commenters agreed that the extension of the proposed requirements to all health plans is an appropriate exercise of the Secretary’s discretion under HIPAA and is necessary to protect the privacy interests of all individuals without regard to the type of health plan holding individuals’ health information, and stated that such an extension would further encourage individuals to take advantage of genetic services. In addition, one commenter in support of the proposal indicated that sixteen

A few commenters did not support the Department’s proposal and argued that the prohibition against using or disclosing genetic information for underwriting purposes in the Privacy Rule should apply only to those plans to which GINA expressly applies. Commenters argued that applying the prohibition beyond the health plans identified in GINA was contrary to GINA and its intent.

Certain commenters expressed particular disagreement and concern with applying the prohibition on the use of genetic information for underwriting to long-term care insurers. One commenter argued that there was clear Congressional intent in the legislative history of GINA to exempt ‘‘excepted benefits,’’ particularly long-term care insurance, from any prohibitions under GINA and thus, the Privacy Rule should not apply the prohibition on underwriting with genetic information to issuers of long term care policies. The commenter also argued that the GINA prohibition should not apply to long-term care insurers because long-term care plans have different characteristics from other health plans and applying the GINA prohibition to long-term care insurers would jeopardize the ability of long-term care insurers to adequately underwrite and thus, the viability of the long-term care insurance market. The commenter explained that this would be due to the fact that when underwriting, long term care insurers look to determine an individual’s probability of needing long-term care in the future and diagnosis of a particular condition is not the only way this may be determined and in some cases may not even be relevant to such a determination. The Department also heard similar concerns about the potential negative impact of an underwriting prohibition on the economic viability of the long-term market, from certain members of Congress who wrote to the Secretary on this issue, as well as from certain outside parties during fact finding meetings held by the Department.

As explained more fully in the proposed rule, the Department has broad authority under HIPAA to regulate a health plan’s uses and disclosures of protected health information, including genetic information, to protect an individual’s privacy interests. See 74 FR 51698, 51699–51700. It does not follow that by exempting ‘‘excepted benefits’’ from the prohibitions under GINA that Congress intended to restrict the Department’s broad authority under HIPAA. Further, there is no conflict with GINA in extending the same privacy protections outlined in GINA to those health plans that are not covered by GINA but are otherwise covered by the HIPAA Privacy Rule. GINA and section 264 of HIPAA are not irreconcilably inconsistent but rather operate concurrently without conflict. Lastly, GINA did not override HIPAA, and did not displace the Department’s authority to prohibit uses and disclosures of genetic information that GINA does not otherwise prohibit. Therefore, nothing in GINA explicitly or implicitly curtails the broad authority of the Secretary to promulgate privacy standards for any and all health plans that are governed by the HIPAA Administrative Simplification provisions.

We also continue to believe that individuals have a strong privacy interest in not having their genetic information used in an adverse manner for underwriting purposes and to believe that this privacy interest outweighs any adverse impact on most health plans covered by the Privacy Rule. With respect to most health plans not subject to GINA, the public comment did not indicate that a prohibition on using genetic information for underwriting would have significant adverse impacts on the viability of these plans. Nor did the public comment generally provide information showing that these health plans actually use or disclose protected health information that is genetic information for underwriting, or plan to
do so in the future (or even perform underwriting generally, in the case of some of the public benefit plans). However, as indicated above, the Department did hear from a number of sources about the potential adverse impact a prohibition on using genetic information for underwriting would have on the ability of a long-term care insurer to effectively underwrite and thus, on the viability of the long-term care insurance market generally. The Department recognizes the importance of long-term care insurance coverage and the need to ensure its continued availability. The Department also acknowledges that, at this time, it does not have the information necessary to more precisely and carefully measure the extent of such an impact on the long-term market in order to appropriately balance an individual’s privacy interests with such an impact. Thus, this final rule excludes long-term care plans from the underwriting prohibition.

While we exempt long-term care plans from the underwriting prohibition in this final rule, we continue to believe an individual has a strong privacy interest in the way his or her genetic information is used for the underwriting of long-term care insurance. At the current time, however, we do not have sufficient information to determine the proper balance between the individual’s privacy interests and the industry’s concerns about the cost effects of excluding genetic information. For that reason, we are looking into ways to obtain further information on this issue, such as through a study by the National Association of Insurance Commissioners (NAIC) on the tension between the use of genetic information for underwriting and the associated privacy concerns in the context of their model long-term care rules. Based on the information the Department may obtain, the Department will reassess how best to move forward in this area in the future.

Long-term care plans, while not subject to the underwriting prohibition, continue to be bound by the Privacy Rule, as are all other covered health plans, to protect genetic information from improper uses and disclosures, and to only use or disclose genetic information as required or expressly permitted by the Rule, or as otherwise authorized by the individual who is the subject of the genetic information.

2. Section 160.101—Statutory Basis and Purpose

We have revised § 160.101, which describes the statutory basis of the HIPAA Rules, to include a reference to section 1180 of the Social Security Act, as added by section 105 of GINA (Pub. L. 110–233).

3. Section 160.103—Definitions

The final rule modifies § 160.103 of the Privacy Rule to: (1) Revise the definition of ‘‘health information’’ to make clear that the term includes ‘‘genetic information;’’ (2) add definitions for the GINA-related terms of ‘‘family member,’’ ‘‘genetic information,’’ ‘‘genetic services,’’ ‘‘genetic test,’’ and ‘‘manifestation or manifested;’’ and (3) make technical corrections to the definition of ‘‘health plan.’’ With respect to the GINA-related terms, the final rule adopts definitions that are generally consistent with the definitions of such terms promulgated in the implementing regulations for sections 101–103 of GINA. This will facilitate compliance for those health plans subject to both the privacy as well as the nondiscrimination provisions of GINA.

a. Definition of ‘‘Health information’’

Proposed Rule

Prior to enactment of GINA, the Department issued guidance that genetic information is health information protected by the Privacy Rule to the extent that such information is individually identifiable and held by a covered entity (subject to the general exclusions from the definition of ‘‘protected health information’’).17 Section 105 of GINA requires the Secretary to revise the Privacy Rule to make clear that genetic information is health information under the Rule. Thus, the Department proposed to modify the definition of ‘‘health information’’ at § 160.103 to explicitly provide that such term includes genetic information.

Overview of Public Comments

The Department received a few comments expressing specific support for and one comment against the proposed inclusion of the term ‘‘genetic information’’ in the definition of ‘‘health information.’’ The commenters supporting the revision to the definition of ‘‘health information’’ indicated that such an inclusion was necessary to clarify that genetic information is health information. The commenter against the proposed inclusion to the definition argued that although GINA directs the Department to treat genetic information as health information, the language of GINA does not require a change to the definition of ‘‘health information,’’ and this change would create costs for health plans, which would have to update all their policies and procedures to reflect the change.

Final Rule

The final rule adopts the proposed modification to the definition of ‘‘health information’’ at § 160.103. This modification to the definition is a necessary clarification to the Privacy Rule based on the statutory language. Given that revising the definition of ‘‘health information’’ to include genetic information does not substantively change the scope of the Privacy Rule, it is unclear why such a change alone would require revisions to a health plan’s policies and procedures. Health plans that perform underwriting will otherwise need to revise their policies and procedures as necessary to comply with this final rule, as well as the modifications to the HIPAA Rules required by the Health Information Technology for Economic and Clinical Health (HITECH) Act. Thus, to the extent the concern about this modification stems from the fact that a health plan’s policies and procedures quote the prior regulatory definition of ‘‘health information,’’ the health plan can revise the definition at the time it is otherwise updating its policies and procedures to comply with these rules.

b. Definition of ‘‘Genetic Information’’

Proposed Rule

The term ‘‘genetic information’’ is defined in GINA and establishes what information is protected by the statute. Section 105 of GINA provides that the term ‘‘genetic information’’ in section 105 shall have the same meaning given the term in section 2791 of the PHSA (42 U.S.C. 300gg–91), as amended by section 102 of GINA. Section 102(a)(4) of GINA defines ‘‘genetic information’’ to mean, with respect to any individual, information about: (1) Such individual’s genetic tests; (2) the genetic tests of family members of such individual; and (3) the manifestation of a disease or disorder in family members of such individual (i.e., family medical history). GINA also provides that the term ‘‘genetic information’’ includes, with respect to any individual, any request for, or receipt of, genetic services, or participation in clinical research which includes genetic services, by such

17 See, e.g., Frequently Asked Question number 354, available at http://www.hhs.gov/ocr/privacy/hipaa/faq/protected_health_information/354.html, which states: Question: Does the HIPAA Privacy Rule protect genetic information? Answer: Yes, genetic information is health information protected by the Privacy Rule. Like other health information, to be protected it must meet the definition of protected health information: it must be individually identifiable and maintained by a covered health care provider, health plan, or health care clearinghouse. See also 45 CFR 160.103.
individual or family member of such individual. GINA expressly provides that the term ‘‘genetic information’’ shall not include information about the sex or age of any individual. This basic definition of ‘‘genetic information’’ in section 102(a)(4) of GINA (and that is to apply for purposes of section 105) is also expanded by section 102(a)(3), which provides that any reference to genetic information concerning an individual or family member in the PHSA shall include: with respect to an individual or family member of an individual who is a pregnant woman, the genetic information of any fetus carried by such pregnant woman; and with respect to an individual or family member utilizing an assisted reproductive technology, the genetic information of any embryo legally held by the individual or family member.

The Department proposed to include this statutory definition of ‘‘genetic information’’ in § 160.103.

Overview of Public Comments

Most commenters did not address the proposed definition of ‘‘genetic information’’ in their comments on the proposed rule. However, one commenter stated that it was unclear what information may fall within the scope of the term ‘‘genetic information’’ and whether such term may be construed to include traditional medical information or medical tests used in underwriting today.

Final Rule

The final rule adopts without modification the definition of ‘‘genetic information’’ proposed in the NPRM. This definition is consistent with the definition found in the implementing regulations for sections 101–103 of GINA and with which compliance is already required by most health plans.

The term ‘‘genetic information’’ includes information about the genetic tests of the individual or of the individual’s family members and about diseases or disorders manifested in an individual’s family members (i.e., family health history). Thus, information about manifested diseases, disorders, or conditions of the individual or medical tests that do not meet the rule’s definition of ‘‘genetic test,’’ such as HIV tests, complete blood counts, cholesterol or liver function tests, or tests to detect for the presence of alcohol or drugs, are not genetic information, and such information may be used or disclosed for underwriting purposes. Conversely, family health histories and information about genetic tests, such as tests to determine whether an individual or family member has a gene variant associated with breast cancer, are genetic information, and such information may not be used or disclosed for underwriting purposes. The definitions of ‘‘manifestation or manifested’’ and ‘‘genetic test’’ are discussed more fully below.

c. Definition of ‘‘Genetic Test’’

Proposed Rule

As explained above, GINA provides that the term ‘‘genetic information’’ includes information about an individual’s genetic tests or the genetic tests of family members of the individual. Section 105 of GINA provides that the term ‘‘genetic test’’ shall have the same meaning as the term has in section 2791 of the PHSA (42 U.S.C. 300gg–91), as amended by section 102 of GINA. Section 102(a)(4) of GINA amends section 2791(d) of the PHSA to define ‘‘genetic test’’ to mean ‘‘an analysis of human DNA, RNA, chromosomes, proteins, or metabolites, that detects genotypes, mutations, or chromosomal changes.’’ GINA further clarifies that the term ‘‘genetic test’’ does not include an analysis of proteins or metabolites that does not detect genotypes, mutations, or chromosomal changes, nor does it include an analysis of proteins or metabolites that is directly related to a manifested disease, disorder, or pathological condition that could reasonably be detected by a health care professional with appropriate training and expertise in the field of medicine involved.

Consistent with the statutory definition, the Department proposed to define ‘‘genetic test’’ at § 160.103 as an analysis of human DNA, RNA, chromosomes, proteins, or metabolites, if the analysis detects genotypes, mutations, or chromosomal changes, and to provide in the definition that ‘‘genetic test’’ does not include an analysis of proteins or metabolites that is directly related to a manifested disease, disorder, or pathological condition. While the statute refers to a ‘‘manifested’’ disease as one that could reasonably be detected by a health care professional with appropriate training and expertise in the field of medicine involved, the statute does not define ‘‘manifested.’’ Consequently, for clarity, the Department proposed a definition of ‘‘manifested,’’ as described below.

Overview of Public Comments

The Department received one comment requesting that the Department include examples within the regulatory text of the definition and another comment stated that it is not clear what constitutes a genetic test under the definition.

Final Rule

The final rule adopts without modification the definition of ‘‘genetic test’’ as proposed in the NPRM. This definition is consistent with the definition found in the implementing regulations for sections 101–103 of GINA and with which compliance is already required by most health plans.

Under this definition, a test to determine whether an individual has a gene variant associated with breast cancer (such as the BRCA1 or BRCA2 variant) is a genetic test. Similarly, a test to determine whether an individual has a genetic variant associated with hereditary nonpolyposis colorectal cancer is a genetic test. Such tests are genetic in nature because they detect genotypes, mutations, or chromosomal changes. In contrast, medical tests that do not detect genotypes, mutations, or chromosomal changes, are not genetic tests. For example, HIV tests, complete blood counts, cholesterol tests, liver function tests, or tests for the presence of alcohol or drugs are not genetic tests.

Consistent with the approach taken generally with the HIPAA Privacy Rule, the Department declines to include these examples in the regulatory text. The Department intends to issue future guidance on its web site about this issue.

d. Definition of ‘‘Genetic Services’’

Proposed Rule

GINA provides that the term ‘‘genetic information’’ includes, with respect to any individual, any request for, or receipt of, genetic services, or participation in clinical research which includes genetic services, by such individual or any family member of such individual. Section 102(a)(4) of GINA defines ‘‘genetic services’’ to mean: (1) A genetic test; (2) genetic counseling (including obtaining, interpreting, or assessing genetic information); or (3) genetic education. Thus, the fact that an individual or a family member of the individual requested or received a genetic test, counseling, or education is information protected under GINA. Genetic counseling and education are means by which individuals can obtain information and support about potential risks for genetic diseases and disorders.

The Department proposed to add the statutory definition of ‘‘genetic services’’ to the Privacy Rule.

Overview of Public Comments

The Department received one comment requesting that the
Department add language to the definition to make clear that the genetic tests, genetic counseling, or genetic education of a family member of an individual are specifically covered by the term.

Final Rule

The final rule adopts without modification the definition of ‘‘genetic services’’ proposed in the NPRM. This definition is consistent with the definition found in the implementing regulations for sections 101–103 of GINA and with which compliance is already required by most health plans.

The Department does not believe it necessary to add the term ‘‘family member’’ to the definition of ‘‘genetic services’’ because the definition of ‘‘genetic information’’ makes clear that information about any request for, or receipt of, genetic services by a family member of an individual is protected information.

e. Definition of ‘‘Family Member’’

Proposed Rule

The term ‘‘family member’’ is used in the definition of ‘‘genetic information’’ in GINA to indicate that an individual’s genetic information also includes information about the genetic tests of the individual’s family members, as well as family medical history. Section 105 of GINA states that the term ‘‘family member’’ shall have the meaning given such term in section 2791 of the PHSA (42 U.S.C. 300gg–91), as amended by GINA section 102(a)(4), which defines ‘‘family member’’ to mean, with respect to any individual: (1) A dependent (as such term is used for purposes of section 2701(f)(2) of the PHSA, 42 U.S.C. 300gg(f)(2)) of such individual; or (2) any other individual who is a first-degree, second-degree, third-degree, or fourth-degree relative of such individual or of a dependent of the individual. Section 2701(f)(2) of the PHSA uses the term ‘‘dependent’’ to mean an individual who is or may become eligible for coverage under the terms of a group health plan because of a relationship to the plan participant.

The Department proposed to incorporate GINA’s definition of ‘‘family member’’ into the Privacy Rule. The proposed rule also clarified within the definition that relatives by affinity (such as by marriage or adoption) are to be treated the same as relatives by consanguinity (that is, relatives who share a common biological ancestor) and that, in determining the degree of relationship, relatives by less than full consanguinity (such as half-siblings, who share only one parent) are treated the same as relatives by full consanguinity (such as siblings who share both parents). The NPRM explained that this broad interpretation of ‘‘family member’’ was consistent with GINA’s legislative history, which suggests that the term ‘‘family member’’ is to be broadly construed to provide the maximum protection against discrimination.18 In addition, the Department proposed to include in the definition of ‘‘family member’’ non-exhaustive lists of persons who are first-, second-, third-, or fourth-degree relatives. Finally, within the definition of ‘‘family member,’’ the Department proposed to refer to the definition of ‘‘dependent’’ contained in the implementing regulations at 45 CFR 144.103 rather than to the PHSA directly.

Overview of Public Comments

One commenter expressed support for including relatives by affinity and by less than full consanguinity, agreeing that this interpretation is consistent with Congressional intent and provides the most privacy protection for individuals. This commenter also was supportive of including non-exhaustive lists of persons who are first-, second-, third-, and fourth-degree relatives to add clarity to the definition.

Final Rule

As we received only support with regard to the definition of ‘‘family member,’’ the final rule adopts without modification the definition of ‘‘family member’’ proposed in the NPRM. This definition also is consistent with the definition found in the implementing regulations for sections 101–103 of GINA and with which compliance is already required by most health plans.

f. Definition of ‘‘Manifestation or Manifested’’

Proposed Rule

Although not separately defined by GINA, the terms ‘‘manifestation’’ or ‘‘manifested’’ are used in GINA in three important contexts. First, GINA uses the term ‘‘manifestation’’ to incorporate ‘‘family medical history’’ into the definition of ‘‘genetic information’’ by stating that ‘‘genetic information’’ includes, with respect to an individual, the manifestation of a disease or disorder in family members of such individual. Second, GINA uses the term ‘‘manifested’’ to exclude from the definition of ‘‘genetic test’’ those tests that analyze a physical malady rather than genetic makeup by excluding from the definition analyses of proteins or metabolites that are directly related to a manifested disease, disorder, or pathological condition. Third, GINA uses the term ‘‘manifestation’’ to clarify that nothing in Title I of GINA should be construed to limit the ability of a health plan to adjust premiums or contribution amounts for a group health plan based on the manifestation of a disease or disorder of an individual enrolled in the plan.19 However, GINA provides that, in such case, the manifestation of a disease or disorder in one individual cannot also be used as genetic information about other group members and to further increase the premium for the plan. Similarly, for the individual health insurance market, GINA clarifies that it does not prohibit a health plan from establishing rules for eligibility for an individual to enroll in coverage or from adjusting premium or contribution amounts for an individual based on the manifestation of a disease or disorder in that individual or in a family member of such individual where such family member is covered under the individual’s policy. However, under GINA, the manifestation of a disease or disorder in one individual cannot also be used as genetic information about other individuals and to further increase premiums or contribution amounts.

Given the importance of the term ‘‘manifested’’ or ‘‘manifestation,’’ the Department proposed to define the term. Although GINA does not define the term, it is clear from the statutory definition of ‘‘genetic test’’ that a manifested disease or disorder is one ‘‘that could reasonably be detected by a health care professional with appropriate training and expertise in the field of medicine involved.’’ Accordingly, the proposed rule defined the term ‘‘manifestation or manifested’’ to mean, with respect to a disease, disorder, or pathological condition, that an individual has been or could reasonably be diagnosed with the disease, disorder, or pathological condition by a health care professional with appropriate training and expertise in the field of medicine involved. The proposed definition also provided that a disease, disorder, or pathological condition is not manifested if the diagnosis is based principally on genetic information. This clarification was included due to the fact that variants of genes associated with diseases have varying degrees of predictive power for

18 See House Report 110–28, Part 2 at 27.

19 We note that the Affordable Care Act, enacted on March 23, 2010, includes a provision effective for plan years beginning on or after January 1, 2014, that prohibits insurers from discriminating against individuals or charging individuals higher rates based on pre-existing conditions. See Public Law 111–148.
later development of the disease. In some cases, an individual may have a genetic variant for a disease and yet never develop the disease. In other cases, the presence of a genetic variant indicates that the individual will eventually develop the disease, such as is the case with Huntington’s disease. However, an individual may obtain a positive test that shows the genetic variant for Huntington’s disease decades before any clinical symptoms appear. Under the proposed definition, the presence of a genetic variant alone would not constitute the diagnosis of a disease even in cases where it is certain the individual possessing the genetic variant will eventually develop the disease, such as with Huntington’s disease.

Overview of Public Comments

A few commenters expressed support for adopting the proposed definition of ‘‘manifestation or manifested’’ because it would provide clarity to the rule and the scope of the underwriting prohibition. One commenter requested that the Department include the examples provided in the preamble to the proposed rule directly within the regulatory definition.

A few commenters raised concerns about the inclusion in the proposed definition of the clarification that ‘‘a disease, disorder, or pathological condition is not manifested if the diagnosis is based principally on genetic information.’’ It was argued that the proposed definition was too narrow because, for some diseases, disorders, or pathological conditions, a genetic test is the primary means of diagnosing the condition and further that genetic tests will more frequently be used to diagnose diseases or conditions in the future given the continuing evolution of genetics. It was also argued that the proposed definition went beyond GINA by indicating how a manifested disease or disorder is diagnosed.

Final Rule

The final rule adopts without modification the definition of ‘‘manifestation or manifested’’ proposed in the NPRM. The definition is consistent with the definition of ‘‘manifestation or manifested’’ found in the implementing regulations for the non-discrimination provisions of sections 101–103 of GINA and with which compliance is already required for most health plans. In developing this definition, the agencies consulted with technical experts at the National Human Genome Research Institute within the National Institutes of Health (NIH). In addition, for the reasons stated above regarding the varying degrees of predictive power genes provide in terms of ultimate development of a disease, as well as of the fact that a genetic test for a disease may precede clinical signs or symptoms by years or even decades, the Department does not believe that the definition is too narrow but rather that it is consistent with the provisions of GINA that protect genetic information from being used for health coverage determinations. Finally, the definition does not preclude a health care provider from performing one or more genetic tests to confirm a diagnosis so long as the diagnosis is not based solely or principally on the result of the genetic test.

To illustrate the definition, we provide the following examples, which were also included in the NPRM:

• An individual may have a family member that has been diagnosed with Huntington’s disease and also have a genetic test result that indicates the presence of the Huntington’s disease gene variant in the individual. However, when the individual is examined by a neurologist (a physician with appropriate training and expertise for diagnosing Huntington’s disease) because the individual has begun to suffer from occasional moodiness and disorientation (symptoms which are associated with Huntington’s disease), and the results of the examination do not support a diagnosis of Huntington’s disease, then Huntington’s disease is not manifested with respect to the individual. In contrast, if the individual exhibits additional neurological and behavioral symptoms, and the results of the examination support a diagnosis of Huntington’s disease by the neurologist, then Huntington’s disease is manifested with respect to the individual.

• An individual has had several family members with colon cancer, one of whom underwent genetic testing which detected a mutation in the MSH2 gene associated with hereditary nonpolyposis colorectal cancer (HNPCC). On the recommendation of his physician (a health care professional with appropriate training and expertise in the field of medicine involved), the individual undergoes a targeted genetic test to look for the specific mutation found in the family member of the individual to determine if the individual himself is at increased risk for cancer. The genetic test shows that the individual also carries the mutation but the individual’s colonoscopy indicates no signs of disease and the individual has no symptoms. Because the individual has no signs or symptoms of colorectal cancer that could be used by the individual’s physician to diagnose the cancer, HNPCC is not a manifested disease with respect to the individual. In contrast, if the individual undergoes a colonoscopy or other medical tests that indicate the presence of HNPCC, and the individual’s physician makes a diagnosis of HNPCC, HNPCC is a manifested disease with respect to the individual.

• If a health care professional with appropriate expertise makes a diagnosis based on the symptoms of the patient, and uses genetic tests to confirm the diagnosis, the disease will be considered manifested, despite the use of genetic information. For example, if a neurologist sees a patient with uncontrolled movements, a loss of intellectual faculties, and emotional disturbances, and the neurologist suspects the presence of Huntington’s disease, the neurologist may confirm the diagnosis with a genetic test. While genetic information is used as part of the diagnosis, the genetic information is not the sole or principal basis for the diagnosis, and, therefore, the Huntington’s disease would be considered a manifested disease of the patient.

As with the definition of ‘‘genetic test,’’ the Department declines to include these examples in the regulatory text as this is inconsistent with the approach generally taken in the HIPAA Privacy Rule. The Department intends to issue future guidance on its web site with respect to the Rule’s protections for genetic information.

g. Definition of ‘‘Health Plan’’

Proposed Rule

The Department proposed to make technical corrections to update the definition of ‘‘health plan’’ by revising and renumbering the definition to: Include specific reference to the Voluntary Prescription Drug Benefit Program under Part D of title XVIII of the Social Security Act, 42 U.S.C. 1395w–101 through 1395w–152; remove the specific reference to the Civilian Health and Medical Program of the Uniformed Services (CHAMPUS) (as defined in 10 U.S.C. 1072(4)), as this program is now part of the TRICARE health care program under title 10 of the United States Code, and revise the reference to the title 10 health care program accordingly to read more generally ‘‘health care program for the uniformed services’’ rather than ‘‘health care program for active military personnel’’; and reflect that Part C of title XVIII of the Social Security Act, 42 U.S.C. 1395w–21 through 1395w–28, is now called the Medicare Advantage program.
101 5665 / Vol. 78, No. 17 / Friday, January 25, 2013 / Rules and Regulations Federal Register information (i.e., even non-genetic definition to clarify that ‘‘underwriting Overview of Public Comments information) for underwriting. purposes’’ does not include The Department did not receive any The adopted definition is consistent determinations of medical comments on the proposed technical with the definition promulgated in the appropriateness where an individual corrections to the definition of ‘‘health interim final regulations to implement seeks a benefit under the plan, coverage, plan.’’ sections 101–103 of GINA and with or policy. Final Rule which compliance is already required Overview of Public Comments by most health plans. We decline to The final rule incorporates the exclude wellness programs and the use About ten commenters addressed the technical corrections to the definition. of HRAs from the definition because, as proposed definition of ‘‘underwriting 4. Section 164.501—Definitions discussed in the interim final purposes.’’ Four commenters generally regulations issued by DOL, Treasury, The Department proposed to modify supported the proposed definition. and HHS, GINA Title I does not include § 164.501 to add a definition of Other commenters expressed concern 20 an exception for wellness programs. ‘‘underwriting purposes’’ and to make with the definition’s inclusion of However, we emphasize that health conforming changes to the definitions of discounts, rebates, payments in kind, or plans may continue to provide ‘‘payment’’ and ‘‘health care other premium differential mechanisms incentives for completing HRAs and operations.’’ in return for activities such as participating in wellness programs in completing a health risk assessment a. Definition of ‘‘Underwriting manners that do not involve the use or (HRA) or participating in a wellness Purposes’’ disclosure of genetic information. For program. 
These commenters were example, ‘‘personal habit’’ information Proposed Rule concerned that prohibiting the use of about an individual, such as smoking genetic information, particularly family Section 105 of GINA provides that the status and alcohol and drug use, is not health history, for such purposes would term ‘‘underwriting purposes’’ means, genetic information and thus, may be have a detrimental impact on wellness with respect to a group health plan, used by health plans for underwriting and disease management programs. One health insurance coverage, or Medicare purposes. Further, DOL has issued commenter was concerned that the supplemental policy: (A) Rules for, or guidance which makes clear that health definition would prohibit dental determination of, eligibility (including plans may continue to collect family insurance plans from offering enrollment and continued eligibility) health history through the use of HRAs preventive prognostic features to for, or determination of, benefits under 21 that are not tied to any reward. enrollees as part of the plan that test for the plan, coverage, or policy; (B) the In addition, the definition of susceptibility to dental decay and computation of premium or ‘‘underwriting purposes’’ includes an periodontal diseases. Enrollees that test contribution amounts under the plan, exception for determinations of medical positive would be provided with coverage, or policy; (C) the application appropriateness where an individual additional plan benefits as a supplement of any pre-existing condition exclusion seeks a benefit under the plan, coverage, to the standard benefits to cover more under the plan, coverage, or policy; and or policy. Thus, to the extent that an aggressive preventive services. 
Finally, a (D) other activities related to the individual is seeking a particular benefit few commenters were concerned that creation, renewal, or replacement of a under the plan and the health plan the broad definition of ‘‘underwriting contract of health insurance or health needs genetic information to determine purposes’’ would preclude plans from benefits. the medical appropriateness of using HRAs and offering wellness The Department proposed to adopt providing the benefit to the individual, programs even if no genetic information GINA’s statutory definition of the plan may use or disclose the is requested or used. For example, one ‘‘underwriting purposes’’ in § 164.501 of minimum necessary genetic information commenter was concerned that the the Privacy Rule, but also proposed to to determine the medical definition would prohibit the use of include certain clarifications for appropriateness of providing the ‘‘personal habit’’ information, such as consistency with the regulations benefit. For example, if a health plan information about smoking, or alcohol promulgated to implement the covers yearly mammograms for or drug use. nondiscrimination provisions in individuals under age 40 only in cases sections 101 through 103 of GINA. In where the individual can demonstrate Final Rule particular, the Department proposed to she is at increased risk for breast cancer, The final rule adopts the proposed include a parenthetical to explain that the plan can ask an individual under definition of ‘‘underwriting purposes’’ the rules for, or determination of age 40 to provide the results of a genetic but moves the definition to within the eligibility for, or determination of, test or family health history and use underwriting prohibition at benefits under the plan include changes such information to determine medical § 164.502(a)(5)(i). 
This makes clear that in deductibles or other cost-sharing appropriateness prior to paying a claim the definition applies only for purposes mechanisms in return for activities such for the mammogram. The medical of the prohibition on a health plan’s use as completing a health risk assessment appropriateness exception would also or disclosure of genetic information for or participating in a wellness program. cover situations where a dental plan underwriting purposes. As discussed The proposed rule also included a requires the results of a genetic test more fully below with respect to the parenthetical to make clear that the prior to offering a supplemental benefit definition of ‘‘health care operations,’’ computation of premium or for more aggressive preventive services we move the definition of contribution amounts under the plan, to the extent the individual seeks such ‘‘underwriting purposes’’ and retain the coverage, or policy includes discounts, a benefit. For example, a dental plan term ‘‘underwriting’’ within the rebates, payments in kind, or other may provide information to all of its definition of ‘‘health care operations’’ in premium differential mechanisms in enrollees about how to take advantage of response to several public comments return for activities such as completing expressing concern that the proposed a health risk assessment or participating 20 See 74 FR 51669, footnote 12. rule would no longer allow health plans in a wellness program. Finally, we 21 http://www.dol.gov/ebsa/faqs/faq- See Q14 at GINA.html. to use or disclose any protected health proposed a provision within the VerDate Mar<15>2010 18:57 Jan 24, 2013 Jkt 229001 PO 00000 Frm 00101 Fmt 4701 Sfmt 4700 E:\FR\FM\25JAR2.SGM 25JAR2 sroberts on DSK5SPTVN1PROD with

102 5666 Federal Register / Vol. 78, No. 17 / Friday, January 25, 2013 / Rules and Regulations not genetic information for such a benefit, and when an enrollee 5. Section 164.502(a)—Uses and contacts the plan about obtaining the Disclosures of Protected Health underwriting, we include a reference to benefit, may require the individual to Information: General Rules the prohibition on using or disclosing take and provide the results of a genetic genetic information for underwriting a. Prohibition test to determine the medical purposes within the definition. The Proposed Rule appropriateness of providing the final rule also retains the term supplemental benefit to the individual. To implement section 105 of GINA, ‘‘enrollment’’ within the definition the Department proposed a new because we believe it is helpful to b. Definition of ‘‘Health Care prohibition on health plans using or clarify that this is a permitted health Operations’’ disclosing protected health information care operations activity. Proposed Rule that is genetic information for c. Definition of ‘‘Payment’’ underwriting purposes at The definition of ‘‘health care § 164.502(a)(3). 
We made clear that such operations’’ at § 164.501 includes at Proposed Rule a provision would operate paragraph (3) ‘‘underwriting, premium notwithstanding the other provisions in rating, and other activities relating to The definition of ‘‘payment’’ in the the Privacy Rule permitting uses and the creation, renewal or replacement of Privacy Rule at § 164.501 includes disclosures, and proposed a conforming a contract of health insurance or activities, such as ‘‘determinations of change to § 164.502(a)(1)(iv) to clarify benefits * * *.’’ To avoid confusion eligibility or coverage’’ by a health plan, further that an authorization could not with the use of both ‘‘underwriting’’ and some of which may fall within the be used to permit a use or disclosure of ‘‘underwriting purposes’’ in the Privacy definition of ‘‘underwriting purposes.’’ genetic information for underwriting Rule, and in recognition of the fact that To avoid any implication that a health purposes. the proposed definition of plan would be permitted to use or ‘‘underwriting purposes’’ includes Overview of Public Comments disclose protected health information activities that fall within both the for ‘‘payment’’ purposes that are Some commenters expressly definitions of ‘‘payment’’ and ‘‘health otherwise prohibited by the supported the proposed modification to care operations’’ in the Rule, the underwriting prohibition, we proposed the Privacy Rule to include the Department proposed to remove the to include a cross-reference in the prohibition, and the proposed term ‘‘underwriting’’ from the definition definition of ‘‘payment’’ to the clarification that an authorization of ‘‘health care operations.’’ We also cannot be used to otherwise permit a prohibition. Further, we believed the proposed to add the term ‘‘enrollment’’ prohibited use or disclosure of genetic inclusion of such a cross-reference to be to the express list of health care information. 
One commenter suggested necessary to properly align the operations activities to make clear that adding the examples from the preamble definition of ‘‘payment’’ in the Privacy the removal of the term ‘‘underwriting’’ to the regulatory text, as well as Rule with the nondiscrimination would not impact the use or disclosure language to the regulatory text to clarify of protected health information that is provisions of GINA Title I and their that the prohibition applies to genetic not genetic information for enrollment implementing regulations. GINA information obtained by a health plan purposes. These proposed revisions provides a rule of construction at prior to the passage of GINA. were not intended to be substantive section 102(a)(2), which adds paragraph changes to the definition and thus, 2702(c)(3) of the PHSA, to make clear Final Rule health plans would be permitted to that health plans are not prohibited The final rule adopts the proposed continue to use or disclose protected from obtaining and using the results of prohibition on a health plan’s use or health information, except genetic a genetic test in making determinations disclosure of genetic information for information, for underwriting purposes. regarding payment, as such term is underwriting purposes, except with defined by the HIPAA Privacy Rule. Overview of Public Comments regard to health plans that are issuers of Thus, the proposed exception would long term care policies, as explained The Department received a few above in section VI.C.1 regarding to make clear that GINA’s rule of comments on the proposed revisions to which plans the final rule applies. 
This construction regarding payment does the definition of ‘‘health care prohibition, located in this final rule at not allow a health plan to use the results operations.’’ One commenter supported § 164.502(a)(5), applies to all genetic of genetic tests for activities that would the inclusion of the word ‘‘enrollment.’’ information from the compliance date of otherwise constitute ‘‘underwriting A few commenters, however, expressed these modifications forward, regardless concern and confusion that the removal purposes,’’ such as for determinations of of when or where the genetic of the term ‘‘underwriting’’ from the eligibility for benefits. information originated. We do not definition of ‘‘health care operations’’ Overview of Public Comments believe a clarification of this fact in the would no longer permit uses or regulatory text is necessary. disclosures of even non-genetic The Department received two Consistent with Sec. 101(a) of the protected health information for comments on the proposed change to statute, this prohibition should not be underwriting. the definition of ‘‘payment,’’ one construed to limit the ability of a health Final Rule supporting the change and one plan to adjust premiums or contribution indicating it is unnecessary. 
amounts for a group health plan based Due to the confusion and concern on the manifestation of a disease or expressed by the commenters regarding Final Rule disorder of an individual enrolled in the the removal of the term ‘‘underwriting’’ plan, even though a health plan cannot from the definition, we retain the term For the reasons described above, the use the manifestation of a disease or ‘‘underwriting’’ within the definition of final rule adopts the proposed change to disorder in one individual as genetic ‘‘health care operations’’ at § 164.501 the definition of ‘‘payment.’’ information about other group members However, to make clear that a health plan may continue to use or disclose and to further increase the premium for only protected health information that is the plan. Similarly, for the individual VerDate Mar<15>2010 18:57 Jan 24, 2013 Jkt 229001 PO 00000 Frm 00102 Fmt 4701 Sfmt 4700 E:\FR\FM\25JAR2.SGM 25JAR2 sroberts on DSK5SPTVN1PROD with

103 5667 Federal Register / Vol. 78, No. 17 / Friday, January 25, 2013 / Rules and Regulations protected health information for information to the plan sponsor if the health insurance market, a health plan underwriting, premium rating, or other plan sponsor requests the information is not prohibited from establishing rules activities relating to the creation, for the purpose of obtaining premium for eligibility for an individual to enroll renewal, or replacement of a contract for bids from health plans for providing in coverage or from adjusting premium health insurance or health benefits, from health insurance coverage under the or contribution amounts for an using or disclosing such protected group health plan, or for modifying, individual based on the manifestation of health information for any other amending, or terminating the group a disease or disorder in that individual purpose (except as required by law) if health plan. As this provision permits or in a family member of such the health insurance or health benefits activities that constitute ‘‘underwriting individual where such family member is are not placed with the health plan. The purposes,’’ as defined by GINA and the covered under the individual’s policy, Department proposed conforming proposed rule, the Department proposed even though the health plan cannot use amendments to § 164.514(g) to: (1) to modify § 164.504(f)(1)(ii) to clarify the manifestation of a disease or Remove the term ‘‘underwriting’’ to that § 164.504(f)(1)(ii) would not allow a disorder in one individual as genetic avoid confusion given the new disclosure of protected health information about other individuals to definition of ‘‘underwriting purposes,’’ information that is otherwise prohibited further increase premiums or which encompasses the activities by the underwriting prohibition. contribution amounts for those other described above; and (2) make clear that individuals. 
Overview of Public Comments a health plan that receives protected To illustrate how the prohibition The Department received one health information that is genetic operates, we reiterate the following comment in support of this information for the above purposes is examples (but for the reasons explained modification. not permitted to use or disclose such above, decline to include them in the information for underwriting purposes. regulatory text). If a health insurance Final Rule The proposed removal of the term issuer, with respect to an employer- The final rule adopts the modification ‘‘underwriting’’ from § 164.514(g) was sponsored group health plan, uses an to § 164.504(f)(1)(ii). not intended as a substantive change to individual’s family medical history or the scope of the provision. 7. Section 164.506—Uses and the results of genetic tests maintained in Disclosures To Carry Out Treatment, the group health plan’s claims Overview of Public Comments Payment, or Health Care Operations experience information to adjust the One commenter suggested that the plan’s blended, aggregate premium rate Proposed Rule Department reconsider the removal of for the upcoming year, the issuer would the term ‘‘underwriting’’ from this Section 164.506(a) of the Privacy Rule be using protected health information section as it could be viewed as a sets out the uses and disclosures a that is genetic information for substantive change to the scope of the covered entity is permitted to make to underwriting purposes in violation of provision, and expressed concern that carry out treatment, payment, or health § 164.502(a)(5)(i). Similarly, if a group the modification would prohibit a care operations. In light of the fact that health plan uses family medical history health plan from using or disclosing the proposed definition of provided by an individual incidental to genetic information as required by other ‘‘underwriting purposes’’ encompasses the collection of other information on a law. 
activities that fall both within the health risk assessment to grant a definitions of ‘‘payment’’ and ‘‘health Final Rule premium reduction to the individual, care operations’’ under the Privacy Rule, the group health plan would be using The final rule modifies § 164.514(g) to the Department proposed to add a cross- genetic information for underwriting refer to the prohibition, now at reference in § 164.506(a) to the new purposes in violation of § 164.502(a)(5). However, as with the underwriting prohibition to make clear § 164.502(a)(5)(i). definition of ‘‘health care operations,’’ that § 164.506 of the Privacy Rule would The prohibition is limited to health we do not remove the term not permit health plans to use or plans. A health care provider may use ‘‘underwriting’’ to avoid unnecessary disclose an individual’s protected or disclose genetic information as it sees confusion. We also clarify that a health health information that is genetic fit for treatment of an individual. If a plan may continue to use or disclose information for underwriting, even covered entity, such as an HMO, acts as protected health information that is though such a use or disclosure is both a health plan and health care genetic information as required by other considered payment or health care provider, it may use genetic information law, except to the extent doing so would operations. for purposes of treatment, to determine be inconsistent with the prohibition in Overview of Public Comments the medical appropriateness of a benefit, GINA and this final rule at and as otherwise permitted by the § 164.502(a)(5)(i) against using or The Department received one Privacy Rule, but may not use such disclosing genetic information for comment in support of this genetic information for underwriting underwriting purposes. modification. purposes. Such covered entities, in 9. 
Section 164.520—Notice of Privacy Final Rule particular, should ensure that Practices for Protected Health appropriate staff members are trained on The final rule adopts the modification Information the permissible and impermissible uses to § 164.506(a). of genetic information. Proposed Rule 8. Section 164.514(g)—Uses and As discussed above in Section IV with 6. Section 164.504(f)(1)(ii)— Disclosures for Activities Relating to the regard to the changes made to § 164.520 Requirements for Group Health Plans Creation, Renewal, or Replacement of a pursuant to the HITECH Act, § 164.520 Contract of Health Insurance or Health Proposed Rule of the Privacy Rule sets out the Benefits Section 164.504(f)(1)(ii) permits a requirements for most covered entities Proposed Rule group health plan, or health insurance to have and distribute a Notice of Section 164.514(g) of the Privacy Rule issuer or HMO with respect to the group Privacy Practices (NPP). With respect to the NPP, the Department believes that prohibits a health plan that receives health plan, to disclose summary health VerDate Mar<15>2010 18:57 Jan 24, 2013 Jkt 229001 PO 00000 Frm 00103 Fmt 4701 Sfmt 4700 E:\FR\FM\25JAR2.SGM 25JAR2 sroberts on DSK5SPTVN1PROD with

104 5668 Federal Register / Vol. 78, No. 17 / Friday, January 25, 2013 / Rules and Regulations purposes. This commenter also asked plan would not be required to make individuals should be informed of their what the rules are for access to another change to its NPP to comply new rights and protections under this protected health information about an with the regulation. rule with respect to genetic information A number of comments addressed the individual by the individual’s extended in the health coverage context. Thus, the issue of the timing and manner of family members seeking to determine if Department proposed in distributing revised NPPs. In general, they are affected by a genetic trait. § 164.520(b)(1)(iii)(D) to require health With respect to the first Response: commenters recommended various plans that use or disclose protected question, these rules do not apply to alternatives, including: (1) Require health information for underwriting to health care providers. A covered health health plans to provide a revised NPP to include a statement in their NPP that provider may continue to disclose members in the next annual mailing; (2) they are prohibited from using or protected health information, including require health plans to provide either a disclosing protected health information genetic information, where doing so revised NPP or a supplement to that is genetic information about an meets the minimum necessary standard, members in the next annual mailing and individual for such purposes. Without to health plans for payment purposes. 
to post the revised NPP or supplement such a specific statement, individuals Under this Rule, the onus is on the on the health plan Web site would not be aware of this restriction health plan to not use or disclose immediately; (3) retain the existing 60- and the general statements regarding protected health information it receives day deadline for providing a revised permitted uses and disclosures for for such purposes for prohibited NPP to individuals or provide for a 30- treatment, payment, and health care underwriting purposes. Further, health day extension; and (4) allow for operations in the NPP of a health plan plans continue to be required by the distribution via electronic processes for that performs underwriting would not Privacy Rule to limit requests of more efficient delivery of NPPs to be accurate (i.e., the NPP would state protected health information to the members. that the health plan may use or disclose minimum necessary when requesting PHI for purposes of payment and health Final Rule such information from other covered care operations, which would not be The final rule adopts the requirement entities. The regulations implementing true with respect to genetic information for health plans that perform sections 101–103 of GINA also restrict when the use or disclosure is for underwriting to include in their NPPs a the ability of health plans covered by underwriting purposes). statement that they are prohibited from those rules to request genetic The preamble explained that the using or disclosing genetic information information. proposed prohibition on using or for such purposes, except with regard to With respect to the second question, disclosing genetic information for to the extent that an individual’s genetic issuers of long term care policies, which underwriting and the proposed information is needed for the treatment are not subject to the underwriting requirement to explicitly include a purposes of a family member, a covered prohibition. 
Health plans that have statement regarding the prohibition health care provider is permitted to already modified and redistributed their would represent a material change to disclose such information, subject to NPPs to reflect the statutory prohibition the NPP of health plans that perform any agreed-upon restriction, to another are not required to do so again, provided underwriting, and the Privacy Rule provider for the treatment of the family the changes to the NPP are consistent requires at § 164.520(c)(1)(i)(C) that member. See FAQ #512 at http:// with this rule. We also modify the NPP plans provide notice to individuals www.hhs.gov/ocr/privacy/hipaa/faq/ covered by the plan within 60 days of distribution requirements for health right request _ a _ _ , restriction/512.html to _ any material revision to the NPP. As in plans where there are material changes. which makes clear that a health care the NPRM issued to implement HITECH These modifications are discussed provider may share genetic information Act provisions, the Department above in Section IV with regard to about an individual with providers requested comment on ways to inform material changes to the NPP resulting treating family members of the individuals of this change to privacy from changes pursuant to the HITECH individual who are seeking to identify practices without unduly burdening Act. their own genetic health risks, provided health plans and provided several 10. Other Comments the individual has not requested and the possible alternatives. The Department One commenter requested Comment: health care provider has not agreed to a also explained that the obligation to clarification on preemption with regard restriction on such disclosure. revise the NPP for the reasons described One commenter requested Comment: to the new underwriting prohibition. 
above would fall only on health plans Response: Pursuant to subpart B of that the rule require that health plans that intend to use or disclose protected conducting or sponsoring research Part 160 of the HIPAA Administrative health information for activities that involving genetic information provide Simplification Rules, to the extent that constitute ‘‘underwriting purposes.’’ research participants with an explicit a provision of State law requires a use Thus, health care providers, as well as statement to ensure the individuals or disclosure of genetic information for health plans that do not perform understand that such information may an activity that would otherwise underwriting, would not be required to not and will not be used for constitute ‘‘underwriting purposes,’’ revise their NPPs. underwriting purposes. such State law would be preempted by Overview of Public Comments Response: We decline to require such the Privacy Rule unless an exception at a statement. The regulations One commenter supported informing § 160.203 applies. In contrast, State laws implementing sections 101–103 of GINA individuals in the NPP that health plans that provide greater privacy protection already require a statement to that effect are prohibited from using or disclosing for genetic information than the Privacy as a condition of the health plan genetic information for underwriting Rule continue to remain in place. requesting that a research participant Comment: One commenter asked how purposes. One commenter asked the undergo a genetic test as part of the a health care provider should ensure Department to clarify that where a research. See, e.g., 45 CFR 144.122(c)(5). 
that releasing an individual’s health plan has already made a change Further, this rule requires that health information to a health plan will not to the NPP to comply with a statute, plans that perform underwriting inform result in an inappropriate disclosure to such as with GINA, and has sent the individuals through their NPPs that the the health plan for underwriting revised NPP to members, the health VerDate Mar<15>2010 18:57 Jan 24, 2013 Jkt 229001 PO 00000 Frm 00104 Fmt 4701 Sfmt 4700 E:\FR\FM\25JAR2.SGM 25JAR2 sroberts on DSK5SPTVN1PROD with

plans may not use or disclose genetic information for such purposes.

Comment: One commenter asked that the HIPAA de-identification standard be strengthened to provide better protection for health information, including genetic information.

Response: The Privacy Rule’s de-identification standard is outside the scope of this rulemaking.

VII. Regulatory Analyses

A. Introduction

We have prepared a regulatory impact statement in compliance with Executive Order 12866 (September 1993, Regulatory Planning and Review), Executive Order 13563 (January 2011, Improving Regulation and Regulatory Review), the Regulatory Flexibility Act (RFA) (September 19, 1980, Pub. L. 96–354), the Unfunded Mandates Reform Act of 1995 (UMRA) (March 22, 1995, Pub. L. 104–4), and Executive Order 13132 on Federalism. We begin with a discussion of Executive Orders 12866 and 13563 and then present a more detailed analysis of costs and benefits. Finally, relying on information explained in the cost-benefit analysis, we discuss issues related to the RFA, UMRA, and Federalism considerations.

1. Executive Order 12866 and Executive Order 13563

Executive Orders 12866 and 13563 direct agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). Executive Order 13563 emphasizes the importance of quantifying both costs and benefits, of reducing costs, of harmonizing rules, and of promoting flexibility. A regulatory impact analysis must be prepared for major rules that have economically significant effects ($100 million or more in any one year) or adversely affect in a material way the economy, a sector of the economy, productivity, competition, jobs, the environment, public health or safety, or State, local, or Tribal government or communities (58 FR 51741). Based on the following analysis, this rule has been designated as an economically significant regulatory action within the meaning of section 3(f)(4) of Executive Order 12866. Accordingly, the rule has been reviewed by the Office of Management and Budget.

To summarize, we estimate that the rule will result in new first-year costs of between $114 million and $225.4 million. Annualizing the midpoints of our cost estimates at three and seven percent over ten years produces costs of $35.2 million and $42.8 million, respectively.22

22 The breach notification provisions are the rule’s only source of ongoing, annual costs. Therefore, with respect to breach, we annualize costs incurred on an annual basis. For the other provisions, we calculate annualized opportunity costs based on costs expended only in the first year of implementation.

We estimate that the effects of the requirement for covered entities (including indirect costs incurred by third party administrators, which frequently send out notices on behalf of health plans) to issue new notices of privacy practices, as a result of the final changes to the HIPAA Privacy Rule under both the HITECH Act and GINA, will result in new costs of $55.9 million within 12 months of the effective date of the final rule. Annualizing the costs over 10 years at 3 percent and 7 percent results in annual NPP costs of approximately $6.6 million and $8 million, respectively. We have revised our cost estimate for NPP revisions since the proposed rule to reflect the increased flexibility provided in the final rule, which allows health plans to include their new NPPs in their usual, annual mailing rather than send them to individuals in a separate mailing. We also note that combining GINA and HITECH requirements into a single rule results in lower costs than would be incurred if covered entities were required to revise their NPPs multiple times to comply with separate rulemakings.

Additionally, we have revised the annual estimated cost to comply with the final breach notification provisions. As we discuss below, we acknowledge there may still be some underreporting of breaches; however, we do anticipate that the overall number of breaches will decrease in the future. As such, Table 2 below shows the costs of complying with the provisions of the breach notification final rule, which have been revised based on our experience with the number of breach notifications we have received from covered entities during calendar years 2010 and 2011. We estimate the total annual cost for the breach notification rule to be approximately $14.5 million. Annualizing over 10 years at 3% and 7% produces annual breach implementation costs of approximately $17 million and $20.6 million.

With regard to the business associate provisions of the final rule, we assume that business associates currently comply with the HIPAA Privacy Rule use and disclosure provisions as required by their business associate contracts. However, with regard to the Security Rule, while we continue to believe that most business associates have implemented security protections that meet the Security Rule requirements as part of the assurances provided to covered entities through their contracts, we recognize that some smaller or less sophisticated business associates may not have engaged in the formal administrative safeguards required by the HIPAA Security Rule, and may not have written policies and procedures for compliance. For these business associates, we estimate that the costs to come into compliance with the Security Rule will be between approximately $22.6 million and $113 million. Annualizing the midpoint estimate ($67.8 million) at 3 percent and 7 percent produces costs of $7.9 million and $9.7 million, respectively.

Although we also continue to believe that most business associates have made a good faith attempt to conform their agreements with subcontractors to HIPAA requirements, we acknowledge the possibility that some business associates may make such efforts for the first time now that they and their subcontractors are subject to direct liability under the Rules. For this fraction of business associates, we estimate that the costs to bring subcontracts into compliance with the business associate agreement requirements will be between $21 million and $42 million. Annualizing the midpoint of those estimates ($31.5 million) at 3 percent and 7 percent results in costs of $3.7 million and $4.5 million, respectively.

There may be other costs we are not able to monetize because we lack data, and the rule may produce savings that may offset some or all of the added costs. We discuss these unquantified costs and benefits of the rule at the end of the Regulatory Impact Analysis.

As a result of the economic impact, and other costs that are described but not quantified in the regulatory analysis below, OMB has determined that this rule is an economically significant regulatory action within the meaning of section 3(f)(4) of Executive Order 12866. We present our analysis of the costs and benefits of the rule in sections C and D below.

2. Entities Subject to the Rule

This rule impacts covered health care providers, health insurance issuers, and third party administrators acting on behalf of health plans, which we estimate to total 698,238 entities. The rule also applies to approximately 1–2

million business associates and an unknown number of subcontractors.23 Table 1 below shows the number of covered entities by class of provider and insurer that will be affected by the Rule.

TABLE 1—Number of Covered Entities by NAICS Code 24

NAICS | Providers/suppliers | Estimated number of entities | Number of small entities 25
622 | Hospitals (General Medical and Surgical, Psychiatric, Substance Abuse, Other Specialty) | 4,060 | 4,060
623 | Nursing Facilities (Nursing Care Facilities, Residential Mental Retardation Facilities, Residential Mental Health and Substance Abuse Facilities, Community Care Facilities for the Elderly, Continuing Care Retirement Communities) | 34,400 | 34,400
6211–6213 | Office of MDs, DOs, Mental Health Practitioners, Dentists, PT, OT, ST, Audiologists | 419,286 | 419,286
6214 | Outpatient Care Centers (Family Planning Centers, Outpatient Mental Health and Drug Abuse Centers, Other Outpatient Health Centers, HMO Medical Centers, Kidney Dialysis Centers, Freestanding Ambulatory Surgical and Emergency Centers, All Other Outpatient Care Centers) | 13,962 | 13,962
6215 | Medical Diagnostic, and Imaging Service Covered Entities | 7,879 | 7,879
6216 | Home Health Service Covered Entities | 15,329 | 15,329
6219 | Other Ambulatory Care Service Covered Entities (Ambulance and Other) | 5,879 | 5,879
N/A 26 | Durable Medical Equipment Suppliers | 107,567 | 107,567
4611 27 | Pharmacies | 88,396 | 88,396
524114 28 | Health Insurance Carriers | 730 | 276
524292 29 | Third Party Administrators Working on Behalf of Covered Health Plans | 750 | 750
Total Entities | | 698,238 | 697,784

23 Although we do not have data on the numbers of business associates, our enforcement experience leads us to believe that each covered entity has, on average, two to three business associates, for a total of 1–2 million business associates. This number overestimates the number of business associates, as some entities may be business associates to multiple covered entities. We do not have a basis for estimating the number of subcontractors that will be subject to the rule.
24 Office of Advocacy, SBA, http://www.sba.gov/advo/research/data.html.
25 Because the vast majority of covered providers are small entities, we include all providers in our estimates of small providers.
26 Centers for Medicare & Medicaid Services covered entities.
27 The Chain Pharmacy Industry, http://www.nacds.org/wmspage.cfm?parm1=507.
28 Source: HHS ASPE analysis of 2010 NAIC Supplemental Health Care Exhibit data.
29 We include third party administrators in our count of covered entities, although they are likely business associates, because the nature of their representation of the majority of ERISA plans makes them an appropriate ‘‘surrogate’’ for those plans.

B. Why is this rule needed?

This final rule is needed to strengthen and expand the privacy and security protections for individuals’ health information and privacy rights established under the HIPAA, as mandated by the HITECH Act and GINA. These enhancements are necessary to ensure continued adequate protections for health information, as well as trust in the health care system, particularly as the adoption and use of electronic health records increases. Importantly, among other changes, the rule makes business associates of covered entities directly liable for Federal penalties for failures to comply with certain provisions of the rule. This expansion in liability closes a large gap in protection that existed prior to these modifications with respect to business associates, which are the cause of many of the security breaches for which the Department receives breach reports. The final rule also lays out standards for when individuals and the Secretary must be informed that a breach of protected health information has occurred so that individuals may take measures to protect themselves from risks associated with the breach. By establishing requirements for notifying individuals and making business associates directly liable for complying with certain provisions of the Privacy and Security rules, we expect the number of breaches of protected health information to decline over time.

This final rule also makes changes to the HIPAA rules, such as those that streamline the research authorization process, that are designed to increase flexibility for, and decrease burden on, the regulated entities, as well as to harmonize certain requirements with those under the Department’s Human Subjects Protections regulations.

C. Costs

1. Breach Notification Costs

The preamble to the interim final rule published on August 24, 2009, contained a regulatory impact statement estimating the economic burden of implementing the rule. We are revising that impact statement in this final rule based upon our experience with collecting breach notifications from covered entities during calendar years 2010 and 2011.

The analysis that follows is very similar to the analysis set forth in the preamble to the interim final rule; however, instead of using information

from http://www.datalossdb.org to estimate the number of breaches that would occur each year, we have used the breach notifications provided to the Secretary during calendar years 2010 and 2011 to project the ongoing, annual costs to covered entities for implementing the breach notification provisions. Several commenters noted that significantly more breaches would occur each year than the interim final rule anticipated, and we acknowledge that the estimates provided in the interim final rule were significantly lower than our experience has been to date. As such, we believe that relying on our experience receiving notifications addresses the concerns of the commenters who thought we were underestimating the number of breaches that would occur each year. Based upon this information, we have revised the projected annual cost to implement these breach notification provisions.

We acknowledge that there may still be some underreporting of breaches as the obligations of the regulation may not yet have penetrated down to all covered entities and business associates. At the same time, we expect that some types of incidents being reported today may not be reported in the future as covered entities and business associates become more familiar with the definition of breach and more adept at performing risk assessments and determining whether a breach has occurred. We have received breach notifications from covered entities in several situations in which notification was not necessary, such as where there was no underlying impermissible use or disclosure under the Privacy Rule or where one of the exceptions to breach clearly applied to the situation. This is the type of over-reporting that we expect to diminish in the future. Additionally, covered entities and business associates are beginning to recognize areas of potential weakness and to take systemic actions to prevent breaches from occurring in the future, such as encrypting portable devices to avoid having to provide breach notifications in the event the device is lost or stolen.

Table 2 shows the costs of the provisions of the final rule based on the breach notifications we have received from covered entities during calendar years 2010 and 2011. We also present the costs required for investigating breaches and the amount of time we anticipate individuals will spend calling the toll-free number for substitute notice. We estimate the total cost for the breach notification rule to be approximately $14.5 million. Discounting at 3 percent and 7 percent and annualizing over 10 years results in costs of $17 million and $20.6 million, respectively.

TABLE 2—Summary of Annual Compliance Cost for Breach Notification in 2011 Dollars

Cost elements | Number of breaches | Number of affected individuals | Cost/breach | Cost/affected individual | Cost
E-mail and 1st Class Mail | 19,000 | 6,710,000 | $182 | $0.517 | $3,467,122
Substitute Notices: Media Notice | 1,190 | 6,605,500 | 480 | 0.086 | 571,200
Substitute Notices: Toll-Free Number 30 | 1,190 | 660,550 | 1,526 | 2.750 | 1,816,379
Imputed cost to affected individuals who call the toll-free line | 1,190 | 660,550 | 1,725 | 3.108 | 2,052,665
Notice to Media of Breach: Over 500 | 250 | 6,600,000 | 62 | 0.002 | 15,420
Report to the Secretary: 500 or More | 250 | 6,600,000 | 62 | 0.002 | 15,420
Investigation Costs: Under 500 | 18,750 | 324,050 | 281 | 16.29 | 5,277,456
Investigation Costs: 500 or More | 250 | 6,600,000 | 3,350 | 0.127 | 837,500
Annual Report to the Secretary: Under 500 | 18,750 | 110,000 | 23 | 3.84 | 422,438
Total Cost | | | | | 14,475,600

30 As we explain below in the section on substitute notice, we project that 6,605,500 individuals will be affected by breaches that may require substitute notice, but we expect that at most 10% of affected individuals will call the toll-free line for information.

In this revised analysis, we rely entirely on our experience with breach notifications received by the Secretary during calendar years 2010 and 2011, for projecting the ongoing, annual costs of the breach notification rule. Based on our experience in those years, we project the likely number of breaches, number of affected individuals, and costs associated with this regulation. We have not attempted to predict future costs because, as discussed above, while we anticipate the overall number of breaches and the overall costs of implementing the breach notification provisions to fall over time, we do not currently have enough data to establish such a trend.

Affected Entities

The entities affected by the breach notification regulation are outlined in the impact statement of the interim final rule. HIPAA covered entities and their business associates must comply with these regulations. We estimate that approximately 700,000 HIPAA covered entities will be subject to the final rule, although many fewer will experience a breach requiring them to fulfill the breach notification requirements.

How many breaches will require notification?

Although this final rule modifies the definition of breach at § 164.402 to remove the harm standard, we do not believe that this will have a significant effect on the number of breaches reported to HHS or on the number of individuals affected. As discussed in Section V above, this final rule removes the harm standard and implements a more objective risk assessment for evaluating whether an impermissible use or disclosure is a breach. As a result, covered entities must still perform a risk assessment following an impermissible use or disclosure of protected health information to determine the probability that the protected health information has been compromised. Events such as hacking into an unencrypted database and theft of unsecured protected health information would in almost all cases constitute a breach in this final rule, just as they would under the interim final rule’s definition of breach. However, given the further clarity in this rule as to the standard and factors to be considered, other incidents that may not have been considered a breach under the interim final rule may be considered a breach under this final rule (or in some cases, vice versa).

Instead of relying on data from http://www.datalossdb.org to estimate the number of breaches and the number of individuals affected by such breaches

each year, this final rule uses breach notification reports submitted to the Secretary by covered entities to revise our previous estimates. We believe these reports provide us with much more complete information from which to project the overall cost of implementing this regulation.

Beginning September 23, 2009, covered entities were obligated to notify the Secretary of all breaches of protected health information occurring on or after that date. As of September 23, 2009, covered entities must report breaches affecting 500 or more individuals to the Secretary without unreasonable delay and in no case later than 60 days from discovery of the breach, while breaches affecting fewer individuals must be reported to the Secretary within 60 days of the end of the calendar year in which the breach occurred.

Based on our experience receiving breach notifications during calendar years 2010 and 2011, we project that HHS will receive approximately 19,000 breach notifications from covered entities annually or, on average, approximately 1,583 breach notifications each month. Approximately 250 such notifications will report breaches affecting 500 or more individuals and the remaining 18,750 reported breaches will affect fewer than 500 individuals.

We project that approximately 6.71 million individuals will be affected by the 19,000 breaches reported to HHS each year, which is, on average, roughly 353 affected individuals per breach.

As in the interim final rule, we have assumed that no State has a notification requirement, despite the fact that this will overestimate the burden imposed on covered entities because covered entities have trained their staffs and have prepared procedures to follow when a breach occurs to comply with existing breach notification requirements of most of the States. To ameliorate the overstatement of our cost estimate somewhat, we have assumed the costs for training personnel and for developing procedures for the most part have already been expended and are therefore in the baseline. We did not include these costs in our analysis of the annual costs.

We have followed the same approach to estimating the costs as outlined in the interim final rule. We examined the cost of notifying affected individuals by first class mail, issuing substitute notice in major media or on a Web site along with a toll-free phone number, notifying prominent media in the event of a breach involving more than 500 individuals, and notifying the Secretary of a breach, as well as the costs of investigating and documenting breaches. Some commenters requested that we include the cost of modifying contracts with business associates to potentially define the breach notification obligations between the parties. We note that costs to modify business associate agreements generally to comply with the new HITECH provisions are discussed elsewhere in this impact analysis.

Cost of Notifying Affected Individuals by First Class Mail or Email

Section 164.404 requires all covered entities to notify affected individuals of a breach either by first class mail, or if the individual has agreed, by email. In the interim final rule, we assumed that approximately one half of notices sent to affected individuals would be sent via first-class mail, while the rest would be sent via email. By comparison, in the Federal Trade Commission’s (FTC) final breach notification rule, the FTC assumed that 90 percent of the notices sent to individuals affected by a breach requiring notification under the FTC rule would be emailed and only 10 percent would be sent by regular first class mail. Since the firms that the FTC regulates are primarily web-based, assuming that the vast majority of communications would be conducted through email is a reasonable assumption. For HIPAA covered entities, however, 90 percent of which are small businesses or nonprofit organizations that engage the entire U.S. population in providing health care services, we believed that notification through email would be much more limited than in the case of the entities the FTC regulates. Some physician offices have been slow to adopt email communication with their patients for various reasons. We, therefore, assumed that only 50 percent of individuals affected as a result of a breach of unsecured protected health information would receive email notices. As we did not receive any comments on this assumption, we retain it here.

As discussed in our analysis in the interim final rule, there will be certain costs that both email and first-class mail notification will share. The cost of drafting and preparing the notice will apply to both forms. The median hourly wage for the labor category of a healthcare practitioner and technical worker in 2011 was approximately $42.96, including 50 percent for fringe benefits.31 If we assume 30 minutes per breach for composing the letter, the cost equals $21.48. We assume that it will also take 30 minutes per breach for an administrative assistant to prepare the letter in either email or printed formats and to document the letter to comply with §§ 164.414(a) and 164.530(j). The median hourly wage for office and administrative support staff is $22.53, including 50 percent for benefits. For the 30 minutes, we estimate $11.27 per breach. The combined labor cost for composing and preparing the document is approximately $32.75 per breach. Half of this cost will be allocated to the first-class letter and the other half to the emails.

31 Department of Labor, Occupational Employment Statistics; Healthcare Practitioner and Technical Occupations. Available at http://www.bls.gov/oes/current/oes_nat.htm.

Although computer costs for sending email will be insignificant, it will take staff time to select the email address from the entity’s mailing list. We assume that an office worker could process and send 200 emails per hour at a cost of $22.53 per hour. For each mailed notice, we assume $0.06 for paper and envelope and $0.45 for a first class stamp, totaling $0.51 per letter. We estimate another $22.53 per hour to prepare the mailing by hand at a rate of 100 letters per hour.

Based on our revised estimate of the number of breaches that will occur in a year, we can multiply the number of breaches by the cost of composing and preparing a notice (19,000 × $32.75), which equals $622,250. Allocating half the costs to emailing and the same amount to regular mail yields $311,125 to each category.

Splitting our estimate of the number of affected individuals evenly between email and regular mail gives us 3,355,000 affected individuals for each notice category. As we did in the interim final rule, for emails we divide affected individuals by the number of emails processed in an hour (200) and multiply the result (16,775 hours) by the hourly cost of $22.53, giving us $377,940. To this number we add the $311,125, giving us an estimated cost for email notices of $689,066.

We follow the same method for estimating the cost of mailing notices using postal mail plus the cost of postage and supplies. Dividing 100 letters per hour into 3,355,000 yields 33,550 hours, which is then multiplied by $22.53 to reach $755,882 in labor costs to prepare the mailing. Adding to that the costs of postage and supplies ($1,711,050) and the costs of composing and drafting ($311,125) equals $2,778,057. Summing the cost of email and postal mail notices equals

$3,467,122. Table 3 presents the results of our analysis in the order they are discussed above.

TABLE 3—Cost of E-mail and First Class Mail to Affected Individuals in 2011 Dollars

| Mail | Email | Total (Annual)
Number of breaches | 9,500 | 9,500 | 19,000
Number of affected individuals or records | 3,355,000 | 3,355,000 | 6,710,000
Hours to compose and document notice | 9,500 (1 hr per breach) | 9,500 (1 hr per breach) | 19,000
Cost to compose and document notice | $311,125 | $311,125 | $622,250
Hours to prepare mailing | 33,550 | 16,775 | 50,325
Cost to prepare mailing | $755,882 | $377,940 | $1,133,822
Postage and supplies | $1,711,050 | N/A | $1,711,050
Total | $2,778,057 | $689,066 | $3,467,122

Cost of Substitute Notice

In the event that a HIPAA covered entity is not able to contact an affected individual through email or postal mail, it must attempt to contact the person through some other means. If the number of individuals who cannot be reached through the mailings is less than ten, the entity may attempt to reach them by some other written means, or by telephone.

In the event that the covered entity is unable to contact 10 or more affected individuals through email or postal mail, the rule requires the entity to (1) publish a notice in the media (newspaper, television, or radio) or post a notice on its Web site, containing the same information contained in the mailed notice, and (2) set up a toll-free number. The toll-free number is to be included in the media notice or notice on the Web site.

Based on the breach notification reports received by the Secretary during calendar years 2010 and 2011, we project that approximately 1,190 breaches affecting 10 or more individuals will require substitute notice (including 5% of breaches involving fewer than 500 individuals, and all 250 breaches involving 500 or more individuals). While several breaches affecting only 1 individual have also required substitute notice, as stated in the interim final rule, we believe the costs for notifying fewer than 10 individuals through alternative written means or by telephone would be very small and as a result we have not attempted to estimate those costs.

The interim final rule estimated that it would cost approximately $240 to publish a public notice in a newspaper. Assuming the covered entity will publish two notices, the cost is $480. Multiplying this amount by the 1,190 estimated breaches yields $571,200. Also, as noted in the interim final rule, if a HIPAA covered entity has a Web site, we assume there will be no cost to post the notice to the Web site. We believe this overestimates the overall cost of publishing a notice, as many covered entities will elect to post the public notice only on their Web site, and not in a newspaper.

As outlined in the interim final rule, the cost of setting up a toll-free phone number is a straightforward process of contacting any one of a number of service providers who offer toll-free service. The interim final rule found that the prices for toll-free service range from $0.027 per minute for a basic mail box arrangement to $0.07 per minute. A major, national phone service company offers toll-free service for $15 per month per toll-free number and a per minute charge of $0.07. There is a one-time charge of $15. As in the interim final rule, we use the costs of $15 per month plus $15 activation fee and $0.07 per minute.

Since the regulation requires providers to maintain a toll-free number for three months, the monthly charge plus initial fee per breach will be $60.

To estimate the number of calls to the toll-free number, the interim final rule assumed that more individuals than those affected by the breach requiring substitute notice would call out of concern that their protected health information might have been compromised. The interim final rule estimated that a number equal to all affected individuals of all breaches would call the toll-free number. Based on our experience to date, and given that many individuals involved in breaches requiring substitute notice will receive regular notice, we now assume that less than 10 percent of individuals affected by breaches requiring substitute notice will call the toll-free line. Therefore, as we anticipate 6,605,500 total individuals will be affected by breaches requiring substitute notice,32 we assume that no more than 10 percent, or 660,550, will call the toll-free number to determine if they are affected by the breach. We note that while this revision significantly reduces the overall cost to covered entities for providing substitute notice in situations in which there is insufficient or out-of-date contact information for 10 or more individuals, we believe this estimate is much more appropriate based on the information we have received from covered entities thus far.

32 This number includes all individuals affected by breaches involving 500 or more individuals (6,600,000) and 5 percent of individuals affected by breaches involving less than 500 individuals (5,500).

Using this number and assuming that a call averages five minutes at $0.07 per minute, we estimate the total direct calling costs to equal $231,193. Added to this is $345,000 that represents the monthly fee per breach (1,190 breaches) for three months plus the one-time fee (totaling $60 per breach). This brings the total cost of setting up and maintaining toll-free lines to $576,193.

To this cost, we must also include the office staff time to answer the incoming calls at $22.53 per hour. Based on an average of five minutes per call, a staff person could handle 12 calls per hour. Dividing 12 into 660,550 equals approximately 55,046 hours, and then multiplied by $22.53 equals $1,240,186. Summing all cost elements yields a total cost of $1,816,379.

To the degree that entities already maintain toll-free phone lines, our estimate overstates the costs of setting up a toll-free line as required under the rule. Table 4 presents our cost analysis for the toll-free line.

TABLE 4—Annual Cost for Setting Up a Toll-Free Line for Three Months in 2011 Dollars

Costs | Number of breaches affecting fewer than 500 (5,500) | Number of breaches 500+ (250) | Number of calls | Total
Monthly Charges for 3 months + 1-time Charge ($60/breach) | $330,000 | $15,000 | N/A | $345,000
Direct Calling Charges @ $.07/min × 5 minutes | | | 660,550 | $231,193
Labor cost @ $22.53/hr × 5 min per call | | | 660,550 | $1,240,186
Cost to individuals @ $24.86/hr × 7.5 min per call | | | 660,550 | $2,052,665
Total | | | | $3,869,044

As in the interim final rule, we have also imputed a cost to the time individuals will spend calling the toll-free number. In estimating the time involved, we assumed that a person will spend five minutes per call. However, the person may not get through the first time and thus may have to call back a second time, which could add another 5 minutes. Taking the average between 5 and 10 minutes, we used an average time of 7.5 minutes per caller.

For purposes of imputing cost to an individual’s time, we took the median compensation amount from the Bureau of Labor Statistics of $24.86 for all occupations.33 Dividing 60 by 7.5 minutes yields 8 calls per hour. Dividing the number of calls per hour into 660,550 calls and then multiplying by $24.86 gives us a cost of $2,052,665.

33 Department of Labor, Occupational Employment Statistics. http://www.bls.gov/oes/current/oes_nat.htm.

Cost of Breaches Involving More Than 500 Individuals

If a covered entity experiences a breach of protected health information affecting more than 500 individuals of a State or jurisdiction, § 164.406 of the rule requires the entity to notify the media in the jurisdiction or State in which the individuals reside. In addition, § 164.408 of the rule requires the entity to notify the Secretary contemporaneously with notice to affected individuals in cases where 500 or more individuals are affected by a breach.

As stated in the interim final rule, we anticipate that a covered entity will issue a press release when it must notify the media under § 164.406. The tasks involved in issuing the press release will be the drafting of the statement and clearing it through the entity. As discussed in the interim final rule, we assume that drafting a one-page statement will contain essentially the same information provided in the notice to affected individuals and will take 1 hour of an equivalent to a GS–12 Federal employee, earning $29 per hour. Adding 50 percent to account for benefits equals $43.50. Approval of the release involves reading the document. We expect this activity to take 15 minutes. The median hourly rate for a public relations manager is approximately $44.86 in 2011.34 Adding 50 percent for benefits equals $67.29, so one quarter of an hour equals $16.82 for approving the release. The total cost of the release equals $61.68, and multiplying this amount by the number of breaches affecting more than 500 individuals (250) equals $15,420. This amount is lower than our previous estimate because we have adopted the more customary and realistic approach of adding 50 percent to wages for benefits, rather than doubling standard wage rates to account for benefits. It should be noted that even this amount may overstate the actual costs of issuing a notice to the media.

34 http://www.bls.gov/oes/current/oes_nat.htm. All Management Occupations.

The report to the Secretary that must be sent contemporaneously with the sending of the notices to the affected individuals will contain essentially the same information as the notice sent to the affected individuals. As stated in the interim final rule, we anticipate the time and cost to prepare the report will be the same as that required for issuing a notice to the media. The cost for reporting to the Secretary the 250 breaches affecting 500 or more individuals is $15,420.

Cost of Investigating a Breach

As a prerequisite to issuing a notice to individuals, to the media, and to the Secretary, the covered entity will need to conduct an investigation to determine the nature and cause of the breach. We estimate that the 95 percent of breaches in the under 500 category that affect fewer than 10 individuals will require 4 hours of investigation. The other 5 percent of under 500 breaches, which affect between 10 and 499 individuals, may require up to 8 hours to investigate. At an office manager’s time at $67 per hour ($44.65 median wage plus 50 percent for benefits)35 multiplied by 4 and 8 hours, results in per breach costs of approximately $268 and $536, respectively. Multiplying $268 by the number of breaches affecting fewer than 10 individuals (17,800 breaches) results in investigation costs of $4,773,616. We then multiply $536 by the number of breaches affecting 10 to 499 individuals (940 breaches), which produces investigation costs of $503,840. Adding the totals for the two groups results in investigation costs of $5,277,456 per year for breaches affecting less than 500 individuals. This estimate includes the time required to produce the documentation required by § 164.414(a). We note that this estimate is significantly higher than that in the interim final rule; however, this is due entirely to the revised estimate that there will be approximately 18,750 breaches affecting fewer than 500 individuals per year.

35 See www.bls.gov/oes/current/oes_nat.htm.

As stated in the interim final rule, for breaches involving 500 or more individuals, the breach investigation may take up to 100 hours to complete; however, we assume that the average investigation will take only 50 hours. At an office manager’s time of $67 per hour multiplied by 50 hours, this cost equals $3,350 per breach. Multiplying this by the number of breaches (250) yields $837,500.

Cost of Submitting the Annual Breach Summary to HHS

Under § 164.408, covered entities must notify the Secretary of all breaches; however, covered entities reporting breaches affecting fewer than 500 individuals may report these breaches to the Secretary annually. Since the material for the submission has already been gathered and organized for the issuance of the notices to the affected individuals, we expect that notifying the Department will require at

2. Notifying Individuals of Their New Privacy Rights

Covered entities must provide individuals with NPPs that detail how the covered entity may use and disclose protected health information and explain individuals' rights with respect to their own health information. Because of changes to the HIPAA Rules as a result of the HITECH Act and GINA, the final rule requires covered entities to modify their NPPs and distribute them to individuals to advise them of the following: (1) For health plans that underwrite, the prohibition against health plans using or disclosing PHI that is genetic information about an individual for underwriting purposes; (2) the prohibition on the sale of protected health information without the express written authorization of the individual, as well as the other uses and disclosures for which the rule expressly requires the individual's authorization (i.e., marketing and disclosure of psychotherapy notes, as appropriate); (3) the duty of a covered entity to notify affected individuals of a breach of unsecured protected health information; (4) for entities that have stated their intent to fundraise in their notice of privacy practices, the individual's right to opt out of receiving fundraising communications from the covered entity; and (5) the right of the individual to restrict disclosures of protected health information to a health plan with respect to health care for which the individual has paid out of pocket in full.

For providers, the costs related to the NPP consist of developing and drafting the revised NPP, and, as discussed below, the potential to incur out-of-cycle printing costs for the revised notice. There are no new costs attributable to the distribution of the revised notice as providers have an ongoing obligation to hand out the NPPs when first-time patients come for their appointments. We estimate that drafting the updated NPPs will require approximately one-third of an hour of professional, legal time at a cost of about $28.[36] The total cost for attorneys for the approximately 697,000[37] health care providers in the U.S. is, therefore, expected to be approximately $20 million. Printing the NPPs involves production and supplies at a cost of $0.10 per notice. Based on our prior estimates, health care providers are currently required to print and provide the NPP to approximately 613 million new patients annually. We assume that most health care providers will spread the printing of their notices throughout the year, producing copies on a quarterly, monthly, or even more frequent schedule. Further, providers will have 8 months from the publication of the final rule before they will need to produce the revised NPPs, and, therefore, can use that time to adjust their inventory and printing schedule to transition to the revised notice without any additional expense. Thus, assuming a worst case scenario in which all providers would need to replace at most 4 months of old inventory with the revised notice, the need for off-schedule printing of the revised notice for this 4 month period would be attributed to this provision. We estimate, therefore, that providers will print not more than 204 million revised NPPs over and above their existing printing obligations (4/12 × 613 million = 204 million). Printing costs for 204 million NPPs will be $20.4 million (204 million × $0.10 = $20.4 million). Therefore, the total cost for providers is approximately $40.4 million ($20 million + $20.4 million = $40.4 million).

For health plans, the costs related to the NPP consist of developing and drafting the revised NPP, and, for certain health plans, the costs of printing and mailing the notice out-of-cycle because the revision is a material change. See § 164.520(c)(1)(v)(A). With the exception of a few large health plans, most health plans do not self-administer their plans. Most plans are either health insurance issuers (approximately 730) or utilize third party administrators that act on their behalf in the capacity of business associates. We identified approximately 750 third party administrators acting as business associates for ERISA plans. We have revised our earlier estimate of 3,500 third party administrators after learning that the majority of these entities act as welfare administrators and do not administer health plans. In addition, some public non-Federal health plans may use third party administrators. Almost all of the public and ERISA plans, we believe, employ third party administrators to administer their health plans. While the third party administrators will bear the direct costs of issuing the revised NPPs, the costs will generally be passed on to the plans that contract with them. Those plans that self-administer their own plans will also incur the costs of issuing the revised NPPs. We do not know how many plans administer as well as sponsor health plans and invited comments on the number of self-administered plans. As we did not receive comments on this issue, we assume that there are not enough self-administered plans to have an effect on these estimates.

Each of the approximately 1,500 health insurance issuers and health plan administrators will experience the same kinds of costs as we estimated for providers for drafting ($28 per entity) and printing ($0.10 per notice) the NPPs. However, health insurers and plan administrators will have to mail the NPPs to policy holders. We recognize that, under the existing requirement to send new NPPs in a separate mailing to all policy holders, the costs of distributing new NPPs, including clerical time and in some cases, postage, constituted the majority of the overall costs of the rule to covered entities. However, in the proposed rule, we requested comments on alternative ways to inform individuals of material changes to their rights and protections that would be less burdensome and costly. Based on the comments and consistent with E.O. 13563, in this final rule, we have adopted an alternative to the requirement to send the new NPP to all policy holders within 60 days. After consideration, we decided to permit health plans and third party administrators working for health plans to include the revised NPP in their next annual mailing, rather than within 60 days of the material change, if they have a Web site with an NPP. See § 164.520(c)(1)(v)(A). We anticipate that most, if not all, affected entities will take advantage of this option and will not send the NPP in a separate mailing. As such, we expect that the vast majority of health insurers will not incur any out-of-cycle NPP dissemination costs. Nonetheless, to account for any costs that might be incurred by a small minority of health insurers to distribute the revised NPPs in a separate mailing, we have calculated the costs to these entities of doing so. We describe our methodology in the following paragraphs, beginning with an estimated total number of NPP recipients. We then calculate the costs of printing and sending the revised NPP by separate mailings to all recipients and estimate that no more than 10 percent of these costs will actually be incurred.

[36] See http://www.bls.gov/oes/current/naics3_541000.htm#23–0000 for lawyers. Note that we generally calculate labor costs based on the median hourly rate, which for lawyers is $56.21 per hour. We add 50 percent to account for fringe benefits, resulting in an estimated hourly cost of $84.32.
[37] We identified 698,238 entities that must prepare and deliver NPPs that are shown in Table 1 above. This includes 696,758 HIPAA covered entities that are health care providers, including hospitals, nursing facilities, doctor offices, outpatient care centers, medical diagnostic, imaging service, home health service and other ambulatory care service covered entities, medical equipment suppliers, and pharmacies. For the purposes of our calculation, we have rounded this number to 697,000. Table 1 also includes 730 health insurance carriers and 750 third party administrators working on behalf of covered health plans. The cost estimates for these entities are addressed later.

Because the Privacy Rule requires that only the named insured or policy holder is notified of changes to the health plans' privacy practices even if that policy also covers dependents, we expect that only policy holders will receive the revised NPPs mandated by this rule. This assumption is consistent with the practices of public programs, such as Medicare, which has a policy of mailing one notice or a set of program materials to a household of four or fewer beneficiaries at the same address. As a result, although there are 50.7 million individual Medicare beneficiaries, the program only sends out approximately 36 million pieces of mail per mailing.

Actuarial Research Corporation (ARC), our consultant, estimated the number of policy holders for all classes of insurance products to be approximately 183.6 million, including all public programs. The data comes from the Medical Expenditure Panel Survey from 2004–2006 projected to 2010. ARC estimated 112.6 million private sector policy holders and 71.0 million public ''policy holders.'' The total, including more recent Medicare data, is 188.3 million persons (which results in roughly a split of 60 percent private policy holders and 40 percent public ''policy holders''), whom we expect to receive NPPs from their plans. The estimates do not capture policy holders who are in hospitals or nursing homes at the time of the survey, or individuals who may have been insured under more than one plan in a year, for example, because their job status changed, they have supplemental policies, or they have more than one employer, creating duplicate coverage. Therefore, ARC recommended we use 200 million for the number of NPPs that will actually be sent.

We estimate the costs of drafting, printing, and distributing the NPP to all potential recipients to be the following. First, drafting the NPP is estimated to require one-third hour of legal services at a cost of $28 × 1,500 insurance plans and insurance administrative entities, which equals $42,000. Second, we need to calculate printing and distribution costs for all potential recipients assuming the revised notice would be sent in a separate mailing. As with providers, we estimate the cost of printing the NPP, which includes the cost of paper and actual printing, to be $0.10 per notice. Therefore, we estimate the cost of printing 200 million notices for mail distribution at $20 million. Further, we estimate the cost of distributing the NPPs, including clerical time and postage in the same manner as these costs were estimated for the Breach Notification for Unsecured Protected Health Information Regulations. Thus, we assume that an office worker could process and send 100 mailings per hour at a cost of $22.53 per hour, plus a postage cost of $0.45 per mailing. If notices were required to be mailed to the 200 million beneficiaries in the sixty-day timeframe, the distribution costs would be $135 million (200 million/100 per hour × $22.53 = $45 million + $90 million (200 million × $0.45)). Total printing and distribution cost would have been $155 million, if all policy holders received separate NPP mailings. Third, as discussed above, we expect that nearly all plans and third party administrators will be able to avoid having to do a separate mailing of the revised notice under the new distribution provisions in this final rule, and that only 10 percent of these plans will incur the printing and distribution costs. Using the above estimates, we assume for this purpose that 20 million notices (200 million total notices × 10%) will need to be printed and sent through a separate mailing, at a total cost of $15.5 million ($2 million printing + $13.5 million mailing). Therefore, the total cost to all plans for drafting, printing, and distributing the NPP is approximately $15.5 million. We note that even this total may be an overestimation of the costs because many insurers may use bulk mailing rates to distribute their NPPs which would reduce their mailing costs.

The total estimated cost for both providers and health plans to notify individuals and policy holders of changes in their privacy rights is approximately $55.9 million in the first year following implementation of the rule.

A number of commenters expressed general concern regarding the costs of printing and distributing new NPPs but did not provide estimates of the costs they anticipated or question our calculations. Two health plan commenters estimated that the costs of printing and mailing NPPs to their members could reach up to $100,000. However, they did not provide information about the facts and assumptions underlying their analyses, including the number of beneficiaries or mailings they anticipated, so we were unable to evaluate their estimates. We have addressed some of this concern by permitting health plans that maintain a notice on their web sites to include their NPPs in their annual mailings, rather than separately mailing the NPPs within 60 days of the material changes.

Table 5 below presents our analysis of costs to the providers, insurers, and third party administrators that are required to issue NPPs under the rule.[38]

TABLE 5—SUMMARY OF COMPLIANCE COST FOR NOTICES OF PRIVACY PRACTICES

Cost elements | Providers | Health insurers & third party administrators | Total (approx.)
Drafting NPPs | $20 million | $42,000 | $20 million.
Printing NPPs | $20.4 million | $2 million | $22.4 million.
Mailing NPPs | N/A | $13.5 million | $13.5 million.
Total (approx.) | $40.4 million | $15.5 million | $55.9 million.

[38] Health care clearinghouses function almost exclusively as business associates with respect to the protected health information they maintain and process, and therefore have no NPP requirements.

3. Business Associates and Covered Entities and Their Contractual Relationships

The rule extends liability for failure to comply with certain provisions of the Privacy and Security Rules directly to business associates and business associate subcontractors. Prior to this rule and HITECH, these obligations applied to business associates and their subcontractors indirectly through §§ 164.504(e) and 164.314(a), which require that covered entities by contract require business associates to limit uses and disclosures and implement Security Rule-like safeguards.

This final rule implements Section 13401 of HITECH Act, which makes business associates directly liable for compliance with many of the same standards and implementation specifications, and applies the same penalties to business associates that apply to covered entities, under the Security Rule. Additionally, in accord with Section 13404 of the HITECH Act, the rule requires business associates to comply with many of the same requirements, and applies the same penalties to business associates that apply to covered entities, under the Privacy Rule. Business associates must also obtain satisfactory assurances in the form of a business associate agreement from subcontractors that the subcontractors will safeguard any protected health information in their possession. Finally, business associates must furnish any information the Secretary requires to investigate whether the business associate is in compliance with the regulations.

In the proposed rule, we assumed that business associates' compliance with their contracts range from the minimal compliance to avoid contract termination to being fully compliant. Further, we assumed that business associates in compliance with their contracts would have already designated personnel to be responsible for formulating the organization's privacy and security policies, performed a risk analysis, and invested in hardware and software to prevent and monitor for internal and external breaches of protected health information.

We also stated in the proposed rule that while business associates were previously required to comply with the HIPAA Rules according to the terms of their contracts with covered entities, and we expected that most business associates did so already, the risk of criminal and/or civil monetary penalties may spur some business associates to increase their efforts to comply with the Rules. We explained that we have no information on the degree of contract enforcement and compliance among business associates, and lack information regarding the size or type of business associates that contract with covered entities. We have only rough estimates as to the overall number of business associates, which range from approximately one million to two million depending on the number of business associates that serve multiple covered entities.

While we did not have specific information in this regard, we assumed that some business associates and subcontractors already comply with existing privacy and security standards in accordance with their indirect and contractual obligations. For them, the proposed rule would impose only a limited burden. For other business associates, depending on the current level of compliance, the proposed rule could impose significant burdens. We requested comments regarding the amount of burden and the number of affected business associates.

Several commenters stated that requiring business associates to undertake compliance with the rule in the same way as covered entities is excessive and burdensome, especially because in some cases business associates do not have the same type of relationship with individuals. Several commenters pointed to the burden on covered entities and business associates to renegotiate business associate agreements and train staff, and many specifically mentioned that compliance with the Security Rule is particularly costly. One commenter stated that it was a business associate party to ''tens of thousands'' of business associate contracts, with a significant cost to bring all into compliance.

We continue to expect that most business associates and subcontractors have made and continue to make a good-faith effort to follow the terms of their contracts. The burden of the rule on business associates and subcontractors depends on the terms of the contracts between covered entities and business associates and between the business associates and subcontractors, and the degree to which business associates and subcontractors established privacy policies and adopted security measures that comport with the HIPAA Rules. For business associates and subcontractors that have already taken HIPAA-compliant measures to protect the privacy and security of the protected health information in their possession, as required by their existing contracts, the rule imposes limited burden. We estimate the costs to other business associates later in this section.

A few commenters cited concerns about unfair competition for smaller business associate entities that they believe will not be able to compete with larger business associate entities, especially with regard to contract negotiations including indemnification and other risk allocation issues.

We understand that many small business associates are concerned about the allocation of risk and indemnification in conjunction with their business associate contracts. However, as we discuss in section IV D above, as with any contracting relationship, business associates and covered entities may include other provisions that dictate and describe their business relationship. While these may or may not include indemnification clauses or other risk-shifting provisions, these contractual provisions and relationships are outside the governance of the HIPAA Rules.

Because we understand that covered entities and business associates remain concerned with the cost to bring their business associate agreements into compliance with the final rule, we allow contracts to be phased in over one year from the compliance date or 20 months from the publication date of the final rule, and we expect and encourage covered entities and business associates to incorporate the costs of modifying contracts into the normal renegotiation of contracts as the contracts expire. As we did not receive comments to the contrary, we believe that most contracts will be renegotiated over the phase-in period. In addition, the Department has issued on its web site revised sample business associate provisions, which should lessen the costs associated with contract modifications.

As we believe covered entities generally are operating under HIPAA compliant contracts with their business associates, the transition period and availability of sample contract provisions should make it possible for these entities to incorporate any minor contract modifications into normal contract renegotiations without any appreciable added costs. We continue to believe that all covered entities have established business associate agreements with their business associates that are consistent with the requirements of the HIPAA Rules, as covered entities have been subject to direct liability under the Rules since their inception and have had more than half a dozen years to make their contracts compliant. However, to the extent that some contracts between covered entities and business associates are not currently in full compliance with the business associate agreement provisions, these entities may experience limited costs to revise their contracts.

Although we are less certain about the current state of business associate-subcontractor relationships, we believe that most business associates have made a good faith attempt to include the appropriate contractual requirements. Still, we anticipate that some small business associates, now that they are subject to direct liability under the rules, might establish or significantly modify their subcontracts to come into compliance for the first time. Such business associates would not be eligible for the extended transition period and, as a result, would incur the costs of creating new contracts or renegotiating contracts out of cycle. In the Final Privacy Rule published in 2002, we estimated that entities would need between one and two hours to develop and tailor a business associate agreement to their particular needs. See 67 FR 53182, 53257. Taking the average of the lower and upper estimates provided in the earlier rulemaking, we estimate that developing and tailoring contract language normally would take approximately 90 minutes of professional legal services at $84.32 per hour.[39] However, as in the 2002 Final Privacy Rule (67 FR 53257), we estimate that providing model language will reduce the time required to develop contract language by at least one third. Thus, we estimate that each new or significantly modified contract between a business associate and its subcontractors will require, at most, one hour of a lawyer's time at a cost of $84.32.

We believe that no more than 25 percent of 1–2 million business associates, or 250,000–500,000 entities, would not have already made good faith efforts to achieve compliance and will need to create or significantly modify subcontracts, resulting in total costs of between $21 million and $42 million. We expect that each business associate's lawyer will draw up one standard contract to use for all of its subcontracts. We do not attribute contract revision costs to subcontractors because the required contract provisions are not negotiable and subcontractors will need to only sign the agreement. We note that our estimated cost likely is an overestimate because the group of small business associates that may be less likely than others to have compliant contracts in place with subcontractors are, because of their size, also less likely to have any subcontractors at all.

Finally, in response to the commenters concerned with the cost and burden on business associates to come into full compliance with the Security Rule, we have taken another look at the underlying assumptions in the proposal. We continue to believe that business associates have engaged in privacy practices in compliance with their contractual obligations to use and disclose protected health information as limited by the Privacy Rule and their particular contracts with covered entities. Therefore, as we have stated above, we do not believe that the extension of liability for compliance with Privacy Rule requirements as identified in this rulemaking will impose any new costs or burdens.

With regard to the Security Rule, which was of particular concern to commenters as to the compliance costs on business associates, we also continue to believe that business associates, in providing their adequate assurances to safeguard electronic protected health information through their business associate contracts, have implemented security protections that meet the standards and required implementation specifications in the Security Rule. Further, we continue to believe that business associates have made the necessary investment in hardware and software to secure the electronic protected health information as part of the investment in the hardware and software needed for their management and processing of this information to perform their business associate functions and comply with the contract requirements at § 164.314(a). However, based on the comments, we now believe that some business associates, particularly smaller business associates that may have access to electronic protected health information for limited purposes, may not have engaged in certain of the formal administrative safeguards. For example, these entities may not have performed a risk analysis, established a risk management program, or designated a security official, and may not have written policies and procedures, conducted employee training, or documented compliance as required under §§ 164.308 and 164.316 of the Security Rule.

We do not have information on what percentage of business associates may have to engage in efforts to comply with some of the administrative safeguard standards, including documenting their policies and procedures and training their employees on the policies and procedures, nor did the comments on the impact statement offer any specific information to provide an estimate. We assume that up to 80 percent of the 1–2 million business associates, or between 800,000 and 1.6 million business associates, may handle electronic protected health information and thus may have to document their existing security protocols. Further, of these business associates, we assume that no more than 25 percent are likely to incur some cost to document their administrative safeguards and their policies and procedures as now required by statute and these regulations. We believe that our original assumption of compliance with all Security Rule requirements remains sound for the rest of the business associates, and we received no substantive comments to the contrary.

The costs of coming into full compliance with the administrative safeguard procedures, such as performance of a risk analysis and development of a risk management plan, will vary depending on the size and complexity of the business associate, the scope of their duties for the covered entity and the protected health information they must secure, and the degree to which their prior documentation of their security protocols falls short of compliance with the standards in the Security Rule. In the original Security Rule, we estimated that covered entities would need approximately 16 hours to document their policies and procedures. See 68 FR 8334, 8368. As these policies and procedures are the reflection of the risk management plan, which in turn is based on the risk analysis, we believe that this estimate would be inclusive of that time. We believe it will take business associates on average much less time to document their security related policies and procedures, because they have likely already engaged in most of the analysis associated with the adoption of security protocols, even if they may not have formally reduced all such protocols to writing, and because the scope of their responsibilities will generally be much more constrained than that of the covered entity with whom they have contracted. In addition, while covered entities must perform these tasks with respect to their entire business, generally only a small part of any business associate is involved with electronic protected health information. Extrapolating from our estimate in the original Security Rule that entities would require approximately 16 hours to implement and document Security Rule compliance measures for the first time, and applying the assumption that most of these measures already are in place, we estimate that these business associates will need only between 2 and 5 hours to formalize or update their applicable administrative safeguards.

[39] See http://www.bls.gov/oes/current/naics3_541000.htm#23–0000 for lawyers. Note that we generally calculate labor costs based on the median hourly rate, which for lawyers is $56.21 per hour. We add 50 percent to account for fringe benefits, resulting in an estimated hourly cost of $84.32.

Rule compliance measures for the first time, and applying the assumption that most of these measures already are in place, we estimate that these business associates will need only between 2 and 5 hours to formalize or update their applicable administrative safeguards. We would cost the time needed to come into compliance at $56.61/hour.[40]

[40] We have used the median wage rate described by the U.S. Bureau of Labor Statistics in its 2011 National Compensation Survey for the category of Management Analysts (including responsibilities for designing systems and procedures), which is approximately $37.74/hr. See http://www.bls.gov/oes/current/oes_nat.htm. To this wage rate we have added 50 percent for benefits, which results in a total cost of $56.61/hr.

According to these assumptions, the range of costs that any one business associate would incur to comply with the new statutory and regulatory requirements would be between $113 and $283, as first year, one-time costs.

Assuming that business associates with access to electronic protected health information represent 80 percent of 1 to 2 million total business associates (or 800,000 to 1.6 million total), the aggregated costs for all business associates are estimated to be between approximately $22.6 million and $113 million. (25 percent of 800,000 business associates = 200,000; 200,000 × $113 (2 hr @ $56.61/hr) = $22.6 million. 25 percent of 1.6 million business associates = 400,000; 400,000 × $283 (5 hr @ $56.61/hr) = $113 million.) These costs represent one time first year costs for full compliance by business associates with the Security Rule requirements.

Table 6 below presents the range of our estimates of the costs to business associates of achieving compliance with the rules.

TABLE 6—BUSINESS ASSOCIATE COST ESTIMATES IN 2011 DOLLARS

Data element | BAA between business associates and subcontractors | Security rule compliance documentation
Estimated number of affected entities | 200,000–400,000 BAs | 250,000–500,000 BAs
Hours needed to complete compliance activities | 2–5 hours per BA | 1 hour per BA
Cost per hour | $56.61 | $84.32
Total cost | $22.6 million–$113 million | $21 million–$42 million

Response to Other Public Comments

Comment: One commenter suggested that business associates will be reluctant to contract with covered entities due to perceived increased risks associated with such contracts, and covered entities will be forced to hire more staff at additional costs.

Response: While the HIPAA Rules now impose direct liability with regard to compliance, business associates were previously contractually liable for compliance with these provisions. Further, whether a covered entity uses workforce members or business associates to perform its operations remains a decision for the covered entity. As this commenter did not provide specific information about his concerns, we cannot quantify the costs associated with this comment, nor do we have a basis for concluding that business associates will refuse to contract with covered entities as a result of this rule.

Comment: One commenter suggested that requiring business associate agreements will increase the costs of litigation.

Response: As business associate agreements were required under the HIPAA Rules previously, and as the commenter did not include specific information about what costs he believes will increase, we do not believe such a requirement will increase litigation generally.

4. Qualitative Analysis of Unquantified Costs

a. Authorization for Uses and Disclosures of Protected Health Information for Marketing and Sale of Protected Health Information

The final rule modifies the definition of "marketing" to encompass treatment and health care operations communications to individuals about health-related products or services if the covered entity receives financial remuneration in exchange for making the communication from or on behalf of the third party whose product or service is being described. A covered entity must obtain an individual's written authorization prior to sending marketing communications to the individual.

In the proposed rule, we requested comment on the extent to which covered entities currently receive financial remuneration from third parties in exchange for sending information to individuals about the third parties' health-related products or services. In general, commenters did not indicate that complying with the final rule would be administratively burdensome, but some commenters expressed a general concern over the potential loss of revenue given the new restrictions on receiving financial remuneration from a third party to send health-related communications to an individual. These comments appear to indicate that most covered entities would not attempt to obtain authorizations for the now prohibited communications but rather would forgo making them altogether. We acknowledge the potential for some lost revenue due to these modifications in cases where covered entities are currently receiving financial remuneration from third parties to send health-related communications to individuals. However, as we do not know to what extent covered entities today currently operate in this manner, and commenters did not include specific information in this regard, we do not have data that could inform quantifying such loss.

The final rule also requires an individual's authorization before a covered entity may disclose protected health information in exchange for remuneration (i.e., "sell" protected health information), even if the disclosure is for an otherwise permitted disclosure under the Privacy Rule. The final rule includes several exceptions to this authorization requirement. In the proposed rule, we stated that on its face, this new prohibition would appear to increase the burden to covered entities by requiring them to obtain authorizations in situations in which no authorization is currently required. However, we believed such a scenario to be unlikely. We believed most individuals would not authorize disclosures of their protected health information when they were informed the covered entity would be remunerated for the disclosure. Thus, we believed covered entities would simply discontinue making such disclosures as it would not be
worthwhile for covered entities to continue to attempt to obtain such authorizations. We requested comment on these assumptions.

As noted above, the requirement to obtain authorization to receive remuneration to make a disclosure of protected health information contains several exceptions. In the proposed rule, we expressed our belief that covered entities would not incur additional costs to continue making most of the excepted disclosures as such exceptions were not constrained or limited in any way and thus, would not change the status quo. However, we recognized that the exception for research disclosures may impose additional burden on researchers as it was, consistent with the statute, a conditional exception. Covered entities would be able to disclose protected health information under the research exception only to the extent any remuneration received in exchange for the information did not exceed the cost to produce and transmit the information. Thus, we recognized that researchers who purchase data from covered entities may now incur additional costs as a result of the final rule, in order to obtain newly required authorizations, if they are currently paying a covered entity more than the cost to produce and transmit the protected health information (e.g., an incentive payment to produce the data) and the covered entity is not willing to accept only the costs to prepare and transmit the data. It was also recognized that some research may be jeopardized to the extent that authorizations for the entity to receive these incentive payments could not be obtained from subjects. On the other hand, to the extent covered entities agreed to receive only the costs to prepare and transmit the data, these entities would experience a loss of revenue while researchers would experience a corresponding decrease in costs, and current disclosures for research purposes could continue without authorization. While we acknowledged the potential costs under this provision, we stated that we have no information on the amounts currently paid to covered entities by researchers for protected health information, and thus, had no way to estimate the impact of the provision. We solicited comment in this area.

Overall, commenters did not indicate that obtaining authorization prior to disclosing protected health information in exchange for remuneration would result in an increased burden or cost for the covered entity. However, one commenter did estimate that obtaining additional authorizations may cost approximately $22 to $28, per patient. Some commenters indicated it may be burdensome to determine if remuneration was in fact received by the entity.

The comments on this provision did not alter our belief that, in general, covered entities would discontinue making disclosures in exchange for remuneration that require the individual's authorization, given the unlikelihood most individuals would agree to authorize such dis closures. Further, there are a number of exceptions to the general prohibition that allow a covered entity to continue to operate "status quo" with respect to a number of types of disclosures, even if the covered entity receives remuneration. In response to the comments, we acknowledge that it may be difficult to determine whether remuneration has been received by a covered entity, particularly since the prohibition encompasses both direct and indirect (i.e., non-financial) remuneration. We expect to issue future guidance on this topic to assist entities in complying.

With respect to the amounts currently paid to covered entities by researchers, some commenters indicated as a general concern that limiting remuneration received by covered entities from researchers may provide a disincentive for covered entities to continue assisting researchers in their efforts. However, commenters did not quantify what they are paying covered entities above the costs to prepare and transmit the data, nor did they provide information that would give the Department an idea of the extent to which covered entities receive such payments. Therefore, while we acknowledge the potential for some lost revenue to covered entities due to these modifications or some additional costs to researchers to obtain authorizations, we do not have data that could inform quantifying such costs. At the same time, we note that we have made some clarifications in the above preamble discussion regarding these provisions that we believe would lessen any such impact. Specifically, the preamble explains that we do not consider a sale of protected health information to encompass payments a covered entity may receive in the form of grants, or contracts or other arrangements to perform programs or activities, such as a research study, where any provision of protected health information to the payer is a byproduct of the service being provided. Thus, the payment by a research sponsor to a covered entity to conduct a research study is not considered a sale of protected health information even if the study involves disclosing research results that include protected health information to the sponsor. In contrast, a sale of protected health information includes disclosures of protected health information where a covered entity is receiving remuneration from or on behalf of the recipient of the data for the information itself. Thus, a disclosure of protected health information by a covered entity to a third party researcher that is conducting the research in exchange for remuneration would fall within these provisions, unless the only remuneration received is a reasonable, cost-based fee to cover the cost to prepare and transmit the data for such purposes.

b. Individual Right To Opt Out of Fundraising Communications

The current Privacy Rule requires covered entities give individuals the opportunity to opt out of receiving future fundraising communications from the entity. The HITECH Act and final rule strengthen the opt out by requiring that it be clear and conspicuous and that an individual's choice to opt out should be treated as a revocation of authorization. While the rule specified that a clear and conspicuous opt out method must not cause an individual to incur an undue burden or more than a nominal cost, the proposed rule did not specify the method to be employed but rather left it up to the discretion of the covered entity. We requested comment on the extent to which the requirement that the opportunity to elect not to receive further fundraising communications be clear and conspicuous would have an impact on covered entities and their current fundraising materials.

Overall, commenters did not indicate that requiring the opt out for further fundraising to be clear and conspicuous would greatly impact covered entities and their current fundraising efforts or provide specific anticipated costs in this regard. Rather, some commenters indicated that they already provide pre-paid, pre-printed postcards for this purpose with fundraising mailings and doing so is neither costly nor imposes a significant burden on the individual who wishes to opt out of further communications. Based on this feedback and the continued flexibility in the final rule to choose the opt out method (e.g., toll-free number, postcard), we do not believe that the requirement that fundraising opt-outs be clear and conspicuous will result in significant new costs to covered entities. Further, while some commenters did indicate that a pre-solicitation opt out would be costly for covered entities in
response to our request for comment on this issue, as a result of this general opposition, the final rule does not change the current requirement that covered entities only need to include an opt-out with any solicitation sent to an individual rather than to the first fundraising communication.

c. Individuals' Access to Protected Health Information

In this final rule, we strengthen an individual's right to receive an electronic copy of his or her protected health information. Specifically, as was proposed, the final rule requires that if an individual requests an electronic copy of protected health information that is maintained electronically in one or more designated record sets, the covered entity must provide the individual with access to the electronic information in the electronic form and format requested by the individual, if it is readily producible, or, if not, in a readable electronic form and format as agreed to by the covered entity and the individual. Also, as in the proposed rule, the final rule provides that a covered entity may charge a fee for costs associated with labor and supplies for creating an electronic copy, including electronic portable media if agreed to by the individual, and clarifies that a covered entity may charge for postage if an individual requests that the covered entity transmit portable media containing an electronic copy through mail or courier. However, covered entities may not include fees associated with maintaining systems, retrieval costs, or infrastructure costs in the fee they charge to provide an electronic copy.

We continue to believe that this requirement will not result in significant new burdens on covered entities. Individuals already had a right to access protected health information maintained in electronic designated record sets under the prior Rule, and already had a right to receive an electronic copy of such information to the extent the electronic copy was readily producible by the covered entity. The Rule provides significant flexibility to covered entities in honoring individuals' requests for electronic access. While a covered entity must provide some type of electronic copy to an individual who requests one, a covered entity is not required to provide the exact form of the copy or access requested by the individual if it is not readily producible in such form. Thus, covered entities may provide readily producible electronic copies of protected health information that are currently available on their various systems. A covered entity is not required to purchase new software or systems in order to accommodate an electronic copy request for a specific form that is not readily producible by the covered entity at the time of the request, provided that the covered entity is able to provide some form of electronic copy. Further, in cases where an individual chooses not to accept the electronic copy that is readily producible by the covered entity, a hard copy may be offered.

We did hear from several commenters that some legacy or other systems, while capable of producing a hard copy as previously required under the existing access requirement, may not be capable of producing any electronic copy at present. In these cases, covered entities may incur some cost burden in order to purchase software or hardware to produce some kind of electronic copy for electronic information held in designated record sets on such legacy systems. However, covered entities are not required to purchase additional software or hardware to meet individuals' specific requests, as long as at least one type of electronic copy is available. We anticipate some cost will be incurred by covered entities with such systems; however, we did not receive comments on the extent of these costs, or the number of covered entities with legacy systems that will need to incur such costs.

d. Right To Restrict Certain Disclosures to a Health Plan

The final rule requires that a covered health care provider agree in most cases to an individual's request to restrict disclosure to a health plan of the individual's protected health information that pertains to a health care service for which the individual has paid the health care provider in full out of pocket. This is a change from the prior rule, which provided individuals with the right to request a restriction on certain disclosures; however, a covered entity was not required to agree to the restriction, whatever the circumstances.

We do not believe that covered health care providers will incur substantial costs to implement this expanded right for a number of reasons. First, in order to comply with the rule prior to this change, a covered entity is already required to have processes and procedures in place for accepting and considering individuals' requests for restrictions, even if, as a general matter, the covered entity declines to agree to such requests. This final rule does not require new or different processes for receiving and reviewing requests for restrictions, just that the covered entity honor, in most cases, a self-pay patient's request for a restriction to a health plan. Second, for those covered health care providers that do not currently, but will now be required to, accommodate requests by self-pay patients to restrict disclosures to a health plan, the final rule provides significant flexibility in how providers are to honor an individual's request and the preamble makes various clarifications in response to comments as to how to operationalize this new requirement. For example, the final rule makes clear that a health care provider is not required to separate or segregate records in order to ensure an individual's restriction request is honored. Rather, the final rule leaves it to the discretion of the provider as to how to flag information that is the subject of a restriction. Further, the final rule provides flexibility as to how restriction requests for certain services, such as bundled services, are to be handled, as well as what reasonable efforts should be made to obtain payment from an individual whose original form of payment has been dishonored, prior to resorting to billing the health plan for the service. Finally, in response to comments regarding the potential burden and cost of doing so, the final rule does not require health care providers to inform downstream providers who may receive the individual's protected health information, such as a pharmacy or specialist, of a restriction, given the lack of automated technologies to support such a requirement.

Notwithstanding the above, we acknowledge that there will be some additional burden on certain health care providers to ensure an individual's request to restrict a disclosure to a health plan is honored where such a request would not have been honored in the past. However, we do not have data to inform quantifying an estimated cost in this area. For example, we do not have data on the number of providers that currently accommodate requests from self-pay patients to restrict disclosures versus those that do not, the number of requests that covered health care providers receive today that would now require a restriction, nor even the number of requests for restrictions generally that covered health care providers currently receive.

e. Impact of the Genetic Information Underwriting Prohibition on Health Plans

The final rule prohibits health plans that are HIPAA covered entities, except issuers of long term care policies, from using or disclosing an individual's protected health information that is
genetic information for underwriting purposes. As we explained in the proposed rule, the rule does not affect health plans that do not currently use or disclose protected health information for underwriting purposes. Further, even with respect to health plans that perform underwriting, plans and issuers in the group market previously commented to the Department that they do not, even prior to the passage of GINA, use genetic information for underwriting purposes because pre-GINA laws and regulations prohibit them from discriminating against individuals based on any health status related factors, including genetic information. With respect to issuers in the individual health insurance market, the Department acknowledged in the proposed rule that there may be more significant policy changes associated with the prohibition on using or disclosing protected health information that is genetic information for underwriting purposes. However, the Department explained in the proposed rule that it did not have sufficient information to determine the extent of such changes, that is, to what extent issuers in the individual health insurance market use genetic information for underwriting purposes. Regardless, as we explained in the proposed rule, in the case of either the individual or group market, the Department assumed, because a prohibited use or disclosure of genetic information for underwriting purposes would also be a discriminatory use of such information under the nondiscrimination provisions of GINA Title I and its implementing regulations, that there would be no costs associated with conforming a plan's practices to comply with the underwriting prohibition that are above and beyond the costs associated with complying with the regulations implementing sections 101–103 of GINA. With respect to the health plans not covered by GINA but subject to the proposed prohibition in the Privacy Rule, the Department also assumed that the costs to comply would be minimal because such plans either: (1) do not perform underwriting, as is the case generally with public benefit plans; or (2) perform underwriting but do not in most cases use genetic information (including family medical history) for such purposes.

In general, most comments in response to the proposed rule did not provide information that contradicted the above assumptions. However, concern was expressed regarding the adverse impact of such an underwriting prohibition on the long-term care market. Given the concern regarding the impact of the underwriting prohibition on the long-term care market, the final rule exempts such plans from the prohibition. Thus, there are no costs to be attributed to long term care plans with this rule. Further, given we did not receive other comments that would lead us to question the underlying assumptions in the proposed rule, we do not expect this provision of the final rule to result in substantial new costs on health plans, particularly those that have been required to comply with the regulations implementing GINA's nondiscrimination provisions for several years now.

f. Enforcement Provisions

The amendments contained within this final rule to the HIPAA Enforcement Rule conform the regulatory language of the Rule to the enhanced enforcement provisions of the HITECH Act. Consistent with its reasoning in prior HIPAA Enforcement rulemakings,[41] the Department expects the costs covered entities, and now business associates, may incur with respect to their compliance with the Enforcement Rule, itself, should be low in most cases. That is, covered entities and business associates that comply with the HIPAA rules voluntarily, as is expected, should not incur any additional, significant costs as a result of the Enforcement Rule. Further, we believe the increased penalties and other enhancements provided by the HITECH Act and which are reflected in this final rule provide even more incentive to covered entities and business associates to take steps necessary to comply and thus not be liable for violations.

[41] See the preambles to the proposed and final Enforcement Rules at 70 FR 20224, 20248–49 (April 18, 2005) and 71 FR 8390, 8424 (February 16, 2006).

D. Qualitative Analysis of Unquantified Benefits

While we are certain that the regulatory changes in this final rule represent significant benefits, we cannot monetize their value. Many commenters agreed with our assumptions regarding the benefits to individuals, but we did not receive any comments that included specific information about quantifying those benefits. The following sections describe in greater detail the qualitative benefits of the final rule. In addition to greater privacy protections for individuals, these benefits include the results of our efforts to reduce burdens. Consistent with E.O. 13563, we conducted a retrospective review of our regulations and identified areas, such as certain research authorization requirements and disclosures to schools regarding childhood immunizations, in which we could decrease costs and increase flexibilities under the HIPAA Rules. The resulting changes are discussed below.

1. Greater Privacy Protections for Individuals

The benefits for individuals include added information on their rights through an expanded NPP, and greater rights with regard to the uses and disclosures of their personal health information through expanded requirements to: (1) Obtain authorization before a covered entity or business associate may disclose their protected health information in exchange for remuneration, (2) restrict certain disclosures to a health plan at the request of the individual, (3) strengthen the ability of individuals to opt out of further fundraising communications, and (4) limit uses and disclosures of protected health information for marketing. Individuals also will benefit from increased protection against discrimination based on their genetic information, achieved through the prohibition against health plans using or disclosing protected health information that is genetic information for underwriting purposes. Individuals also will have increased access to their protected health information in an electronic format. Finally, under the rule, individuals' health information will be afforded greater protection by business associates of covered entities who share liability and responsibility with the covered entity for safeguarding against impermissible uses and disclosures of protected health information.

2. Breach Notification

The analysis of benefits of the breach notification regulation is as stated in the interim final rule. In summary, we stated that notifying individuals affected by a breach would alert them to and enable them to mitigate potential harms, such as identity theft resulting from the exposure of certain identifiers, and reputational harm that may result from the exposure of sensitive medical information. Further, the breach notification requirements provide incentive to covered entities and business associates to better safeguard protected health information, such as by encrypting the information, where possible.

We also believe that the modifications to the definition of breach to remove the harm standard and revise the risk assessment will ensure that covered
entities and business associates apply the rule in a more objective and uniform manner. We believe that these modifications will make the rule easier for covered entities and business associates to implement and will result in consistency of notification across entities which will benefit consumers.

3. Compound Authorizations for Research Uses and Disclosures

We proposed to permit compound authorizations for the use or disclosure of protected health information for conditioned and unconditioned research activities provided that the authorization clearly differentiates between the conditioned and unconditioned research components and clearly allows the individual the option to opt in to the unconditioned research activities. We believed that the proposed provision would reduce burden and costs on the research community by eliminating the need for multiple forms for research studies involving both a clinical trial and a related biospecimen banking activity or study and by harmonizing the Privacy Rule’s authorization requirements with the informed consent requirements under the Common Rule. This change to the Rule had long been sought by the research community. While we expected burden reduction and cost savings due to these modifications, we had no data with which to quantify an estimate of such savings. We requested comment on the anticipated savings that this change would bring to the research community.

As explained above, the final rule adopts the proposal to permit compound research authorizations. While almost all commenters on this topic were supportive and agreed that the change would result in reduced burdens and costs due to a reduction in forms and harmonization with the Common Rule, we did not receive significant comment that could inform our quantifying the anticipated cost-savings associated with this modification.

4. Authorizations for Future Research Uses or Disclosures

We requested comment on the Department’s previous interpretation that an authorization for research uses and disclosures must include a description of each purpose of the requested use or disclosure that is study specific, and the possibility of modifying this interpretation to allow for the authorization of future research uses and disclosures. We believed that this change in interpretation would reduce burden on covered entities and researchers by reducing the need for researchers to obtain multiple authorizations from the same individual for research and further harmonizing the Privacy Rule authorization requirements with the informed consent requirements under the Common Rule.

The final rule adopts the new interpretation to allow covered entities to obtain authorizations for future research uses and disclosures to the extent such purposes are adequately described in the authorization such that it would be reasonable for the individual to expect that his or her protected health information could be used or disclosed for such future research. While we did receive comments supporting our assertions that permitting authorizations for future research uses and disclosures would reduce burden to covered entities and researchers by obviating the need for researchers to seek out past research participants to obtain authorization for future studies which they may be able to authorize at the initial time of enrollment into a study, and additionally by reducing the waivers of authorization that researchers would need to obtain from Institutional Review Boards, we did not receive specific comment on cost savings that could inform our quantifying the savings in this final rule.

5. Period of Protection for Decedent Information

We proposed to modify the current rule to limit the period for which a covered entity must protect an individual’s health information to 50 years after the individual’s death. We believed this would reduce the burden on both covered entities and those seeking the protected health information of persons who have been deceased for many years by eliminating the need to search for and find a personal representative of the decedent, who in many cases may not be known or even exist after so many years, to authorize the disclosure. We believed this change would also benefit family members and historians who may seek access to the medical information of these decedents for personal and public interest reasons. However, we lacked any data to be able to estimate the benefits (or any unanticipated costs) of this provision and requested comment on these assertions.

The final rule adopts the modification to limit the period of protection for decedent health information to 50 years after the date of death. While most comments responding to this proposal were very supportive of the change, agreeing with the anticipated benefits the Department had articulated (i.e., easier access to old or ancient patient health information by family, historians, archivists), the comments did not provide specific information that could inform our quantifying a cost-savings or reduction in burden associated with this change in policy. The Department did receive one comment asserting that covered entities may keep decedent information, particularly the information of famous individuals, for longer than 50 years past the date of death in order to monetize those records. The commenter cited an example of an x-ray of a deceased celebrity being sold at an auction for $45,000. However, we do not anticipate that this is or will be a typical scenario.

6. Disclosures About a Decedent

We proposed to permit covered entities to disclose a decedent’s protected health information to family members and others who were involved in the care or payment for care prior to the decedent’s death, unless doing so is inconsistent with any prior expressed preference of the individual that is known to the covered entity. In the preamble to the proposed rule, we stated our belief that the proposed change would reduce burden by permitting covered entities to disclose protected health information about a decedent to family members and other persons who were involved in an individual’s care while the individual was alive, without having to obtain written permission in the form of an authorization from the decedent’s personal representative, who may not be known or even exist, and may be more difficult to locate as time passes. However, we had no data to permit us to estimate the reduction in burden and requested public comment on this issue.

The final rule adopts the modification as proposed. However, as with the proposed rule, we are unable to quantify any cost-savings with respect to this change. While commenters confirmed that permitting such disclosures would help facilitate communications with family members and other persons who were involved in an individual’s care or payment for care prior to death, we did not receive any information that could inform estimating a savings.

7. Public Health Disclosures

We proposed to create a new public health provision to permit disclosure of proof of a child’s immunization by a covered entity to a school in States that have school entry or similar laws. This proposed change would have allowed a covered health care provider to release

proof of immunization to a school without having to obtain a written authorization, provided the provider obtained the agreement, which may be oral, to the disclosure from a parent, guardian or other person acting in loco parentis for the individual, or from the individual, if the individual was an adult or emancipated minor. We anticipated that the proposed change to the regulations would reduce the overall burden on parents, schools, and covered entities in obtaining and providing written authorizations, and would minimize the amount of school missed by students. However, because we lacked data on the burden reduction, we were unable to provide an estimate of the possible savings and requested comment on this point.

The final rule adopts the proposal to permit covered entities to disclose, with the oral or written agreement of a parent or guardian, a child’s proof of immunization to schools in States that have school entry or similar laws. This obviates the need for a covered entity to receive formal, executed HIPAA authorizations for such disclosures. While the final rule requires that covered entities document the agreement, the final rule is flexible and does not prescribe the nature of the documentation and does not require signature by the parent, allowing covered entities the flexibility to determine what is appropriate for their purposes. For example, as the preamble indicates above, if a parent or guardian submits a written or email request to a covered entity to disclose their child’s immunization records to the child’s school, a copy of the request would suffice as documentation of the agreement. Likewise, if a parent or guardian calls the covered entity and requests over the phone that their child’s immunization records be disclosed to the child’s school, a notation in the child’s medical record or elsewhere of the phone call would suffice as documentation of the agreement.

Given that the rule no longer requires a formal, executed HIPAA authorization for such disclosures and provides significant flexibility in the form of the documentation required of a parent’s or guardian’s agreement to the disclosure, this modification is expected to result in reduced burden and cost to covered health care providers in making these disclosures, as well as to the parents and schools involved in the process. We acknowledge that covered health care providers who wish to use these less formal processes in lieu of the authorization will need to explain their new procedure to office staff. However, given the provision’s flexibility and narrow scope, we do not expect that the providers will need to do more than ensure office staff have a copy of the new procedure. Further, any one-time costs to develop and deploy the new procedure will be offset by the savings that are expected to accrue from the change over time as the disclosures are carried out. While we acknowledge the savings associated with this change, as with other provisions in this rule providing increased flexibility for compliance, we are unable to quantify them. For example, we do not have data on how many family doctors and other providers generally make these types of disclosures and how many requests such providers generally receive for proof of immunization, and we did not receive data from commenters that could inform our estimating savings in this area.

E. Additional Regulatory Analyses

1. Regulatory Flexibility Act

The Regulatory Flexibility Act requires agencies to analyze and consider options for reducing regulatory burden if the regulation will impose a significant burden on a substantial number of small entities. The Act requires the head of the agency to either certify that the rule would not impose such a burden or perform a regulatory flexibility analysis and consider alternatives to lessen the burden.

For the reasons stated below, it is not expected that the cost of compliance will be significant for small entities. Nor is it expected that the cost of compliance will fall disproportionately on small entities. Although many of the covered entities and business associates affected by the rule are small entities, they do not bear a disproportionate cost burden compared to the other entities subject to the rule. Further, with respect to small business associates, only the fraction of these entities that has not made a good faith effort to comply with existing requirements will experience additional costs under the rule. The Department did not receive any comments on its certification in the proposed rules. Therefore, the Secretary certifies that this rule will not have a significant economic impact on a substantial number of small entities.

The RFA generally defines a “small entity” as (1) a proprietary firm meeting the size standards of the Small Business Administration (SBA), (2) a nonprofit organization that is not dominant in its field, or (3) a small government jurisdiction with a population of less than 50,000. The SBA size standard for health care providers ranges between $7.0 million and $34.5 million in annual receipts. Because 90 percent or more of all health care providers meet the SBA size standard for a small business or are nonprofit organizations, we generally treat all health care providers as small entities for purposes of performing a regulatory flexibility analysis.

With respect to health insurers and third party administrators, the SBA size standard is $7.0 million in annual receipts. While some insurers are classified as nonprofit, it is possible they are dominant in their market. For example, a number of Blue Cross/Blue Shield insurers are organized as nonprofit entities; yet they dominate the health insurance market in the States where they are licensed and therefore would not be considered small businesses. Using the SBA’s definition of a small insurer as a business with less than $7 million in revenues,[42] premiums earned as a measure of revenue, and data obtained from the National Association of Insurance Commissioners,[43] the Department estimates that approximately 276 out of 730 insurers had revenues of less than $7 million.[44]

[42] U.S. Small Business Administration, “Table of Small Business Standards Matched to North American Industry Classification System Codes,” available at http://www.sba.gov/content/small-business-size-standards.
[43] HHS ASPE analysis of 2010 NAIC Supplemental Health Care Exhibit Data.
[44] These counts could be an overestimate. Only health insurance premiums from both the group and individual market were counted. If insurers also offered other types of insurance, their revenues could be higher.

From the approximately $225.4 million (upper estimate) in costs we are able to identify, the cost per covered entity may be as low as $80 (for the vast majority of covered entities) and as high as $843 (for those entities that experience a breach), and we estimate that the cost per affected business associate will be between $84.32 and $282. These costs are discussed in detail in the regulatory impact analysis and below. We do not view this as a significant burden because, for example, even the highest average compliance cost per covered entity we have identified ($843) represents just 0.0001% of annual revenues for a small entity with only $7 million in receipts (see the low end of SBA’s size standard for health care providers). We include 750 third party administrators in the calculation of covered entities, to represent approximately 2.5 million[45] ERISA plans, most of which are small entities, on whose behalf they carry out

[45] Source: 2010 Medical Expenditure Survey—Insurance Component.

compliance activities. We have no information on how many of these plans self-administer, and we did not receive any information from commenters in this area and so do not include a separate estimate for plans that self-administer.

We estimate that the breach notification requirements will result in $14.5 million in annual costs to covered entities. Dividing that amount by the approximately 19,000 entities that will actually experience a breach of protected health information each year, we estimate that the costs of complying with the breach notification requirements will amount to, on average, $763 per covered entity that must respond to a breach. Smaller covered entities likely will face much lower costs, as these entities generally have protected health information for far fewer individuals than do larger covered entities and breach notification costs are closely linked to the number of individuals affected by a given breach incident.

The other source of costs for covered entities arises from the requirement to provide revised NPPs to the individuals they serve. We estimate that the approximately 700,000 covered entities will experience total costs of approximately $55.9 million for compliance with the NPP requirements, or about $80 per covered entity.

We estimate the costs for 200,000–400,000 business associates to come into full compliance with the Security Rule to be approximately $22.6–$113 million. The average cost per affected business associate would be approximately $198. Finally, we estimate that 250,000 to 500,000 business associates will incur costs totaling between $21 million and $42 million, respectively, to establish or significantly modify contracts with subcontractors to be in compliance with the rule’s requirements for business associate agreements. The average cost per business associate would be approximately $84.

Based on the relatively small cost per covered entity and per business associate, the Secretary certifies that the Rule will not have a significant impact on a substantial number of small entities. Still, we considered and adopted several solutions for reducing the burden on small entities. First, we combined several required rules into one rulemaking, which will allow affected entities to revise and distribute their notices of privacy practices at one time rather than multiple times, as each separate rule was published. Second, in the final rule we increase flexibility for health plans by allowing them to send the revised notices with their annual mailings rather than requiring plans to send them to individuals in a separate mailing. Third, we allow covered entities and business associates with existing HIPAA compliant contracts twelve months from the date of the rule to renegotiate their contracts unless the contract is otherwise renewed or modified before such date. This amount of time plus the eight months from the publication date of the rule to the compliance date generally gives the parties 20 months to renegotiate their agreements. We believe that the added time will reduce the cost to revise agreements because the changes the rule requires will be incorporated into the routine updating of covered entities’ and business associates’ contracts.

Finally, the Department has also published on its web site sample language for revising the contracts between covered entities and business associates. While the language is generic and may not suit all entities and agreements, particularly larger entities and those with more complex business relationships, we believe that it will particularly help small entities with their contract revisions and save them time and money in redrafting their contracts to conform to the rule.

2. Unfunded Mandates Reform Act

Section 202 of the Unfunded Mandates Reform Act of 1995 (UMRA) requires that agencies assess anticipated costs and benefits before issuing any rule whose mandates would require spending in any one year $100 million in 1995 dollars, updated annually for inflation. In 2011, that threshold is approximately $136 million. UMRA does not address the total cost of a rule. Rather, it focuses on certain categories of cost, mainly those “Federal mandate” costs resulting from: (1) Imposing enforceable duties on State, local, or Tribal governments, or on the private sector; or (2) increasing the stringency of conditions in, or decreasing the funding of, State, local, or Tribal governments under entitlement programs.

We are able to identify between $114 and $225.4 million in costs on both the private sector and State and Federal entities for compliance with the final modifications to the HIPAA Privacy and Security Rules, and for compliance with the final Breach Notification Rule. As stated above, there may be other costs we are not able to monetize because we lack data, and the rule may produce savings that may offset some or all of the added costs. We must also separately identify costs to be incurred by the private sector and those incurred by State and Federal entities.

Some of the costs of the regulation will fall on covered entities, which are primarily health care providers and health plans.[46] For the purpose of these calculations, we included all provider costs as private sector costs. While we recognize that some providers are State or Federal entities, we do not have adequate information to estimate the number of public providers, but we believe the number to be significantly less than 10 percent of all providers shown in Table 1. Therefore, as we did for the RFA analysis and for ease of calculation, we assumed that all provider costs are private sector costs. We did not receive any comments on this assumption.

[46] Another type of covered entity, health care clearinghouses, generally will not bear these costs, as clearinghouses are not required to provide a notice of privacy practices to individuals and are involved in a miniscule fraction of breach incidents, if any.

With respect to health plans, based on the data discussed in section C, we estimate that 60 percent of policy holders are served by private sector health plans and 40 percent of policy holders are served by public sector plans. Therefore, we attribute 60 percent of health plan costs to the private sector and 40 percent of plan costs to the public sector.

The remaining costs of complying with the regulation will be borne by business associates of covered entities. We do not have data with which to estimate the numbers of private versus public entity business associates. However, we believe that the vast majority of, if not all, business associates, are private entities. Therefore, we assumed all business associate costs are private sector costs.

Of the specific costs we can identify, we estimate that approximately 91 percent of all costs, or between $103.7 and $205 million, will fall on private sector health care providers, health plans, and business associates. The remaining costs, approximately $10.3–20.4 million, will fall on public sector health plans. The following paragraphs outline the distribution of costs arising from the four cost-bearing elements of the final rule: (1) Covered entities must revise and distribute notices of privacy practices, (2) Covered entities that experience a breach of protected health information must comply with the breach notification requirements, (3) certain business associates must revise contracts with subcontractors to meet business associate agreement requirements, and (4) Certain business associates must make efforts to achieve full compliance with the administrative requirements of the Security Rule.

We estimate the costs for to comply with the NPP provisions will reach about $55.9 million, which will be shared by providers and health plans. Providers will bear approximately $40.4 million of these costs, all of which we attribute to the private sector. Health plans will bear approximately $15.5 million and, as explained above, we have allocated 60 percent of health plan costs for NPPs, or $9.3 million, as private sector costs. Public plans will bear the remaining $6.2 million.

We estimate that private entities will bear 93 percent of the costs of compliance with the breach notification requirements, or about $13.5 million. This is because the majority of breach reports are filed by health care providers, all of whose costs we attribute to the private sector. Consistent with our estimate that 60 percent of health plan members are enrolled in private sector plans, we also include as private costs 60 percent of the breach notification costs borne by health plans (based on the number of health plans that have filed breach reports).

Finally, we estimate that all of the costs for business associates to create or revise business associate agreements with subcontractors ($42 million outer estimate), and to come into full compliance with the Security Rule ($113 million outer estimate), will be private sector costs.

As the estimated costs to private entities alone may exceed the $136 million threshold, UMRA requires us to prepare an analysis of the costs and benefits of the rule. We have already done so, in accordance with Executive Orders 12866 and 13563, and present this analysis in sections C and D.

3. Federalism

Executive Order 13132 establishes certain requirements that an agency must meet when it promulgates a rule that imposes substantial direct requirement costs on State and local governments, preempts State law, or otherwise has Federalism implications. The Federalism implications of the Privacy and Security Rules were assessed as required by Executive Order 13132 and published as part of the preambles to the final rules on December 28, 2000 (65 FR 82462, 82797) and February 20, 2003 (68 FR 8334, 8373), respectively. Regarding preemption, the preamble to the final Privacy Rule explains that the HIPAA statute dictates the relationship between State law and Privacy Rule requirements. Therefore, the Privacy Rule’s preemption provisions do not raise Federalism issues. The HITECH Act, at section 13421(a), provides that the HIPAA preemption provisions shall apply to the HITECH provisions and requirements. While we have made minor technical changes to the preemption provisions in Subpart B of Part 160 to conform to and incorporate the HITECH Act preemption provisions, these changes do not raise new Federalism issues. The changes include: (1) Amending the definitions of “contrary” and “more stringent” to reference business associates; and (2) further amending the definition of contrary to provide that State law would be contrary to the HIPAA Administrative Simplification provisions if it stands as an obstacle to the accomplishment and execution of the full purposes and objectives of not only HIPAA, but also the HITECH Act.

We do not believe that the rule will impose substantial direct compliance costs on State and local governments that are not required by statute. It is our understanding that State and local government covered entities do not engage in marketing, the sale of protected health information, or fundraising. Therefore, the modifications in these areas would not cause additional costs to State and local governments. We anticipate that the most significant direct costs on State and local governments will be the cost for State and local government-owned covered entities of drafting, printing, and distributing revised notices of privacy practices, which would include the cost of mailing these notices for State health plans, such as Medicaid. However, the costs involved can be attributed to the statutory requirements, which provide individuals with strengthened rights about which they need to be notified.

In considering the principles in and requirements of Executive Order 13132, the Department has determined that these modifications to the Privacy and Security Rules will not significantly affect the rights, roles, and responsibilities of the States.

F. Accounting Statement

Whenever a rule is considered a significant rule under Executive Order 12866, we are required to develop an accounting statement indicating the costs associated with promulgating the rule. Below, we present overall monetary annualized costs discounted at 3 percent and 7 percent as described in the Regulatory Impact Analysis.

ESTIMATED COSTS OF THE FINAL RULE
[In 2011 millions]

Costs (annualized)      Minimum estimate ($M)   Primary estimate ($M)   Maximum estimate ($M)
Discounted @7% ........  34.8                    42.8                    50.6
Discounted @3% ........  28.7                    35.2                    41.7

In the RIA, we acknowledged several potential sources of costs that we were unable to quantify. Because we have no way to determine the extent to which entities currently engage in certain activities for which they now need authorization, or who will need to take on a new burden because of the rule, we cannot predict the magnitude of these costs with any certainty. These potential sources of cost include:

1. Potential lost revenue to covered entities who forgo making certain subsidized health-related communications to individuals rather than obtain those individuals’ authorization for such communications;

2. Costs to researchers to obtain authorization to make incentive payments (above the costs to prepare the data) to covered entities to produce data or, alternatively, a loss in revenue for covered entities who agree to accept only the costs to prepare and transmit the data;

3. Potential costs to certain covered entities who purchase software or hardware to allow them to produce an electronic copy of individuals’ protected health information; and

4. The burden to some health care providers of ensuring that an individual’s request to restrict a disclosure to a health plan is honored where it might not have been before the final rule.

While we are certain the changes in this final rule also represent distinct

benefits to individuals with regard to the privacy and security of their health information, and with regard to their rights to that information, we are unable to quantify the benefits. Other expected qualitative benefits, which are described in detail above, include savings due to provisions simplifying and streamlining requirements and increasing flexibility. Such savings arise from:

1. Eliminating the need for multiple forms for certain research studies by permitting compound authorizations;

2. Obviating the need to find past research participants and obtain new authorizations for new research by allowing individuals to authorize future research uses and disclosures at the time of initial enrollment;

3. Limiting the period of protection for decedent information to permit family members and historians to obtain information about a decedent without needing to find a personal representative of the deceased individual to authorize the disclosure;

4. Permitting disclosures to a decedent’s family members or others involved in the care or payment for care prior to the decedent’s death; and

5. Permitting covered entities to document a parent’s informal agreement to disclose immunization information to a child’s school rather than requiring a signed authorization form.

VIII. Collection of Information Requirements

This final rule contains the following information collections (i.e., reporting, recordkeeping, and third-party disclosures) under the Paperwork Reduction Act. Some of those provisions involve changes from the information collections set out in the proposed and interim final rules. These changes are noted below.

A. Reporting

• Notification to the Secretary of breaches of unsecured protected health information (§ 164.408). In the final rule, we revise our estimated number of respondents and responses to reflect our experience administering the interim final rule.

B. Recordkeeping

• Documentation of safeguards and policies and procedures under the Security Rule (§ 164.316). In the proposed rule, we assumed that all business associates were in compliance with the Security Rule’s documentation standard because of their contractual obligations to covered entities under the HIPAA Rules. In the final rule, we recognize that a minority of business associates, who have not previously maintained documentation of their policies and procedures and administrative safeguards under the Security Rule, may experience a burden coming into compliance with the documentation standard for the first time because they are now subject to direct liability under the Security Rule.

• Business Associate Agreements (§ 164.504(e)). We assumed in the proposed rule that business associates and their subcontractors were complying with their existing contractual obligations but acknowledged that some contracts would have to be modified to reflect changes in the law. We requested comments on how many entities would be unable to revise contracts, in the normal course of business, within the phase-in period. We did not receive comments that would allow us to make a specific estimate; nonetheless, in the final rule we assume that a significant minority of business associates will need to revise their business associate agreements with subcontractors (or establish such agreements for the first time if they were not previously in compliance).

C. Third-Party Disclosures

• Breach notification to affected individuals and the media (§§ 164.404 & 164.406). We revise our estimates of the numbers of breaches, covered entities, and individuals affected to reflect our experience in administering the breach notification requirements under the interim final rule.

• Revision and dissemination of notices of privacy practices for protected health information (§ 164.520). Our burden estimates for this provision in the proposed rule were based on the requirement for covered entities to send a separate mailing containing the new notice to each policy holder. As part of an effort to reduce overall burden, the final rule instead permits health plans to send the revised notice of privacy practices in their next annual mailing to policy holders, allowing them to avoid additional distribution burdens. We also revise the estimated number of affected covered entities based on updated information from the Department of Labor and the Small Business Administration.

In addition to the changes summarized above, the information collections described in this final rule have been submitted to the Office of Management and Budget for review and approval.

List of Subjects

45 CFR Part 160

Administrative practice and procedure, Computer technology, Electronic information system, Electronic transactions, Employer benefit plan, Health, Health care, Health facilities, Health insurance, Health records, Hospitals, Investigations, Medicaid, Medical research, Medicare, Penalties, Privacy, Reporting and record keeping requirements, Security.

45 CFR Part 164

Administrative practice and procedure, Computer technology, Electronic information system, Electronic transactions, Employer benefit plan, Health, Health care, Health facilities, Health insurance, Health records, Hospitals, Medicaid, Medical research, Medicare, Privacy, Reporting and record keeping requirements, Security.

For the reasons set forth in the preamble, the Department amends 45 CFR Subtitle A, Subchapter C, parts 160 and 164, as set forth below:

PART 160—GENERAL ADMINISTRATIVE REQUIREMENTS

■ 1. The authority citation for part 160 is revised to read as follows:

Authority: 42 U.S.C. 1302(a); 42 U.S.C. 1320d–1320d–9; sec. 264, Pub. L. 104–191, 110 Stat. 2033–2034 (42 U.S.C. 1320d–2 (note)); 5 U.S.C. 552; secs. 13400–13424, Pub. L. 111–5, 123 Stat. 258–279; and sec. 1104 of Pub. L. 111–148, 124 Stat. 146–154.

■ 2. Revise § 160.101 to read as follows:

§ 160.101 Statutory basis and purpose.

The requirements of this subchapter implement sections 1171–1180 of the Social Security Act (the Act), sections 262 and 264 of Public Law 104–191, section 105 of Public Law 110–233, sections 13400–13424 of Public Law 111–5, and section 1104 of Public Law 111–148.

■ 3. Amend § 160.102 as follows:
■ a. Redesignate paragraph (b) as paragraph (c); and
■ b. Add new paragraph (b) to read as follows:

§ 160.102 Applicability.

* * * * *

(b) Where provided, the standards, requirements, and implementation specifications adopted under this subchapter apply to a business associate.

* * * * *

■ 4. Amend § 160.103 as follows:
■ a. Revise the definitions of “Business associate”, “Compliance date”,

‘‘Disclosure’’, ‘‘Electronic media’’, the introductory text of the definition of ‘‘Health information’’, paragraphs (1)(vi) through (xi), and (xv) of the definition of ‘‘Health plan’’, paragraph (2) of the definition of ‘‘Protected health information,’’ and the definitions of ‘‘Standard’’, ‘‘State’’, and ‘‘Workforce’’; and
■ b. Add, in alphabetical order, new definitions of ‘‘Administrative simplification provision’’, ‘‘ALJ’’, ‘‘Civil money penalty or penalty’’, ‘‘Family member’’, ‘‘Genetic information’’, ‘‘Genetic services’’, ‘‘Genetic test’’, ‘‘Manifestation or manifested’’, ‘‘Respondent’’, ‘‘Subcontractor’’, and ‘‘Violation or violate’’.

The revisions and additions read as follows:

§ 160.103 Definitions.

* * * * *

Administrative simplification provision means any requirement or prohibition established by:
(1) 42 U.S.C. 1320d–1320d–4, 1320d–7, 1320d–8, and 1320d–9;
(2) Section 264 of Pub. L. 104–191;
(3) Sections 13400–13424 of Public Law 111–5; or
(4) This subchapter.

ALJ means Administrative Law Judge.

* * * * *

Business associate: (1) Except as provided in paragraph (4) of this definition, business associate means, with respect to a covered entity, a person who:
(i) On behalf of such covered entity or of an organized health care arrangement (as defined in this section) in which the covered entity participates, but other than in the capacity of a member of the workforce of such covered entity or arrangement, creates, receives, maintains, or transmits protected health information for a function or activity regulated by this subchapter, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, patient safety activities listed at 42 CFR 3.20, billing, benefit management, practice management, and repricing; or
(ii) Provides, other than in the capacity of a member of the workforce of such covered entity, legal, actuarial, accounting, consulting, data aggregation (as defined in § 164.501 of this subchapter), management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of protected health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person.
(2) A covered entity may be a business associate of another covered entity.
(3) Business associate includes:
(i) A Health Information Organization, E-prescribing Gateway, or other person that provides data transmission services with respect to protected health information to a covered entity and that requires access on a routine basis to such protected health information.
(ii) A person that offers a personal health record to one or more individuals on behalf of a covered entity.
(iii) A subcontractor that creates, receives, maintains, or transmits protected health information on behalf of the business associate.
(4) Business associate does not include:
(i) A health care provider, with respect to disclosures by a covered entity to the health care provider concerning the treatment of the individual.
(ii) A plan sponsor, with respect to disclosures by a group health plan (or by a health insurance issuer or HMO with respect to a group health plan) to the plan sponsor, to the extent that the requirements of § 164.504(f) of this subchapter apply and are met.
(iii) A government agency, with respect to determining eligibility for, or enrollment in, a government health plan that provides public benefits and is administered by another government agency, or collecting protected health information for such purposes, to the extent such activities are authorized by law.
(iv) A covered entity participating in an organized health care arrangement that performs a function or activity as described by paragraph (1)(i) of this definition for or on behalf of such organized health care arrangement, or that provides a service as described in paragraph (1)(ii) of this definition to or for such organized health care arrangement by virtue of such activities or services.

Civil money penalty or penalty means the amount determined under § 160.404 of this part and includes the plural of these terms.

* * * * *

Compliance date means the date by which a covered entity or business associate must comply with a standard, implementation specification, requirement, or modification adopted under this subchapter.

* * * * *

Disclosure means the release, transfer, provision of access to, or divulging in any manner of information outside the entity holding the information.

* * * * *

Electronic media means:
(1) Electronic storage material on which data is or may be recorded electronically, including, for example, devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card;
(2) Transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the Internet, extranet or intranet, leased lines, dial-up lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including of paper, via facsimile, and of voice, via telephone, are not considered to be transmissions via electronic media if the information being exchanged did not exist in electronic form immediately before the transmission.

* * * * *

Family member means, with respect to an individual:
(1) A dependent (as such term is defined in 45 CFR 144.103), of the individual; or
(2) Any other person who is a first-degree, second-degree, third-degree, or fourth-degree relative of the individual or of a dependent of the individual. Relatives by affinity (such as by marriage or adoption) are treated the same as relatives by consanguinity (that is, relatives who share a common biological ancestor). In determining the degree of the relationship, relatives by less than full consanguinity (such as half-siblings, who share only one parent) are treated the same as relatives by full consanguinity (such as siblings who share both parents).
(i) First-degree relatives include parents, spouses, siblings, and children.
(ii) Second-degree relatives include grandparents, grandchildren, aunts, uncles, nephews, and nieces.
(iii) Third-degree relatives include great-grandparents, great-grandchildren, great aunts, great uncles, and first cousins.
(iv) Fourth-degree relatives include great-great grandparents, great-great grandchildren, and children of first cousins.

Genetic information means:
(1) Subject to paragraphs (2) and (3) of this definition, with respect to an individual, information about:
(i) The individual’s genetic tests;
(ii) The genetic tests of family members of the individual;
(iii) The manifestation of a disease or disorder in family members of such individual; or
(iv) Any request for, or receipt of, genetic services, or participation in clinical research which includes genetic services, by the individual or any family member of the individual.
(2) Any reference in this subchapter to genetic information concerning an individual or family member of an individual shall include the genetic information of:
(i) A fetus carried by the individual or family member who is a pregnant woman; and
(ii) Any embryo legally held by an individual or family member utilizing an assisted reproductive technology.
(3) Genetic information excludes information about the sex or age of any individual.

Genetic services means:
(1) A genetic test;
(2) Genetic counseling (including obtaining, interpreting, or assessing genetic information); or
(3) Genetic education.

Genetic test means an analysis of human DNA, RNA, chromosomes, proteins, or metabolites, if the analysis detects genotypes, mutations, or chromosomal changes. Genetic test does not include an analysis of proteins or metabolites that is directly related to a manifested disease, disorder, or pathological condition.

* * * * *

Health information means any information, including genetic information, whether oral or recorded in any form or medium, that:

* * *

* * * * *

Health plan means * * *
(1) * * *
(vi) The Voluntary Prescription Drug Benefit Program under Part D of title XVIII of the Act, 42 U.S.C. 1395w–101 through 1395w–152.
(vii) An issuer of a Medicare supplemental policy (as defined in section 1882(g)(1) of the Act, 42 U.S.C. 1395ss(g)(1)).
(viii) An issuer of a long-term care policy, excluding a nursing home fixed indemnity policy.
(ix) An employee welfare benefit plan or any other arrangement that is established or maintained for the purpose of offering or providing health benefits to the employees of two or more employers.
(x) The health care program for uniformed services under title 10 of the United States Code.
(xi) The veterans health care program under 38 U.S.C. chapter 17.

* * * * *

(xv) The Medicare Advantage program under Part C of title XVIII of the Act, 42 U.S.C. 1395w–21 through 1395w–28.

* * * * *

Manifestation or manifested means, with respect to a disease, disorder, or pathological condition, that an individual has been or could reasonably be diagnosed with the disease, disorder, or pathological condition by a health care professional with appropriate training and expertise in the field of medicine involved. For purposes of this subchapter, a disease, disorder, or pathological condition is not manifested if the diagnosis is based principally on genetic information.

* * * * *

Protected health information * * *
(2) Protected health information excludes individually identifiable health information:
(i) In education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g;
(ii) In records described at 20 U.S.C. 1232g(a)(4)(B)(iv);
(iii) In employment records held by a covered entity in its role as employer; and
(iv) Regarding a person who has been deceased for more than 50 years.

* * * * *

Respondent means a covered entity or business associate upon which the Secretary has imposed, or proposes to impose, a civil money penalty.

* * * * *

Standard means a rule, condition, or requirement:
(1) Describing the following information for products, systems, services, or practices:
(i) Classification of components;
(ii) Specification of materials, performance, or operations; or
(iii) Delineation of procedures; or
(2) With respect to the privacy of protected health information.

* * * * *

State refers to one of the following:
(1) For a health plan established or regulated by Federal law, State has the meaning set forth in the applicable section of the United States Code for such health plan.
(2) For all other purposes, State means any of the several States, the District of Columbia, the Commonwealth of Puerto Rico, the Virgin Islands, Guam, American Samoa, and the Commonwealth of the Northern Mariana Islands.

Subcontractor means a person to whom a business associate delegates a function, activity, or service, other than in the capacity of a member of the workforce of such business associate.

* * * * *

Violation or violate means, as the context may require, failure to comply with an administrative simplification provision.

Workforce means employees, volunteers, trainees, and other persons whose conduct, in the performance of work for a covered entity or business associate, is under the direct control of such covered entity or business associate, whether or not they are paid by the covered entity or business associate.

■ 5. Add § 160.105 to subpart A to read as follows:

§ 160.105 Compliance dates for implementation of new or modified standards and implementation specifications.

Except as otherwise provided, with respect to rules that adopt new standards and implementation specifications or modifications to standards and implementation specifications in this subchapter in accordance with § 160.104 that become effective after January 25, 2013, covered entities and business associates must comply with the applicable new standards and implementation specifications, or modifications to standards and implementation specifications, no later than 180 days from the effective date of any such standards or implementation specifications.

■ 6. Revise § 160.201 to read as follows:

§ 160.201 Statutory basis.

The provisions of this subpart implement section 1178 of the Act, section 262 of Public Law 104–191, section 264(c) of Public Law 104–191, and section 13421(a) of Public Law 111–5.

■ 7. In § 160.202, revise the definition of ‘‘Contrary’’ and paragraph (1)(i) of the definition of ‘‘More stringent’’ to read as follows:

§ 160.202 Definitions.

* * * * *

Contrary, when used to compare a provision of State law to a standard, requirement, or implementation specification adopted under this subchapter, means:
(1) A covered entity or business associate would find it impossible to comply with both the State and Federal requirements; or
(2) The provision of State law stands as an obstacle to the accomplishment and execution of the full purposes and objectives of part C of title XI of the Act,
section 264 of Public Law 104–191, or sections 13400–13424 of Public Law 111–5, as applicable.

More stringent * * *
(1) * * *
(i) Required by the Secretary in connection with determining whether a covered entity or business associate is in compliance with this subchapter; or

* * * * *

■ 8. Revise § 160.300 to read as follows:

§ 160.300 Applicability.

This subpart applies to actions by the Secretary, covered entities, business associates, and others with respect to ascertaining the compliance by covered entities and business associates with, and the enforcement of, the applicable provisions of this part 160 and parts 162 and 164 of this subchapter.

§ 160.302 [Removed and Reserved]

■ 9. Remove and reserve § 160.302.
■ 10. Revise § 160.304 to read as follows:

§ 160.304 Principles for achieving compliance.

(a) Cooperation. The Secretary will, to the extent practicable and consistent with the provisions of this subpart, seek the cooperation of covered entities and business associates in obtaining compliance with the applicable administrative simplification provisions.
(b) Assistance. The Secretary may provide technical assistance to covered entities and business associates to help them comply voluntarily with the applicable administrative simplification provisions.

■ 11. In § 160.306, revise paragraphs (a) and (c) to read as follows:

§ 160.306 Complaints to the Secretary.

(a) Right to file a complaint. A person who believes a covered entity or business associate is not complying with the administrative simplification provisions may file a complaint with the Secretary.

* * * * *

(c) Investigation. (1) The Secretary will investigate any complaint filed under this section when a preliminary review of the facts indicates a possible violation due to willful neglect.
(2) The Secretary may investigate any other complaint filed under this section.
(3) An investigation under this section may include a review of the pertinent policies, procedures, or practices of the covered entity or business associate and of the circumstances regarding any alleged violation.
(4) At the time of the initial written communication with the covered entity or business associate about the complaint, the Secretary will describe the acts and/or omissions that are the basis of the complaint.

■ 12. Revise § 160.308 to read as follows:

§ 160.308 Compliance reviews.

(a) The Secretary will conduct a compliance review to determine whether a covered entity or business associate is complying with the applicable administrative simplification provisions when a preliminary review of the facts indicates a possible violation due to willful neglect.
(b) The Secretary may conduct a compliance review to determine whether a covered entity or business associate is complying with the applicable administrative simplification provisions in any other circumstance.

■ 13. Revise § 160.310 to read as follows:

§ 160.310 Responsibilities of covered entities and business associates.

(a) Provide records and compliance reports. A covered entity or business associate must keep such records and submit such compliance reports, in such time and manner and containing such information, as the Secretary may determine to be necessary to enable the Secretary to ascertain whether the covered entity or business associate has complied or is complying with the applicable administrative simplification provisions.
(b) Cooperate with complaint investigations and compliance reviews. A covered entity or business associate must cooperate with the Secretary, if the Secretary undertakes an investigation or compliance review of the policies, procedures, or practices of the covered entity or business associate to determine whether it is complying with the applicable administrative simplification provisions.
(c) Permit access to information. (1) A covered entity or business associate must permit access by the Secretary during normal business hours to its facilities, books, records, accounts, and other sources of information, including protected health information, that are pertinent to ascertaining compliance with the applicable administrative simplification provisions. If the Secretary determines that exigent circumstances exist, such as when documents may be hidden or destroyed, a covered entity or business associate must permit access by the Secretary at any time and without notice.
(2) If any information required of a covered entity or business associate under this section is in the exclusive possession of any other agency, institution, or person and the other agency, institution, or person fails or refuses to furnish the information, the covered entity or business associate must so certify and set forth what efforts it has made to obtain the information.
(3) Protected health information obtained by the Secretary in connection with an investigation or compliance review under this subpart will not be disclosed by the Secretary, except if necessary for ascertaining or enforcing compliance with the applicable administrative simplification provisions, if otherwise required by law, or if permitted under 5 U.S.C. 552a(b)(7).

■ 14. Revise § 160.312 to read as follows:

§ 160.312 Secretarial action regarding complaints and compliance reviews.

(a) Resolution when noncompliance is indicated. (1) If an investigation of a complaint pursuant to § 160.306 or a compliance review pursuant to § 160.308 indicates noncompliance, the Secretary may attempt to reach a resolution of the matter satisfactory to the Secretary by informal means. Informal means may include demonstrated compliance or a completed corrective action plan or other agreement.
(2) If the matter is resolved by informal means, the Secretary will so inform the covered entity or business associate and, if the matter arose from a complaint, the complainant, in writing.
(3) If the matter is not resolved by informal means, the Secretary will—
(i) So inform the covered entity or business associate and provide the covered entity or business associate an opportunity to submit written evidence of any mitigating factors or affirmative defenses for consideration under §§ 160.408 and 160.410 of this part. The covered entity or business associate must submit any such evidence to the Secretary within 30 days (computed in the same manner as prescribed under § 160.526 of this part) of receipt of such notification; and
(ii) If, following action pursuant to paragraph (a)(3)(i) of this section, the Secretary finds that a civil money penalty should be imposed, inform the covered entity or business associate of such finding in a notice of proposed determination in accordance with § 160.420 of this part.
(b) Resolution when no violation is found. If, after an investigation pursuant to § 160.306 or a compliance review pursuant to § 160.308, the Secretary determines that further action is not
warranted, the Secretary will so inform the covered entity or business associate and, if the matter arose from a complaint, the complainant, in writing.

■ 15. In § 160.316, revise the introductory text to read as follows:

§ 160.316 Refraining from intimidation or retaliation.

A covered entity or business associate may not threaten, intimidate, coerce, harass, discriminate against, or take any other retaliatory action against any individual or other person for—

* * * * *

■ 16. In § 160.401, revise the definition of ‘‘Reasonable cause’’ to read as follows:

§ 160.401 Definitions.

* * * * *

Reasonable cause means an act or omission in which a covered entity or business associate knew, or by exercising reasonable diligence would have known, that the act or omission violated an administrative simplification provision, but in which the covered entity or business associate did not act with willful neglect.

* * * * *

■ 17. Revise § 160.402 to read as follows:

§ 160.402 Basis for a civil money penalty.

(a) General rule. Subject to § 160.410, the Secretary will impose a civil money penalty upon a covered entity or business associate if the Secretary determines that the covered entity or business associate has violated an administrative simplification provision.
(b) Violation by more than one covered entity or business associate. (1) Except as provided in paragraph (b)(2) of this section, if the Secretary determines that more than one covered entity or business associate was responsible for a violation, the Secretary will impose a civil money penalty against each such covered entity or business associate.
(2) A covered entity that is a member of an affiliated covered entity, in accordance with § 164.105(b) of this subchapter, is jointly and severally liable for a civil money penalty for a violation of part 164 of this subchapter based on an act or omission of the affiliated covered entity, unless it is established that another member of the affiliated covered entity was responsible for the violation.
(c) Violation attributed to a covered entity or business associate. (1) A covered entity is liable, in accordance with the Federal common law of agency, for a civil money penalty for a violation based on the act or omission of any agent of the covered entity, including a workforce member or business associate, acting within the scope of the agency.
(2) A business associate is liable, in accordance with the Federal common law of agency, for a civil money penalty for a violation based on the act or omission of any agent of the business associate, including a workforce member or subcontractor, acting within the scope of the agency.

■ 18. In § 160.404, revise the introductory text of paragraphs (b)(2)(i), (b)(2)(iii), and (b)(2)(iv) to read as follows:

§ 160.404 Amount of a civil money penalty.

* * * * *

(b) * * *
(2) * * *
(i) For a violation in which it is established that the covered entity or business associate did not know and, by exercising reasonable diligence, would not have known that the covered entity or business associate violated such provision,

* * * * *

(iii) For a violation in which it is established that the violation was due to willful neglect and was corrected during the 30-day period beginning on the first date the covered entity or business associate liable for the penalty knew, or, by exercising reasonable diligence, would have known that the violation occurred,

* * * * *

(iv) For a violation in which it is established that the violation was due to willful neglect and was not corrected during the 30-day period beginning on the first date the covered entity or business associate liable for the penalty knew, or, by exercising reasonable diligence, would have known that the violation occurred,

* * * * *

■ 19. Revise § 160.406 to read as follows:

§ 160.406 Violations of an identical requirement or prohibition.

The Secretary will determine the number of violations of an administrative simplification provision based on the nature of the covered entity’s or business associate’s obligation to act or not act under the provision that is violated, such as its obligation to act in a certain manner, or within a certain time, or to act or not act with respect to certain persons. In the case of continuing violation of a provision, a separate violation occurs each day the covered entity or business associate is in violation of the provision.

■ 20. Revise § 160.408 to read as follows:

§ 160.408 Factors considered in determining the amount of a civil money penalty.

In determining the amount of any civil money penalty, the Secretary will consider the following factors, which may be mitigating or aggravating as appropriate:
(a) The nature and extent of the violation, consideration of which may include but is not limited to:
(1) The number of individuals affected; and
(2) The time period during which the violation occurred;
(b) The nature and extent of the harm resulting from the violation, consideration of which may include but is not limited to:
(1) Whether the violation caused physical harm;
(2) Whether the violation resulted in financial harm;
(3) Whether the violation resulted in harm to an individual’s reputation; and
(4) Whether the violation hindered an individual’s ability to obtain health care;
(c) The history of prior compliance with the administrative simplification provisions, including violations, by the covered entity or business associate, consideration of which may include but is not limited to:
(1) Whether the current violation is the same or similar to previous indications of noncompliance;
(2) Whether and to what extent the covered entity or business associate has attempted to correct previous indications of noncompliance;
(3) How the covered entity or business associate has responded to technical assistance from the Secretary provided in the context of a compliance effort; and
(4) How the covered entity or business associate has responded to prior complaints;
(d) The financial condition of the covered entity or business associate, consideration of which may include but is not limited to:
(1) Whether the covered entity or business associate had financial difficulties that affected its ability to comply;
(2) Whether the imposition of a civil money penalty would jeopardize the ability of the covered entity or business associate to continue to provide, or to pay for, health care; and
(3) The size of the covered entity or business associate; and
(e) Such other matters as justice may require.
■ 21. Revise § 160.410 to read as follows:

§ 160.410 Affirmative defenses.

(a) The Secretary may not:
(1) Prior to February 18, 2011, impose a civil money penalty on a covered entity or business associate for an act that violates an administrative simplification provision if the covered entity or business associate establishes that the violation is punishable under 42 U.S.C. 1320d–6.
(2) On or after February 18, 2011, impose a civil money penalty on a covered entity or business associate for an act that violates an administrative simplification provision if the covered entity or business associate establishes that a penalty has been imposed under 42 U.S.C. 1320d–6 with respect to such act.
(b) For violations occurring prior to February 18, 2009, the Secretary may not impose a civil money penalty on a covered entity for a violation if the covered entity establishes that an affirmative defense exists with respect to the violation, including the following:
(1) The covered entity establishes, to the satisfaction of the Secretary, that it did not have knowledge of the violation, determined in accordance with the Federal common law of agency, and by exercising reasonable diligence, would not have known that the violation occurred; or
(2) The violation is—
(i) Due to circumstances that would make it unreasonable for the covered entity, despite the exercise of ordinary business care and prudence, to comply with the administrative simplification provision violated and is not due to willful neglect; and
(ii) Corrected during either:
(A) The 30-day period beginning on the first date the covered entity liable for the penalty knew, or by exercising reasonable diligence would have known, that the violation occurred; or
(B) Such additional period as the Secretary determines to be appropriate based on the nature and extent of the failure to comply.
(c) For violations occurring on or after February 18, 2009, the Secretary may not impose a civil money penalty on a covered entity or business associate for a violation if the covered entity or

diligence, would have known that the violation occurred; or
(ii) Such additional period as the Secretary determines to be appropriate based on the nature and extent of the failure to comply.

■ 22. Revise § 160.412 to read as follows:

§ 160.412 Waiver.

For violations described in § 160.410(b)(2) or (c) that are not corrected within the period specified under such paragraphs, the Secretary may waive the civil money penalty, in whole or in part, to the extent that the payment of the penalty would be excessive relative to the violation.

■ 23. Revise § 160.418 to read as follows:

§ 160.418 Penalty not exclusive.

Except as otherwise provided by 42 U.S.C. 1320d–5(b)(1) and 42 U.S.C. 299b–22(f)(3), a penalty imposed under this part is in addition to any other penalty prescribed by law.

■ 24. Amend § 160.534 as follows:
■ a. Revise paragraph (b)(1)(iii);
■ b. Add paragraph (b)(1)(iv); and
■ c. Revise paragraph (b)(2).

The revisions read as follows:

§ 160.534 The hearing.

* * * * *

(b)(1) * * *
(iii) Claim that a proposed penalty should be reduced or waived pursuant to § 160.412 of this part; and
(iv) Compliance with subpart D of part 164, as provided under § 164.414(b).
(2) The Secretary has the burden of going forward and the burden of persuasion with respect to all other issues, including issues of liability other than with respect to subpart D of part 164, and the existence of any factors considered aggravating factors in determining the amount of the proposed penalty.

* * * * *

PART 164—SECURITY AND PRIVACY

■ 25. The authority citation for part 164 is revised to read as follows:

Authority: 42 U.S.C. 1302(a); 42 U.S.C. 1320d–1320d–9; sec. 264, Pub. L. 104–191, 110 Stat.

requirements, and implementation specifications under part C of title XI of the Act, section 264 of Public Law 104–191, and sections 13400–13424 of Public Law 111–5.

■ 27. In § 164.104, revise paragraph (b) to read as follows:

§ 164.104 Applicability.

* * * * *

(b) Where provided, the standards, requirements, and implementation specifications adopted under this part apply to a business associate.

■ 28. Amend § 164.105 as follows:
■ a. Revise the introductory text of paragraph (a)(1), the introductory text of paragraph (a)(2)(i), paragraph (a)(2)(ii), the introductory text of paragraph (a)(2)(iii), and paragraphs (a)(2)(iii)(A) and (B);
■ b. Redesignate paragraph (a)(2)(iii)(C) as paragraph (a)(2)(iii)(D) and add new paragraph (a)(2)(iii)(C);
■ c. Revise newly redesignated paragraph (a)(2)(iii)(D); and
■ d. Revise paragraph (b).

The revisions read as follows:

§ 164.105 Organizational requirements.

(a)(1) Standard: Health care component. If a covered entity is a hybrid entity, the requirements of this part, other than the requirements of this section, § 164.314, and § 164.504, apply only to the health care component(s) of the entity, as specified in this section.
(2) * * *
(i) Application of other provisions. In applying a provision of this part, other than the requirements of this section, § 164.314, and § 164.504, to a hybrid entity:

* * * * *

(ii) Safeguard requirements. The covered entity that is a hybrid entity must ensure that a health care component of the entity complies with the applicable requirements of this part. In particular, and without limiting this requirement, such covered entity must ensure that:
(A) Its health care component does not disclose protected health information to another component of the covered entity in circumstances in which subpart E of this part would prohibit such disclosure if the health care component and the other
2033–2034 (42 U.S.C. 1320d– component were separate and distinct business associate establishes to the 2(note)); and secs. 13400–13424, Pub. L. 111– legal entities; 5, 123 Stat. 258–279. satisfaction of the Secretary that the (B) Its health care component protects violation is— ■ 26. Revise § 164.102 to read as electronic protected health information (1) Not due to willful neglect; and follows: with respect to another component of (2) Corrected during either: § 164.102 Statutory basis. the covered entity to the same extent (i) The 30-day period beginning on that it would be required under subpart the first date the covered entity or The provisions of this part are C of this part to protect such business associate liable for the penalty adopted pursuant to the Secretary’s information if the health care knew, or, by exercising reasonable authority to prescribe standards, VerDate Mar<15>2010 18:57 Jan 24, 2013 Jkt 229001 PO 00000 Frm 00128 Fmt 4701 Sfmt 4700 E:\FR\FM\25JAR2.SGM 25JAR2 sroberts on DSK5SPTVN1PROD with

5693 Federal Register / Vol. 78, No. 17 / Friday, January 25, 2013 / Rules and Regulations

component and the other component were separate and distinct legal entities;

(C) If a person performs duties for both the health care component in the capacity of a member of the workforce of such component and for another component of the entity in the same capacity with respect to that component, such workforce member must not use or disclose protected health information created or received in the course of or incident to the member’s work for the health care component in a way prohibited by subpart E of this part.

(iii) Responsibilities of the covered entity. A covered entity that is a hybrid entity has the following responsibilities:

(A) For purposes of subpart C of part 160 of this subchapter, pertaining to compliance and enforcement, the covered entity has the responsibility of complying with this part.

(B) The covered entity is responsible for complying with § 164.316(a) and § 164.530(i), pertaining to the implementation of policies and procedures to ensure compliance with applicable requirements of this part, including the safeguard requirements in paragraph (a)(2)(ii) of this section.

(C) The covered entity is responsible for complying with § 164.314 and § 164.504 regarding business associate arrangements and other organizational requirements.

(D) The covered entity is responsible for designating the components that are part of one or more health care components of the covered entity and documenting the designation in accordance with paragraph (c) of this section, provided that, if the covered entity designates one or more health care components, it must include any component that would meet the definition of a covered entity or business associate if it were a separate legal entity. Health care component(s) also may include a component only to the extent that it performs covered functions.

(b)(1) Standard: Affiliated covered entities. Legally separate covered entities that are affiliated may designate themselves as a single covered entity for purposes of this part.

(2) Implementation specifications.

(i) Requirements for designation of an affiliated covered entity.

(A) Legally separate covered entities may designate themselves (including any health care component of such covered entity) as a single affiliated covered entity, for purposes of this part, if all of the covered entities designated are under common ownership or control.

(B) The designation of an affiliated covered entity must be documented and the documentation maintained as required by paragraph (c) of this section.

(ii) Safeguard requirements. An affiliated covered entity must ensure that it complies with the applicable requirements of this part, including, if the affiliated covered entity combines the functions of a health plan, health care provider, or health care clearinghouse, § 164.308(a)(4)(ii)(A) and § 164.504(g), as applicable.

* * * * *

■ 29. Revise § 164.106 to read as follows:

§ 164.106 Relationship to other parts.

In complying with the requirements of this part, covered entities and, where provided, business associates, are required to comply with the applicable provisions of parts 160 and 162 of this subchapter.

■ 30. The authority citation for subpart C of part 164 is revised to read as follows:

Authority: 42 U.S.C. 1320d–2 and 1320d–4; sec. 13401, Pub. L. 111–5, 123 Stat. 260.

■ 31. Revise § 164.302 to read as follows:

§ 164.302 Applicability.

A covered entity or business associate must comply with the applicable standards, implementation specifications, and requirements of this subpart with respect to electronic protected health information of a covered entity.

■ 32. In § 164.304, revise the definitions of ‘‘Administrative safeguards’’ and ‘‘Physical safeguards’’ to read as follows:

§ 164.304 Definitions.

* * * * *

Administrative safeguards are administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s or business associate’s workforce in relation to the protection of that information.

* * * * *

Physical safeguards are physical measures, policies, and procedures to protect a covered entity’s or business associate’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.

* * * * *

■ 33. Amend § 164.306 as follows:
■ a. Revise the introductory text of paragraph (a) and paragraph (a)(1);
■ b. Revise paragraph (b)(1), the introductory text of paragraph (b)(2), and paragraphs (b)(2)(i) and (b)(2)(ii);
■ c. Revise paragraph (c);
■ d. Revise paragraph (d)(2), the introductory text of paragraph (d)(3), paragraph (d)(3)(i), and the introductory text of paragraph (d)(3)(ii); and
■ e. Revise paragraph (e).
The revisions read as follows:

§ 164.306 Security standards: General rules.

(a) General requirements. Covered entities and business associates must do the following:

(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.

* * * * *

(b) * * *

(1) Covered entities and business associates may use any security measures that allow the covered entity or business associate to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart.

(2) In deciding which security measures to use, a covered entity or business associate must take into account the following factors:

(i) The size, complexity, and capabilities of the covered entity or business associate.

(ii) The covered entity’s or the business associate’s technical infrastructure, hardware, and software security capabilities.

* * * * *

(c) Standards. A covered entity or business associate must comply with the applicable standards as provided in this section and in § 164.308, § 164.310, § 164.312, § 164.314 and § 164.316 with respect to all electronic protected health information.

(d) * * *

(2) When a standard adopted in § 164.308, § 164.310, § 164.312, § 164.314, or § 164.316 includes required implementation specifications, a covered entity or business associate must implement the implementation specifications.

(3) When a standard adopted in § 164.308, § 164.310, § 164.312, § 164.314, or § 164.316 includes addressable implementation specifications, a covered entity or business associate must—

(i) Assess whether each implementation specification is a

5694 Federal Register / Vol. 78, No. 17 / Friday, January 25, 2013 / Rules and Regulations

reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting electronic protected health information; and

(ii) As applicable to the covered entity or business associate—

* * * * *

(e) Maintenance. A covered entity or business associate must review and modify the security measures implemented under this subpart as needed to continue provision of reasonable and appropriate protection of electronic protected health information, and update documentation of such security measures in accordance with § 164.316(b)(2)(iii).

■ 34. Amend § 164.308 as follows:
■ a. Revise the introductory text of paragraph (a), paragraph (a)(1)(ii)(A), paragraph (a)(1)(ii)(C), paragraph (a)(2), paragraph (a)(3)(ii)(C), paragraph (a)(4)(ii)(C), paragraph (a)(6)(ii), and paragraph (a)(8); and
■ b. Revise paragraph (b).
The revisions read as follows:

§ 164.308 Administrative safeguards.

(a) A covered entity or business associate must, in accordance with § 164.306:

(1) * * *

(ii) * * *

(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.

* * * * *

(C) Sanction policy (Required). Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity or business associate.

* * * * *

(2) Standard: Assigned security responsibility. Identify the security official who is responsible for the development and implementation of the policies and procedures required by this subpart for the covered entity or business associate.

(3) * * *

(ii) * * *

(C) Termination procedures (Addressable). Implement procedures for terminating access to electronic protected health information when the employment of, or other arrangement with, a workforce member ends or as required by determinations made as specified in paragraph (a)(3)(ii)(B) of this section.

(4) * * *

(ii) * * *

(C) Access establishment and modification (Addressable). Implement policies and procedures that, based upon the covered entity’s or the business associate’s access authorization policies, establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process.

* * * * *

(6) * * *

(ii) Implementation specification: Response and reporting (Required). Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes.

* * * * *

(8) Standard: Evaluation. Perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and, subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which a covered entity’s or business associate’s security policies and procedures meet the requirements of this subpart.

(b)(1) Business associate contracts and other arrangements. A covered entity may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity’s behalf only if the covered entity obtains satisfactory assurances, in accordance with § 164.314(a), that the business associate will appropriately safeguard the information. A covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor.

(2) A business associate may permit a business associate that is a subcontractor to create, receive, maintain, or transmit electronic protected health information on its behalf only if the business associate obtains satisfactory assurances, in accordance with § 164.314(a), that the subcontractor will appropriately safeguard the information.

(3) Implementation specifications: Written contract or other arrangement (Required). Document the satisfactory assurances required by paragraph (b)(1) or (b)(2) of this section through a written contract or other arrangement with the business associate that meets the applicable requirements of § 164.314(a).

■ 35. Revise the introductory text of § 164.310 to read as follows:

§ 164.310 Physical safeguards.

A covered entity or business associate must, in accordance with § 164.306:

* * * * *

■ 36. Revise the introductory text of § 164.312 to read as follows:

§ 164.312 Technical safeguards.

A covered entity or business associate must, in accordance with § 164.306:

* * * * *

■ 37. Amend § 164.314 by revising paragraphs (a) and (b)(2)(iii) to read as follows:

§ 164.314 Organizational requirements.

(a)(1) Standard: Business associate contracts or other arrangements. The contract or other arrangement required by § 164.308(b)(4) must meet the requirements of paragraph (a)(2)(i), (a)(2)(ii), or (a)(2)(iii) of this section, as applicable.

(2) Implementation specifications (Required).

(i) Business associate contracts. The contract must provide that the business associate will—

(A) Comply with the applicable requirements of this subpart;

(B) In accordance with § 164.308(b)(2), ensure that any subcontractors that create, receive, maintain, or transmit electronic protected health information on behalf of the business associate agree to comply with the applicable requirements of this subpart by entering into a contract or other arrangement that complies with this section; and

(C) Report to the covered entity any security incident of which it becomes aware, including breaches of unsecured protected health information as required by § 164.410.

(ii) Other arrangements. The covered entity is in compliance with paragraph (a)(1) of this section if it has another arrangement in place that meets the requirements of § 164.504(e)(3).

(iii) Business associate contracts with subcontractors. The requirements of paragraphs (a)(2)(i) and (a)(2)(ii) of this section apply to the contract or other arrangement between a business associate and a subcontractor required by § 164.308(b)(4) in the same manner as such requirements apply to contracts or other arrangements between a covered entity and business associate.

(b) * * *

(2) * * *

(iii) Ensure that any agent to whom it provides this information agrees to implement reasonable and appropriate security measures to protect the information; and

* * * * *

5695 Federal Register / Vol. 78, No. 17 / Friday, January 25, 2013 / Rules and Regulations

■ 38. Revise the introductory text of § 164.316 and the third sentence of paragraph (a) to read as follows:

§ 164.316 Policies and procedures and documentation requirements.

A covered entity or business associate must, in accordance with § 164.306:

(a) * * * A covered entity or business associate may change its policies and procedures at any time, provided that the changes are documented and are implemented in accordance with this subpart.

* * * * *

■ 39. Revise § 164.402 to read as follows:

§ 164.402 Definitions.

As used in this subpart, the following terms have the following meanings:

Breach means the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E of this part which compromises the security or privacy of the protected health information.

(1) Breach excludes:

(i) Any unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or a business associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under subpart E of this part.

(ii) Any inadvertent disclosure by a person who is authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the same covered entity or business associate, or organized health care arrangement in which the covered entity participates, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under subpart E of this part.

(iii) A disclosure of protected health information where a covered entity or business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

(2) Except as provided in paragraph (1) of this definition, an acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:

(i) The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;

(ii) The unauthorized person who used the protected health information or to whom the disclosure was made;

(iii) Whether the protected health information was actually acquired or viewed; and

(iv) The extent to which the risk to the protected health information has been mitigated.

Unsecured protected health information means protected health information that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through the use of a technology or methodology specified by the Secretary in the guidance issued under section 13402(h)(2) of Public Law 111–5.

■ 40. In § 164.406, revise paragraph (a) to read as follows:

§ 164.406 Notification to the media.

(a) Standard. For a breach of unsecured protected health information involving more than 500 residents of a State or jurisdiction, a covered entity shall, following the discovery of the breach as provided in § 164.404(a)(2), notify prominent media outlets serving the State or jurisdiction.

* * * * *

■ 41. In § 164.408, revise paragraph (c) to read as follows:

§ 164.408 Notification to the Secretary.

* * * * *

(c) Implementation specifications: Breaches involving less than 500 individuals. For breaches of unsecured protected health information involving less than 500 individuals, a covered entity shall maintain a log or other documentation of such breaches and, not later than 60 days after the end of each calendar year, provide the notification required by paragraph (a) of this section for breaches discovered during the preceding calendar year, in the manner specified on the HHS web site.

■ 42. In § 164.410, revise paragraph (a) to read as follows:

§ 164.410 Notification by a business associate.

(a) Standard—(1) General rule. A business associate shall, following the discovery of a breach of unsecured protected health information, notify the covered entity of such breach.

(2) Breaches treated as discovered. For purposes of paragraph (a)(1) of this section, a breach shall be treated as discovered by a business associate as of the first day on which such breach is known to the business associate or, by exercising reasonable diligence, would have been known to the business associate. A business associate shall be deemed to have knowledge of a breach if the breach is known, or by exercising reasonable diligence would have been known, to any person, other than the person committing the breach, who is an employee, officer, or other agent of the business associate (determined in accordance with the Federal common law of agency).

* * * * *

■ 43. The authority citation for subpart E of part 164 is revised to read as follows:

Authority: 42 U.S.C. 1320d–2, 1320d–4, and 1320d–9; sec. 264 of Pub. L. 104–191, 110 Stat. 2033–2034 (42 U.S.C. 1320d–2 (note)); and secs. 13400–13424, Pub. L. 111–5, 123 Stat. 258–279.

■ 44. In § 164.500, redesignate paragraph (c) as paragraph (d) and add new paragraph (c) to read as follows:

§ 164.500 Applicability.

* * * * *

(c) Where provided, the standards, requirements, and implementation specifications adopted under this subpart apply to a business associate with respect to the protected health information of a covered entity.

* * * * *

■ 45. Amend § 164.501 as follows:
■ a. Revise paragraphs (1) and (3) of the definition of ‘‘Health care operations’’;
■ b. Revise the definition of ‘‘Marketing’’; and
■ c. Revise paragraph (1)(i) of the definition of ‘‘Payment’’.
The revisions read as follows:

§ 164.501 Definitions.

* * * * *

Health care operations means * * *

(1) Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; patient safety activities (as defined in 42 CFR 3.20); population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives; and related functions that do not include treatment;

* * * * *

(3) Except as prohibited under § 164.502(a)(5)(i), underwriting,

5696 Federal Register / Vol. 78, No. 17 / Friday, January 25, 2013 / Rules and Regulations

enrollment, premium rating, and other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract for reinsurance of risk relating to claims for health care (including stop-loss insurance and excess of loss insurance), provided that the requirements of § 164.514(g) are met, if applicable;

* * * * *

Marketing: (1) Except as provided in paragraph (2) of this definition, marketing means to make a communication about a product or service that encourages recipients of the communication to purchase or use the product or service.

(2) Marketing does not include a communication made:

(i) To provide refill reminders or otherwise communicate about a drug or biologic that is currently being prescribed for the individual, only if any financial remuneration received by the covered entity in exchange for making the communication is reasonably related to the covered entity’s cost of making the communication.

(ii) For the following treatment and health care operations purposes, except where the covered entity receives financial remuneration in exchange for making the communication:

(A) For treatment of an individual by a health care provider, including case management or care coordination for the individual, or to direct or recommend alternative treatments, therapies, health care providers, or settings of care to the individual;

(B) To describe a health-related product or service (or payment for such product or service) that is provided by, or included in a plan of benefits of, the covered entity making the communication, including communications about: the entities participating in a health care provider network or health plan network; replacement of, or enhancements to, a health plan; and health-related products or services available only to a health plan enrollee that add value to, but are not part of, a plan of benefits; or

(C) For case management or care coordination, contacting of individuals with information about treatment alternatives, and related functions to the extent these activities do not fall within the definition of treatment.

(3) Financial remuneration means direct or indirect payment from or on behalf of a third party whose product or service is being described. Direct or indirect payment does not include any payment for treatment of an individual.

Payment means:

(1) * * *

(i) Except as prohibited under § 164.502(a)(5)(i), a health plan to obtain premiums or to determine or fulfill its responsibility for coverage and provision of benefits under the health plan; or

* * * * *

■ 46. In § 164.502, revise paragraphs (a), (b)(1), (e), and (f) to read as follows:

§ 164.502 Uses and disclosures of protected health information: General rules.

(a) Standard. A covered entity or business associate may not use or disclose protected health information, except as permitted or required by this subpart or by subpart C of part 160 of this subchapter.

(1) Covered entities: Permitted uses and disclosures. A covered entity is permitted to use or disclose protected health information as follows:

(i) To the individual;

(ii) For treatment, payment, or health care operations, as permitted by and in compliance with § 164.506;

(iii) Incident to a use or disclosure otherwise permitted or required by this subpart, provided that the covered entity has complied with the applicable requirements of §§ 164.502(b), 164.514(d), and 164.530(c) with respect to such otherwise permitted or required use or disclosure;

(iv) Except for uses and disclosures prohibited under § 164.502(a)(5)(i), pursuant to and in compliance with a valid authorization under § 164.508;

(v) Pursuant to an agreement under, or as otherwise permitted by, § 164.510; and

(vi) As permitted by and in compliance with this section, § 164.512, § 164.514(e), (f), or (g).

(2) Covered entities: Required disclosures. A covered entity is required to disclose protected health information:

(i) To an individual, when requested under, and required by § 164.524 or § 164.528; and

(ii) When required by the Secretary under subpart C of part 160 of this subchapter to investigate or determine the covered entity’s compliance with this subchapter.

(3) Business associates: Permitted uses and disclosures. A business associate may use or disclose protected health information only as permitted or required by its business associate contract or other arrangement pursuant to § 164.504(e) or as required by law. The business associate may not use or disclose protected health information in a manner that would violate the requirements of this subpart, if done by the covered entity, except for the purposes specified under § 164.504(e)(2)(i)(A) or (B) if such uses or disclosures are permitted by its contract or other arrangement.

(4) Business associates: Required uses and disclosures. A business associate is required to disclose protected health information:

(i) When required by the Secretary under subpart C of part 160 of this subchapter to investigate or determine the business associate’s compliance with this subchapter.

(ii) To the covered entity, individual, or individual’s designee, as necessary to satisfy a covered entity’s obligations under § 164.524(c)(2)(ii) and (3)(ii) with respect to an individual’s request for an electronic copy of protected health information.

(5) Prohibited uses and disclosures. (i) Use and disclosure of genetic information for underwriting purposes: Notwithstanding any other provision of this subpart, a health plan, excluding an issuer of a long-term care policy falling within paragraph (1)(viii) of the definition of health plan, shall not use or disclose protected health information that is genetic information for underwriting purposes. For purposes of paragraph (a)(5)(i) of this section, underwriting purposes means, with respect to a health plan:

(A) Except as provided in paragraph (a)(5)(i)(B) of this section:

(1) Rules for, or determination of, eligibility (including enrollment and continued eligibility) for, or determination of, benefits under the plan, coverage, or policy (including changes in deductibles or other cost-sharing mechanisms in return for activities such as completing a health risk assessment or participating in a wellness program);

(2) The computation of premium or contribution amounts under the plan, coverage, or policy (including discounts, rebates, payments in kind, or other premium differential mechanisms in return for activities such as completing a health risk assessment or participating in a wellness program);

(3) The application of any pre-existing condition exclusion under the plan, coverage, or policy; and

(4) Other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits.

(B) Underwriting purposes does not include determinations of medical appropriateness where an individual seeks a benefit under the plan, coverage, or policy.

(ii) Sale of protected health information:

5697 Federal Register / Vol. 78, No. 17 / Friday, January 25, 2013 / Rules and Regulations

(A) Except pursuant to and in compliance with § 164.508(a)(4), a covered entity or business associate may not sell protected health information.

(B) For purposes of this paragraph, sale of protected health information means:

(1) Except as provided in paragraph (a)(5)(ii)(B)(2) of this section, a disclosure of protected health information by a covered entity or business associate, if applicable, where the covered entity or business associate directly or indirectly receives remuneration from or on behalf of the recipient of the protected health information in exchange for the protected health information.

(2) Sale of protected health information does not include a disclosure of protected health information:

(i) For public health purposes pursuant to § 164.512(b) or § 164.514(e);

(ii) For research purposes pursuant to § 164.512(i) or § 164.514(e), where the only remuneration received by the covered entity or business associate is a reasonable cost-based fee to cover the cost to prepare and transmit the protected health information for such purposes;

(iii) For treatment and payment purposes pursuant to § 164.506(a);

(iv) For the sale, transfer, merger, or consolidation of all or part of the covered entity and for related due diligence as described in paragraph (6)(iv) of the definition of health care operations and pursuant to § 164.506(a);

(v) To or by a business associate for activities that the business associate undertakes on behalf of a covered entity, or on behalf of a business associate in the case of a subcontractor, pursuant to §§ 164.502(e) and 164.504(e), and the only remuneration provided is by the covered entity to the business associate, or by the business associate to the subcontractor, if applicable, for the performance of such activities;

(vi) To an individual, when requested under § 164.524 or § 164.528;

protected health information from another covered entity or business associate, a covered entity or business associate must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.

* * * * *

(e)(1) Standard: Disclosures to business associates. (i) A covered entity may disclose protected health information to a business associate and may allow a business associate to create, receive, maintain, or transmit protected health information on its behalf, if the covered entity obtains satisfactory assurance that the business associate will appropriately safeguard the information. A covered entity is not required to obtain such satisfactory assurances from a business associate that is a subcontractor.

(ii) A business associate may disclose protected health information to a business associate that is a subcontractor and may allow the subcontractor to create, receive, maintain, or transmit protected health information on its behalf, if the business associate obtains satisfactory assurances, in accordance with § 164.504(e)(1)(i), that the subcontractor will appropriately safeguard the information.

(2) Implementation specification: Documentation. The satisfactory assurances required by paragraph (e)(1) of this section must be documented through a written contract or other written agreement or arrangement with the business associate that meets the applicable requirements of § 164.504(e).

(f) Standard: Deceased individuals. A covered entity must comply with the requirements of this subpart with respect to the protected health information of a deceased individual for a period of 50 years following the death of the individual.

* * * * *

■ 47.

activity or practice of the business associate that constituted a material breach or violation of the business associate’s obligation under the contract or other arrangement, unless the covered entity took reasonable steps to cure the breach or end the violation, as applicable, and, if such steps were unsuccessful, terminated the contract or arrangement, if feasible.

(iii) A business associate is not in compliance with the standards in § 164.502(e) and this paragraph, if the business associate knew of a pattern of activity or practice of a subcontractor that constituted a material breach or violation of the subcontractor’s obligation under the contract or other arrangement, unless the business associate took reasonable steps to cure the breach or end the violation, as applicable, and, if such steps were unsuccessful, terminated the contract or arrangement, if feasible.

(2) Implementation specifications: Business associate contracts. A contract between the covered entity and a business associate must:

(i) Establish the permitted and required uses and disclosures of protected health information by the business associate. The contract may not authorize the business associate to use or further disclose the information in a manner that would violate the requirements of this subpart, if done by the covered entity, except that:

(A) The contract may permit the business associate to use and disclose protected health information for the proper management and administration of the business associate, as provided in paragraph (e)(4) of this section; and

(B) The contract may permit the business associate to provide data aggregation services relating to the health care operations of the covered entity.

(ii) Provide that the business associate will:

(A) Not use or further disclose the information other than as permitted or required by the contract or as required
In § 164.504, revise paragraphs (e), ( vii ) Required by law as permitted by law; (f)(1)(ii) introductory text, and (B) Use appropriate safeguards and under § 164.512(a); and (f)(2)(ii)(B) to read as follows: ) For any other purpose permitted viii ( comply, where applicable, with subpart § 164.504 Uses and disclosures: by and in accordance with the C of this part with respect to electronic Organizational requirements. applicable requirements of this subpart, protected health information, to prevent * * * * * where the only remuneration received use or disclosure of the information Standard: Business associate (e)(1) by the covered entity or business other than as provided for by its contracts. (i) The contract or other associate is a reasonable, cost-based fee contract; arrangement required by § 164.502(e)(2) (C) Report to the covered entity any to cover the cost to prepare and transmit must meet the requirements of use or disclosure of the information not the protected health information for paragraph (e)(2), (e)(3), or (e)(5) of this provided for by its contract of which it such purpose or a fee otherwise section, as applicable. becomes aware, including breaches of expressly permitted by other law. (ii) A covered entity is not in (b) * * * unsecured protected health information (1) When Minimum necessary applies. compliance with the standards in as required by § 164.410; using or disclosing protected health (D) In accordance with § 164.502(e) and this paragraph, if the information or when requesting § 164.502(e)(1)(ii), ensure that any covered entity knew of a pattern of VerDate Mar<15>2010 18:57 Jan 24, 2013 Jkt 229001 PO 00000 Frm 00133 Fmt 4701 Sfmt 4700 E:\FR\FM\25JAR2.SGM 25JAR2 sroberts on DSK5SPTVN1PROD with

134 5698 Federal Register / Vol. 78, No. 17 / Friday, January 25, 2013 / Rules and Regulations (A) The disclosure is required by law; entity or its business associate) contains subcontractors that create, receive, or requirements applicable to the business maintain, or transmit protected health ) The business associate obtains 1 (B)( associate that accomplish the objectives information on behalf of the business reasonable assurances from the person of paragraph (e)(2) of this section and associate agree to the same restrictions to whom the information is disclosed § 164.314(a)(2), if applicable. and conditions that apply to the that it will be held confidentially and business associate with respect to such (ii) If a business associate is required used or further disclosed only as information; by law to perform a function or activity required by law or for the purposes for (E) Make available protected health on behalf of a covered entity or to which it was disclosed to the person; information in accordance with provide a service described in the and § 164.524; definition of business associate in ) The person notifies the business ( 2 (F) Make available protected health § 160.103 of this subchapter to a covered associate of any instances of which it is information for amendment and entity, such covered entity may disclose aware in which the confidentiality of incorporate any amendments to protected health information to the the information has been breached. protected health information in business associate to the extent (5) Implementation specifications: accordance with § 164.526; necessary to comply with the legal Business associate contracts with (G) Make available the information mandate without meeting the The requirements of subcontractors. 
required to provide an accounting of requirements of this paragraph and § 164.504(e)(2) through (e)(4) apply to disclosures in accordance with § 164.314(a)(1), if applicable, provided the contract or other arrangement § 164.528; that the covered entity attempts in good required by § 164.502(e)(1)(ii) between a (H) To the extent the business faith to obtain satisfactory assurances as business associate and a business associate is to carry out a covered required by paragraph (e)(2) of this associate that is a subcontractor in the entity’s obligation under this subpart, section and § 164.314(a)(1), if same manner as such requirements comply with the requirements of this applicable, and, if such attempt fails, apply to contracts or other arrangements subpart that apply to the covered entity documents the attempt and the reasons between a covered entity and business in the performance of such obligation. that such assurances cannot be associate. (I) Make its internal practices, books, obtained. (f)(1)* * * and records relating to the use and (iii) The covered entity may omit from (ii) Except as prohibited by disclosure of protected health its other arrangements the termination § 164.502(a)(5)(i), the group health plan, information received from, or created or authorization required by paragraph or a health insurance issuer or HMO received by the business associate on (e)(2)(iii) of this section, if such with respect to the group health plan, behalf of, the covered entity available to authorization is inconsistent with the may disclose summary health the Secretary for purposes of statutory obligations of the covered information to the plan sponsor, if the determining the covered entity’s entity or its business associate. 
plan sponsor requests the summary compliance with this subpart; and (iv) A covered entity may comply health information for purposes of: (J) At termination of the contract, if with this paragraph and § 164.314(a)(1) feasible, return or destroy all protected * * * * * if the covered entity discloses only a health information received from, or (2) * * * limited data set to a business associate (ii) * * * created or received by the business for the business associate to carry out a (B) Ensure that any agents to whom it associate on behalf of, the covered entity health care operations function and the provides protected health information that the business associate still covered entity has a data use agreement received from the group health plan maintains in any form and retain no with the business associate that agree to the same restrictions and copies of such information or, if such complies with § 164.514(e)(4) and conditions that apply to the plan return or destruction is not feasible, § 164.314(a)(1), if applicable. sponsor with respect to such extend the protections of the contract to (4) Implementation specifications: information; the information and limit further uses Other requirements for contracts and and disclosures to those purposes that * * * * * other arrangements. (i) The contract or make the return or destruction of the ■ 48. In § 164.506, revise paragraphs (a) other arrangement between the covered information infeasible. and (c)(5) to read as follows: entity and the business associate may (iii) Authorize termination of the permit the business associate to use the § 164.506 Uses and disclosures to carry contract by the covered entity, if the protected health information received out treatment, payment, or health care covered entity determines that the operations. by the business associate in its capacity business associate has violated a as a business associate to the covered Standard: Permitted uses and (a) material term of the contract. 
entity, if necessary: disclosures. Except with respect to uses Implementation specifications: (3) (A) For the proper management and or disclosures that require an Other arrangements. (i) If a covered administration of the business associate; authorization under § 164.508(a)(2) entity and its business associate are both or through (4) or that are prohibited under governmental entities: (B) To carry out the legal § 164.502(a)(5)(i), a covered entity may (A) The covered entity may comply responsibilities of the business use or disclose protected health with this paragraph and § 164.314(a)(1), associate. information for treatment, payment, or if applicable, by entering into a health care operations as set forth in (ii) The contract or other arrangement memorandum of understanding with the paragraph (c) of this section, provided between the covered entity and the business associate that contains terms that such use or disclosure is consistent business associate may permit the that accomplish the objectives of with other applicable requirements of business associate to disclose the paragraph (e)(2) of this section and this subpart. protected health information received § 164.314(a)(2), if applicable. by the business associate in its capacity (B) The covered entity may comply * * * * * as a business associate for the purposes with this paragraph and § 164.314(a)(1), (c) * * * described in paragraph (e)(4)(i) of this if applicable, if other law (including (5) A covered entity that participates section, if: regulations adopted by the covered in an organized health care arrangement VerDate Mar<15>2010 18:57 Jan 24, 2013 Jkt 229001 PO 00000 Frm 00134 Fmt 4701 Sfmt 4700 E:\FR\FM\25JAR2.SGM 25JAR2 sroberts on DSK5SPTVN1PROD with

135 5699 Federal Register / Vol. 78, No. 17 / Friday, January 25, 2013 / Rules and Regulations close personal friend of the individual, a consent to participate in research. may disclose protected health or any other person identified by the Where a covered health care provider information about an individual to other individual, the protected health has conditioned the provision of participants in the organized health care information directly relevant to such research-related treatment on the arrangement for any health care person’s involvement with the provision of one of the authorizations, operations activities of the organized individual’s health care or payment as permitted under paragraph (b)(4)(i) of health care arrangement. related to the individual’s health care. this section, any compound 49. Amend § 164.508 as follows: ■ (ii) * * * Any such use or disclosure authorization created under this ■ a. Revise the headings of paragraphs of protected health information for such paragraph must clearly differentiate (a), (a)(1), and (a)(2); notification purposes must be in between the conditioned and ■ b. Revise paragraph (a)(3)(ii); accordance with paragraphs (b)(2), ■ c. Add new paragraph (a)(4); and unconditioned components and provide (b)(3), (b)(4), or (b)(5) of this section, as d. Revise paragraphs (b)(1)(i), and ■ the individual with an opportunity to applicable. (b)(3). opt in to the research activities The revisions and additions read as * * * * * described in the unconditioned follows: (2) * * * authorization. (iii) Reasonably infers from the (ii) An authorization for a use or § 164.508 Uses and disclosures for which circumstances, based on the exercise of disclosure of psychotherapy notes may an authorization is required. professional judgment, that the only be combined with another (a) Standard: Authorizations for uses individual does not object to the authorization for a use or disclosure of Authorization —(1) and disclosures disclosure. 
psychotherapy notes. required: General rule. *** (3) * * * If the individual is not (iii) An authorization under this (2) Authorization required: present, or the opportunity to agree or section, other than an authorization for Psychotherapy notes. *** object to the use or disclosure cannot a use or disclosure of psychotherapy (3) * * * practicably be provided because of the notes, may be combined with any other (ii) If the marketing involves financial individual’s incapacity or an emergency such authorization under this section, remuneration, as defined in paragraph circumstance, the covered entity may, in except when a covered entity has (3) of the definition of marketing at the exercise of professional judgment, conditioned the provision of treatment, § 164.501, to the covered entity from a determine whether the disclosure is in payment, enrollment in the health plan, third party, the authorization must state the best interests of the individual and, or eligibility for benefits under that such remuneration is involved. if so, disclose only the protected health paragraph (b)(4) of this section on the (4) Authorization required: Sale of information that is directly relevant to provision of one of the authorizations. protected health information. the person’s involvement with the The prohibition in this paragraph on (i) Notwithstanding any provision of individual’s care or payment related to combining authorizations where one this subpart, other than the transition the individual’s health care or needed authorization conditions the provision provisions in § 164.532, a covered entity for notification purposes. * * * of treatment, payment, enrollment in a must obtain an authorization for any (4) Uses and disclosures for disaster health plan, or eligibility for benefits disclosure of protected health relief purposes. 
A covered entity may under paragraph (b)(4) of this section information which is a sale of protected use or disclose protected health does not apply to a compound health information, as defined in information to a public or private entity authorization created in accordance § 164.501 of this subpart. (ii) Such authorized by law or by its charter to with paragraph (b)(3)(i) of this section. authorization must state that the assist in disaster relief efforts, for the * * * * * disclosure will result in remuneration to purpose of coordinating with such the covered entity. ■ 50. Amend § 164.510 as follows: entities the uses or disclosures (b) * * * ■ a. Revise paragraph (a)(1)(ii) permitted by paragraph (b)(1)(ii) of this (1) * * * section. The requirements in paragraphs introductory text; (i) A valid authorization is a (b)(2), (b)(3), or (b)(5) of this section b. Revise paragraph (b)(1)(i), the ■ document that meets the requirements apply to such uses and disclosures to second sentence of paragraph (b)(1)(ii), in paragraphs (a)(3)(ii), (a)(4)(ii), (c)(1), the extent that the covered entity, in the paragraph (b)(2)(iii), the first sentence of and (c)(2) of this section, as applicable. exercise of professional judgment, paragraph (b)(3), and paragraph (b)(4); * * * * * determines that the requirements do not and An Compound authorizations. (3) interfere with the ability to respond to ■ c. Add new paragraph (b)(5). authorization for use or disclosure of the emergency circumstances. The revisions and additions read as (5) Uses and disclosures when the protected health information may not be follows: individual is deceased. If the individual combined with any other document to § 164.510 Uses and disclosures requiring is deceased, a covered entity may create a compound authorization, an opportunity for the individual to agree or disclose to a family member, or other except as follows: to object. 
(i) An authorization for the use or persons identified in paragraph (b)(1) of * * * * * this section who were involved in the disclosure of protected health (a) * * * individual’s care or payment for health information for a research study may be (1) * * * care prior to the individual’s death, combined with any other type of written (ii) Use or disclose for directory protected health information of the permission for the same or another purposes such information: individual that is relevant to such research study. This exception includes person’s involvement, unless doing so is * * * * * combining an authorization for the use inconsistent with any prior expressed (b) * * * or disclosure of protected health preference of the individual that is (1) * * * information for a research study with known to the covered entity. (i) A covered entity may, in another authorization for the same accordance with paragraphs (b)(2), research study, with an authorization ■ 51. Amend § 164.512 as follows: (b)(3), or (b)(5) of this section, disclose for the creation or maintenance of a ■ a. Revise the paragraph heading for to a family member, other relative, or a research database or repository, or with paragraph (b), the introductory text of VerDate Mar<15>2010 18:57 Jan 24, 2013 Jkt 229001 PO 00000 Frm 00135 Fmt 4701 Sfmt 4700 E:\FR\FM\25JAR2.SGM 25JAR2 sroberts on DSK5SPTVN1PROD with

136 5700 Federal Register / Vol. 78, No. 17 / Friday, January 25, 2013 / Rules and Regulations (e)(1)(ii)(A) or (B) of this section, if the paragraph (b)(1) and the introductory apply to the limited data set recipient covered entity makes reasonable efforts text of paragraph (b)(1)(v)(A); with respect to such information; and b. Add new paragraph (b)(1)(vi); ■ to provide notice to the individual * * * * * ■ c. Revise the introductory text of sufficient to meet the requirements of (f) Fundraising communications. paragraph (e)(1)(iii) and paragraph paragraph (e)(1)(iii) of this section or to Standard: Uses and disclosures for (1) (e)(1)(vi); seek a qualified protective order Subject to the conditions of fundraising. ■ d. Revise paragraph (i)(2)(iii); and sufficient to meet the requirements of paragraph (f)(2) of this section, a ■ e. Revise paragraphs (k)(1)(ii), (k)(3), paragraph (e)(1)(v) of this section. covered entity may use, or disclose to a and (k)(5)(i)(E). * * * * * business associate or to an The revisions and additions read as (i) * * * institutionally related foundation, the follows: (2) * * * following protected health information Protected health information (iii) for the purpose of raising funds for its § 164.512 Uses and disclosures for which A brief description of the needed. own benefit, without an authorization an authorization or opportunity to agree or protected health information for which meeting the requirements of § 164.508: object is not required. use or access has been determined to be (i) Demographic information relating * * * * * necessary by the institutional review to an individual, including name, (b) Standard: Uses and disclosures for board or privacy board, pursuant to address, other contact information, age, public health activities. Permitted (1) paragraph (i)(2)(ii)(C) of this section; gender, and date of birth; uses and disclosures. 
A covered entity (ii) Dates of health care provided to an * * * * * may use or disclose protected health individual; (k) * * * information for the public health (1) * * * (iii) Department of service activities and purposes described in this (ii) Separation or discharge from information; paragraph to: military service. A covered entity that is (iv) Treating physician; * * * * * a component of the Departments of (v) Outcome information; and (v) * * * Defense or Homeland Security may (vi) Health insurance status. (A) The covered entity is a covered disclose to the Department of Veterans (2) Implementation specifications: health care provider who provides Affairs (DVA) the protected health Fundraising requirements. (i) A covered health care to the individual at the information of an individual who is a entity may not use or disclose protected request of the employer: member of the Armed Forces upon the health information for fundraising * * * * * separation or discharge of the individual purposes as otherwise permitted by (vi) A school, about an individual from military service for the purpose of paragraph (f)(1) of this section unless a who is a student or prospective student a determination by DVA of the statement required by of the school, if: individual’s eligibility for or entitlement § 164.520(b)(1)(iii)(A) is included in the (A) The protected health information to benefits under laws administered by covered entity’s notice of privacy that is disclosed is limited to proof of the Secretary of Veterans Affairs. practices. immunization; (ii) With each fundraising * * * * * (B) The school is required by State or communication made to an individual (3) Protective services for the other law to have such proof of under this paragraph, a covered entity President and others. 
A covered entity immunization prior to admitting the must provide the individual with a clear may disclose protected health individual; and and conspicuous opportunity to elect information to authorized Federal (C) The covered entity obtains and not to receive any further fundraising officials for the provision of protective documents the agreement to the communications. The method for an services to the President or other disclosure from either: individual to elect not to receive further persons authorized by 18 U.S.C. 3056 or (1) A parent, guardian, or other person fundraising communications may not to foreign heads of state or other persons of the individual, in loco parentis acting cause the individual to incur an undue authorized by 22 U.S.C. 2709(a)(3), or if the individual is an unemancipated burden or more than a nominal cost. for the conduct of investigations minor; or (iii) A covered entity may not authorized by 18 U.S.C. 871 and 879. (2) The individual, if the individual is condition treatment or payment on the * * * * * an adult or emancipated minor. individual’s choice with respect to the (5) * * * * * * * * receipt of fundraising communications. (i) * * * (e) * * * (iv) A covered entity may not make (E) Law enforcement on the premises (1) * * * fundraising communications to an of the correctional institution; or (iii) For the purposes of paragraph individual under this paragraph where * * * * * (e)(1)(ii)(A) of this section, a covered the individual has elected not to receive ■ 52. In § 164.514, revise paragraphs entity receives satisfactory assurances such communications under paragraph (e)(4)(ii)(C)( 4 ), (f), and (g) to read as from a party seeking protected health (f)(1)(ii)(B) of this section. 
follows: information if the covered entity (v) A covered entity may provide an receives from such party a written individual who has elected not to § 164.514 Other requirements relating to statement and accompanying receive further fundraising uses and disclosures of protected health documentation demonstrating that: information. communications with a method to opt back in to receive such * * * * * * * * * * communications. (vi) Notwithstanding paragraph (e) * * * Standard: uses and disclosures for (g) (e)(1)(ii) of this section, a covered entity (4) * * * If a underwriting and related purposes. may disclose protected health (ii) * * * health plan receives protected health information in response to lawful (C) * * * information for the purpose of process described in paragraph (e)(1)(ii) ) Ensure that any agents to whom it 4 ( underwriting, premium rating, or other of this section without receiving provides the limited data set agree to the activities relating to the creation, satisfactory assurance under paragraph same restrictions and conditions that VerDate Mar<15>2010 18:57 Jan 24, 2013 Jkt 229001 PO 00000 Frm 00136 Fmt 4701 Sfmt 4700 E:\FR\FM\25JAR2.SGM 25JAR2 sroberts on DSK5SPTVN1PROD with

137 5701 Federal Register / Vol. 78, No. 17 / Friday, January 25, 2013 / Rules and Regulations (A) The right to request restrictions on (vi) A covered entity must agree to the renewal, or replacement of a contract of certain uses and disclosures of protected request of an individual to restrict health insurance or health benefits, and health information as provided by disclosure of protected health if such health insurance or health § 164.522(a), including a statement that information about the individual to a benefits are not placed with the health the covered entity is not required to health plan if: plan, such health plan may only use or (A) The disclosure is for the purpose agree to a requested restriction, except disclose such protected health of carrying out payment or health care in case of a disclosure restricted under information for such purpose or as may operations and is not otherwise required § 164.522(a)(1)(vi); be required by law, subject to the by law; and prohibition at § 164.502(a)(5)(i) with * * * * * (B) The protected health information respect to genetic information included (v) * * * pertains solely to a health care item or in the protected health information. (A) A statement that the covered service for which the individual, or entity is required by law to maintain the * * * * * person other than the health plan on privacy of protected health information, ■ 53. Amend § 164.520: behalf of the individual, has paid the to provide individuals with notice of its a. Revise paragraphs (b)(1)(ii)(E), ■ covered entity in full. legal duties and privacy practices with (b)(1)(iii), (b)(1)(iv)(A), (b)(1)(v)(A), (2) Implementation specifications: respect to protected health information, (c)(1)(i) introductory text, and A covered Terminating a restriction. and to notify affected individuals (c)(1)(i)(B); entity may terminate a restriction, if: following a breach of unsecured b. 
Remove paragraph (c)(1)(i)(C); and
■ c. Add paragraph (c)(1)(v).
The revisions and addition read as follows:

§ 164.520 Notice of privacy practices for protected health information.

* * * * *
(b) * * *
(1) * * *
(ii) * * *
(E) A description of the types of uses and disclosures that require an authorization under § 164.508(a)(2)–(a)(4), a statement that other uses and disclosures not described in the notice will be made only with the individual's written authorization, and a statement that the individual may revoke an authorization as provided by § 164.508(b)(5).
(iii) Separate statements for certain uses or disclosures. If the covered entity intends to engage in any of the following activities, the description required by paragraph (b)(1)(ii)(A) of this section must include a separate statement informing the individual of such activities, as applicable:
(A) In accordance with § 164.514(f)(1), the covered entity may contact the individual to raise funds for the covered entity and the individual has a right to opt out of receiving such communications;
(B) In accordance with § 164.504(f), the group health plan, or a health insurance issuer or HMO with respect to a group health plan, may disclose protected health information to the sponsor of the plan; or
(C) If a covered entity that is a health plan, excluding an issuer of a long-term care policy falling within paragraph (1)(viii) of the definition of health plan, intends to use or disclose protected health information for underwriting purposes, a statement that the covered entity is prohibited from using or disclosing protected health information that is genetic information of an individual for such purposes.
(iv) * * *
protected health information;
* * * * *
(c) * * *
(1) * * *
(i) A health plan must provide the notice:
* * * * *
(B) Thereafter, at the time of enrollment, to individuals who are new enrollees.
* * * * *
(v) If there is a material change to the notice:
(A) A health plan that posts its notice on its web site in accordance with paragraph (c)(3)(i) of this section must prominently post the change or its revised notice on its web site by the effective date of the material change to the notice, and provide the revised notice, or information about the material change and how to obtain the revised notice, in its next annual mailing to individuals then covered by the plan.
(B) A health plan that does not post its notice on a web site pursuant to paragraph (c)(3)(i) of this section must provide the revised notice, or information about the material change and how to obtain the revised notice, to individuals then covered by the plan within 60 days of the material revision to the notice.
* * * * *
■ 54. Amend § 164.522 as follows:
■ a. Revise paragraph (a)(1)(ii);
■ b. Add new paragraph (a)(1)(vi); and
■ c. Revise the introductory text of paragraph (a)(2), and paragraphs (a)(2)(iii), and paragraph (a)(3).
The revisions and additions read as follows:

§ 164.522 Rights to request privacy protection for protected health information.

(a)(1) * * *
(ii) Except as provided in paragraph (a)(1)(vi) of this section, a covered entity is not required to agree to a restriction.
* * * * *
* * * * *
(iii) The covered entity informs the individual that it is terminating its agreement to a restriction, except that such termination is:
(A) Not effective for protected health information restricted under paragraph (a)(1)(vi) of this section; and
(B) Only effective with respect to protected health information created or received after it has so informed the individual.
(3) Implementation specification: Documentation. A covered entity must document a restriction in accordance with § 160.530(j) of this subchapter.
* * * * *
■ 55. Amend § 164.524 as follows:
■ a. Remove paragraph (b)(2)(ii) and redesignate paragraph (b)(2)(iii) as paragraph (b)(2)(ii);
■ b. Revise newly designated paragraph (b)(2)(ii);
■ c. Revise paragraph (c)(2)(i);
■ d. Redesignate paragraph (c)(2)(ii) as paragraph (c)(2)(iii);
■ e. Add new paragraph (c)(2)(ii);
■ f. Revise paragraphs (c)(3) and (c)(4)(i);
■ g. Redesignate paragraphs (c)(4)(ii) and (c)(4)(iii) as paragraphs (c)(4)(iii) and (c)(4)(iv), respectively; and
■ h. Add new paragraph (c)(4)(ii).
The revisions and additions read as follows:

§ 164.524 Access of individuals to protected health information.

* * * * *
(b) * * *
(2) * * *
(ii) If the covered entity is unable to take an action required by paragraph (b)(2)(i)(A) or (B) of this section within the time required by paragraph (b)(2)(i) of this section, as applicable, the covered entity may extend the time for such actions by no more than 30 days, provided that:
(A) The covered entity, within the time limit set by paragraph (b)(2)(i) of this section, as applicable, provides the individual with a written statement of the reasons for the delay and the date by which the covered entity will complete its action on the request; and
(B) The covered entity may have only one such extension of time for action on a request for access.
(c) * * *
(2) Form of access requested. (i) The covered entity must provide the individual with access to the protected health information in the form and format requested by the individual, if it is readily producible in such form and format; or, if not, in a readable hard copy form or such other form and format as agreed to by the covered entity and the individual.
(ii) Notwithstanding paragraph (c)(2)(i) of this section, if the protected health information that is the subject of a request for access is maintained in one or more designated record sets electronically and if the individual requests an electronic copy of such information, the covered entity must provide the individual with access to the protected health information in the electronic form and format requested by the individual, if it is readily producible in such form and format; or, if not, in a readable electronic form and format as agreed to by the covered entity and the individual.
* * * * *
(3) Time and manner of access. (i) The covered entity must provide the access as requested by the individual in a timely manner as required by paragraph (b)(2) of this section, including arranging with the individual for a convenient time and place to inspect or obtain a copy of the protected health information, or mailing the copy of the protected health information at the individual's request. The covered entity may discuss the scope, format, and other aspects of the request for access with the individual as necessary to facilitate the timely provision of access.
(ii) If an individual's request for access directs the covered entity to transmit the copy of protected health information directly to another person designated by the individual, the covered entity must provide the copy to the person designated by the individual. The individual's request must be in writing, signed by the individual, and clearly identify the designated person and where to send the copy of protected health information.
(4) * * *
(i) Labor for copying the protected health information requested by the individual, whether in paper or electronic form;
(ii) Supplies for creating the paper copy or electronic media if the individual requests that the electronic copy be provided on portable media;
* * * * *
■ 56. In § 164.532, revise paragraphs (a), (c)(2), (c)(3), (d), (e)(1), and (e)(2), and add paragraphs (c)(4) and (f) to read as follows:

§ 164.532 Transition provisions.

(a) Standard: Effect of prior authorizations. Notwithstanding §§ 164.508 and 164.512(i), a covered entity may use or disclose protected health information, consistent with paragraphs (b) and (c) of this section, pursuant to an authorization or other express legal permission obtained from an individual permitting the use or disclosure of protected health information, informed consent of the individual to participate in research, a waiver of informed consent by an IRB, or a waiver of authorization in accordance with § 164.512(i)(1)(i).
* * * * *
(c) * * *
(2) The informed consent of the individual to participate in the research;
(3) A waiver, by an IRB, of informed consent for the research, in accordance with 7 CFR 1c.116(d), 10 CFR 745.116(d), 14 CFR 1230.116(d), 15 CFR 27.116(d), 16 CFR 1028.116(d), 21 CFR 50.24, 22 CFR 225.116(d), 24 CFR 60.116(d), 28 CFR 46.116(d), 32 CFR 219.116(d), 34 CFR 97.116(d), 38 CFR 16.116(d), 40 CFR 26.116(d), 45 CFR 46.116(d), 45 CFR 690.116(d), or 49 CFR 11.116(d), provided that a covered entity must obtain authorization in accordance with § 164.508 if, after the compliance date, informed consent is sought from an individual participating in the research; or
(4) A waiver of authorization in accordance with § 164.512(i)(1)(i).
(d) Standard: Effect of prior contracts or other arrangements with business associates. Notwithstanding any other provisions of this part, a covered entity, or business associate with respect to a subcontractor, may disclose protected health information to a business associate and may allow a business associate to create, receive, maintain, or transmit protected health information on its behalf pursuant to a written contract or other written arrangement with such business associate that does not comply with §§ 164.308(b), 164.314(a), 164.502(e), and 164.504(e), only in accordance with paragraph (e) of this section.
(e) Implementation specification: Deemed compliance. (1) Qualification. Notwithstanding other sections of this part, a covered entity, or business associate with respect to a subcontractor, is deemed to be in compliance with the documentation and contract requirements of §§ 164.308(b), 164.314(a), 164.502(e), and 164.504(e), with respect to a particular business associate relationship, for the time period set forth in paragraph (e)(2) of this section, if:
(i) Prior to January 25, 2013, such covered entity, or business associate with respect to a subcontractor, has entered into and is operating pursuant to a written contract or other written arrangement with the business associate that complies with the applicable provisions of §§ 164.314(a) or 164.504(e) that were in effect on such date; and
(ii) The contract or other arrangement is not renewed or modified from March 26, 2013, until September 23, 2013.
(2) Limited deemed compliance period. A prior contract or other arrangement that meets the qualification requirements in paragraph (e) of this section shall be deemed compliant until the earlier of:
(i) The date such contract or other arrangement is renewed or modified on or after September 23, 2013; or
(ii) September 22, 2014.
* * * * *
(f) Effect of prior data use agreements. If, prior to January 25, 2013, a covered entity has entered into and is operating pursuant to a data use agreement with a recipient of a limited data set that complies with § 164.514(e), notwithstanding § 164.502(a)(5)(ii), the covered entity may continue to disclose a limited data set pursuant to such agreement in exchange for remuneration from or on behalf of the recipient of the protected health information until the earlier of:
(1) The date such agreement is renewed or modified on or after September 23, 2013; or
(2) September 22, 2014.
* * * * *
Dated: January 15, 2013.
Kathleen Sebelius,
Secretary.
[FR Doc. 2013–01073 Filed 1–17–13; 4:15 pm]
BILLING CODE 4153–01–P
